Handy iptables rules for Linux COD server admins



CaptainSlow
11th September 2015, 23:43
Back when I was running our COD servers on Linux, I had these entries in my rc.local file:



# sprintf() exploit fix: reject UDP packets with a total length of 1000-2000
# bytes on the three server ports. Only that size range is matched (see the
# replies below for why this is a stop-gap rather than a real fix).
iptables -A INPUT -p udp --dport 28962 -m length --length 1000:2000 -j REJECT
iptables -A INPUT -p udp --dport 28963 -m length --length 1000:2000 -j REJECT
iptables -A INPUT -p udp --dport 28964 -m length --length 1000:2000 -j REJECT

# UDP flood fix. The first three rules drop every UDP packet of 1162-1168
# bytes in all three chains, regardless of port.
iptables -A OUTPUT -p UDP -m length --length 1162:1168 -j DROP
iptables -A FORWARD -p UDP -m length --length 1162:1168 -j DROP
iptables -A INPUT -p UDP -m length --length 1162:1168 -j DROP
# Record the source of every 42-byte UDP packet (the getstatus query size this
# rule assumes), then drop a source once it has sent 20 packets containing
# "getstatus" within one second.
iptables -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod
iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
# The chains below block external IPs that send getstatus queries at a rate
# of 2/second or higher.
# QUERY-BLOCK: add a host to the banlist and then drop the packet.
iptables -N QUERY-BLOCK
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP
# QUERY-CHECK: is this a query packet? If so, block commonly attacked ports
# outright, then see if it's a known attacking IP, then see if it is sending
# at a high rate and should be added to the list of known attacking IPs.
iptables -N QUERY-CHECK
# Not a getstatus query: return to INPUT. The string offsets count from the
# start of the IP header (20 bytes IP + 8 bytes UDP + 4 bytes 0xff = 32).
iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
# Queries claiming to come from well-known service/game ports are spoofed
# reflection traffic: drop them.
iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
# Is it already blocked? Continue blocking it and update the counter so it
# gets blocked for at least another 30 seconds.
iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
# Check whether the source exceeds our rate threshold,
# and add it to the banlist if it does.
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK
# Look at all the packets going to q3/cod*/et/etc servers.
iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK


See the comments for what they're used for. I must admit I got it from someone else, but I forgot the source. Adding these rules to your rc.local file ensures they are set every time your server (re)boots.
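As an added example (not part of the original post or the rules quoted in it), here is the getstatus rate-limit part of the above written as an idempotent loader suitable for rc.local or a boot-time unit. It differs from the pasted rules in three ways: each rule is checked with `iptables -C` before it is appended, so running it twice does not leave duplicate rules; the `--length 1000:2000` "sprintf fix" rules are omitted, since the thread concludes they should be dropped in favour of the binary patch; and `DRY_RUN=1` prints the rules instead of applying them, for review on a box where you are not root. The helper names (`rule`, `chain`, `load_query_rules`) and the `IPT`/`DRY_RUN` variables are this example's own, not anything from the original.

```shell
#!/bin/sh
# Added example: idempotent loader for the getstatus rate-limit rules.
# Usage:  sh getstatus-rules.sh apply            (as root)
#         DRY_RUN=1 sh getstatus-rules.sh apply  (print rules only)

IPT=${IPT:-iptables}

# rule CHAIN RULE-SPEC...: append the rule only if an identical one is absent.
rule() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables -A $*"
        return 0
    fi
    "$IPT" -C "$@" 2>/dev/null || "$IPT" -A "$@"
}

# chain NAME: create the user chain only if it does not exist yet.
chain() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables -N $1"
        return 0
    fi
    "$IPT" -n -L "$1" >/dev/null 2>&1 || "$IPT" -N "$1"
}

load_query_rules() {
    # Banlist: a source sent here is recorded and its packet dropped.
    chain QUERY-BLOCK
    rule QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP

    chain QUERY-CHECK
    # Only getstatus queries are of interest. xt_string offsets count from the
    # start of the IP header: 20 (IP) + 8 (UDP) + 4 (0xff 0xff 0xff 0xff) = 32,
    # and "getstatus" is 9 bytes, hence --from 32 --to 41.
    rule QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
    # Queries whose source port is a well-known service or game-server port
    # are spoofed reflection traffic: drop them outright.
    for sp in 0:1025 3074 7777 27015:27100 25200 25565; do
        rule QUERY-CHECK -p udp --sport "$sp" -j DROP
    done
    # Already banned: keep dropping and extend the ban by another 30 seconds.
    rule QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
    # Per-source rate check; above 2/second the source goes onto the banlist.
    rule QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK

    # Send every packet for the q3/cod/et port range through the check chain.
    rule INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
}

# Only act when invoked with "apply"; sourcing the file just defines functions.
[ "${1:-}" = apply ] && load_query_rules
```

Because `-C` returns success when a matching rule already exists, re-running the script after a rule file edit only adds what is new; removing a rule you no longer want still has to be done by hand (`iptables -D` with the same specification) or by flushing the two chains first.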

IzNoGoD
12th September 2015, 12:00
I can bypass your sprintf fix just by inputting a string longer than 2k characters...

CaptainSlow
14th September 2015, 17:49
> I can bypass your sprintf fix just by inputting a string longer than 2k characters...

I think the sprintf iptables rule that is in there was a temporary fix before Luigi created his patch to properly fix it (see: http://aluigi.altervista.org/patches/codmsgfix.lpatch).

IzNoGoD
14th September 2015, 19:41
> I think the sprintf iptables rule that is in there was a temporary fix before Luigi created his patch to properly fix it (see: http://aluigi.altervista.org/patches/codmsgfix.lpatch).

In such a case I'd advise you to remove it; it only causes more server load.

CaptainSlow
14th September 2015, 20:21
> In such a case I'd advise you to remove it; it only causes more server load.

You're correct. I'm not using them anymore, as we've switched over to Windows, but to anyone running Linux: just patch your file instead of using this rule.