Thread: Handy iptables rules for Linux COD server admins

  1. #1 CaptainSlow

    Back when I was running our COD servers on Linux, I had these entries in my rc.local file:

    Code:
    # ****sprintf() exploit Fix: reject 1000-2000 byte UDP datagrams to the game
    # ports. Only that size window is caught (see the replies below); the thread
    # later recommends the codmsgfix patch instead of this rule.
    iptables -A INPUT -p udp --dport 28962 -m length --length 1000:2000 -j REJECT
    iptables -A INPUT -p udp --dport 28963 -m length --length 1000:2000 -j REJECT
    iptables -A INPUT -p udp --dport 28964 -m length --length 1000:2000 -j REJECT
    
    # ****UDP Flood Fix: drop 1162-1168 byte UDP datagrams in every direction
    iptables -A OUTPUT -p udp -m length --length 1162:1168 -j DROP
    iptables -A FORWARD -p udp -m length --length 1162:1168 -j DROP
    iptables -A INPUT -p udp -m length --length 1162:1168 -j DROP
    # remember every source that sends a 42-byte UDP datagram (the size of a
    # getstatus query). No -j here, so the packet continues down the chain.
    iptables -A INPUT -p udp -m length --length 42 -m recent --set --name getstatus_cod
    # drop getstatus packets from a source seen 20 or more times within one second
    iptables -A INPUT -p udp -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
    
    # The chains below block external IPs that send getstatus queries at a rate
    # of 2/second or higher.
    # QUERY-BLOCK: add the source to the banlist, then drop the packet.
    iptables -N QUERY-BLOCK
    iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP
    # QUERY-CHECK: is this a query packet? If so, block commonly attacked source
    # ports outright, then see if it is a known attacking IP, then see if it is
    # sending at a high rate and should be added to the list of known attacking IPs.
    iptables -N QUERY-CHECK
    # not a getstatus query (bytes 32-41 of the packet: 20 IP + 8 UDP + 4 bytes of
    # 0xFF prefix come first) -> hand the packet back to INPUT
    iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
    # getstatus arriving from these source ports (privileged ports and other
    # game-server ports) is dropped outright
    iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
    iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
    iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
    iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
    iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
    iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
    # already blocked? Keep dropping and refresh the timestamp so the block lasts
    # at least another 30 seconds from this packet.
    iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
    # over the rate threshold (hashlimit allows a burst of 5 packets by default)?
    # then add it to the banlist.
    iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK
    # send all UDP traffic for the q3/cod*/et/etc server ports through QUERY-CHECK
    iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
    See the comments for what they're used for. I must admit I got it from someone else, but I forgot the source. Adding these rules to your rc.local file ensures they are set every time your server (re)boots.

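The two pieces of the rule set above that carry the security weight are the QUERY-CHECK chain (a "recent" banlist refreshed on every hit, fed by a per-source hashlimit) and the 1000:2000-byte length window on the game ports. The following is an added example, not code from the original post: an offline Python model of those rules replayed over a constructed packet trace, so the "recent"/"hashlimit" semantics and the oversize-packet bypass raised in the replies can be seen without root or a live server. The header sizes, string offset, rate, ports and 30-second window are taken from the rules as posted; the hashlimit burst of 5 is the iptables default (the rules do not set --hashlimit-burst); the source addresses and timings are constructed, and IP fragmentation is not modelled.

```python
"""Offline model of the posted QUERY-CHECK chain and the length-window rule.

Added example; not code from the original post. Constants come from the rules
as posted. BURST is the iptables default --hashlimit-burst. Packet traces are
constructed here. A datagram larger than the MTU is treated as one packet.
"""
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "t src sport dport payload")

IP_HDR, UDP_HDR = 20, 8            # "getstatus" at packet offset 32 = 20 + 8 + 4-byte 0xFF prefix
QUERY_PORTS = range(27960, 29001)  # --dport 27960:29000
BLOCKED_SPORTS = [(0, 1025), (3074, 3074), (7777, 7777), (25200, 25200), (25565, 25565), (27015, 27100)]
BLOCK_SECONDS = 30                 # -m recent --update --seconds 30
RATE = 2.0                         # --hashlimit-above 2/second
BURST = 5                          # iptables default --hashlimit-burst (assumed; not set in the post)
SPRINTF_PORTS = {28962, 28963, 28964}
SPRINTF_WINDOW = (1000, 2000)      # -m length --length 1000:2000


def ip_length(pkt):
    """-m length matches the IP total length: both headers plus the UDP payload."""
    return IP_HDR + UDP_HDR + len(pkt.payload)


class Firewall:
    def __init__(self):
        self.blocked = {}   # recent list "blocked-hosts": src -> time of last matching hit
        self.buckets = {}   # hashlimit state per srcip: (tokens, time of last packet)

    def over_rate(self, pkt):
        """Token bucket as hashlimit keeps it: --hashlimit-above matches when the bucket is empty."""
        tokens, last = self.buckets.get(pkt.src, (float(BURST), pkt.t))
        tokens = min(float(BURST), tokens + (pkt.t - last) * RATE)
        if tokens >= 1.0:
            self.buckets[pkt.src] = (tokens - 1.0, pkt.t)
            return False
        self.buckets[pkt.src] = (tokens, pkt.t)
        return True

    def query_check(self, pkt):
        if pkt.payload[4:13] != b"getstatus":        # ! --string "getstatus" --from 32 --to 41 -> RETURN
            return "RETURN"
        if any(lo <= pkt.sport <= hi for lo, hi in BLOCKED_SPORTS):
            return "DROP"
        # --update --seconds 30 --hitcount 1: a match refreshes the timestamp,
        # so a host that keeps sending stays blocked for as long as it sends.
        last = self.blocked.get(pkt.src)
        if last is not None and pkt.t - last <= BLOCK_SECONDS:
            self.blocked[pkt.src] = pkt.t
            return "DROP"
        if self.over_rate(pkt):                       # -> QUERY-BLOCK: --set blocked-hosts, DROP
            self.blocked[pkt.src] = pkt.t
            return "DROP"
        return "RETURN"

    def input_chain(self, pkt):
        if pkt.dport in SPRINTF_PORTS and SPRINTF_WINDOW[0] <= ip_length(pkt) <= SPRINTF_WINDOW[1]:
            return "REJECT"
        if pkt.dport in QUERY_PORTS:
            verdict = self.query_check(pkt)
            if verdict != "RETURN":
                return verdict
        return "ACCEPT"                               # INPUT policy assumed ACCEPT, as in the post


def getstatus(t, src, sport=50000, dport=28960):
    """Constructed query: 0xFFFFFFFF prefix + 'getstatus\\n' = 42 bytes on the wire,
    the size the posted --length 42 rule keys on."""
    return Packet(t, src, sport, dport, b"\xff\xff\xff\xffgetstatus\n")


def replay(fw, packets):
    return Counter(fw.input_chain(p) for p in packets)


def flood_scenario():
    """40 queries in one second from one constructed host: burst of 5 passes, the rest are dropped."""
    return replay(Firewall(), [getstatus(i * 0.025, "203.0.113.5") for i in range(40)])


def persistent_scenario():
    """Same burst, then one query every 10 s for two minutes: every refresh keeps the ban alive."""
    fw = Firewall()
    burst = [getstatus(i * 0.025, "203.0.113.5") for i in range(40)]
    trickle = [getstatus(10.0 * k, "203.0.113.5") for k in range(1, 13)]
    return replay(fw, burst + trickle)


def quiet_host_scenario():
    """After more than 30 s of silence the recent window has lapsed and the host is let back in."""
    fw = Firewall()
    replay(fw, [getstatus(i * 0.025, "203.0.113.5") for i in range(40)])
    return fw.input_chain(getstatus(32.0, "203.0.113.5"))


def sprintf_window_scenario():
    """A 1500-byte datagram to 28962 is rejected; a 2128-byte one sails past the length window."""
    fw = Firewall()
    inside = Packet(0.0, "203.0.113.9", 50000, 28962, b"\xff\xff\xff\xff" + b"A" * (1500 - IP_HDR - UDP_HDR - 4))
    oversize = Packet(0.0, "203.0.113.9", 50000, 28962, b"\xff\xff\xff\xff" + b"A" * 2096)
    return fw.input_chain(inside), fw.input_chain(oversize)
```

The persistent scenario is the point to take away about the recent-based ban: because the `--update` rule refreshes the timestamp on every matching packet, a source that keeps querying never ages out of the 30-second window, while a source that goes quiet is re-admitted and gets a fresh hashlimit burst. The last scenario shows why the length-window rule is not a fix for the sprintf bug: it filters one size band of an attacker-controlled value.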

  3. #2 IzNoGoD
    I can bypass your sprintf fix just by inputting a string longer than 2k characters...
    "Does not work" is an error report for a bug between keyboard and chair.

    All hail Artie Effem

  4. #3 CaptainSlow
    Quote Originally Posted by IzNoGoD:
    I can bypass your sprintf fix just by inputting a string longer than 2k characters...
    I think the sprintf iptables rule that is in there was a temporary fix before Luigi created his patch to properly fix it (see: http://aluigi.altervista.org/patches/codmsgfix.lpatch)

  5. #4 IzNoGoD
    Quote Originally Posted by CaptainSlow:
    I think the sprintf iptables rule that is in there was a temporary fix before Luigi created his patch to properly fix it (see: http://aluigi.altervista.org/patches/codmsgfix.lpatch)
    In such a case I'd advise you to remove it; it only causes more server load.


  7. #5 CaptainSlow
    Quote Originally Posted by IzNoGoD:
    In such a case I'd advise you to remove it; it only causes more server load.
    You're correct. I'm not using them anymore as we've switched over to Windows, but to anyone running Linux: just patch your file instead of using this rule.
