Post by Gabriel on Apr 22, 2015 14:15:57 GMT
What does it do?
What is iptables?
Iptables is a Linux packet-filtering firewall that lets you define rules for incoming and outgoing packets. There are various commands/rules you can use to block players and bots from connecting to your server.
Top 5 Commands:
1. Block fake clients/fake bots from connecting to your server:
Commands:
iptables -A INPUT -p udp --dport 28960 -m string --algo bm --string "connect" -m recent --set --name CONNECT
iptables -A INPUT -p udp --dport 28960 -m recent --update --seconds 1 --hitcount 2 --name CONNECT -j REJECT --reject-with icmp-port-unreachable
The first rule records the source address of every packet on the game port that contains the string "connect" (sent by every "new" player when joining a server) in a list named CONNECT. The second rule checks that list and, as soon as the same address has sent two or more such packets within one second, rejects its further packets for a short time and answers with an ICMP 'port unreachable' error instead of silently dropping them. This will cause q3fill to stop working. Both rules are limited to UDP port 28960 (change the port to match your setup) so that unrelated traffic that happens to contain the word "connect", such as SSH or web sessions, is not rate limited as well.
Note: The CoD 1.1 server addon "codextended" prevents bots from connecting to your server by default. Visit cod1.eu for more information.
The "block fake clients" command has been taken from cheese's "how to block bots via iptables" tutorial from wy6.org, which closed in January 2015. Cheese allowed us to post his tutorials on think-clan.com.
2. Fix the "q3msgboom" exploit:
Command:
iptables -A INPUT -p udp --dport 28960 -m length --length 600:0xFFFF -j DROP
This rule fixes the "q3msgboom" exploit by dropping every UDP packet to port 28960 (change the port to match your setup) that is 600 bytes or longer; note that the length match counts the whole IP packet, headers included. By default CoD doesn't send any packets bigger than ~300-400 bytes, so it is safe to block anything bigger than 600.
What is the "q3msgboom" exploit?
If a client sends any command bigger than 1022 chars, the server will crash. See the full description here: aluigi.altervista.org/adv/q3msgboom-adv.txt
3. Block an IP-Address from connecting to your server:
iptables -A INPUT -s 192.0.2.0 -j DROP
This will block the IP address "192.0.2.0". The blocked user will neither be able to connect to your server nor see it in the master list, and if he attempts to connect to it directly he will simply get a time-out, as if the server didn't exist.
4. Block an entire IP-Range:
Command:
iptables -A INPUT -m iprange --src-range 192.0.2.0-192.0.2.255 -j DROP
This will block any IP address within the range 192.0.2.0 to 192.0.2.255 (both ends included).
If a banned user or flooder changes his IP very often, it is good practice to ban his entire IP range. An IP range is the block of addresses assigned to an internet service provider.
To find out what range an IP address belongs to, open the RIPE Whois Database, enter the IP address and copy the "inetnum" range. If "RIPE" has no information about your IP, then try making a whois query at "ICANN" or "IANA".
5. Block an entire IP-Subnet:
Command:
iptables -A INPUT -s 192.0.0.0/16 -j DROP
Banning an IP subnet is similar to banning a range. Some providers (especially if you're on a VPS) may not allow banning IP ranges (for whatever reason).
You can then still ban IP ranges via subnets. The rule above will block 192.0.%.%, i.e. everything from 192.0.0.0 to 192.0.255.255. Write the subnet with the host bits cleared (192.0.0.0/16 rather than 192.0.2.0/16): iptables would mask the extra bits itself, but the explicit form shows exactly what is blocked when you later list your rules.
Things you should know:
1. Be cautious when applying a firewall rule. You can easily lock yourself out of your own server by simply mistyping a rule.
2. Iptables rules are not restored after a server restart, so you either have to apply them again or simply make a file containing all the commands/rules and execute it after every start. This way you can keep track of your rules and won't lose them. Don't forget to clear all your rules before executing the firewall file again, otherwise every run appends a second copy of each rule.
See this for more information: www.adminsehow.com/2009/08/how-to-clear-all-iptables-rules/
3. If you have banned a person but even IP-range bans don't work and he manages to change his IP address very often, then he is most likely using a VPN service.
The good news is that these people mostly use "free" VPNs, and these are typically well known and detectable. In this case it is best to use a blocklist like "Project Honeypot" or "spamhaus.org"; these blacklists are easy to integrate into iptables. See this post for more information: whatswhat.no/computer/linux/linux-server/549-linux-iptables-block-known-spammers-with-spamhaust-droplist
4. You can see a list of all applied iptables rules by typing the command iptables -L -n
5. If you are on a Windows machine, it is better to install a firewall like Comodo and apply IP/IP-range bans there.
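As an added example (not part of the original post or of the think-clan tutorial), here is the kind of firewall file that point 2 suggests: it flushes the INPUT chain first, whitelists the admin address before any ban so you cannot lock yourself out (point 1), and then emits the five rules from above. The game port, ADMIN_IP and the BANS entries are constructed placeholders that you replace with your own values.

```shell
#!/bin/sh
# cod-firewall.sh (added example, not from the original post)
#   sh cod-firewall.sh show   -> print the rule set for review
#   sh cod-firewall.sh apply  -> load it (run as root) and list the result
# Assumed values: game port 28960/udp; ADMIN_IP and BANS are placeholders.
GAME_PORT="${GAME_PORT:-28960}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
BANS="${BANS:-192.0.2.7 192.0.2.0-192.0.2.255 198.51.100.0/24}"

# Emit one DROP rule for a single IP, a CIDR subnet or a dash-separated range
# (commands 3, 4 and 5 of the post). A dash selects the iprange match.
ban_rule() {
  case "$1" in
    *-*) echo "iptables -A INPUT -m iprange --src-range $1 -j DROP" ;;
    *)   echo "iptables -A INPUT -s $1 -j DROP" ;;
  esac
}

# Print the complete rule set. Order matters: the flush comes first so the
# file can be re-run after every restart without duplicating rules, and the
# admin address is accepted before any DROP/REJECT can touch it.
cod_rules() {
  echo "iptables -F INPUT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -s $ADMIN_IP -j ACCEPT"
  for b in $BANS; do ban_rule "$b"; done
  # q3msgboom (command 2): drop packets of 600 bytes or more on the game port
  echo "iptables -A INPUT -p udp --dport $GAME_PORT -m length --length 600:0xFFFF -j DROP"
  # fake clients (command 1): note 'connect' packets per source, reject the
  # second one seen within a second with ICMP port unreachable
  echo "iptables -A INPUT -p udp --dport $GAME_PORT -m string --algo bm --string \"connect\" -m recent --set --name CONNECT"
  echo "iptables -A INPUT -p udp --dport $GAME_PORT -m recent --update --seconds 1 --hitcount 2 --name CONNECT -j REJECT --reject-with icmp-port-unreachable"
}

# Number of rules the file would load; a quick sanity check before 'apply'.
rule_count() { cod_rules | wc -l | tr -d ' '; }

case "${1:-}" in
  show)  cod_rules ;;
  apply) cod_rules | sh -e && iptables -L INPUT -n ;;
esac
```

Review the output of `show` before running `apply`; a typo in BANS or ADMIN_IP is caught there rather than on the live firewall.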
All credits to think clan site, think-clan.com