So, I was able to make the IPSec thing work to allow certain IPs also. You just set up a separate pass rule for the IPs you want to let in. Works fine. I used it to block all RCON except for those sent from HLStatsX and myself.
This line blocks all access to TCP port 27015:

    ipseccmd.exe -w REG -p "Block TCP 27015 Filter" -r "Block Inbound TCP 27015 Rule" -f *=0:27015:TCP -n BLOCK -x

Then use this line to allow those you trust at the RCON port (shown with 216.40.218.146):

    ipseccmd.exe -w REG -p "Block TCP 27015 Filter" -r "Allow TCP 27015 From 216.40.218.146" -f 216.40.218.146=0:27015:TCP -n PASS -x

I hope this helps someone. I've seen no adverse side effects to blocking TCP 27015 except for blocking RCON. It seems that all game data goes to UDP 27015.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Paloma
Sent: Monday, April 28, 2008 10:43 PM
To: 'Half-Life dedicated Win32 server mailing list'
Subject: Re: [hlds] Nuke Exploit Info and Prevention

You can block TCP/IP port 27015 on Windows Server using IPSec policies.

    IPSeccmd.exe -W REG -p "Block TCP 27015 Filter" -r "Block Inbound 27015 Rule" -f *=0:27015:TCP -n BLOCK -x

This will of course prevent RCON connections. Allowing certain IP addresses is probably possible but I'm unsure of how to do it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nephyrin Zey
Sent: Monday, April 28, 2008 10:26 PM
To: Half-Life dedicated Win32 server mailing list; Half-Life dedicated Linux server mailing list
Subject: [hlds] Nuke Exploit Info and Prevention

The nuke exploit works as follows:

Connect to a server via TCP (rcon, does anything else use TCP? I have no idea.) on its port.
Send a million garbage packets
???
Profit

The server goes insane handling them.

Solution: Limit incoming TCP packets to ~1/second from any given IP on that port, *OR* block TCP access to the server's port except from trusted people.
Linux iptables rules:

    iptables -A INPUT -p tcp --dport 27015 -m hashlimit --hashlimit-mode srcip,dstip,dstport --hashlimit 1/sec --hashlimit-burst 1 --hashlimit-name TF_PACKET_LIMIT -j ACCEPT
    iptables -A INPUT -p tcp --dport 27015 -j DROP
    /etc/init.d/iptables save
    /etc/init.d/iptables start

(Note: you probably shouldn't enable iptables blindly if you don't know what you're doing)

Windows: Block TCP to 27015 except for trusted people. Or something. Someone who admins Windows servers will need to guide you!

- Neph (sv_benchmark_force_start fix coming in a few minutes)

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds
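The two mitigations discussed in this thread (Neph's hashlimit rule on Linux, and the "block TCP 27015 except for trusted IPs" approach worked out for Windows) combined into one reviewable iptables rule set. This is an added example, not code from the thread or from Valve; the port, the trusted host list and the hashlimit name are placeholders, and the limiter keys on srcip only because the server listens on a single port. Trusted hosts are accepted before the limiter so that RCON from the admin box and HLStatsX is never throttled; hashlimit counts every TCP packet (SYN, ACK, data), so an untrusted RCON session behind a 1 packet/second limit is effectively unusable, which is the point against a flood. UDP 27015, where the game traffic goes, is deliberately not matched.

```shell
#!/bin/sh
# Added example (not from the thread): one rule set that combines Neph's hashlimit
# rule with the "trusted IPs only" approach from the Windows replies.
# GAME_PORT, TRUSTED_RCON and the hashlimit name are assumed/constructed values.
set -eu

GAME_PORT="${GAME_PORT:-27015}"
# Constructed list of hosts allowed unlimited TCP (RCON) access: your admin box,
# the HLStatsX host, etc. Space separated.
TRUSTED_RCON="${TRUSTED_RCON:-216.40.218.146 203.0.113.10}"

# Print the iptables commands in the order they must be appended. Printing
# instead of executing lets you review the set before applying it.
hlds_tcp_rules() {
    # 1. Trusted hosts match first, so the limiter below never touches them.
    for ip in $TRUSTED_RCON; do
        echo "iptables -A INPUT -p tcp --dport $GAME_PORT -s $ip -j ACCEPT"
    done
    # 2. Everyone else: one TCP packet per second per source IP. hashlimit counts
    #    every TCP packet (SYN, ACK, data), so an untrusted RCON session is
    #    effectively unusable, which is the intent against a packet flood.
    echo "iptables -A INPUT -p tcp --dport $GAME_PORT -m hashlimit --hashlimit-mode srcip --hashlimit 1/sec --hashlimit-burst 1 --hashlimit-name hlds_rcon -j ACCEPT"
    # 3. Over the limit: drop. UDP $GAME_PORT (game traffic) is not matched by any rule.
    echo "iptables -A INPUT -p tcp --dport $GAME_PORT -j DROP"
}

# Number of rules in the set (trusted hosts + limiter + drop). Compare against
# "iptables -L INPUT -n --line-numbers" after applying to confirm they all landed.
hlds_rule_count() {
    hlds_tcp_rules | wc -l | tr -d ' '
}

case "${1:-show}" in
    show)  hlds_tcp_rules ;;            # dry run: only print the rules
    apply) hlds_tcp_rules | sh -e ;;    # execute them (needs root)
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with no arguments to see the rules, and with `apply` as root to load them. Persisting the rules across reboots is distribution-specific; on RHEL-style systems it is the `/etc/init.d/iptables save` step from Neph's message. Because the rules are appended with `-A`, make sure no earlier rule in INPUT already accepts TCP 27015 (for example a blanket ESTABLISHED,RELATED accept), or the limiter will only ever see the first packet of each connection.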

