Another update, because I love iptables so much: you might want to do --hashlimit-burst 3 instead of 1, so that 'bursts' of three packets can occur. This allows the rcon login packet + a command packet to get through before triggering the filter, so your first rcon command isn't lagged a second because it has to resend.
- Neph

On Mon, Apr 28, 2008 at 11:52 PM, Nephyrin Zey <[EMAIL PROTECTED]> wrote:
> While the iptables thing I posted (1 rcon/second) works fine, if you
> instead want to do a whitelist like this in Linux as well:
>
> iptables -A INPUT -p tcp --dport 27015 --source 123.123.12.3 -j ACCEPT
> iptables -A INPUT -p tcp --dport 27015 --source 115.53.3.22 -j ACCEPT
> [... repeat for as many IPs as you want to allow]
>
> iptables -A INPUT -p tcp --dport 27015 -j DROP
>
> you can also do
>
> iptables -A INPUT -p tcp --dport 27015 --source 123.123.12.3 -j ACCEPT
> iptables -A INPUT -p tcp --dport 27015 --source 115.53.3.22 -j ACCEPT
> [... repeat for as many IPs as you want to allow]
>
> iptables -A INPUT -p tcp --dport 27015 -m hashlimit --hashlimit-mode srcip,dstip,dstport --hashlimit 1/sec --hashlimit-burst 1 --hashlimit-name TF_PACKET_LIMIT -j ACCEPT
> iptables -A INPUT -p tcp --dport 27015 -j DROP
>
> Do combine both - a whitelist, then a 1 rcon/second limit for
> non-whitelisted people.
>
> - Neph
>
>
> On Mon, Apr 28, 2008 at 11:45 PM, Tony Paloma <[EMAIL PROTECTED]> wrote:
> > So, I was able to make the IPSec thing work to allow certain IPs also. You
> > just set up a separate pass rule for the IPs you want to let in. Works fine.
> > I used it to block all RCON except for those sent from HLStatsX and myself.
> >
> > This line blocks all access to TCP port 27015:
> > ipseccmd.exe -w REG -p "Block TCP 27015 Filter" -r "Block Inbound TCP 27015 Rule" -f *=0:27015:TCP -n BLOCK -x
> >
> > Then use this line to allow those you trust at the rcon port (shown with
> > 216.40.218.146):
> > ipseccmd.exe -w REG -p "Block TCP 27015 Filter" -r "Allow TCP 27015 From 216.40.218.146" -f 216.40.218.146=0:27015:TCP -n PASS -x
> >
> > I hope this helps someone. I've seen no adverse side effects to blocking TCP
> > 27015 except for blocking RCON. It seems that all game data goes to UDP
> > 27015.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Paloma
> > Sent: Monday, April 28, 2008 10:43 PM
> > To: 'Half-Life dedicated Win32 server mailing list'
> > Subject: Re: [hlds] Nuke Exploit Info and Prevention
> >
> > You can block TCP/IP port 27015 on Windows Server using IPSec policies.
> >
> > IPSeccmd.exe -W REG -p "Block TCP 27015 Filter" -r "Block Inbound 27015 Rule" -f *=0:27015:TCP -n BLOCK -x
> >
> > This will of course prevent RCON connections. Allowing certain IP addresses
> > is probably possible but I'm unsure of how to do it.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nephyrin Zey
> > Sent: Monday, April 28, 2008 10:26 PM
> > To: Half-Life dedicated Win32 server mailing list; Half-Life dedicated Linux server mailing list
> > Subject: [hlds] Nuke Exploit Info and Prevention
> >
> > The nuke exploit works as follows:
> >
> > Connect to a server via TCP (rcon, does anything else use TCP? I have
> > no idea.) on its port.
> > Send a million garbage packets
> > ???
> > Profit
> >
> > The server goes insane handling them.
> > Solution:
> > Limit incoming TCP packets to ~1/second from any given IP on that port, *OR*
> > Block TCP access to the server's port except from trusted people.
> >
> > Linux iptables rules:
> > iptables -A INPUT -p tcp --dport 27015 -m hashlimit --hashlimit-mode srcip,dstip,dstport --hashlimit 1/sec --hashlimit-burst 1 --hashlimit-name TF_PACKET_LIMIT -j ACCEPT
> > iptables -A INPUT -p tcp --dport 27015 -j DROP
> >
> > /etc/init.d/iptables save
> > /etc/init.d/iptables start
> >
> > (Note: you probably shouldn't enable iptables blindly if you don't
> > know what you're doing)
> >
> > Windows:
> > Block TCP to 27015 except for trusted people. Or something. Someone
> > who admins Windows servers will need to guide you!
> >
> > - Neph
> > (sv_benchmark_force_start fix coming in a few minutes)
> >
> > _______________________________________________
> > To unsubscribe, edit your list preferences, or view the list archives,
> > please visit:
> > http://list.valvesoftware.com/mailman/listinfo/hlds
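As an added illustration (not code from anyone in this thread), the following Python model approximates how the combined rule set discussed above, whitelist ACCEPT, then hashlimit ACCEPT, then DROP, treats TCP packets arriving at the rcon port, and shows why a burst of 3 lets the login packet and the first command through while a burst of 1 drops the second packet. The whitelist addresses are the ones from the quoted rules; the client addresses and packet timings are constructed.

```python
# Added example, not from the thread: approximate netfilter's hashlimit as a
# per-source token bucket. The bucket starts full at `burst` tokens, refills at
# `rate` tokens/second up to `burst`, and a packet matches (-j ACCEPT) only when
# a whole token is available; anything else falls through to the final DROP.
# Keying on srcip alone matches the quoted srcip,dstip,dstport mode when one
# server address and one port are being protected.

# Whitelisted sources, taken from the thread's example rules.
WHITELIST = {"123.123.12.3", "115.53.3.22"}


class HashLimit:
    """Per-source token bucket standing in for -m hashlimit."""

    def __init__(self, rate=1.0, burst=1):
        self.rate = rate    # --hashlimit 1/sec
        self.burst = burst  # --hashlimit-burst
        self.state = {}     # src ip -> (tokens, time of last packet)

    def allow(self, src, now):
        tokens, last = self.state.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.state[src] = (tokens - 1.0, now)
            return True
        self.state[src] = (tokens, now)
        return False


def filter_packets(packets, burst, whitelist=WHITELIST, rate=1.0):
    """Verdict per (timestamp, src) tuple: whitelist -> hashlimit -> DROP."""
    limiter = HashLimit(rate, burst)
    verdicts = []
    for t, src in packets:
        # Whitelisted sources are accepted first and never consume tokens.
        if src in whitelist or limiter.allow(src, t):
            verdicts.append("ACCEPT")
        else:
            verdicts.append("DROP")
    return verdicts


# Constructed traffic (documentation-range addresses, not from the thread): an
# admin's rcon login followed 50 ms later by the first command, and a host
# sending 20 garbage packets within one second.
RCON_SESSION = [(0.00, "198.51.100.7"), (0.05, "198.51.100.7")]
FLOOD = [(i / 20, "203.0.113.9") for i in range(20)]

if __name__ == "__main__":
    print("rcon, burst 1:", filter_packets(RCON_SESSION, burst=1))  # ['ACCEPT', 'DROP']
    print("rcon, burst 3:", filter_packets(RCON_SESSION, burst=3))  # ['ACCEPT', 'ACCEPT']
    print("flood, burst 3:", filter_packets(FLOOD, burst=3).count("ACCEPT"), "of", len(FLOOD), "accepted")
```

With burst 1 the second rcon packet is dropped and the client has to retransmit, which is the one-second lag the update above describes; the flood host gets only its burst through regardless of how many packets it sends in that second.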

