You can also add some standard things to block:

# Drop packets with private (RFC1918), link-local, loopback, multicast and
# reserved addresses (i.e., spoofed/bogon sources). The 127.0.0.0/8 rule
# assumes an earlier rule already accepts traffic on the lo interface.
$IPT -A INPUT -s 10.0.0.0/8        -j DROP
$IPT -A INPUT -s 169.254.0.0/16    -j DROP
$IPT -A INPUT -s 172.16.0.0/12     -j DROP
$IPT -A INPUT -s 127.0.0.0/8       -j DROP
$IPT -A INPUT -s 224.0.0.0/4       -j DROP
$IPT -A INPUT -d 224.0.0.0/4       -j DROP
$IPT -A INPUT -s 240.0.0.0/5       -j DROP
$IPT -A INPUT -d 240.0.0.0/5       -j DROP
$IPT -A INPUT -s 0.0.0.0/8         -j DROP
$IPT -A INPUT -d 0.0.0.0/8         -j DROP
$IPT -A INPUT -d 239.255.255.0/24  -j DROP
$IPT -A INPUT -d 255.255.255.255   -j DROP

# Drop packets the connection tracker classifies as INVALID immediately
$IPT -A INPUT   -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A OUTPUT  -m state --state INVALID -j DROP

# Drop bogus TCP packets (flag combinations no legitimate stack sends)
$IPT -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

Philipp Reddigau wrote 2010-06-03 20:12:
> So,
> Maybe someone has more here the actual list:
>
> Specific length:
> iptables -A INPUT -p udp -m udp --dport 27015:29000 -m length --length 0 -j DROP
> iptables -A INPUT -p udp -m udp --dport 27015:29000 -m length --length 28 -j DROP
> iptables -A INPUT -p udp -m udp --dport 27015:29000 -m length --length 39 -j DROP
> iptables -A INPUT -p udp -m udp --dport 27015:29000 -m length --length 48 -j DROP
> iptables -A INPUT -p udp -m udp --dport 27015:29000 -m length --length 105 -j DROP
>
> Prevent Rcon Flood:
> iptables -A INPUT -p tcp -m tcp --dport 27015:29000 -m hashlimit --hashlimit-upto 2/sec --hashlimit-burst 1 --hashlimit-mode srcip,dstip,dstport --hashlimit-name TF_PACKET_LIMIT -j ACCEPT
>
> Generic UDP Flood:
> # the whitelist chain has to exist before rules can be appended to it
> iptables -N whitelist
> iptables -A whitelist -s 72.165.61.128/26 -j ACCEPT
> iptables -A whitelist -s 72.165.61.153/26 -j ACCEPT
> iptables -A whitelist -s 216.207.205.99/26 -j ACCEPT
> iptables -A whitelist -s 216.207.205.98/26 -j ACCEPT
> iptables -N UDPFILTER
> iptables -A INPUT -p udp -j UDPFILTER
> iptables -A UDPFILTER -j whitelist
> iptables -A UDPFILTER -m state --state ESTABLISHED -j ACCEPT
> iptables -A UDPFILTER -m state --state NEW -m hashlimit --hashlimit-mode dstip,dstport --hashlimit-name udplimit --hashlimit 300/second -j ACCEPT
> iptables -A UDPFILTER -j DROP
>
> Reject dead Masterserver: (Server is starting faster)
> iptables -A OUTPUT -d 68.142.88.34/32 -p tcp -m tcp --dport 27038 -j REJECT --reject-with icmp-port-unreachable
>
>
> Something more?
>
>
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives, please 
> visit:
> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
>    


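As an added check, not code from the thread or from Valve, here is a small Python linter that walks a rule script in load order and flags the two defects visible in the quoted rules: a chain appended to or jumped to before `iptables -N` creates it (the whitelist chain), and a stray token left behind when a mail client wraps a port range. The option arity table, the built-in chain and target lists, and the numeric-only port pattern are assumptions kept to what these rules use.

```python
import re
import shlex

BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}
ARITY = {"--tcp-flags": 2}  # options taking two values; all others assumed to take one
PORT_RE = re.compile(r"^(\d+(:\d*)?|:\d+)$")  # numeric port or port[:port] range

def lint_rules(script: str) -> list[str]:
    """Walk an iptables script in load order and report rules that would fail."""
    chains, problems = set(BUILTIN_CHAINS), []
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        argv = shlex.split(line) if line and not line.startswith("#") else []
        if not argv or not (argv[0].endswith("iptables") or argv[0] == "$IPT"):
            continue
        args, i = argv[1:], 0
        while i < len(args):
            tok = args[i]
            if tok == "!":  # match negation, takes no value
                i += 1
                continue
            if not tok.startswith("-"):  # a value nothing consumed: wrapped line or typo
                problems.append(f"line {no}: stray argument {tok!r}")
                i += 1
                continue
            vals = args[i + 1 : i + 1 + ARITY.get(tok, 1)]
            if tok == "-N" and vals:
                chains.add(vals[0])  # user chain now exists for later rules
            elif tok in ("-A", "-I", "-D", "-j", "-g") and vals:
                known = chains | (BUILTIN_TARGETS if tok in ("-j", "-g") else set())
                if vals[0] not in known:
                    problems.append(f"line {no}: chain/target {vals[0]!r} not created before use")
            elif tok in ("--dport", "--sport") and vals and not PORT_RE.match(vals[0]):
                problems.append(f"line {no}: bad port spec {vals[0]!r}")
            i += 1 + len(vals)
    return problems

# Constructed sample: the UDP-filter rules from the thread with the whitelist chain never
# created, plus one --dport range that a mail client wrapped into "27015: 29000".
SAMPLE = """\
iptables -A whitelist -s 72.165.61.128/26 -j ACCEPT
iptables -N UDPFILTER
iptables -A INPUT -p udp -j UDPFILTER
iptables -A UDPFILTER -j whitelist
iptables -A UDPFILTER -m state --state ESTABLISHED -j ACCEPT
iptables -A UDPFILTER -j DROP
iptables -A INPUT -p udp -m udp --dport 27015: 29000 -m length --length 39 -j DROP
"""
```

Run `lint_rules(SAMPLE)` before loading a pasted ruleset; note that `27015:` on its own is a valid range (27015 to 65535), so only the stray `29000` gives the wrapping away.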