•  
     

iptables para HLDS - CentOS 6.5 e 7.2

Essa config bloqueia entrada e saída, libera apenas a porta UDP 27015 com um pedido por segundo, você pode aumentar isso em hashlimit-upto

Código: Selecionar todos

#!/bin/sh
#### Your default SSH Port (Can also be used for FTP)
## SSH_IPS="000.000.0.0/16,000.000.000.0/24,000.000.000.0/32"
SSH_PORT="22"
#### Your GameServer Ports (This will take care of RCON Blocks and Invalid Packets.
GAMESERVERPORT="27015"
# DNS - mude para o DNS do seu HOST
DNS="200.98.20.0/24,200.221.11.0/24,200.98.119.253" 
VALVE_IPS="80.239.194.0/24,207.35.48.0/24,72.165.61.0/24,208.64.201.0/24,162.254.0.0/16,208.78.164.0/24,205.185.194.0/24,155.133.250.0/24,208.64.200.0/24,4.28.130.0/24,208.64.200.0/24,155.133.249.0/24,205.185.194.0/24,62.115.0.0/16,50.242.151.0/24,205.196.6.0/24,208.64.203.0/24,146.66.154.0/24"
## Cleanup Rules First!
##--------------------
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
##--------------------
## Policies
##--------------------
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
##--------------------
## Create Filters
##---------------------
iptables -N LOG_DROP_INPUT
iptables -N LOG_DROP_OUTPUT
iptables -N LOG_DROP_FORWARD
##---------------------
#### Allow Self
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#### Block Fragmented Packets
#### Keep in mind that if your Linux Server acts as a router that this can affect a few things badly, I'd suggest removing/commenting this out if this is the case.
iptables -A INPUT -f -j DROP
#### Block ICMP/Pinging
iptables -A INPUT -p icmp -j DROP
#### Accept Established Connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Explicitly drop invalid incoming traffic
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
#### Block Malformed/Null TCP Packets while forcing new connections to be SYN Packets
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#### HLDS
#iptables -A INPUT -p udp --dport 27015 -m multiport --sports 1024:1899,1901:2061,2063:3088,3090:5352,5354:7129,7131:9986,9988:27014,27016:27689,27691:65535 -m state --state NEW -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstport --hashlimit-name UDPDOSPROTECT --hashlimit-htable-expire 60000 --hashlimit-htable-max 999999999 -m length --length 28:150 -m ttl --ttl-lt 200 -j ACCEPT
iptables -A INPUT -p udp --dport 27015 -m multiport --sports 1024:1899,1901:2061,2063:3088,3090:5352,5354:7129,7131:27014,27016:65535 -m state --state NEW -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstport --hashlimit-name UDPDOSPROTECT --hashlimit-htable-expire 60000 --hashlimit-htable-max 999999999 -m length --length 28:150 -m ttl --ttl-lt 200 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --sport 53:65535 --dport 53 -d $DNS -j ACCEPT
iptables -A OUTPUT -p udp -m udp --sport 53:65535 --dport 67 -d $DNS -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53:65535 --dport 68 -s $DNS -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 27017:27021 -d $VALVE_IPS -m length --length 28:150 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 27017:27021 --dport 26900 -d $VALVE_IPS -m length --length 28:150 -j ACCEPT
#### SSH com seus IPs
# iptables -A INPUT -s $SSH_IPS -p tcp --dport $SSH_PORT -m state --state NEW,ESTABLISHED -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 20 --hashlimit-mode srcip,dstport --hashlimit-name SSHPROTECT --hashlimit-htable-expire 60000 --hashlimit-htable-max 999999999 -j ACCEPT 
# iptables -A OUTPUT -s $SSH_IPS -p tcp --sport $SSH_PORT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW,ESTABLISHED -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 20 --hashlimit-mode srcip,dstport --hashlimit-name SSHPROTECT --hashlimit-htable-expire 60000 --hashlimit-htable-max 999999999 -j ACCEPT 
iptables -A OUTPUT -p tcp --sport $SSH_PORT -m state --state ESTABLISHED -j ACCEPT
# DROP LOGS
iptables -A INPUT -j LOG_DROP_INPUT
iptables -A LOG_DROP_INPUT -m limit --limit 10/min -j LOG --log-prefix "iptables DROP INPUT: " --log-level 7
iptables -A LOG_DROP_INPUT -j DROP
iptables -A OUTPUT -j LOG_DROP_OUTPUT
iptables -A LOG_DROP_OUTPUT -m limit --limit 10/min -j LOG --log-prefix "iptables DROP OUT: " --log-level 7
iptables -A LOG_DROP_OUTPUT -j DROP
iptables -A OUTPUT -j LOG_DROP_FORWARD
iptables -A LOG_DROP_FORWARD -m limit --limit 10/min -j LOG --log-prefix "iptables DROP FORWARD: " --log-level 7
iptables -A LOG_DROP_FORWARD -j DROP
############ EXTRA STUFF TO HELP HIGH TRAFFIC (DDOS) ##################
############### Make sure this Script is executed at Startup! #########
#######################################################################
echo "20000" > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "1" > /proc/sys/net/ipv4/tcp_synack_retries
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "5" > /proc/sys/net/ipv4/tcp_keepalive_probes
echo "15" > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo "20000" > /proc/sys/net/core/netdev_max_backlog
echo "20000" > /proc/sys/net/core/somaxconn
echo "99999999" > /proc/sys/net/nf_conntrack_max


Execute o iptables.sh: ./iptables.sh
Depois salve: service iptables save

Instale o rsyslog
Edite o arquivo rsyslog.conf em /etc

Adicione:

Código: Selecionar todos

:msg,startswith,"iptables" -/var/log/iptables.log
& ~


Se não funcionar adicione:

Código: Selecionar todos

:msg,contains,"iptables" -/var/log/iptables.log
& ~


Exemplo do rsyslog.conf para CentOS 6.5:

Código: Selecionar todos


# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
# $IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
### Regras Anderson ###
# $klogParseKernelTimestamp on
# $klogKeepKernelTimestamp off
#:msg, startswith, "iptables: "  /var/log/iptables.log
#& ~
# :msg, regex, "^\[ *[0-9]*\.[0-9]*\] iptables: " -/var/log/iptables.log
# & ~
# kern.debug                        /var/log/firewall.log
:msg,startswith,"iptables" -/var/log/iptables.log
& ~
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# *.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
# authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
# mail.*                                                  -/var/log/maillog
# Log cron stuff
# cron.*                                                  /var/log/cron
# Everybody gets emergency messages
# *.emerg                                                 *
# Save news errors of level crit and higher in a special file.
# uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
# local7.*                                                /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###


Veja os logs na pasta /var/log/iptables.log