
CS:GO Plugins | Addons | Mods


  1. Firewall for CS:GO server

    Sets of iptables rules for securing your CS:GO server.
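    #!/usr/bin/env bash
    #
    # Firewall for a CS:GO (Source engine) game server.
    #
    # Flushes the current IPv4 ruleset and installs a DROP-by-default INPUT policy
    # that admits only the configured game (UDP) and service (TCP) ports,
    # rate-limits Source query packets, restricts RCON to a whitelist, drops
    # malformed and spoofed packets, and persists the result so it is restored
    # when an interface comes up.
    #
    # Usage: save this as a *.sh file, chmod +x it and run it as root with bash
    #        (it uses bash features, so do not invoke it with plain `sh`).
    #
    # NOTE: only iptables (IPv4) is configured; ip6tables is left untouched.
    set -Eeuo pipefail
    LANG=C; LC_ALL=C; export LANG LC_ALL

    if (( EUID != 0 )); then
      printf 'This script must be run as root.\n' >&2
      exit 1
    fi

    ################################################
    #################CONFIGURATION##################
    # Path to iptables (iptables-save is expected next to it)
    IPTABLES='/sbin/iptables'
    IPTABLES_SAVE="${IPTABLES}-save"
    # Game server ports (UDP)
    GS_PORTS=(27015:27020 1337 9987 42020 28015)
    # Service ports (TCP). Do NOT list the RCON ports here: that would open them
    # to every source and make the RCON whitelist below meaningless.
    SRV_PORTS=(21 22 6322 80 3306 12679 10011 30033 10044:10045 29799:29899 28015 1337 2044:2050 17017:17022 42020)
    # RCON: TCP port range and the only source addresses allowed to reach it
    RCON_PORTS='27015:27020'
    RCON_IPS=(127.0.0.1)
    # Rate limit applied to each Source query type. -m limit is one global
    # bucket, not per source: a single flood exhausts it for every client.
    # -m hashlimit --hashlimit-mode srcip is the per-source alternative.
    QUERY_LIMIT='1/s'
    QUERY_BURST=1
    # Source / destination ranges that must never arrive from the network
    # (RFC 1918 and reserved space). Remove a range if this host legitimately
    # receives traffic from it (e.g. a LAN or cloud-private network).
    SPOOF_SRC=(0.0.0.0/8 224.0.0.0/4 240.0.0.0/5 10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16)
    SPOOF_DST=(0.0.0.0/8 239.255.255.0/24 255.255.255.255 224.0.0.0/4 240.0.0.0/5)
    # Where the rules are persisted and the ifupdown hook that restores them
    FW_SAVE='/etc/firewall.conf'
    FW_HOOK='/etc/network/if-up.d/iptables'
    ################################################
    #################CONFIGURATION##################

    # Run one iptables command; a failure aborts the script (set -e).
    ipt() { "$IPTABLES" "$@"; }
    # Green status line on stdout.
    note() { printf '\e[92m%s\e[0m\n' "$*"; }

    # Once the policy is DROP, a half-built ruleset blocks all NEW connections.
    # Existing sessions (including the SSH session running this) stay allowed
    # because the ESTABLISHED rule is installed first.
    trap 'printf "firewall script failed at line %s: INPUT policy may be DROP with an incomplete ruleset\n" "$LINENO" >&2' ERR

    # Clean IPTables (user chains are deleted by -X, so recreate ours afterwards)
    ipt -F
    ipt -X
    ipt -N CHECK1

    # Keep active connections alive BEFORE switching the policy to DROP.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Default policies
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Always allow loopback. A loopback source on any other interface is
    # spoofed, so it is dropped rather than accepted on -s alone.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

    # Sanity drops. These must sit ahead of the per-port ACCEPTs below;
    # appended after them they would never see the accepted traffic.
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A FORWARD -m state --state INVALID -j DROP
    ipt -A OUTPUT -m state --state INVALID -j DROP
    # Fragmented packets
    ipt -A INPUT -f -j DROP
    # Malformed TCP flag combinations, as mask/comparison pairs
    for pair in ALL/ALL ALL/NONE ALL/ACK,RST,SYN,FIN SYN,FIN/SYN,FIN SYN,RST/SYN,RST \
                FIN,RST/FIN,RST ACK,FIN/FIN ACK,PSH/PSH ACK,URG/URG; do
      ipt -A INPUT -p tcp --tcp-flags "${pair%/*}" "${pair#*/}" -j DROP
    done
    # Spoofed source / destination addresses
    for net in "${SPOOF_SRC[@]}"; do
      ipt -A INPUT -s "$net" -j DROP
    done
    for net in "${SPOOF_DST[@]}"; do
      ipt -A INPUT -d "$net" -j DROP
    done
    # Rate-limit RSTs and refuse NEW TCP connections that do not start with SYN
    ipt -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
    ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Drop query spam: UDP packets of exactly 829 bytes (as in the original
    # ruleset) are limited to 128/second across all sources, the rest dropped.
    ipt -A CHECK1 -p udp -m length --length 829:65535 -m limit --limit 128/second -j ACCEPT
    ipt -A CHECK1 -j DROP
    ipt -A INPUT -p udp -m length --length 829 -j CHECK1

    # Allow gameservers
    note "Allowing server ports (UDP)"
    for port in "${GS_PORTS[@]}"; do
      # Source queries start with ff ff ff ff followed by the type byte:
      # 54 A2S_INFO, 55 A2S_PLAYER, 56 A2S_RULES, 57 A2S_SERVERQUERY_GETCHALLENGE.
      # Each type is limited and the overflow dropped. These go BEFORE the
      # generic NEW accept or they never match. Replies create conntrack state,
      # so follow-up queries from the same source match ESTABLISHED above and
      # bypass this limit; it only throttles fresh flows.
      for qtype in 54 55 56 57; do
        ipt -A INPUT -p udp -m udp --dport "$port" -m string --algo bm --hex-string "|ffffffff${qtype}|" \
            -m limit --limit "$QUERY_LIMIT" --limit-burst "$QUERY_BURST" -j ACCEPT
        ipt -A INPUT -p udp -m udp --dport "$port" -m string --algo bm --hex-string "|ffffffff${qtype}|" -j DROP
      done
      ipt -A INPUT -p udp -m udp --dport "$port" -m state --state NEW -j ACCEPT
      printf 'Port: %s\n' "$port"
    done

    # Allow service ports
    note "Allowing service ports (TCP)"
    for port in "${SRV_PORTS[@]}"; do
      ipt -A INPUT -p tcp -m tcp --dport "$port" -m state --state NEW -j ACCEPT
      printf 'Port: %s\n' "$port"
    done

    # Allow RCON only from whitelisted IPs; every other source falls through
    # to the DROP policy.
    note "Allowing RCON IPS"
    for ip in "${RCON_IPS[@]}"; do
      ipt -A INPUT -p tcp -m tcp -s "$ip" --dport "$RCON_PORTS" -m state --state NEW -j ACCEPT
      printf 'IP: %s\n' "$ip"
    done

    # Save for reboot: dump the ruleset and install a Debian/Ubuntu ifupdown
    # hook that restores it whenever an interface comes up.
    umask 022
    "$IPTABLES_SAVE" > "$FW_SAVE"
    printf '#!/bin/sh\niptables-restore < %s\n' "$FW_SAVE" > "$FW_HOOK"
    chmod +x "$FW_HOOK"

    note "Firewall Installed & Active!"
    # End script
    exit 0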
    Or download the file, make it executable and install.
    Enjoy!
    It also applies IP rate limiting, both to sustained traffic and under distributed packet load.

