
Firewall for CS:GO server 1.0.0


About This File

Sets of iptables rules for securing your CS:GO server.

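#!/bin/bash
# Firewall for a CS:GO game server.
#
# Flushes the iptables filter table and installs a ruleset that:
#   - drops malformed, fragmented, INVALID and spoofed-source traffic,
#   - rate-limits Source-engine query packets on the UDP game ports,
#   - opens the configured TCP service ports,
#   - restricts the RCON (TCP) ports to a whitelist of source addresses,
#   - persists the result and installs an if-up.d hook that restores it at boot.
#
# Usage (as root):  bash firewall.sh
# Edit the CONFIGURATION section before running.
#
# Ordering matters in iptables: the first matching rule wins. Sanity DROPs and
# per-port rate limits are therefore inserted BEFORE the generic ACCEPT rules,
# and the default DROP policies are applied LAST so that an abort midway
# (set -e) cannot lock the administrator out of a half-configured host.
set -Eeuo pipefail
LANG=C; LC_ALL=C; export LANG LC_ALL

################################################
#################CONFIGURATION##################
# Path to iptables. iptables-save / iptables-restore are expected to live
# next to it (e.g. /sbin/iptables-save).
IPTABLES='/sbin/iptables'

# Where the live ruleset is saved and where the boot-time restore hook goes.
RULES_FILE='/etc/firewall.conf'
RESTORE_HOOK='/etc/network/if-up.d/iptables'

# Server Ports (UDP) - one port or low:high range per line
GS_PORTS="
    27015:27020
    1337
    9987
    42020
    28015
"

# Services ports (TCP) - one port or low:high range per line.
# NOTE: 27015:27020 overlaps RCON_PORTS; that range is only reachable from
# RCON_IPS because an explicit DROP for RCON_PORTS is added before the generic
# service ACCEPTs below.
SRV_PORTS="
    21
    22
    6322
    80
    3306
    12679
    10011
    30033
    10044:10045
    29799:29899
    27015:27020
    28015
    1337
    2044:2050
    17017:17022
    42020
"

# RCON ports (TCP). Reachable from RCON_IPS only; everyone else is dropped.
RCON_PORTS='27015:27019'

# RCON Whitelist - one IPv4 address or CIDR per line
RCON_IPS="
    127.0.0.1

"
################################################
#################CONFIGURATION##################

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a green informational line to stdout.
# Arguments: message words
#######################################
info() {
  printf '\033[92m%s\033[0m\n' "$*"
}

#######################################
# Run iptables with the configured binary. Replaces the original's
# `...` backtick statements, which executed the command and then tried to
# run its (normally empty) output as a second command.
# Arguments: iptables arguments
#######################################
ipt() {
  "$IPTABLES" "$@"
}

#######################################
# Abort unless $1 looks like N or N:M (digits only). Keeps a typo in the
# configuration from being handed to iptables as an option.
# Arguments: $1 - port spec
#######################################
check_port() {
  [[ "$1" =~ ^[0-9]{1,5}(:[0-9]{1,5})?$ ]] || die "bad port spec in configuration: $1"
}

#######################################
# Abort unless $1 looks like a dotted IPv4 address with optional /prefix.
# Arguments: $1 - address or CIDR
#######################################
check_ip() {
  [[ "$1" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]] || die "bad IP/CIDR in configuration: $1"
}

#######################################
# Build the complete filter ruleset.
# Globals (read): GS_PORTS SRV_PORTS RCON_PORTS RCON_IPS
# Outputs: progress lines on stdout
#######################################
build_rules() {
  local port ip net q

  # Start from an empty filter table. Policies are deliberately NOT touched
  # here; they are set at the end of this function.
  ipt -F
  ipt -X

  # Always allow loopback. A packet carrying a loopback *source address* on any
  # other interface is spoofed, so drop it instead of accepting 127.0.0.1
  # unconditionally.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

  # Sanity drops. These must precede every ACCEPT, otherwise a SYN+FIN or
  # XMAS packet to an allowed port is accepted before these rules are reached.
  ipt -A INPUT -f -j DROP                                     # fragments
  ipt -A INPUT -m state --state INVALID -j DROP
  ipt -A FORWARD -m state --state INVALID -j DROP
  ipt -A OUTPUT -m state --state INVALID -j DROP
  ipt -A INPUT -p tcp --tcp-flags ALL ALL -j DROP             # XMAS
  ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP            # NULL
  ipt -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
  ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  ipt -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  ipt -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  ipt -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
  ipt -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
  ipt -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

  # Spoofed / non-routable sources and bogus destinations.
  # NOTE: the RFC1918 drops (10/8, 172.16/12, 192.168/16) assume the server has
  # a public address; remove them if it sits behind NAT on a private LAN.
  # 192.168.0.0 is /16 (the original had /24, which left most of the range open).
  for net in 0.0.0.0/8 224.0.0.0/4 240.0.0.0/5 10.0.0.0/8 169.254.0.0/16 \
             172.16.0.0/12 192.168.0.0/16; do
    ipt -A INPUT -s "$net" -j DROP
  done
  for net in 0.0.0.0/8 239.255.255.0/24 255.255.255.255 224.0.0.0/4 240.0.0.0/5; do
    ipt -A INPUT -d "$net" -j DROP
  done

  # Keep established / related flows alive. One rule per chain is enough; the
  # original repeated the INPUT rule three times.
  # (`-m state` still works; `-m conntrack --ctstate` is the newer spelling.)
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Misc: bound the RST rate, then refuse new TCP connections that do not start
  # with a SYN.
  ipt -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
  ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

  # Drop query spam: UDP packets of exactly 829 bytes are diverted to CHECK1
  # and rate limited there (kept as in the original ruleset).
  ipt -N CHECK1
  ipt -A INPUT -p udp -m length --length 829 -j CHECK1
  ipt -A CHECK1 -p udp -m length --length 829:65535 -m limit --limit 128/second -j ACCEPT
  ipt -A CHECK1 -j DROP

  # Game ports (UDP). For each port the four Source query types
  # (0x54 A2S_INFO, 0x55 A2S_PLAYER, 0x56 A2S_RULES, 0x57 challenge) are
  # limited to 1/s and the excess dropped. These rules have to come BEFORE the
  # generic NEW accept for the port: in the original the generic accept was
  # first, so every query packet matched it and the limits were never reached.
  # The original's unconditional DROP of 0x56 and the write-only
  # `-m recent --name GameSynF` rule were unreachable/unused and are omitted.
  info "Allowing server ports (UDP)"
  # shellcheck disable=SC2086 -- GS_PORTS is a whitespace-separated list by design
  for port in $GS_PORTS; do
    check_port "$port"
    for q in 54 55 56 57; do
      ipt -A INPUT -p udp -m udp --dport "$port" -m string --algo bm --hex-string "|ffffffff${q}|" -m limit --limit 1/s --limit-burst 1 -j ACCEPT
      ipt -A INPUT -p udp -m udp --dport "$port" -m string --algo bm --hex-string "|ffffffff${q}|" -j DROP
    done
    ipt -A INPUT -m state --state NEW -m udp -p udp --dport "$port" -j ACCEPT
    printf 'Port: %s\n' "$port"
  done

  # RCON: whitelist first, then drop the RCON ports for every other source.
  # Without this DROP the generic service ACCEPTs below (SRV_PORTS includes
  # 27015:27020) would expose RCON to everyone and make the whitelist moot.
  info "Allowing RCON IPS"
  # shellcheck disable=SC2086 -- RCON_IPS is a whitespace-separated list by design
  for ip in $RCON_IPS; do
    check_ip "$ip"
    ipt -A INPUT -m state --state NEW -m tcp -p tcp -s "$ip" --dport "$RCON_PORTS" -j ACCEPT
    printf 'IP: %s\n' "$ip"
  done
  ipt -A INPUT -p tcp -m tcp --dport "$RCON_PORTS" -j DROP

  # Service ports (TCP).
  info "Allowing service ports (TCP)"
  # shellcheck disable=SC2086 -- SRV_PORTS is a whitespace-separated list by design
  for port in $SRV_PORTS; do
    check_port "$port"
    ipt -A INPUT -m state --state NEW -m tcp -p tcp --dport "$port" -j ACCEPT
    printf 'Port: %s\n' "$port"
  done

  # Default policies last: every ACCEPT is already in place, so this is the
  # point where the firewall actually closes.
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT
}

#######################################
# Save the live ruleset and install a boot-time restore hook.
# Globals (read): IPTABLES RULES_FILE RESTORE_HOOK
#######################################
persist_rules() {
  "${IPTABLES}-save" > "$RULES_FILE"
  # The hook is executed by /bin/sh at interface-up time, so keep it POSIX.
  cat > "$RESTORE_HOOK" <<EOF
#!/bin/sh
"${IPTABLES}-restore" < "${RULES_FILE}"
EOF
  chmod 755 "$RESTORE_HOOK"
}

#######################################
# Entry point: preconditions, rules, persistence.
#######################################
main() {
  (( EUID == 0 )) || die "this script must be run as root"
  [[ -x "$IPTABLES" ]] || die "iptables not found at $IPTABLES"
  if [[ -t 1 ]]; then
    clear || true
  fi
  # Report the failing command instead of dying silently under set -e.
  trap 'die "command failed: $BASH_COMMAND"' ERR

  build_rules
  persist_rules
  info "Firewall Installed & Active!"
}

main "$@"
exit 0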

Save this to a *.sh file, chmod +x it, then run sh *.sh

Or download the file, make it executable and install.

Enjoy!

This will also rate-limit per-IP traffic, both sustained and under distributed packet load.


