question about a firewall script and weather it will work

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Author Message
VG
DD-WRT Novice


Joined: 15 Apr 2012
Posts: 6

PostPosted: Sun Apr 15, 2012 4:55    Post subject: question about a firewall script and weather it will work Reply with quote
Hi, first off, I'm a bit of a noob with all this. I've been running DD-WRT for a while, but in it's basic forms. Never really changed anything until recently. I've also recently started to play with linux a bit.

Anyway, I have a game server I run using Valve source based games, SRCDS. It seems every troll player we run across these days has some sort of flood or DOS script that causes Source servers to lag out. I've been combating it by resetting the modem with a new mac address and changing IP's, but that's just reacting to the problem.

I found a script that is supposed to help negate the DOS type of attack on linux based servers. I prefer to run windows based as it has better console controls for srcds. Since DD-WRT is linux based I was wondering if this script will work directly through the router and stop the attacks there. Here's the script.....

1 #!/bin/bash
2
3 #Path to iptables
4 IPTABLES='/sbin/iptables'
5
6 # Default rule for established connections
7 `$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`
8 `$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`
9
10 # Put IPs you want to allow bypassing all these rules here
11 `$IPTABLES -A INPUT -s my_ip_here -j ACCEPT`
12
13 # Local connections
14 `$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT`
15
16 # Ports Game - SRCDS + SourceTV + Query
17 PORTS='
18 27015 27020
19 27025 27030
20 '
21
22 # Drop DOS exploit packages for SRCDS games
23 for i in $PORTS
24 do
25 `$IPTABLES -A INPUT -p udp -m udp --dport $i -m string --algo bm --hex-string '|ffffffff54|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT`
26 `$IPTABLES -A INPUT -p udp -m udp --dport $i -m string --algo bm --hex-string '|ffffffff54|' -j DROP`
27 `$IPTABLES -A INPUT -p udp -m udp --dport $i -m string --algo bm --hex-string '|ffffffff55|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT`
28 `$IPTABLES -A INPUT -p udp -m udp --dport $i -m string --algo bm --hex-string '|ffffffff55|' -j DROP`
29 `$IPTABLES -A INPUT -p udp -m udp --dport $i -m string --algo bm --hex-string '|ffffffff56|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT`
30 `$IPTABLES -A INPUT -p udp -m udp --dport $i -m string --algo bm --hex-string '|ffffffff56|' -j DROP`
31 `$IPTABLES -A INPUT -p udp -m udp --dport $i -m string --algo bm --hex-string '|ffffffff57|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT`
32 `$IPTABLES -A INPUT -p udp -m udp --dport $i -m string --algo bm --hex-string '|ffffffff57|' -j DROP`
33 done


I actually not realizing it entered it in this way as the copy and past didn't work right....

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33



#!/bin/bash

#Path to iptables
IPTABLES='/sbin/iptables'

# Default rule for established connections
`$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`
`$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`

# Put IPs you want to allow bypassing all these rules here
`$IPTABLES -A INPUT -s my_ip_here -j ACCEPT`

# Local connections
`$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT`

# Ports Game - SRCDS + SourceTV + Query
PORTS='
27015 27020
27025 27030
'

# Drop DOS exploit packages for SRCDS games
for i in $PORTS
do
`$IPTABLES -A INPUT -p udp -m udp --dport $i -m string --algo bm --hex-string '|ffffffff54|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT`
`$IPTABLES -A INPUT -p udp -m udp --dport $i -m string --algo bm --hex-string '|ffffffff54|' -j DROP`
`$IPTABLES -A INPUT -p udp -m udp --dport $i -m string --algo bm --hex-string '|ffffffff55|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT`
`$IPTABLES -A INPUT -p udp -m udp --dport $i -m string --algo bm --hex-string '|ffffffff55|' -j DROP`
`$IPTABLES -A INPUT -p udp -m udp --dport $i -m string --algo bm --hex-string '|ffffffff56|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT`
`$IPTABLES -A INPUT -p udp -m udp --dport $i -m string --algo bm --hex-string '|ffffffff56|' -j DROP`
`$IPTABLES -A INPUT -p udp -m udp --dport $i -m string --algo bm --hex-string '|ffffffff57|' -m limit --limit 1/s --limit-burst 1 -j ACCEPT`
`$IPTABLES -A INPUT -p udp -m udp --dport $i -m string --algo bm --hex-string '|ffffffff57|' -j DROP`
done


Now I didn't get any errors when I ran it through the commands tab, but I have no idea if it's working or not. I was hoping someone could advise me on A. weather it will work and B. what would be the correct way to enter it into the command console if it will work. Also, I didn't save it in the command console, I just ran it.

Thanks for any advise.
Sponsor
VG
DD-WRT Novice


Joined: 15 Apr 2012
Posts: 6

PostPosted: Sun Apr 15, 2012 4:57    Post subject: Reply with quote
BTW, links to where I got this from....

http://pastie.org/private/81b8r0x6ckfciqwfm9q
http://www.vanillatf2.org/2011/01/fighting-dos-attacks/
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1555
Location: Zwolle

PostPosted: Sun Apr 15, 2012 11:28    Post subject: Reply with quote
I would suggest to enter the iptables commands one by one, manually, and look for error messages. iptables from DD-WRT does not support everything, or at least you have to load some modules to allow it to support what you desire.

Also, if it has to be run everytime as your firewall service is restarted, save it in your firewall script.

_________________
2 times APU2 Opnsense 21.1 with Sensei

2 times RT-AC56U running DD-WRT 45493 (one as Gateway, the other as AP, both bridged with LAN cable)

3 times Asus RT-N16 shelved

E4200 V1 running freshtomato 2020.8 (bridged with LAN cable)

3 times Linksys WRT610N V2 converted to E3000 and 1 original E3000 running freshtomato 2020.8 (bridged with LAN cable)


phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Mon Apr 16, 2012 3:17    Post subject: Reply with quote
Short answer, no it won't work.

Stopping your router from sending it to your server won't stop your ISP from sending it to your router, so your connection to your ISP will still be flooded just as much. If they're DoS'ing you then only your ISP can stop it but it's very unlikely that your ISP will care about someone DoS'ing your game server, especially if it's on a residential line which will likely cause your ISP to want you to pay for a business line.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum