IPTables help [SOLVED]

Discussion in 'Systems Administration' started by File14, Mar 16, 2016.

  1. Hello everyone!

    Is there anyone that knows much about iptables and that stuff? Can you please take a look at these then, are they correct and in the correct order?

    I want to drop the NEW incoming connections if it reaches over 3 new IPs per second. Also do I need all these ports open?

    • Code (Text):
      *filter
      :INPUT DROP [20:5388]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [8227:1579610]
      :f2b-sshd - [0:0]
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
      -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
      -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 25565 -m state --state NEW -m limit --limit 3/sec -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 25565 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 3 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable
      -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 151/sec --limit-burst 160 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 25565 -m state --state NEW -j DROP
      COMMIT
    Thanks!
     
  2. Minecraft uses UDP, not TCP. UDP doesn't keep a connection like TCP does, so I don't think it's possible to track the number of connections that way. There a plugins that limit how fast players can join a server. I use NoCheatPlus, but theres probably also simpler plugins there does nothing but that.

    As for the open ports, look them up ind /etc/services and see what they are.
     
  3. https://www.spigotmc.org/threads/neccessary-to-open-udp-port-25565.571/
    http://gaming.stackexchange.com/que...rotocol-do-i-use-for-port-forwarding-on-2wire
     
  4. You're right :) I was told it used UDP a long time ago, and never bothered to look further into it.
     
    • Funny Funny x 1
  5. [​IMG]
     
    • Agree Agree x 1