DDOS Protection - LeandroTheDev/arch_linux GitHub Wiki
Source Games
Configured TCP and UDP DDoS protections for Source games
Game Basic UDP
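#!/bin/sh
# Game Basic UDP: rate-limit UDP traffic to the Source game server ports
# (27015, 27016) through a dedicated UDP_FLOOD chain.
#
# The script is safe to re-run: the chain is created if missing and then
# flushed, and the INPUT jumps are only appended when not already present,
# so repeated runs do not stack duplicate rules.
#
# Requires root and iptables with the length and recent matches available.
set -e

# Append an INPUT -> UDP_FLOOD jump for one UDP port unless an identical
# rule already exists (-C checks, -A appends).
# $1 - destination UDP port
ensure_udp_jump() {
  iptables -C INPUT -p udp --dport "$1" -j UDP_FLOOD 2>/dev/null \
    || iptables -A INPUT -p udp --dport "$1" -j UDP_FLOOD
}

# Create the custom chain only once (if it doesn't already exist).
# -N fails when the chain is already present; that is expected here.
iptables -N UDP_FLOOD 2>/dev/null || true
# Start from an empty chain so re-running the script does not duplicate rules.
iptables -F UDP_FLOOD

# Redirects traffic from each port to the UDP_FLOOD chain.
# NOTE(review): -A appends after any existing INPUT rules; an earlier ACCEPT
# in INPUT would bypass this chain entirely — confirm rule ordering.
ensure_udp_jump 27015
ensure_udp_jump 27016

# Anti UDP Bandwidth Flood: drop oversized datagrams (1200 bytes and up)
# and IP fragments before the per-source counters are consulted.
iptables -A UDP_FLOOD -p udp -m length --length 1200:65535 -j DROP
iptables -A UDP_FLOOD -f -p udp -j DROP

# Filters within the UDP_FLOOD chain: per-source-IP packet rate.
# A source that already has 150 or more packets recorded for the port in the
# last 5 seconds is dropped; otherwise the packet is recorded (--set) and
# returned to INPUT.
# Server 1
iptables -A UDP_FLOOD -p udp --dport 27015 -m recent --name server1ddos --rcheck --seconds 5 --hitcount 150 -j DROP
iptables -A UDP_FLOOD -p udp --dport 27015 -m recent --name server1ddos --set -j RETURN
# Server 2
iptables -A UDP_FLOOD -p udp --dport 27016 -m recent --name server2ddos --rcheck --seconds 5 --hitcount 150 -j DROP
iptables -A UDP_FLOOD -p udp --dport 27016 -m recent --name server2ddos --set -j RETURN

# General throttling (all other UDP packets pass here).
# NOTE(review): with only the two INPUT jumps above, every packet entering
# this chain is for port 27015 or 27016 and is already decided by the
# --set/RETURN rules, so the two rules below only apply to traffic jumped
# here from somewhere else.
iptables -A UDP_FLOOD -m limit --limit 5/second --limit-burst 250 -j RETURN
# Blocks everything that goes through and is not accepted
iptables -A UDP_FLOOD -j DROP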
Game Basic TCP
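#!/bin/sh
# Game Basic TCP: rate-limit TCP traffic to the Source game server ports
# (27015, 27016) through a dedicated TCP_FLOOD chain.
#
# The script is safe to re-run: the chain is created if missing and then
# flushed, and the INPUT jumps are only appended when not already present,
# so repeated runs do not stack duplicate rules.
#
# Requires root and iptables with the connbytes and recent matches available.
set -e

# Append an INPUT -> TCP_FLOOD jump for one TCP port unless an identical
# rule already exists (-C checks, -A appends).
# $1 - destination TCP port
ensure_tcp_jump() {
  iptables -C INPUT -p tcp --dport "$1" -j TCP_FLOOD 2>/dev/null \
    || iptables -A INPUT -p tcp --dport "$1" -j TCP_FLOOD
}

# Create the custom chain only once (if it doesn't already exist).
# -N fails when the chain is already present; that is expected here.
iptables -N TCP_FLOOD 2>/dev/null || true
# Start from an empty chain so re-running the script does not duplicate rules.
iptables -F TCP_FLOOD

# Redirects traffic from each port to the TCP_FLOOD chain.
# NOTE(review): -A appends after any existing INPUT rules; an earlier ACCEPT
# in INPUT would bypass this chain entirely — confirm rule ordering.
ensure_tcp_jump 27015
ensure_tcp_jump 27016

# Filters within the TCP_FLOOD chain, per server port:
#  1. connbytes: drop packets of any connection whose total byte count
#     (both directions combined) has reached 1000000 bytes.
#     NOTE(review): this relies on conntrack byte accounting being active on
#     the target kernel — confirm, otherwise the match never fires.
#  2. recent: a source IP with 15 or more packets recorded for the port in
#     the last 5 seconds is dropped; otherwise the packet is recorded and
#     returned to INPUT.
#     NOTE(review): this counts every TCP segment, not only new connections,
#     so an established session that sends more than 15 segments in 5 s is
#     cut off — confirm this is intended rather than a connection-rate limit.
# Server 1
iptables -A TCP_FLOOD -p tcp --dport 27015 -m connbytes --connbytes 1000000: --connbytes-mode bytes --connbytes-dir both -j DROP
iptables -A TCP_FLOOD -p tcp --dport 27015 -m recent --name server1ddos_tcp --rcheck --seconds 5 --hitcount 15 -j DROP
iptables -A TCP_FLOOD -p tcp --dport 27015 -m recent --name server1ddos_tcp --set -j RETURN
# Server 2
iptables -A TCP_FLOOD -p tcp --dport 27016 -m connbytes --connbytes 1000000: --connbytes-mode bytes --connbytes-dir both -j DROP
iptables -A TCP_FLOOD -p tcp --dport 27016 -m recent --name server2ddos_tcp --rcheck --seconds 5 --hitcount 15 -j DROP
iptables -A TCP_FLOOD -p tcp --dport 27016 -m recent --name server2ddos_tcp --set -j RETURN

# General throttling (all other TCP packets pass here).
# NOTE(review): with only the two INPUT jumps above, every packet entering
# this chain is for port 27015 or 27016 and is already decided by the
# --set/RETURN rules, so the two rules below only apply to traffic jumped
# here from somewhere else.
iptables -A TCP_FLOOD -m limit --limit 5/second --limit-burst 30 -j RETURN
# Blocks everything that goes through and is not accepted
iptables -A TCP_FLOOD -j DROP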