Optimize OVH Protection

Leon

Member
Aug 22, 2015
32
8
43
Hello,

OVH Enterprise DDoS Protection blocks everything well.

But one flood called XTS3 floods TS3 with 1-2 MB/s.

OVH doesn't block any of it.

Can anyone help me set up iptables to block, for example, more than 500kb/s of UDP on port 9987, or anything else?

Thanks.
 

ixM7MDz

CipherSpeak Developer
Jan 29, 2016
60
11
46
I will give you some firewall rules.

You just need to paste them into a file as firewall.sh.
After you paste them, just type this on SSH (PuTTY):
./firewall.sh

You need to have iptables on your VPS.
Script:
Code:
#!/bin/bash
# Save as firewall.sh, then: chmod +x firewall.sh && ./firewall.sh (as root)
# Flush rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F PREROUTING
iptables -t raw -F OUTPUT
# Set default policies first: drop inbound and forwarded traffic, allow outbound
iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT ACCEPT;
# Allow loopback traffic (local services would otherwise be dropped by the INPUT policy)
iptables -A INPUT -i lo -j ACCEPT
# Disable connection tracking on voice server ports
iptables -A PREROUTING -t raw -p udp --dport 9987 -j NOTRACK
iptables -A OUTPUT -t raw -p udp --sport 9987 -j NOTRACK
# Allow TCP inbound (FTP and SSH)
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 21,22 -j ACCEPT
# Drop invalid UDP (packet lengths the voice server never uses)
iptables -A PREROUTING -t raw -p udp --dport 9987 -m length --length 0:32 -j DROP
iptables -A PREROUTING -t raw -p udp --dport 9987 -m length --length 2521:65535 -j DROP
iptables -A PREROUTING -t raw -p udp --dport 9987 -m length --length 98 -j DROP
# Drop TS3 booter methods (known payload signatures)
iptables -A PREROUTING -t raw -p udp --dport 9987 -m string --hex-string '|fa163eb402096ac8|' --algo kmp -j DROP
iptables -A PREROUTING -t raw -p udp --dport 9987 -m string --hex-string '|71f63813d5422309|' --algo kmp -j DROP
# Allow incoming packets related to outgoing ones.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow UDP inbound (voice port; untracked, so it needs its own ACCEPT)
iptables -A INPUT -p udp --dport 9987 -j ACCEPT
# Allow ICMP
iptables -A INPUT -p icmp -j ACCEPT
# Log everything else (at most 2 lines per minute) to /var/log/messages, then drop it
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
 
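The script above drops by packet length and by payload signature, but it does not cap how much traffic a single source may send to the voice port, which is what the original question asked for. The following is an added example, not code from any poster in this thread, showing the iptables hashlimit match used for that purpose. It assumes iptables 1.4.21 or newer on a kernel 3.12 or newer (needed for byte-based rates such as "500kb/s"); the function name ts3_ratelimit and the hashlimit table name ts3_udp are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: cap per-source UDP traffic to the
# TeamSpeak voice port with the iptables hashlimit match.
# Assumed (check `man iptables-extensions`): byte-based rates such as
# "500kb/s" need iptables >= 1.4.21 on a kernel >= 3.12.

# ts3_ratelimit PORT RATE BURST
#   Appends a raw-table PREROUTING rule that drops UDP to PORT from any
#   single source IP sending faster than RATE, given either as bytes
#   ("500kb/s") or as packets ("2000/second"). BURST is the amount
#   allowed above RATE before dropping starts (bytes in byte mode,
#   packets in packet mode). The hashlimit table "ts3_udp" keys on the
#   /32 source address and forgets an address after 30 s of silence.
#   $IPT selects the command to run; "echo" gives a dry run.
ts3_ratelimit() {
    _port="$1"; _rate="$2"; _burst="$3"
    "$IPT" -t raw -A PREROUTING -p udp --dport "$_port" \
        -m hashlimit --hashlimit-name ts3_udp \
        --hashlimit-mode srcip --hashlimit-srcmask 32 \
        --hashlimit-above "$_rate" --hashlimit-burst "$_burst" \
        --hashlimit-htable-expire 30000 \
        -j DROP
}

# Dry run by default (prints the rule); "./ts3-ratelimit.sh apply" installs
# it for real. In the posted script the rule fits next to the other raw-table
# drops, after the length and string matches.
case "${1:-}" in
    apply) IPT=iptables ;;
    *)     IPT=echo ;;
esac
ts3_ratelimit 9987 500kb/s 1mb
```

Because the rule sits in the raw table it is evaluated before connection tracking and before the filter INPUT chain, so it coexists with the NOTRACK rule in the posted script. A per-source cap of this kind only helps against floods from a bounded number of addresses; a widely spoofed or distributed flood still reaches the host and has to be absorbed upstream, which is what the later replies in the thread point at.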

ikfes

Member
Apr 15, 2016
62
8
55
I will give you some firewall rules.

You just need to paste them into a file as firewall.sh.
After you paste them, just type this on SSH (PuTTY):
./firewall.sh

You need to have iptables on your VPS.
Script:
Code:
#!/bin/bash
# Save as firewall.sh, then: chmod +x firewall.sh && ./firewall.sh (as root)
# Flush rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F PREROUTING
iptables -t raw -F OUTPUT
# Set default policies first: drop inbound and forwarded traffic, allow outbound
iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT ACCEPT;
# Allow loopback traffic (local services would otherwise be dropped by the INPUT policy)
iptables -A INPUT -i lo -j ACCEPT
# Disable connection tracking on voice server ports
iptables -A PREROUTING -t raw -p udp --dport 9987 -j NOTRACK
iptables -A OUTPUT -t raw -p udp --sport 9987 -j NOTRACK
# Allow TCP inbound (FTP and SSH)
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 21,22 -j ACCEPT
# Drop invalid UDP (packet lengths the voice server never uses)
iptables -A PREROUTING -t raw -p udp --dport 9987 -m length --length 0:32 -j DROP
iptables -A PREROUTING -t raw -p udp --dport 9987 -m length --length 2521:65535 -j DROP
iptables -A PREROUTING -t raw -p udp --dport 9987 -m length --length 98 -j DROP
# Drop TS3 booter methods (known payload signatures)
iptables -A PREROUTING -t raw -p udp --dport 9987 -m string --hex-string '|fa163eb402096ac8|' --algo kmp -j DROP
iptables -A PREROUTING -t raw -p udp --dport 9987 -m string --hex-string '|71f63813d5422309|' --algo kmp -j DROP
# Allow incoming packets related to outgoing ones.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow UDP inbound (voice port; untracked, so it needs its own ACCEPT)
iptables -A INPUT -p udp --dport 9987 -j ACCEPT
# Allow ICMP
iptables -A INPUT -p icmp -j ACCEPT
# Log everything else (at most 2 lines per minute) to /var/log/messages, then drop it
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

That's my script, and it misses the TCP 30033 port for the file server. If you run it as it is above, your clients can't load usergroup/channelgroup icons or any images/banners you might upload to the server.

Either edit this:
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,30033 -j ACCEPT (you don't need 21 if you use SFTP)
or add:
iptables -A INPUT -p tcp --dport 30033 -j ACCEPT
under the similar 9987 UDP rule.
 

MwZ

Active Member
Dec 27, 2016
47
6
83
When using a modern protection system, you can sleep just fine and nothing needs to be done in iptables... :p
 

MwZ

Active Member
Dec 27, 2016
47
6
83
@MwZ What is a "modern protection system"? More details please.
There are companies that provide you with a system that handles literally all these attacks, even if they use custom UDP payloads... Although they aren't as cheap as OVH, it's as simple as that. :)
 