Tutorial TeamSpeak3 IPTABLES (99.9% DDOS PROTECTION)

NatureNMoon (Moderator, joined Jul 8, 2016, 34 messages, 56 points)

Hi everyone,

I would really like to let you know that this script will block almost all (D)DoS attacks and will keep your TeamSpeak3 servers alive!

PLEASE DO NOT FORGET TO READ THE DETAILED DESCRIPTIONS IN THE IPTABLES SCRIPT!

1- All UDP ports will be under the TeamSpeak3 DDoS Protection Zone (you can create a lot of TeamSpeak3 servers by using different UDP ports; all of them will be safe!)
2- All TCP ports will be banned except 22, 10011, 30033 and 41144 (you can read the descriptions and add more TCP ports which you will use, for instance 80, 443, 3306 etc.)
3- Except for TCP and UDP, all protocols will be banned (because you do not need the other protocols like ICMP, IGMP etc. for your TeamSpeak3 servers, the best way is to block all the protocols which you will not use)

And, here is the IPTABLES;

Code:
# NatureNMoon - TS3 Mitigation on IPTABLES
# DESCRIPTIONS BELOW:
# If you do not have iptables, install it. CentOS: "yum install iptables"; Ubuntu/Debian: "apt-get install iptables"
# 51.68.181.92 is weblist.teamspeak.com - this IP address has to be excepted
# You should create an ipset (if you do not have ipset, install it. CentOS: "yum install ipset"; Ubuntu/Debian: "apt-get install ipset")
# You can create the ipset with this command: "ipset create ts3_allowed hash:ip hashsize 2097152 maxelem 40000000 timeout 259200"
# Your SSH must be 22 TCP
# 10011 : Query port (you can change this port if you also change it in the iptables script below)
# 30033 : File Transfer port (you can change this port if you also change it in the iptables script below)
# If you ask why I chose the *raw table: raw is the most important table in IPTABLES, you can think of it as "root" in Linux, and it can block 1.000.000 packets per second (depends on the power of your server (CPU, RAM, NIC, network bandwidth))
# Note: iptables-restore only accepts "#" comments, so every explanation is on its own line.
# Rules that use --dports need "-m multiport", otherwise iptables-restore rejects them.

*raw
# Default raw PREROUTING policy - accept
:PREROUTING ACCEPT [0:0]
# Default traffic chain
:R4P3 - [0:0]
# TS3 PROTECTION CHAIN
:TS3 - [0:0]
# This chain will block all traffic except UDP and TCP
:PROTOCOL_MANAGER - [0:0]
# No need to change or add anything for this chain
:OUTPUT ACCEPT [559:74102]

# Send all packets to the main R4P3 chain
-A PREROUTING -j R4P3
# Change "YourInterfaceHere" to eth0 or whatever it is on your server, and "YourServerExternalIPAddress" to your server's external IP address
-A R4P3 ! -s 51.68.181.92/32 -d YourServerExternalIPAddress -i YourInterfaceHere -m set ! --match-set ts3_allowed src -j TS3

## TS3 RULES

# This rule lets TCP ports 22, 10011, 30033 and 41144 into your network
-A TS3 -p tcp -m multiport --dports 22,10011,30033,41144 -j RETURN
# Mitigation for DNS amplification attacks
-A TS3 -p udp --sport 53 -m length --length 750:65535 -j DROP
# Accept 5 users each second (burst 10): if a user's packet contains the "TS3INIT" payload and its length is 62 bytes, add the source to the ts3_allowed ipset
-A TS3 -p udp ! --sport 53 -m length --length 62 -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name ts3_ratelimit --hashlimit-htable-max 2000000 -m string --string "TS3INIT" --algo kmp -j SET --add-set ts3_allowed src
# Block all traffic whose source IP is not in ts3_allowed (normal users) and whose TCP destination port is not 22, 10011, 30033 or 41144
-A TS3 -m set ! --match-set ts3_allowed src -j DROP
# Send the remaining packets to the PROTOCOL_MANAGER chain
-A TS3 -j PROTOCOL_MANAGER

## PROTOCOL MANAGER RULES

# Allow TCP traffic
-A PROTOCOL_MANAGER -p tcp -j RETURN
# Allow UDP traffic
-A PROTOCOL_MANAGER -p udp -j RETURN
# Block every protocol except UDP and TCP
-A PROTOCOL_MANAGER -j DROP

COMMIT
# The IPTABLES script has been created to keep TeamSpeak3 servers alive, by NatureNMoon at R4P3
If you need help, please DO NOT hesitate to keep in touch with me.

I will edit this post to add some extra rules for you; you can think of this like developing software. That's why, do not forget to watch this post forever :)

//last update 11th JULY 2019 by NatureNMoon


Best Regards;
Daniel Q. (NatureNMoon)
Cyber Security Expert
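A hand-edited copy of the ruleset above is usually rejected by iptables-restore for one of a few reasons: a placeholder that was never replaced, an inline "//" comment on a rule line (iptables-restore only understands "#"), "--dports" used without "-m multiport", or a rule appended to a chain that was never declared. The following POSIX sh script is an added pre-flight check, not part of the original post; the function name lint_ruleset and the file names in the usage line are my own choices.

```shell
#!/bin/sh
# ts3-rules-lint.sh: pre-flight check for an iptables-restore file before loading it.
# Added example, not part of the original post. It assumes a *raw-table file in
# iptables-restore format like the one in the thread.
#
# Usage: sh ts3-rules-lint.sh rules.v4   (exit 0 = looks loadable, 1 = problems found)

# Print every problem found in file $1; return 1 if any were found, 0 otherwise.
lint_ruleset() {
    file=$1
    errors=0

    # 1. Placeholders the author asks you to replace must not survive on a rule line.
    if grep -n -E '^-A .*(YourServerExternalIPAddress|YourInterfaceHere)' "$file"; then
        echo "ERROR: unreplaced placeholder(s) on the rule line(s) above" >&2
        errors=$((errors + 1))
    fi

    # 2. iptables-restore only understands '#' comments; a trailing '// ...' on a
    #    rule or chain line is handed to the rule parser and rejected.
    if grep -n -E '^(-A|:).*//' "$file"; then
        echo "ERROR: '//' inline comment(s) above; put comments on their own '#' line" >&2
        errors=$((errors + 1))
    fi

    # 3. --dports/--sports are options of the multiport match, so -m multiport is required.
    if grep -n -E -- '--(d|s)ports' "$file" | grep -v -E -- '-m multiport'; then
        echo "ERROR: --dports/--sports without '-m multiport' on the line(s) above" >&2
        errors=$((errors + 1))
    fi

    # 4. The table block must be opened with *raw and closed with COMMIT.
    if ! grep -q '^\*raw$' "$file" || ! grep -q '^COMMIT$' "$file"; then
        echo "ERROR: missing '*raw' header or 'COMMIT' footer" >&2
        errors=$((errors + 1))
    fi

    # 5. Every chain that rules are appended to must be declared with a ':' line.
    for chain in $(grep -E '^-A ' "$file" | awk '{print $2}' | sort -u); do
        if ! grep -q "^:$chain " "$file"; then
            echo "ERROR: rules appended to undeclared chain $chain" >&2
            errors=$((errors + 1))
        fi
    done

    [ "$errors" -eq 0 ]
}

# Run as a command when given a file argument.
if [ -n "${1:-}" ]; then
    lint_ruleset "$1"
fi
```

Run it against the file you are about to feed to iptables-restore; it prints the offending lines with their line numbers and exits non-zero, so it can sit in front of "iptables-restore < rules.v4" in a deployment script. It only catches the mistakes seen in this thread, not every syntax error, so keep "iptables-restore --test" as the final check where your iptables version supports it.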
 

gamesbond (Member, joined Jul 21, 2015, 102 messages, 53 points)

Hey man,
I have a musicbot on the server and I stream from this link http://ice07.fluidstream.net:8080/KissKiss.mp3

Is there any possibility to put this IP in the whitelist? What do I need to change?

I tried to use
-A R4P3 ! -s 51.68.181.92/32 -d YourServerExternalIPAddress -i YourInterfaceHere -m set ! --match-set ts3_allowed src -j TS3 // Please change "YourInterfaceHere" as eth0 or whatever it is in your server and change this "YourServerExternalIPAddress" as your server external ip address

changing the IP, but the firewall blocks the connection :)
 

NatureNMoon (Moderator, joined Jul 8, 2016, 34 messages, 56 points)

> Hey man,
> I have a musicbot on the server and I stream from this link http://ice07.fluidstream.net:8080/KissKiss.mp3
>
> Is there any possibility to put this IP in the whitelist? What do I need to change?
>
> I tried to use
> -A R4P3 ! -s 51.68.181.92/32 -d YourServerExternalIPAddress -i YourInterfaceHere -m set ! --match-set ts3_allowed src -j TS3 // Please change "YourInterfaceHere" as eth0 or whatever it is in your server and change this "YourServerExternalIPAddress" as your server external ip address
>
> changing the IP, but the firewall blocks the connection :)

1- Create an ipset, for example "ipset create gamesbond_whitelist hash:net"
2- Change that rule to:
Code:
# Change "YourInterfaceHere" to eth0 or whatever it is on your server, and "YourServerExternalIPAddress" to your server's external IP address
-A R4P3 -m set ! --match-set gamesbond_whitelist src -d YourServerExternalIPAddress -i YourInterfaceHere -m set ! --match-set ts3_allowed src -j TS3
3- ipset --add gamesbond_whitelist 51.68.181.92 and ipset --add gamesbond_whitelist 136.243.49.21
4- 51.68.181.92 is weblist.teamspeak.com and 136.243.49.21 is your music bot's IP address
or
You can add the IP addresses to the ts3_allowed list. That way you will not need any whitelist :) But you should know that the ts3_allowed ipset has a timeout ("ipset create ts3_allowed hash:ip hashsize 2097152 maxelem 40000000 timeout 259200"), meaning the IP addresses will be removed automatically 259200 secs (3 days) later :). That's why, if you ask me what you should do: create your own whitelist and use it, without a timeout :)

Best Regards;
Daniel Q.
Cyber Security Expert
 

gamesbond (Member, joined Jul 21, 2015, 102 messages, 53 points)

> -A R4P3 -m set ! --match-set gamesbond_whitelist src -d YourServerExternalIPAddress -i YourInterfaceHere -m set ! --match-set ts3_allowed src -j TS3

Why put both gamesbond_whitelist and ts3_allowed?
I'll retry tomorrow.
Maybe I'm failing at something, because the server drops the request.
 

NatureNMoon (Moderator, joined Jul 8, 2016, 34 messages, 56 points)

> Why put both gamesbond_whitelist and ts3_allowed?
> I'll retry tomorrow.
> Maybe I'm failing at something, because the server drops the request.

The IP addresses in ts3_allowed and gamesbond_whitelist will not be affected by iptables, meaning iptables will not block the IP addresses in those ipsets.
 

mkll11one (Active Member, joined Apr 26, 2016, 206 messages, 74 points, age 26, Denmark, Copenhagen)

Hi @NatureNMoon

Will it work if I have "docker" in the iptables, or do I need to change something somewhere to get the iptables rules to work?

As an example, the "docker" rules are under *nat (and your script is *raw).
 

NatureNMoon (Moderator, joined Jul 8, 2016, 34 messages, 56 points)

> Hi @NatureNMoon
>
> Will it work if I have "docker" in the iptables, or do I need to change something somewhere to get the iptables rules to work?
>
> As an example, the "docker" rules are under *nat (and your script is *raw).

You can add the ports which you would like to use. The rules which you need are below:

Code:
# Add the TCP port numbers which you will use for docker (--dports needs -m multiport)
-A TS3 -p tcp -m multiport --dports 22,10011,30033,41144 -j RETURN
# Add the UDP port numbers which you will use for docker
-A TS3 -p udp -m multiport --dports 22,23 -j RETURN
Your iptables will be like this;

Code:
# NatureNMoon - TS3 Mitigation on IPTABLES
# DESCRIPTIONS BELOW:
# If you do not have iptables, install it. CentOS: "yum install iptables"; Ubuntu/Debian: "apt-get install iptables"
# 51.68.181.92 is weblist.teamspeak.com - this IP address has to be excepted
# You should create an ipset (if you do not have ipset, install it. CentOS: "yum install ipset"; Ubuntu/Debian: "apt-get install ipset")
# You can create the ipset with this command: "ipset create ts3_allowed hash:ip hashsize 2097152 maxelem 40000000 timeout 259200"
# Your SSH must be 22 TCP
# 10011 : Query port (you can change this port if you also change it in the iptables script below)
# 30033 : File Transfer port (you can change this port if you also change it in the iptables script below)
# If you ask why I chose the *raw table: raw is the most important table in IPTABLES, you can think of it as "root" in Linux, and it can block 1.000.000 packets per second (depends on the power of your server (CPU, RAM..))
# Note: iptables-restore only accepts "#" comments, so every explanation is on its own line.
# Rules that use --dports need "-m multiport", otherwise iptables-restore rejects them.

*raw
# Default raw PREROUTING policy - accept
:PREROUTING ACCEPT [0:0]
# Default traffic chain
:R4P3 - [0:0]
# TS3 PROTECTION CHAIN
:TS3 - [0:0]
# This chain will block all traffic except UDP and TCP
:PROTOCOL_MANAGER - [0:0]
# No need to change or add anything for this chain
:OUTPUT ACCEPT [559:74102]

# Send all packets to the main R4P3 chain
-A PREROUTING -j R4P3
# Change "YourInterfaceHere" to eth0 or whatever it is on your server, and "YourServerExternalIPAddress" to your server's external IP address
-A R4P3 ! -s 51.68.181.92/32 -d YourServerExternalIPAddress -i YourInterfaceHere -m set ! --match-set ts3_allowed src -j TS3

## TS3 RULES

# Add the TCP port numbers which you will use for docker (for example 22,10011,30033,41144, or whatever you want to add)
-A TS3 -p tcp -m multiport --dports 22,10011,30033,41144 -j RETURN
# Add the UDP port numbers which you will use for docker (for example 22,23,80,443, or whatever you want to add)
-A TS3 -p udp -m multiport --dports 22,23 -j RETURN
# Mitigation for DNS amplification attacks
-A TS3 -p udp --sport 53 -m length --length 750:65535 -j DROP
# Accept 5 users each second (burst 10): if a user's packet contains the "TS3INIT" payload and its length is 62 bytes, add the source to the ts3_allowed ipset
-A TS3 -p udp ! --sport 53 -m length --length 62 -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name ts3_ratelimit --hashlimit-htable-max 2000000 -m string --string "TS3INIT" --algo kmp -j SET --add-set ts3_allowed src
# Block all traffic whose source IP is not in ts3_allowed (normal users) and whose TCP destination port is not 22, 10011, 30033 or 41144
-A TS3 -m set ! --match-set ts3_allowed src -j DROP
# Send the remaining packets to the PROTOCOL_MANAGER chain
-A TS3 -j PROTOCOL_MANAGER

## PROTOCOL MANAGER RULES

# Allow TCP traffic
-A PROTOCOL_MANAGER -p tcp -j RETURN
# Allow UDP traffic
-A PROTOCOL_MANAGER -p udp -j RETURN
# Block every protocol except UDP and TCP
-A PROTOCOL_MANAGER -j DROP

COMMIT
# The IPTABLES script has been created to keep TeamSpeak3 servers alive, by NatureNMoon at R4P3
Also, you can add your *nat rules at the bottom of my iptables rules. Then you can just restart the iptables service.

To be sure, you can check the rules with "iptables -L -n -v -t raw" and "iptables -L -n -v -t nat".

Best Regards;
Daniel Q.
Cyber Security Expert
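Three parts of this ruleset end up hand-edited by every reader: the external IP and interface placeholders in the R4P3 rule from the first post, the whitelist ipset from the musicbot reply above, and the extra TCP/UDP service ports from this docker reply. They can be filled in from variables instead. The script below is an added example, not NatureNMoon's script: it renders the same raw-table rules in iptables-restore format, keeps the weblist address and your own hosts in a whitelist set without a timeout (named ts3_whitelist here, an assumed name), and loads everything when run with "apply". The variable names, the set name and the 203.0.113.10/eth0 defaults are constructed for the example; "render" needs no privileges, "apply" needs root with ipset and iptables installed.

```shell
#!/bin/sh
# ts3-firewall.sh: render (and optionally load) the raw-table ruleset from this thread
# with the site-specific values taken from variables instead of hand-editing.
# Added example, not the author's script. Assumed/constructed: the variable names,
# the whitelist set name "ts3_whitelist" and the sample values in the usage lines.
#
#   EXT_IP=203.0.113.10 IFACE=eth0 sh ts3-firewall.sh render > /etc/iptables/raw.v4
#   EXT_IP=203.0.113.10 IFACE=eth0 WHITELIST="136.243.49.21" sh ts3-firewall.sh apply

# Site-specific inputs (constructed defaults use documentation-range addresses).
EXT_IP=${EXT_IP:-203.0.113.10}                  # the server's external address
IFACE=${IFACE:-eth0}                            # public interface
TCP_PORTS=${TCP_PORTS:-22,10011,30033,41144}    # ssh, query, file transfer, extra tcp
UDP_PORTS=${UDP_PORTS:-}                        # extra UDP service ports (e.g. docker), optional
WHITELIST=${WHITELIST:-}                        # space-separated IPs/nets that bypass the TS3 chain
WEBLIST=51.68.181.92                            # weblist.teamspeak.com, per the original post

# Print the ruleset in iptables-restore format. '#' is the only comment syntax
# iptables-restore accepts, so every explanation goes on its own line.
render_rules() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:R4P3 - [0:0]
:TS3 - [0:0]
:PROTOCOL_MANAGER - [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -j R4P3
# Sources in the whitelist set (weblist + your own hosts) and sources already
# admitted into ts3_allowed never enter the TS3 chain.
-A R4P3 -m set ! --match-set ts3_whitelist src -d $EXT_IP -i $IFACE -m set ! --match-set ts3_allowed src -j TS3
# --dports belongs to the multiport match, so -m multiport is required.
-A TS3 -p tcp -m multiport --dports $TCP_PORTS -j RETURN
EOF
    if [ -n "$UDP_PORTS" ]; then
        echo "-A TS3 -p udp -m multiport --dports $UDP_PORTS -j RETURN"
    fi
    cat <<EOF
# Large packets from source port 53: DNS amplification floods.
-A TS3 -p udp --sport 53 -m length --length 750:65535 -j DROP
# Admit at most 5 new clients/sec (burst 10) per destination address whose first
# packet looks like a TeamSpeak handshake; they are then remembered in ts3_allowed.
-A TS3 -p udp ! --sport 53 -m length --length 62 -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name ts3_ratelimit --hashlimit-htable-max 2000000 -m string --string "TS3INIT" --algo kmp -j SET --add-set ts3_allowed src
-A TS3 -m set ! --match-set ts3_allowed src -j DROP
-A TS3 -j PROTOCOL_MANAGER
-A PROTOCOL_MANAGER -p tcp -j RETURN
-A PROTOCOL_MANAGER -p udp -j RETURN
-A PROTOCOL_MANAGER -j DROP
COMMIT
EOF
}

# Create both sets (idempotent), fill the whitelist, and load the rules. Needs root.
apply_rules() {
    ipset -exist create ts3_allowed hash:ip hashsize 2097152 maxelem 40000000 timeout 259200
    ipset -exist create ts3_whitelist hash:net
    for entry in $WEBLIST $WHITELIST; do
        ipset -exist add ts3_whitelist "$entry"
    done
    render_rules | iptables-restore
}

case "${1:-}" in
    render) render_rules ;;
    apply)  apply_rules ;;
esac
```

Because the whitelist is a separate hash:net set with no timeout, a bot or weblist address stays exempt across the three-day expiry of ts3_allowed, which is the point made in the musicbot reply. Note that iptables-restore replaces the whole raw table from the file, so any *nat rules for docker should be kept in their own file or appended to the rendered output, as suggested above.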
 

mkll11one (Active Member, joined Apr 26, 2016, 206 messages, 74 points, age 26, Denmark, Copenhagen)

> You can add the ports which you would like to use. The rules which you need are below:
>
> Code:
> # Add the TCP port numbers which you will use for docker (--dports needs -m multiport)
> -A TS3 -p tcp -m multiport --dports 22,10011,30033,41144 -j RETURN
> # Add the UDP port numbers which you will use for docker
> -A TS3 -p udp -m multiport --dports 22,23 -j RETURN
>
> Best Regards;
> Daniel Q.
> Cyber Security Expert

Got it working! ;)
 

mkll11one (Active Member, joined Apr 26, 2016, 206 messages, 74 points, age 26, Denmark, Copenhagen)

Seems I got some problems with ICMP/using docker.

How can I flush everything, so I can install "TeamSpeak" via docker? ^
[Update: 15:18 12-07-2019]
 

NatureNMoon (Moderator, joined Jul 8, 2016, 34 messages, 56 points)

> Seems I got some problems with ICMP/using docker.
>
> How can I flush everything, so I can install "TeamSpeak" via docker? ^
> [Update: 15:18 12-07-2019]

You can change the rule "-A PREROUTING -j R4P3" to "-A PREROUTING -j ACCEPT". After changing this rule, you can try it again, and then you can activate the rules again.
By the way, after changing the rule, do not forget to restart your iptables service.
 

FromLondon (Honk Honk, VIP, joined May 20, 2016, 205 messages, 78 points, age 24, Russia)

Hello,
Do I understand the filtering logic right, like:
*User connecting*
Client sends a UDP packet starting with "TS3INIT"
*This client connection is OK*?

What about "Accept 5 users each second if the users" and "burst to 10"? Imagine we restart the server. There will only be 5-10 users per second who can reconnect to the server, right?
What if an attacker simulates TS3 packets?
 

Asphyxia (Server Monkey, Administrator, joined Apr 25, 2015, 1,196 messages, 252 points, age 26, North America)

> What if an attacker simulates TS3 packets?

In various other threads, I have highlighted how security is very much cat and mouse. Someone could always send bot traffic to flood, but that could be fought in other ways.

While enforcing "packet contains TS3INIT payload and its length is 62 byte" could be bypassed, the attack would have to be more sophisticated than without the rules.

Hence why adding security is referred to as hardening and not bulletproofing. You keep doing it (hardening), which includes patching, upgrades, and adopting modern security protocols, e.g. no more HTTP - only HTTPS, no more FTP - only SSH (SFTP) and SCP for backups, no more Telnet - SSH has overtaken Telnet... the point is that greater security is a continuous improvement process and not a state.

If someone attacks by simulating the packets, a tcpdump or tshark capture could be taken, the traffic shared for analysis, and further blocking rules crafted.
 

FromLondon (Honk Honk, VIP, joined May 20, 2016, 205 messages, 78 points, age 24, Russia)

> In various other threads, I have highlighted how security is very much cat and mouse. Someone could always send bot traffic to flood, but that could be fought in other ways.
>
> While enforcing "packet contains TS3INIT payload and its length is 62 byte" could be bypassed, the attack would have to be more sophisticated than without the rules.
>
> Hence why adding security is referred to as hardening and not bulletproofing.
>
> If someone attacks by simulating the packets, a tcpdump or tshark capture could be taken, the traffic shared for analysis, and further blocking rules crafted.

I think that using these rules and placing only TS servers on the machine would be good in combination with a strong anti-DDoS provider, but who knows... Tests are needed with hosting protection and without it.
 

dosh (New Member, joined Nov 19, 2018, 34 messages, 10 points, age 29)

I stopped reading after "I would really like to let know that this script will block almost all (D)Dos attacks and will keep your TeamSpeak3 servers alive!"

Sorry, what?
So you can put this script on a shit host with 10 Mbps, send me the IP, and that iptables script will block everything? That's amazing. I don't get why OVH and others didn't come up with this..
Maybe you should edit your post, swap DDOS for DOS, and make sure you say "might block some DOS attacks".
 

Asphyxia (Server Monkey, Administrator, joined Apr 25, 2015, 1,196 messages, 252 points, age 26, North America)

> Tests are needed with hosting protection and without it.

I completely agree with you, testing should always be done with all security implementations.

> Maybe you should edit your post, swap DDOS for DOS, and make sure you say "might block some DOS attacks".

You can use Netfilter for mitigation of common DDoS attacks, I mean look no further than over here https://people.netfilter.org/hawk/presentations/devconf2014/iptables-ddos-mitigation_JesperBrouer.pdf - he mentioned "almost all" which is the equivalent of "may block most", what are you picking apart his wording for...

> So you can put this script on a shit host with 10 Mbps, send me the IP, and that iptables script will block everything?

I do not believe he ever mentioned this nor should anyone imply this. I am unsure how you are coming up with that thought process? While I agree DDoS protection services have their sensible uses, overlooking such simple protection using Netfilter could be more costly. His rules are a hell of a lot better than: https://forum.teamspeak.com/threads/108259-iptables-rules
 
