MY VPS FIREWALL - OVH VPS

FuZz3 · Aug 30, 2016

Hi guys i wanted your opinion on my firewall i had a huge ddos attack and i googled a firewall, and i added a couple rules to it!
This firewall runs websites, sinusbot, teamspeak 3
It has allot of ddos methods blocked but i tried with loic and i saw my packets coming in on the vps!
I used iftop to see the packets BTW!

Code:

iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -A INPUT -p udp --dport 9987 -j ACCEPT
iptables -A INPUT -p udp --sport 9987 -j ACCEPT
iptables -A INPUT -p udp --dport 9988 -j ACCEPT
iptables -A INPUT -p udp --sport 9988 -j ACCEPT
iptables -A INPUT -p tcp --dport 30033 -j ACCEPT
iptables -A INPUT -p tcp --sport 30033 -j ACCEPT
iptables -A INPUT -p tcp --dport 10011 -j ACCEPT
iptables -A INPUT -p tcp --sport 10011 -j ACCEPT
iptables -A INPUT -p tcp --dport 41144 -j ACCEPT
iptables -A INPUT -p tcp --sport 41144 -j ACCEPT
iptables -A INPUT -p tcp --dport 2010 -j ACCEPT
iptables -A INPUT -p tcp --sport 2010 -j ACCEPT
iptables -A INPUT -p tcp --dport 2011 -j ACCEPT
iptables -A INPUT -p tcp --sport 2011 -j ACCEPT
iptables -A INPUT -p tcp --dport 2008 -j ACCEPT
iptables -A INPUT -p tcp --sport 2008 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8087 -j ACCEPT
iptables -A INPUT -p tcp --sport 8087 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --sport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -d weblist.teamspeak.com --dport 2010 -j ACCEPT
iptables -A OUTPUT -p tcp -d accounting.teamspeak.com --dport 2008 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -I INPUT -s 109.51.48.210 -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p udp -m udp --sport 19 -j DROP
iptables -A INPUT -p udp -m udp --sport 123 -j DROP
iptables -A INPUT -p udp -m udp --sport 161 -j DROP
iptables -A INPUT -p udp -m udp --sport 1433 -j DROP
iptables -A INPUT -p udp -m udp --sport 1900 -j DROP
iptables -A INPUT -p udp -m udp --sport 27015 -j DROP
iptables -A INPUT -p udp -m udp --sport 27950 -j DROP
iptables -A INPUT -p udp -m udp --sport 27952 -j DROP
iptables -A INPUT -p udp -m udp --sport 27960 -j DROP
iptables -A INPUT -p udp -m udp --sport 27965 -j DROP
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -p udp -m udp --sport 19329 -j DROP
iptables -A INPUT -p udp -m udp --sport 53 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 53 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 19329 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 5353 -j DROP
iptables -A INPUT -p udp -m udp --sport 5353 -j DROP
iptables -A INPUT -p udp -m udp --sport 7143 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 7143 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 123 -j DROP
iptables -A INPUT -p udp -m udp --sport 123 -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -j DROP
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 10/sec --limit-burst 15 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
iptables -A syn-flood -j DROP
iptables-save > /etc/iptables/rules.v4
iptables-save > $HOME/firewall.txt

BTW guys if u know how to perfect my firewall pls tell me !

freets3.ovh · Aug 30, 2016

Only ddos game OVH for block a real ddos.

adonradon · Aug 30, 2016

freets3.ovh said:
Only ddos game OVH for block a real ddos.

not only ovh is blocking attack but also my datacenter too.

adonradon · Aug 30, 2016

FuZz3 said:

Hi guys i wanted your opinion on my firewall i had a huge ddos attack and i googled a firewall, and i added a couple rules to it!
This firewall runs websites, sinusbot, teamspeak 3
It has allot of ddos methods blocked but i tried with loic and i saw my packets coming in on the vps!
I used iftop to see the packets BTW!

Code:

iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -A INPUT -p udp --dport 9987 -j ACCEPT
iptables -A INPUT -p udp --sport 9987 -j ACCEPT
iptables -A INPUT -p udp --dport 9988 -j ACCEPT
iptables -A INPUT -p udp --sport 9988 -j ACCEPT
iptables -A INPUT -p tcp --dport 30033 -j ACCEPT
iptables -A INPUT -p tcp --sport 30033 -j ACCEPT
iptables -A INPUT -p tcp --dport 10011 -j ACCEPT
iptables -A INPUT -p tcp --sport 10011 -j ACCEPT
iptables -A INPUT -p tcp --dport 41144 -j ACCEPT
iptables -A INPUT -p tcp --sport 41144 -j ACCEPT
iptables -A INPUT -p tcp --dport 2010 -j ACCEPT
iptables -A INPUT -p tcp --sport 2010 -j ACCEPT
iptables -A INPUT -p tcp --dport 2011 -j ACCEPT
iptables -A INPUT -p tcp --sport 2011 -j ACCEPT
iptables -A INPUT -p tcp --dport 2008 -j ACCEPT
iptables -A INPUT -p tcp --sport 2008 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8087 -j ACCEPT
iptables -A INPUT -p tcp --sport 8087 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --sport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -d weblist.teamspeak.com --dport 2010 -j ACCEPT
iptables -A OUTPUT -p tcp -d accounting.teamspeak.com --dport 2008 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -I INPUT -s 109.51.48.210 -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p udp -m udp --sport 19 -j DROP
iptables -A INPUT -p udp -m udp --sport 123 -j DROP
iptables -A INPUT -p udp -m udp --sport 161 -j DROP
iptables -A INPUT -p udp -m udp --sport 1433 -j DROP
iptables -A INPUT -p udp -m udp --sport 1900 -j DROP
iptables -A INPUT -p udp -m udp --sport 27015 -j DROP
iptables -A INPUT -p udp -m udp --sport 27950 -j DROP
iptables -A INPUT -p udp -m udp --sport 27952 -j DROP
iptables -A INPUT -p udp -m udp --sport 27960 -j DROP
iptables -A INPUT -p udp -m udp --sport 27965 -j DROP
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -p udp -m udp --sport 19329 -j DROP
iptables -A INPUT -p udp -m udp --sport 53 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 53 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 19329 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 5353 -j DROP
iptables -A INPUT -p udp -m udp --sport 5353 -j DROP
iptables -A INPUT -p udp -m udp --sport 7143 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 7143 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 123 -j DROP
iptables -A INPUT -p udp -m udp --sport 123 -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -j DROP
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 10/sec --limit-burst 15 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
iptables -A syn-flood -j DROP
iptables-save > /etc/iptables/rules.v4
iptables-save > $HOME/firewall.txt

BTW guys if u know how to perfect my firewall pls tell me !

Please use "RETURN", If u want to do security ur server, u shouldn't use ACCEPT

FuZz3 · Aug 30, 2016

adonradon said:
Please use "RETURN", If u want to do security ur server, u shouldn't use ACCEPT

Like all rules of iptables that end with accept replace to return?

BERNARDO · Aug 30, 2016

@FuZz3 IPTables is from the top to the bottom. So when you accept everything at the beginning then all the drop rules wont work

If you want help from me, join on my teamspeak : REMOVED BY MOD QRAKTZYL and visit my website to see my self made protection REMOVED BY MOD QRAKTZYL

With best regards,
Bernardo

MOD QRAKTZYL EDIT :
Please do not refer to any other security website/forum. You can discuss about it here without any problem !

ikfes · Aug 30, 2016

Your iptables are inconsitent..
You have
iptables -t mangle -X
instead of normal filtering, then why don't you use prerouting?

Here is what I use.. My friend made these for me.
Noteworthy is that I use teamspeak.red "license" instead of the crack provided by this site. Not sure if it affects or not.

Code:

# Flush rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F PREROUTING
iptables -t raw -F OUTPUT
# List policies first
iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT ACCEPT;
# Disable connection tracking on voice server ports
iptables -A PREROUTING -t raw -p udp --dport 9987 -j NOTRACK
iptables -A OUTPUT -t raw -p udp --sport 9987 -j NOTRACK
# Allow TCP inbound
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 21,22 -j ACCEPT
# Drop invalid UDP
iptables -A PREROUTING -t raw -p udp --dport 9987 -m length --length 0:32 -j DROP
iptables -A PREROUTING -t raw -p udp --dport 9987 -m length --length 2521:65535 -j DROP
iptables -A PREROUTING -t raw -p udp --dport 9987 -m length --length 98 -j DROP
# Drop TS3 booter methods
iptables -A PREROUTING -t raw -p udp --dport 9987 -m string --hex-string '|fa163eb402096ac8|' --algo kmp -j DROP
iptables -A PREROUTING -t raw -p udp --dport 9987 -m string --hex-string '|71f63813d5422309|' --algo kmp -j DROP
# Allow incoming packets related to outgoing ones.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow UDP inbound
iptables -A INPUT -p udp --dport 9987 -j ACCEPT
# Allow ICMP
iptables -A INPUT -p icmp -j ACCEPT
# Log all dropped packets to /var/log/messages
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

Whats good about these rules, is that there is no tracking at all so these do not eat your CPU no matter how big the attack is..

Also I block all traffic from sourceports: UDP 19 (Chargen), UDP 53 (SSDP), UDP 123 (NTP) on OVH control panel IP-Firewall. and this mitigates over half of the L4 UDP floods on OVH network level without even reaching the server. Whatever reaches the server, gets blocked by iptables without eating up the CPU.

This runs on Debian 7

FuZz3 · Aug 31, 2016

Hmm looks good but i dont really see rules to block attacks, mine blocks a bunch of methods!

ikfes · Aug 31, 2016

FuZz3 said:
Hmm looks good but i dont really see rules to block attacks, mine blocks a bunch of methods!

It drops invalid UDP on all ports, drops packets with specific hex, and pretty much everything thats not coming to destination port 9987. This is just a base ruleset. As I get attacks on TS3 port, I'll analyze with tcpdump and add more rules on this list.

ikfes · Aug 31, 2016

These should be blocked on OVH IP-firewall instead of on local iptables of ur machine.

iptables -A INPUT -p udp -m udp --sport 19 -j DROP
iptables -A INPUT -p udp -m udp --sport 123 -j DROP
iptables -A INPUT -p udp -m udp --sport 161 -j DROP
iptables -A INPUT -p udp -m udp --sport 1433 -j DROP
iptables -A INPUT -p udp -m udp --sport 1900 -j DROP
iptables -A INPUT -p udp -m udp --sport 27015 -j DROP
iptables -A INPUT -p udp -m udp --sport 27950 -j DROP
iptables -A INPUT -p udp -m udp --sport 27952 -j DROP
iptables -A INPUT -p udp -m udp --sport 27960 -j DROP
iptables -A INPUT -p udp -m udp --sport 27965 -j DROP
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -p udp -m udp --sport 19329 -j DROP
iptables -A INPUT -p udp -m udp --sport 53 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 53 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 19329 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 5353 -j DROP
iptables -A INPUT -p udp -m udp --sport 5353 -j DROP
iptables -A INPUT -p udp -m udp --sport 7143 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 7143 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 123 -j DROP
iptables -A INPUT -p udp -m udp --sport 123 -j DROP

adonradon · Aug 31, 2016

FuZz3 said:
Like all rules of iptables that end with accept replace to return?

If u use ACCEPT, for example: someone attacks to u, u can't block because u write to ACCEPT like 22 tcp (SSH PORT). u replace ACCEPT to RETURN. of course...

adonradon · Aug 31, 2016

ikfes said:
These should be blocked on OVH IP-firewall instead of on local iptables of ur machine.

iptables -A INPUT -p udp -m udp --sport 19 -j DROP
iptables -A INPUT -p udp -m udp --sport 123 -j DROP
iptables -A INPUT -p udp -m udp --sport 161 -j DROP
iptables -A INPUT -p udp -m udp --sport 1433 -j DROP
iptables -A INPUT -p udp -m udp --sport 1900 -j DROP
iptables -A INPUT -p udp -m udp --sport 27015 -j DROP
iptables -A INPUT -p udp -m udp --sport 27950 -j DROP
iptables -A INPUT -p udp -m udp --sport 27952 -j DROP
iptables -A INPUT -p udp -m udp --sport 27960 -j DROP
iptables -A INPUT -p udp -m udp --sport 27965 -j DROP
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -p udp -m udp --sport 19329 -j DROP
iptables -A INPUT -p udp -m udp --sport 53 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 53 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 19329 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 5353 -j DROP
iptables -A INPUT -p udp -m udp --sport 5353 -j DROP
iptables -A INPUT -p udp -m udp --sport 7143 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 7143 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 123 -j DROP
iptables -A INPUT -p udp -m udp --sport 123 -j DROP

If u want to block ICMP protocol, u should use /etc/sysctl.conf
net.ipv4.icmp_echo_ignore_all=1 or echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
This is better than IPTABLES icmp drop
when I checked ur rules I saw that sport 53 drop, If u block sport 53 udp, u never ever do DNS resolve be careful about this, For example weblist.teamspeak.com (u can't resolve that)
this is better for dns amp attack blocking.
iptables -A INPUT ! -s 8.8.8.8 -p udp --sport 53 -j DROP

ikfes · Aug 31, 2016

adonradon said:
If u want to block ICMP protocol, u should use /etc/sysctl.conf
net.ipv4.icmp_echo_ignore_all=1 or echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
This is better than IPTABLES icmp drop

Correct, but if the DDoS is done via ICMP methods, its still wrong. If it gets to the machine the bandwidth is already wasted. Therefore block in OVH Network level if you block at all.

adonradon said:
when I checked ur rules I saw that sport 53 drop, If u block sport 53 udp, u never ever do DNS resolve be careful about this, For example weblist.teamspeak.com (u can't resolve that)
this is better for dns amp attack blocking.
iptables -A INPUT ! -s 8.8.8.8 -p udp --sport 53 -j DROP

Thats not my iptables. I suppose the reason he blocks sport 53 is due SSDP/DNS reflection attacks which always come from port 53. As for DNS resolving, this is why you have to allow incoming packets related to outgoing ones. This too, though should be blocked and allowed conditionally on OVH ip-firewall.

Ramses · Oct 1, 2016

ULDIN · Nov 20, 2016

how to use ??

MY VPS FIREWALL - OVH VPS

FuZz3

Member

freets3.ovh

Active Member

adonradon

Member

adonradon

Member

FuZz3

Member

BERNARDO

Member

ikfes

Member

FuZz3

Member

ikfes

Member

ikfes

Member

adonradon

Member

adonradon

Member

ikfes

Member

Ramses

Active Member

ULDIN

Well-Known Member