This line in a script:
iptables -A jk2_ddos -m u32 ! --u32 "0x1c=0xffffffff" -j ACCEPT
will result in this error:
iptables v1.4.12: u32: option "--u32" cannot be inverted.
This seems not to work in iptables 1.4.12. In older versions it worked. I need something that does the same. The problem is I'm a total noob.
Does this line do the same, or is it nonsense?
iptables -A jk2_ddos -m u32 --u32 "0x1c=0xffffffff" -j REJECT
Thanks for your help
Edit: This is the complete script.
# create chain
iptables -N jk2_ddos

# accept real client/player traffic
iptables -A jk2_ddos -m u32 ! --u32 "0x1c=0xffffffff" -j ACCEPT

# match "getstatus" queries and remember their address
iptables -A jk2_ddos -m u32 --u32 "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73" -m recent --name getstatus --set

# drop packet if "hits" per "seconds" is reached
#
# NOTE: if you run multiple servers on a single host, you will need to raise these limits,
# as otherwise you will block regular server queries, like Spider or QConnect
# e.g. they will query all of your servers within a second to update the list
iptables -A jk2_ddos -m recent --update --name getstatus --hitcount 10 --seconds 3 -j DROP

# accept otherwise
iptables -A jk2_ddos -j ACCEPT

# finally insert the chain as the top most input filter
# single server
iptables -I INPUT 1 -p udp --dport 28070 -j jk2_ddos
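The same filter can be written without inverting the u32 match at all, which is what the 1.4.12 error is about. The script below is an added example, not the asker's script: instead of "! --u32 ... -j ACCEPT", packets whose first four UDP payload bytes are 0xffffffff (offset 0x1c = 20-byte IPv4 header + 8-byte UDP header, so this assumes no IP options) are diverted into a second chain, and everything else falls through to the final ACCEPT, exactly as before. The chain name jk2_oob and the dry-run wrapper are assumptions of this example; the u32 expressions, the recent limits and the port are the ones from the posted script.

```shell
#!/bin/sh
# Added example: jk2_ddos rate limiting without the inverted u32 match.
# IPT defaults to a dry-run function that only prints the rules, so the
# script can be read and checked offline; run with IPT=iptables to apply.
dry_run() { printf '%s\n' "iptables $*"; }
IPT="${IPT:-dry_run}"
PORT="${PORT:-28070}"

jk2_rules() {
    # create the chains (jk2_oob is this example's name for the OOB sub-chain)
    $IPT -N jk2_ddos
    $IPT -N jk2_oob

    # only out-of-band packets (payload starts with 0xffffffff) are inspected
    # further; this replaces the non-invertible "! --u32 ... -j ACCEPT"
    $IPT -A jk2_ddos -m u32 --u32 "0x1c=0xffffffff" -j jk2_oob

    # real client/player traffic never carries the OOB marker: accept it
    $IPT -A jk2_ddos -j ACCEPT

    # match "getstatus" queries and remember their source address
    $IPT -A jk2_oob -m u32 --u32 "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73" -m recent --name getstatus --set

    # drop once a source exceeds 10 hits in 3 seconds
    # (raise these limits if several servers share the host, as the original notes)
    $IPT -A jk2_oob -m recent --update --name getstatus --hitcount 10 --seconds 3 -j DROP

    # accept the remaining OOB traffic
    $IPT -A jk2_oob -j ACCEPT

    # finally insert the chain as the top-most input filter (single server)
    $IPT -I INPUT 1 -p udp --dport "$PORT" -j jk2_ddos
}

# sanity check: number of emitted rules that still use an inverted u32 match
inverted_count() {
    jk2_rules | grep -c -- '! --u32' || true
}

jk2_rules
```

Note that the proposed "-j REJECT" variant from the question is not equivalent: it would reject every out-of-band packet, including legitimate getstatus queries, instead of accepting non-OOB traffic early.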