iptables 1.4.12 invert and --u32


This line in a script:

iptables -A jk2_ddos -m u32 ! --u32 "0x1c=0xffffffff" -j ACCEPT

will result in this error:

iptables v1.4.12: u32: option "--u32" cannot be inverted. 

This seems not to work in iptables 1.4.12. In older versions it worked. I need something that does the same. The problem is I'm a total noob.

Does this line do the same, or is it nonsense?

iptables -A jk2_ddos -m u32 --u32 "0x1c=0xffffffff" -j REJECT

Thanks for your help

Edit: This is the complete script.

# create chain
iptables -N jk2_ddos

# accept real client/player traffic (anything that does not start with the 0xffffffff OOB marker)
iptables -A jk2_ddos -m u32 ! --u32 "0x1c=0xffffffff" -j ACCEPT

# match "getstatus" queries and remember their address
iptables -A jk2_ddos -m u32 --u32 "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73" -m recent --name getstatus --set

# drop packet if "hits" per "seconds" is reached
# NOTE: if you run multiple servers on a single host, you will need to raise these limits,
# as otherwise you will block regular server queries, like Spider or QConnect,
# e.g. they will query all of your servers within a second to update the list
iptables -A jk2_ddos -m recent --update --name getstatus --hitcount 10 --seconds 3 -j DROP

# accept otherwise
iptables -A jk2_ddos -j ACCEPT

# finally insert the chain as the top-most input filter

# single server
iptables -I INPUT 1 -p udp --dport 28070 -j jk2_ddos
asked on Server Fault Nov 8, 2013 by user212022 • edited Nov 8, 2013 by user212022
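The inverted rule in the question says "accept everything that is not a Quake3-style out-of-band packet". The same routing can be expressed without `!` by jumping into a sub-chain only for packets that do match the u32 test and accepting everything else in the parent chain; the second rule then plays the role the inverted rule used to. Below is an added example of that rewrite; it is not code from the question or from any project, and the sub-chain name `jk2_ddos_oob`, the `IPT`/`PORT`/`HITS`/`SECS` variables and the `dry-run`/`apply` argument are assumptions introduced here. The u32 expressions themselves are taken unchanged from the question: with a 20-byte IPv4 header and an 8-byte UDP header, offset 0x1c is the first four bytes of the UDP payload (the `0xffffffff` connectionless marker) and 0x20 is where the ASCII string `getstatus` starts, so the rules assume packets without IP options.

```shell
#!/bin/sh
# Added example: the question's jk2_ddos chain rewritten so that no u32 match
# is inverted (iptables 1.4.12 refuses "! --u32"). Sub-chain name and the
# variables below are assumptions, not part of the original script.
set -eu

IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of applying them
PORT="${PORT:-28070}"    # UDP port of the game server (value from the question)
HITS="${HITS:-10}"       # getstatus queries allowed per SECS seconds per source address
SECS="${SECS:-3}"

# u32 offsets count from the start of the IPv4 header (20 bytes, no options),
# so 0x1c is the first word of the UDP payload and 0x20 the start of "getstatus".
OOB_MARK='0x1c=0xffffffff'
GETSTATUS='0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73'

jk2_rules() {
    "$IPT" -N jk2_ddos
    "$IPT" -N jk2_ddos_oob

    # Parent chain: only packets that DO carry the OOB marker are sent to the
    # rate-limit chain; everything else is real client/player traffic and is
    # accepted, which is exactly what the inverted rule used to do.
    "$IPT" -A jk2_ddos -m u32 --u32 "$OOB_MARK" -j jk2_ddos_oob
    "$IPT" -A jk2_ddos -j ACCEPT

    # Sub-chain: remember getstatus senders, drop a sender once it exceeds
    # HITS queries within SECS seconds, and accept any other OOB packet.
    "$IPT" -A jk2_ddos_oob -m u32 --u32 "$GETSTATUS" -m recent --name getstatus --set
    "$IPT" -A jk2_ddos_oob -m recent --update --name getstatus --hitcount "$HITS" --seconds "$SECS" -j DROP
    "$IPT" -A jk2_ddos_oob -j ACCEPT

    # Hook the chain in as the first INPUT rule for the server port.
    "$IPT" -I INPUT 1 -p udp --dport "$PORT" -j jk2_ddos
}

# Number of generated rules that still use an inverted u32 match (expected: 0).
inverted_u32_count() {
    (IPT=echo; jk2_rules) | grep -c -- '! --u32' || true
}

# Number of iptables invocations the rule set produces (expected: 8).
rule_count() {
    (IPT=echo; jk2_rules) | grep -c . || true
}

case "${1:-dry-run}" in
    apply)   jk2_rules ;;                  # needs root and the u32/recent modules
    dry-run) (IPT=echo; jk2_rules) ;;      # print the commands only
esac
```

Run it with no argument to see the generated commands, and with `apply` as root to load them. Because the parent chain now accepts every non-OOB packet before the sub-chain is consulted, the `recent` bookkeeping only ever sees connectionless packets, the same population the original script limited.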

0 Answers

Nobody has answered this question yet.

User contributions licensed under CC BY-SA 3.0