Project Zomboid
Linux Server: Firewall
By Lu5ck
Game servers tend to get DDoSed, so what can you do other than hiding behind a DDoS-protected network?
Introduction
A Distributed Denial-of-Service (DDoS) attack is a malicious attempt to disrupt the flow of traffic to a server. It is usually done by sending large amounts of useless data from many different IPs in an attempt to overwhelm your bandwidth.
Firewall
A firewall prevents unauthorized access, but it can also silently ignore unwanted traffic, and by ignoring traffic we reduce the attack surface and so minimize the impact of a DDoS.

In this guide we use "firewalld" as the example because it is simple, so start by installing it.

Debian-based Linux
apt install firewalld
RHEL-based Linux
dnf install firewalld

Enable on boot and start the firewall
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --state

By default, eth0 is assigned to the public zone, so all of our settings go into the public zone.

Make sure SSH is open
firewall-cmd --zone=public --add-service=ssh --permanent

Harden SSH: drop new connections from any IP that makes more than 3 attempts within 60s. The first rule records the source IP in a "recent" list, the second drops the 4th and later hits inside the window (and --update refreshes the timestamp, so the block lasts as long as the IP keeps trying). The list is given its own --name so the SSH counter is not shared with the game-port and ping rules.
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name ssh --set
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP

Open the game ports
firewall-cmd --zone=public --add-port=16261-16262/tcp --permanent
firewall-cmd --zone=public --add-port=16261-16262/udp --permanent

In-game, PZ can refresh a server every 5s, so we block IPs that exceed 13 attempts within 60s for 60s. TCP and UDP each get their own recent list.
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 16261:16262 -i eth0 -m state --state NEW -m recent --name pz_tcp --set
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -p tcp --dport 16261:16262 -i eth0 -m state --state NEW -m recent --name pz_tcp --update --seconds 60 --hitcount 14 -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 16261:16262 -i eth0 -m state --state NEW -m recent --name pz_udp --set
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -p udp --dport 16261:16262 -i eth0 -m state --state NEW -m recent --name pz_udp --update --seconds 60 --hitcount 14 -j DROP

Set the zone to silently ignore every unauthorized connection instead of responding with a reject message
firewall-cmd --set-target=DROP --zone=public --permanent

Setting the target to DROP also drops all ICMP, so we need to whitelist specific ICMP types. First, invert the ICMP blacklist into a whitelist.
firewall-cmd --permanent --zone=public --add-icmp-block-inversion

Allow ping
firewall-cmd --permanent --add-icmp-block=echo-request

If an IP pings more than 15 times within 10s, we ignore it for 10s. A typical ping is one per second.
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p icmp --icmp-type 8 -i eth0 -m recent --name ping --set
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -p icmp --icmp-type 8 -i eth0 -m recent --name ping --update --seconds 10 --hitcount 16 -j DROP
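The SSH, game-port and ping rules above are all the same two-rule "recent" pattern with different thresholds. The helper below is an added example, not part of the guide and not Project Zomboid or firewalld code: it generates (and only prints) those rule pairs from a name, protocol, port or ICMP type, maximum tries and window, so the thresholds live in one place and the off-by-one (hitcount is tries + 1) is handled once. The interface name is assumed to be eth0 as in the guide and can be overridden with IFACE.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the guide): emit the firewalld direct
# rules for per-IP rate limiting with the iptables "recent" module.
# Usage: rate_limit_rules NAME PROTO PORT_OR_ICMPTYPE MAX_TRIES WINDOW_SECONDS
# Pipe the output to sh to apply it, then run "firewall-cmd --reload".
IFACE="${IFACE:-eth0}"   # assumption: same interface as the guide

rate_limit_rules() {
  name="$1"; proto="$2"; port="$3"; max="$4"; window="$5"
  hitcount=$((max + 1))   # the (max+1)-th hit inside the window is the first one dropped
  case "$proto" in
    icmp)    match="-p icmp --icmp-type $port -i $IFACE" ;;
    tcp|udp) match="-p $proto --dport $port -i $IFACE -m state --state NEW" ;;
    *) echo "unsupported protocol: $proto" >&2; return 1 ;;
  esac
  # Rule 0: record the source IP in its own named list on every new hit.
  printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 %s -m recent --name %s --set\n' \
    "$match" "$name"
  # Rule 1: refresh the timestamp and drop once the IP has more than MAX hits in WINDOW seconds.
  printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 %s -m recent --name %s --update --seconds %s --hitcount %s -j DROP\n' \
    "$match" "$name" "$window" "$hitcount"
}

# The guide's thresholds, each with a separate list so the counters do not interfere.
rate_limit_rules ssh    tcp  22          3  60
rate_limit_rules pz_tcp tcp  16261:16262 13 60
rate_limit_rules pz_udp udp  16261:16262 13 60
rate_limit_rules ping   icmp 8           15 10
```

Because the rules are only printed, you can review the exact iptables arguments before piping them to sh; the lists are visible afterwards under /proc/net/xt_recent/ by name.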

Allow traceroute
firewall-cmd --permanent --add-icmp-block=time-exceeded
firewall-cmd --permanent --add-icmp-block=port-unreachable

Allow MTU discovery
firewall-cmd --permanent --add-icmp-block=fragmentation-needed
firewall-cmd --permanent --add-icmp-block=packet-too-big

If using IPv6
firewall-cmd --permanent --add-icmp-block=neighbour-solicitation
firewall-cmd --permanent --add-icmp-block=neighbour-advertisement
firewall-cmd --permanent --add-icmp-block=router-advertisement
firewall-cmd --permanent --add-icmp-block=router-solicitation

Reload the settings
firewall-cmd --reload
Further Hardening (Security)
The kernel can be tweaked further to accept or reject specific kinds of network information, and likewise to raise the number of incoming connections it handles.

nano /etc/sysctl.conf

Add the following
# Ignore ICMP redirects, so untrusted addresses cannot steer our traffic onto a malicious route
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Only accept redirects from our own gateways; should be enabled by default, but just to be sure
net.ipv4.conf.all.secure_redirects = 1
# Stricter TCP handling (RFC 1337 TIME-WAIT protection)
net.ipv4.tcp_rfc1337 = 1
# A host with a static IPv6 address does not need router solicitation, router preference, prefix information, autoconf or DHCP
net.ipv6.conf.all.router_solicitations = 0
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.all.max_addresses = 1
net.ipv6.conf.default.max_addresses = 1
# Don't let a router (or a rogue router) install itself as our default IPv6 route via Router Advertisements
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_defrtr = 0

Apply the settings without rebooting
sysctl -p
sysctl -w net.ipv4.route.flush=1
sysctl -w net.ipv6.route.flush=1
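After sysctl -p it is worth confirming that the kernel actually holds every value in the file (a typo in a key, or IPv6 being disabled on the box, silently leaves a setting unapplied). The script below is an added example, not from the guide: it parses a sysctl.conf-style file and compares each key against the live value read from the /proc/sys tree. The tree root is a parameter (hypothetical, defaulting to /proc/sys) so the check can also be exercised against a fake tree.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the guide): verify that the kernel holds
# the values listed in a sysctl.conf-style file.
# Usage: check_sysctl_applied /etc/sysctl.conf            (reads /proc/sys)
#        check_sysctl_applied conf-file /some/fake/tree    (for testing)

# Turn "key = value" / "key=value" lines into plain "key=value": strip comments, whitespace, blanks.
normalize_sysctl_conf() {
  sed -e 's/#.*$//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# Print one line for every key whose live value differs from the file, or which is missing
# from the proc tree (e.g. IPv6 keys when IPv6 is disabled). Prints nothing when all match.
sysctl_mismatches() {
  conf="$1"; root="${2:-/proc/sys}"
  normalize_sysctl_conf "$conf" | while IFS='=' read -r key want; do
    path="$root/$(printf '%s' "$key" | tr . /)"   # net.ipv4.x -> net/ipv4/x
    if [ ! -r "$path" ]; then
      echo "$key missing (not readable at $path)"
      continue
    fi
    have=$(cat "$path")
    [ "$have" = "$want" ] || echo "$key expected=$want live=$have"
  done
  return 0
}

# Exit status 0 when every value is applied, 1 otherwise (differences go to stderr).
check_sysctl_applied() {
  diffs=$(sysctl_mismatches "$@")
  [ -z "$diffs" ] && return 0
  printf '%s\n' "$diffs" >&2
  return 1
}
```

Run it once right after sysctl -p and again after a reboot: the second run catches keys that were accepted with -w but are not persisted, or that a later network setup step reset.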

DNS over TLS
Just to make sure our DNS lookups are encrypted and validated.
nano /etc/systemd/resolved.conf
Modify it to (the keys belong in the [Resolve] section)
[Resolve]
DNS=1.1.1.1 1.0.0.1
FallbackDNS=8.8.8.8 8.8.4.4
Domains=~.
DNSSEC=yes
DNSOverTLS=yes

Restart the resolver so it reads the new settings (resolved.conf belongs to systemd-resolved, not NetworkManager)
systemctl restart systemd-resolved
1 Comment
rivers, 7 Feb @ 12:12pm
this guide helped me to land a job as an admin