Introduction
This tutorial explains how to protect your game server from DDoS attacks by setting up a very basic firewall and rate limiting. Please note that even with these settings, your server will not be immune to DDoS attacks. However, a secure firewall can minimize the attack surface, and rate limiting rules can help prevent your server from being overloaded.
Prerequisites:
- Server with Ubuntu (This tutorial was tested with Ubuntu 22.04 but should work with other versions as well.)
Step 1 – Firewall
For security reasons, you should have a firewall that blocks all incoming traffic by default. You can then add exceptions to allow access to the protocols/ports required to log in to the server (SSH) and connect to the game (TCP/UDP). If you want to strengthen your firewall even further, you can also specify IP addresses that should be the only ones allowed access. Requests coming from any other IP address will be automatically dropped. This tutorial explains how to block all incoming traffic and:
- Allow everyone to access the game port.
- Allow only selected IPs to access the game port.
The default firewall in Ubuntu is ufw. This tutorial uses iptables directly. Make sure you are using only one firewall: ufw writes its own iptables rules, and running several firewalls side by side leads to conflicting rules and confusion. If ufw is active on your server, disable it before you continue.
To check whether you already have any rules, run:
sudo iptables -L
If the firewall has no rules yet, you can add them now. Mind the order: as soon as you set the default policy of the INPUT chain to DROP, every incoming packet that no rule explicitly accepts is discarded, including the packets of your own SSH session. So first add the rules that accept SSH (and, in practice, loopback traffic and packets belonging to connections that are already established), verify them with sudo iptables -L, and only then switch the default policy to DROP.
If you are not using the default SSH port, make sure to replace 22 in the following commands:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
Now that the firewall is set up (SSH allowed, default policy DROP), you can open your game port. Use one of the two variants below.
Only selected IPs have access to the game port
If you know the IP addresses of the players who join the game and those addresses do not change, you can grant access to those IPs only:
sudo iptables -A INPUT -s <203.0.113.1>,<198.51.100.1> -p tcp --dport <your_game_port> -j ACCEPT
sudo iptables -A INPUT -s <203.0.113.1>,<198.51.100.1> -p udp --dport <your_game_port> -j ACCEPT
Allow everyone to access the game port
With these rules, everyone can connect to your game:
sudo iptables -A INPUT -p tcp --dport <your_game_port> -j ACCEPT
sudo iptables -A INPUT -p udp --dport <your_game_port> -j ACCEPT
The new rules are now active; use sudo iptables -L to view them. By default they are not persistent and disappear on the next reboot. To make them persistent, install iptables-persistent:
sudo apt update && sudo apt install iptables-persistent
During installation the package asks whether it should save the current IPv4 and IPv6 rules. You can accept, or save them explicitly afterwards:
sudo iptables-save | sudo tee /etc/iptables/rules.v4
sudo ip6tables-save | sudo tee /etc/iptables/rules.v6
The next time you reboot the server, the rules saved in these files are applied again. Whenever you add new iptables rules, run iptables-save again to update the files; otherwise the change is lost at the next reboot.
To remove a rule, look up its position in the chain and delete it by number:
sudo iptables -L --line-numbers # List all rules with their numbers
sudo iptables -D INPUT <line-number> # Delete the INPUT rule with that number
Step 2 – Rate limiting
Setting up a firewall as described in “Step 1” already improves security. However, opening the game port to the public also opens it to abuse: every new connection that reaches the port costs the game server resources. iptables and Fail2Ban let you cap the number of new connections that are accepted. This step explains how to:
- Limit the number of requests per IP.
- Limit the number of requests from all IPs together.
Step 2.1 – Limit the number of requests per IP
This step uses Fail2Ban to limit requests and iptables to log requests.
Before you begin, make sure that both iptables and Fail2Ban are available. Use systemctl status fail2ban to check whether Fail2Ban is running. To install it on Ubuntu:
sudo apt install fail2ban
sudo systemctl enable --now fail2ban
Tell iptables to log access attempts
Fail2Ban works on log files, so iptables first has to write a log line for every new connection to the game port:
sudo iptables -I INPUT -p tcp --dport <your_game_port> -m conntrack --ctstate NEW -j LOG --log-level 6 --log-prefix "GameServerAccess: "
The rule is inserted at the top of the INPUT chain (-I) so that it runs before the ACCEPT rules from Step 1, and it matches only the first packet of a connection (--ctstate NEW), not every packet. iptables now logs every attempt to open a TCP connection to port <your_game_port> to /var/log/syslog; each of these kernel messages starts with the prefix GameServerAccess: and contains the packet details, including SRC=<ip>. Keep in mind that an attacker who can send many packets can also make you write many log lines; if disk usage becomes a problem, the limit module from Step 2.2 can be attached to this LOG rule as well. Make the rule persistent:
sudo iptables-save | sudo tee /etc/iptables/rules.v4
Add a filter
In /var/log/syslog only the entries with the prefix GameServerAccess: are relevant. Create the following file to tell Fail2Ban how to recognise those entries and which part of them is the source IP:
sudo nano /etc/fail2ban/filter.d/gameserveraccess.conf
Add the following content:
[Definition]
failregex = GameServerAccess: .* SRC=<HOST>
ignoreregex =
Fail2Ban substitutes its own address pattern for <HOST>, so the value after SRC= is captured as the IP to count. Next, tell Fail2Ban to limit the number of requests per IP and to set a ban time for IPs that exceed the limit. logpath tells Fail2Ban which file to read; the filter created above makes it consider only the lines with the GameServerAccess prefix.
sudo nano /etc/fail2ban/jail.local
Add the following content:
[game-server]
enabled = true
filter = gameserveraccess
logpath = /var/log/syslog
maxretry = 7
findtime = 30
bantime = 120
With these settings an IP is banned as soon as Fail2Ban sees 7 new connection attempts (log lines) from it within 30 seconds, and the ban is lifted after 120 seconds; in other words, up to 6 attempts in any 30-second window are tolerated. Fail2Ban enforces the ban with iptables rules of its own, which it inserts ahead of yours. Because the jail sets no port, the ban applies to the ports from the DEFAULT section of jail.conf; add port = <your_game_port> to the jail if you want to ban offenders from the game port only. To use a different limit, replace the values 7, 30 and 120 accordingly.
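To see what the filter and the jail settings above actually do, the following Python script (an added example, not part of this tutorial or of Fail2Ban) replays a few constructed syslog lines, written in the shape the iptables LOG rule produces, through the same failregex and the same maxretry/findtime/bantime logic. The hostname gamehost, the port 27015 and the IP addresses are made up; the regex handles IPv4 only, whereas Fail2Ban's <HOST> also covers IPv6 and hostnames.

```python
import re
from collections import defaultdict, deque

# Jail parameters from jail.local above.
MAXRETRY = 7
FINDTIME = 30
BANTIME = 120

# The failregex from filter.d/gameserveraccess.conf. Fail2Ban replaces <HOST>
# with a pattern for IPv4/IPv6 addresses and hostnames; this model (an added
# illustration, not Fail2Ban's own code) only handles IPv4.
FAILREGEX = re.compile(r"GameServerAccess: .* SRC=(?P<host>\d{1,3}(?:\.\d{1,3}){3})")
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} +\d+ (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) ")


def parse_syslog_line(line):
    """Return (seconds since midnight, source IP) for a line the filter
    matches, or None. All sample lines fall on one day, so the day is ignored."""
    ts = SYSLOG_TS.match(line)
    hit = FAILREGEX.search(line)
    if ts is None or hit is None:
        return None
    secs = int(ts["h"]) * 3600 + int(ts["m"]) * 60 + int(ts["s"])
    return secs, hit["host"]


def run_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines (chronological order) through the jail's counting rule:
    an IP is banned as soon as `maxretry` matches fall inside a window of
    `findtime` seconds. Returns {ip: time_of_ban} for every IP that got banned."""
    recent = defaultdict(deque)   # ip -> timestamps of matches still in the window
    bans = {}
    for line in lines:
        parsed = parse_syslog_line(line)
        if parsed is None:
            continue              # not a GameServerAccess line: ignored by the filter
        now, ip = parsed
        if ip in bans and now < bans[ip] + bantime:
            continue              # banned: Fail2Ban's own rule drops it, nothing to count
        window = recent[ip]
        window.append(now)
        while window and window[0] < now - findtime:
            window.popleft()      # forget attempts older than findtime
        if len(window) >= maxretry:
            bans[ip] = now
            window.clear()
    return bans


def _kernel_log(hhmmss, src, dpt=27015):
    """Constructed syslog line in the shape the iptables LOG target produces."""
    return (f"Mar 10 {hhmmss} gamehost kernel: [ 1234.567890] GameServerAccess: "
            f"IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} "
            f"DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP "
            f"SPT=51234 DPT={dpt} WINDOW=64240 RES=0x00 SYN URGP=0")


# Constructed sample log: one IP hammering the port (8 attempts in 8 seconds),
# one normal player (6 attempts in 25 s, one more 40 s later) and an unrelated
# sshd line that the filter must ignore. Sorting by the fixed-width timestamp
# prefix puts the lines in chronological order.
SAMPLE_LOG = sorted(
    [_kernel_log(f"12:00:0{i}", "203.0.113.5") for i in range(8)]
    + [_kernel_log(f"12:00:{s:02d}", "198.51.100.7") for s in (0, 5, 10, 15, 20, 25)]
    + [_kernel_log("12:01:05", "198.51.100.7"),
       "Mar 10 12:00:03 gamehost sshd[812]: Accepted publickey for deploy "
       "from 192.0.2.9 port 40222 ssh2"]
)

if __name__ == "__main__":
    for ip, when in run_jail(SAMPLE_LOG).items():
        print(f"{ip} banned at {when // 3600:02d}:{when % 3600 // 60:02d}:{when % 60:02d}")
```

Run with python3: 203.0.113.5 is banned at its 7th attempt (12:00:06), while 198.51.100.7 never has 7 attempts inside a 30-second window and is left alone. On the real server, fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/gameserveraccess.conf shows how many lines of your actual log the filter matches.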
Once everything is set up, restart Fail2Ban:
sudo systemctl restart fail2ban
You can check that the jail is active and see its current bans with sudo fail2ban-client status game-server.
Step 2.2 – Limit the number of requests from all IPs together
With iptables you can use the limit module to cap the total number of new connections in a given period. The module behaves like a token bucket: --limit-burst sets how many new connections are accepted in quick succession while the bucket is full, and --limit sets the average rate at which the bucket refills, for example 2/min (one new connection every 30 seconds). A packet that arrives when the bucket is empty does not match the rule and falls through to the next one.
Delete the old firewall rule. If you already opened the game port to everyone in “Step 1,” you can delete the rule now. With the rate limiting rules below, you no longer need this rule.
sudo iptables -L --line-numbers # Get the line number of "ACCEPT anywhere tcp dpt:<your_game_port>"
sudo iptables -D INPUT <line-number> # Delete the rule that accepts all incoming requests to your game port
Run the following commands to add new rules with a burst of 100 and a refill rate of 2 per minute, i.e. after 100 new connections in quick succession only one further new connection is accepted every 30 seconds. To use different limits, replace the values 100 and 2/min accordingly. The second rule drops every new connection that the first rule did not accept:
sudo iptables -A INPUT -p tcp --dport <your_game_port> -m conntrack --ctstate NEW -m limit --limit 2/min --limit-burst 100 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport <your_game_port> -m conntrack --ctstate NEW -j DROP
Both rules are TCP-only; if your game uses UDP, the UDP rule from Step 1 still admits every packet. Save the rules again:
sudo iptables-save | sudo tee /etc/iptables/rules.v4
The next time you restart your server, the rules saved in the file will be reapplied.
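To get a feeling for what --limit 2/min --limit-burst 100 means in practice, the following Python script (an added example, not part of this tutorial or of iptables) models the limit match as the token bucket it is and replays two constructed arrival patterns through the ACCEPT/DROP rule pair above. The kernel's real implementation works with integer credits at timer resolution, so this is an idealised model; the arrival times are made up.

```python
from fractions import Fraction

# iptables --limit takes a count and an optional unit, e.g. 2/min or 5/second
# (per second when no unit is given).
UNIT_SECONDS = {"second": 1, "sec": 1, "minute": 60, "min": 60, "hour": 3600, "day": 86400}


def parse_rate(spec):
    """Convert an iptables --limit value such as '2/min' to tokens per second
    (an exact Fraction, so the replay below is not subject to float rounding)."""
    count, _, unit = spec.partition("/")
    return Fraction(int(count), UNIT_SECONDS[unit or "second"])


class LimitMatch:
    """Token-bucket model of the netfilter limit match (an added illustration,
    not the kernel's code): the bucket starts full with --limit-burst tokens,
    refills at the --limit rate, and the rule matches only if a token is left."""

    def __init__(self, limit="2/min", burst=100):
        self.rate = parse_rate(limit)
        self.burst = Fraction(burst)
        self.tokens = self.burst
        self.last = Fraction(0)

    def matches(self, now):
        """Called once per NEW-connection packet; `now` in seconds, non-decreasing."""
        now = Fraction(now)
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(arrivals, limit="2/min", burst=100):
    """Replay NEW-connection arrival times through the two rules above:
    '-m limit ... -j ACCEPT' followed by '--ctstate NEW -j DROP'.
    Returns (accepted, dropped)."""
    bucket = LimitMatch(limit, burst)
    accepted = dropped = 0
    for t in arrivals:
        if bucket.matches(t):
            accepted += 1        # first rule matched: ACCEPT
        else:
            dropped += 1         # bucket empty: falls through to the DROP rule
    return accepted, dropped


def flood_then_trickle():
    """150 connection attempts in the same second, then one every 10 s for
    100 s: the first 100 use up the burst; after that only one attempt per
    30 s (2/min) gets through, no matter who sends it."""
    return simulate([0] * 150 + [10 * i for i in range(1, 11)])


def steady_players():
    """20 players joining one minute apart never touch the limit."""
    return simulate([60 * i for i in range(20)])


if __name__ == "__main__":
    print("flood then trickle (accepted, dropped):", flood_then_trickle())
    print("steady players (accepted, dropped):", steady_players())
```

The flood scenario also shows the downside of a per-server limit that Step 3 mentions: once the burst is spent, a legitimate player arriving during the trickle phase is dropped just like the attacker, until a token has accumulated.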
Step 3 – Blocking Rules
Once the rate limit from “Step 2” is reached, nobody can open a new connection to TCP port <your_game_port>. As long as the requests stay within the limit, however, every new connection is accepted, legitimate or not. Some of that traffic is easy to recognise as illegitimate: a real TCP connection always begins with a packet that has only the SYN flag set, so a packet that conntrack classifies as NEW but that is not such a SYN (a stray ACK, RST or FIN, as sent by some floods and scans) cannot be the start of a valid connection. The following rule, inserted at the top of the chain, drops these packets before they are logged or counted against the limit:
sudo iptables -I INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
Packets of connections that conntrack has forgotten (for example after a reboot) are affected too; those clients simply have to reconnect. When everything is done, save your rules again:
sudo iptables-save | sudo tee /etc/iptables/rules.v4
Result
Please note that these settings are not sufficient to completely prevent DDoS attacks and there is always room to improve security with further DDoS mitigation settings. However, with the settings provided in this tutorial, you now have a first line of defense against DDoS attacks and something to build on.