Protecting game servers against DDoS


Introduction

This tutorial explains how to protect your game server from DDoS attacks by setting up a very basic firewall and rate limiting. Please note that even with these settings, your server will not be immune to DDoS attacks. However, a secure firewall can minimize the attack surface, and rate limiting rules can help prevent your server from being overloaded.

Prerequisites:
  • Server with Ubuntu (This tutorial was tested with Ubuntu 22.04 but should work with other versions as well.)

Step 1 – Firewall

For security reasons, you should have a firewall that blocks all incoming traffic by default. You can then add exceptions to allow access to the protocols/ports required to log in to the server (SSH) and connect to the game (TCP/UDP). If you want to strengthen your firewall even further, you can also specify IP addresses that should be the only ones allowed access. Requests coming from any other IP address will be automatically dropped. This tutorial explains how to block all incoming traffic and:

  • Allow everyone to access the game port.
  • Only allow selected IPs to access the game port.

The default firewall in Ubuntu is ufw. This tutorial uses iptables. Make sure you are using only one firewall. Using multiple different firewalls is not recommended as the rules of those firewalls may conflict with each other and lead to confusion.

To check if you already have any rules, you can use the following:

sudo iptables -L

If your firewall doesn't have any rules yet, you can add them now. When you set the default policy for inbound traffic to "DROP," every connection that is not explicitly allowed will be dropped immediately. For this reason, you should first make sure you allow SSH connections so that you can still access your server.

If you are not using the default SSH port, be sure to replace 22 in the commands below.

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT

Now that SSH is allowed, you can open your game port.

Only allow selected IPs to access the game port

If you know the IPs of the players joining the game and those IPs don't change, you can grant access to only those IPs:

sudo iptables -A INPUT -s <203.0.113.1>,<198.51.100.1> -p TCP --dport <your_game_port> -j ACCEPT
sudo iptables -A INPUT -s <203.0.113.1>,<198.51.100.1> -p UDP --dport <your_game_port> -j ACCEPT

Allow everyone to access the game port

With this rule, everyone can access your game:

sudo iptables -A INPUT -p TCP --dport <your_game_port> -j ACCEPT
sudo iptables -A INPUT -p UDP --dport <your_game_port> -j ACCEPT

The new rules are now in place. You can use sudo iptables -L to view them. The rules are not persistent by default and will disappear on the next reboot. To make them persistent, install iptables-persistent:

sudo apt update && sudo apt install iptables-persistent

Now save your rules:

sudo iptables-save | sudo tee /etc/iptables/rules.v4
sudo ip6tables-save | sudo tee /etc/iptables/rules.v6

The next time you restart your server, the rules saved in the file will be reapplied. When you add new iptables rules, you need to run the iptables-save command again to update the files.

To remove a rule, list the rules with their numbers and delete the one you no longer need by its number:

sudo iptables -L --line-numbers   # List all rules with numbers
sudo iptables -D INPUT <number>   # Delete an INPUT rule by specifying its number
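As an added example (not code from the original tutorial), the following Python script writes the Step 1 ruleset in the iptables-restore format that iptables-persistent loads from /etc/iptables/rules.v4, so you can review the whole policy in one file before applying it. The helper name build_rules_v4 and the game port 27015 are this example's own assumptions. Beyond the rules the tutorial lists, it includes the DROP default policy the tutorial describes but does not show as a command, plus two rules that accept loopback traffic and packets belonging to connections the server itself opened; without the latter, replies to outbound connections (apt, DNS) would be dropped once the policy is DROP.

```python
"""Build an iptables-restore ruleset (the /etc/iptables/rules.v4 format used
by iptables-persistent) for the Step 1 game-server firewall.

Added example; the helper name, the sample port and the loopback/conntrack
rules are this example's assumptions, not from the original tutorial."""
from typing import Iterable, List, Optional


def build_rules_v4(ssh_port: int, game_port: int,
                   allowed_ips: Optional[Iterable[str]] = None) -> str:
    """Return the text of a rules.v4 file.

    INPUT defaults to DROP, so only the listed exceptions get through.
    If allowed_ips is given, the game port is opened only for those
    sources (one rule per IP and protocol); otherwise it is open to all."""
    for port in (ssh_port, game_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")

    lines: List[str] = [
        "*filter",
        ":INPUT DROP [0:0]",      # default policy: drop unsolicited inbound
        ":FORWARD DROP [0:0]",    # this host does not route for others
        ":OUTPUT ACCEPT [0:0]",
        # Assumed additions: loopback and replies to connections we opened.
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # SSH, so the admin keeps access after the DROP policy is in force.
        f"-A INPUT -p tcp --dport {ssh_port} -j ACCEPT",
    ]
    sources = list(allowed_ips) if allowed_ips else [None]
    for src in sources:
        src_opt = f"-s {src} " if src else ""
        for proto in ("tcp", "udp"):
            lines.append(f"-A INPUT {src_opt}-p {proto} --dport {game_port} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: SSH on 22, game on 27015, two allowed player IPs.
    print(build_rules_v4(22, 27015, ["203.0.113.1", "198.51.100.1"]), end="")
```

Redirect the output to a file and load it with sudo iptables-restore < rules.v4; iptables-restore --test parses the file without applying it, which is a cheap way to catch syntax errors before they lock you out.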

Step 2 – Rate Limiting

Setting up a firewall as described in “Step 1” already helps to increase security. However, exposing the game port to the public increases the attack surface. With iptables and Fail2Ban you can limit the number of requests allowed. This step explains how to:

  • Limit the number of requests per IP.
  • Limit the number of requests from all IPs together.

Step 2.1 – Limit the number of requests per IP

This step uses Fail2Ban to limit requests and iptables to log requests.

Before you begin, you need to make sure that both iptables and Fail2Ban are available. You can use systemctl status fail2ban to check if Fail2Ban is running. Installation on Ubuntu:

sudo apt install fail2ban
sudo systemctl enable --now fail2ban

Tell iptables to log access attempts

sudo iptables -I INPUT -p tcp --dport <your_game_port> -m conntrack --ctstate NEW -j LOG --log-level 6 --log-prefix "GameServerAccess: "

Now iptables logs every new connection attempt to the TCP game port to the /var/log/syslog file (the LOG target only records the packet; it then continues through the remaining rules). When you view the file, you will see that all attempts to access the game port are prefixed with GameServerAccess:. Make the rule persistent:

sudo iptables-save | sudo tee /etc/iptables/rules.v4

Add a filter. In /var/log/syslog, only entries with the prefix GameServerAccess: are relevant. Create the following file to tell Fail2Ban to match those entries:

sudo nano /etc/fail2ban/filter.d/gameserveraccess.conf

Add content:

[Definition]
failregex = GameServerAccess: .* SRC=<HOST>
ignoreregex =

Tell Fail2Ban to limit the number of requests per IP and set a ban time for IPs that exceed the limit. The logpath tells Fail2Ban where to get the IPs from. The filter we created tells Fail2Ban to only monitor IPs registered with the GameServerAccess prefix.

sudo nano /etc/fail2ban/jail.local

Add content:

[game-server]
enabled = true
filter = gameserveraccess
logpath = /var/log/syslog
maxretry = 7
findtime = 30
bantime = 120

The above settings allow each IP to send 7 requests in 30 seconds. If an IP exceeds this limit, it will be blocked for 120 seconds. If you want to set a different limit, you can replace the values 7, 30, and 120 accordingly.

Once everything is set up, restart Fail2Ban:

sudo systemctl restart fail2ban
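To see what the jail above actually does before pointing it at a live server, the following added example (not part of the tutorial or of Fail2Ban) replays constructed syslog lines shaped like the output of the LOG rule through the filter's failregex and applies the maxretry/findtime/bantime logic per source IP. Fail2Ban bans a host once its match count within findtime reaches maxretry, and a banned host's packets are dropped by Fail2Ban's own iptables rule, so no further log lines arrive from it until the ban expires; the simulation models both. The function names, the host name "gameserver" and all IPs, ports and timestamps in the sample log are this example's own.

```python
"""Replay the Step 2.1 jail offline: parse syslog lines written by the
iptables LOG rule, apply the failregex, and count hits per source IP using
Fail2Ban's maxretry/findtime/bantime semantics.

Added example, not part of the tutorial or Fail2Ban; the log lines are
constructed and the function names are this example's own."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Mirrors the filter line  failregex = GameServerAccess: .* SRC=<HOST>
# Fail2Ban expands <HOST> to a host-matching group; a plain group is used here.
FAILREGEX = re.compile(r"GameServerAccess: .* SRC=(?P<host>\S+)")
TS_FORMAT = "%b %d %H:%M:%S"          # classic syslog timestamp, e.g. "Mar 01 12:00:06"


def make_line(ts: str, src: str, dpt: int = 27015) -> str:
    """Construct a syslog line shaped like kernel LOG output (sample data)."""
    return (f"{ts} gameserver kernel: [1234.567890] GameServerAccess: IN=eth0 OUT= "
            f"SRC={src} DST=10.0.0.5 LEN=60 PROTO=TCP SPT=51000 DPT={dpt} SYN URGP=0")


def _stamp(second: int) -> str:
    return (datetime(2024, 3, 1, 12, 0, 0) + timedelta(seconds=second)).strftime(TS_FORMAT)


# Constructed sample log: 203.0.113.1 tries once a second for 8 s,
# 198.51.100.1 makes three attempts in 30 s, 192.0.2.7 tries every 10 s.
_events = ([(s, "203.0.113.1") for s in range(8)]
           + [(2, "198.51.100.1"), (15, "198.51.100.1"), (28, "198.51.100.1")]
           + [(s, "192.0.2.7") for s in range(0, 70, 10)])
SAMPLE_LINES = [make_line(_stamp(s), src) for s, src in sorted(_events)]


def parse_hits(lines):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            yield datetime.strptime(line[:15], TS_FORMAT), m.group("host")


def run_jail(lines, maxretry=7, findtime=30, bantime=120):
    """Return a list of (host, ban_time) events for the given jail settings.

    A host is banned when it reaches `maxretry` matches within a sliding
    `findtime`-second window. Lines from a currently banned host are skipped,
    since Fail2Ban's own DROP rule keeps them from being logged."""
    window = defaultdict(deque)     # host -> timestamps inside findtime
    banned_until = {}
    bans = []
    for ts, host in parse_hits(lines):
        if host in banned_until and ts < banned_until[host]:
            continue
        q = window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # drop stale hits
            q.popleft()
        if len(q) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            bans.append((host, ts.strftime("%H:%M:%S")))
            q.clear()
    return bans


if __name__ == "__main__":
    print(run_jail(SAMPLE_LINES))   # [('203.0.113.1', '12:00:06')]
```

With the tutorial's values only the host that connects once a second is banned (on its 7th attempt); the host that spreads 7 attempts over 60 seconds never has 7 inside any 30-second window, which is the point of findtime. Lowering maxretry in the call shows how quickly the jail becomes aggressive toward ordinary reconnects.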

Step 2.2 – Limit the number of requests from all IPs together

With iptables you can use the limit module to limit the total number of new connections within a specific time period. The --limit-burst option sets how many connections are allowed at once before the limit takes effect, and --limit sets the sustained rate at which further connections are allowed afterwards.

Delete the old firewall rule. If you already opened the game port to everyone in “Step 1,” you can delete that rule now; with the rate limiting rules below, you no longer need it.

sudo iptables -L --line-numbers   # Get the line number of "ACCEPT ... tcp dpt:<your_game_port>"
sudo iptables -D INPUT <number>   # Delete the rule that accepts all incoming requests to your game port

Run the following commands to add new rules with a burst limit of 100 and a sustained rate of 2/min, i.e. one further connection every half minute (30 seconds). If you want to set different limits, you can replace the values 100 and 2/min accordingly.

sudo iptables -A INPUT -p tcp --dport <your_game_port> -m conntrack --ctstate NEW -m limit --limit 2/min --limit-burst 100 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport <your_game_port> -m conntrack --ctstate NEW -j DROP

The first rule allows access to the server. It matches all new connections that are within the specified limit. Once the limit is reached, this rule no longer matches. The second rule denies access to the server. It applies when the first rule no longer matches.

iptables rules are not persistent by default. To make the rules persistent, you need to update the /etc/iptables/rules.v4 file:

sudo iptables-save | sudo tee /etc/iptables/rules.v4

The next time you restart your server, the rules saved in the file will be reapplied.
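The limit module is a token bucket: the bucket starts with --limit-burst tokens, every matching packet spends one, and tokens refill at the --limit rate up to the burst size. The following added example (not from the tutorial, and a model of the module rather than its kernel implementation) simulates "--limit 2/min --limit-burst 100" over a constructed arrival pattern so you can see how many new connections the ACCEPT rule still matches and which fall through to the DROP rule. The function names and arrival times are this example's own.

```python
"""Token-bucket model of the iptables limit module, used to see what
"--limit 2/min --limit-burst 100" accepts over time.

Added example; the arrival times are constructed and the function names are
this example's own, not part of iptables."""
from typing import Dict, List


def simulate_limit(arrivals: List[float], rate_per_min: float = 2.0,
                   burst: int = 100) -> List[bool]:
    """Return one True/False per arrival: does the limit rule still match?

    The bucket starts full (`burst` tokens); each matching packet spends one
    token; tokens refill at `rate_per_min`, capped at `burst`. A packet that
    finds no whole token does not match the ACCEPT rule and falls through to
    the DROP rule that follows it. `arrivals` are seconds since the rule was
    installed and must be in increasing order."""
    tokens = float(burst)
    last = 0.0
    decisions: List[bool] = []
    for t in arrivals:
        if t < last:
            raise ValueError("arrivals must be sorted in time")
        # Refill for the elapsed time: rate_per_min / 60 tokens per second.
        tokens = min(float(burst), tokens + (t - last) * rate_per_min / 60.0)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            decisions.append(True)      # first rule matches -> ACCEPT
        else:
            decisions.append(False)     # no token -> second rule -> DROP
    return decisions


def summarize(decisions: List[bool]) -> Dict[str, int]:
    """Count accepted and dropped connection attempts."""
    return {"accepted": decisions.count(True), "dropped": decisions.count(False)}


# Constructed scenario: 150 connection attempts arrive at once, then one
# more 30 s later and another 1 s after that.
SCENARIO = [0.0] * 150 + [30.0, 31.0]

if __name__ == "__main__":
    print(summarize(simulate_limit(SCENARIO)))   # {'accepted': 101, 'dropped': 51}
```

Of the initial 150 attempts only the first 100 get through; the attempt at 30 s is accepted because exactly one token has refilled, and the one a second later is dropped. That is also the trade-off of this step: once the burst is spent, legitimate players are limited to the same one-connection-per-30-seconds rate as everyone else.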

Step 3 – Blocking Rules

Once the rate limit from “Step 2” is reached, no one can access the TCP port your_game_port. However, as long as the requests are within the limit, all requests are granted access. This includes legitimate and illegitimate requests. A legitimate TCP connection always starts with a SYN packet, so a packet that conntrack classifies as NEW but that does not carry the SYN flag is not the start of a real handshake. The following rule drops such packets:

sudo iptables -I INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

When everything is done, you need to save your rules again:

sudo iptables-save | sudo tee /etc/iptables/rules.v4

Result

Please note that these settings are not sufficient to completely prevent DDoS attacks and there is always room to improve security with further DDoS mitigation settings. However, with the settings provided in this tutorial, you now have a first line of defense against DDoS attacks and something to build on.
