Firewall rule

rainofpain1337
New to forums
Posts: 2
Joined: Sun Dec 13, 2015 4:59 am

Firewall rule

Post by rainofpain1337 »

Hi, I'm quite new to advanced firewalls such as iptables, but I want to learn.
Could anyone here give me a quick example and a short explanation of how to block these packets with the Managed VDS firewall interface?

I want to make the firewall as specific as possible, and ofc I will begin with setting length to match 40-52, but other than that I do not quite understand.
The goal is to block this packet without bricking any legitimate rcon query. Any help would be much appreciated.

22:57:46.675910 IP (tos 0x0, ttl 56, id 12089, len 40) 178.x.x.x.28249 > 31.x.x.x.27015: . [tcp sum ok] ack 1 win 256 (DF)
0x0000 4500 0028 2f39 4000 3806 04aa b276 4196 E..(/9@.8....vA.
0x0010 1fba fb26 6e59 6987 e3ac 5acd 38b3 c468 ...&nYi...Z.8..h
0x0020 5010 0100 8c70 0000 P....p..

22:57:46.680131 IP (tos 0x0, ttl 56, id 12090, len 52) 178.x.x.x.28250 > 31.x.x.x.27015: S [tcp sum ok] 3372746609:3372746609(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> (DF)
0x0000 4500 0034 2f3a 4000 3806 049d b276 4196 E..4/:@.8....vA.
0x0010 1fba fb26 6e5a 6987 c908 0771 0000 0000 ...&nZi....q....
0x0020 8002 2000 97c7 0000 0204 05b4 0103 0308 ................
0x0030 0101 0402 ....
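Added example (not from the thread): a small Python parser for the two tcpdump hex dumps quoted above, decoding the IPv4 and TCP headers into the fields a firewall rule could match on (total length, TTL, ports, TCP flags, payload length). Function names are my own; the dumps are the sample input.

```python
import struct
from string import hexdigits

# Sample input: the two tcpdump -X hex dumps pasted in the question above,
# copied here verbatim (offset column, hex words, ASCII column).
DUMP_ACK = """\
0x0000 4500 0028 2f39 4000 3806 04aa b276 4196 E..(/9@.8....vA.
0x0010 1fba fb26 6e59 6987 e3ac 5acd 38b3 c468 ...&nYi...Z.8..h
0x0020 5010 0100 8c70 0000 P....p.."""
DUMP_SYN = """\
0x0000 4500 0034 2f3a 4000 3806 049d b276 4196 E..4/:@.8....vA.
0x0010 1fba fb26 6e5a 6987 c908 0771 0000 0000 ...&nZi....q....
0x0020 8002 2000 97c7 0000 0204 05b4 0103 0308 ................
0x0030 0101 0402 ...."""

TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))


def hexdump_to_bytes(dump):
    """Rebuild raw bytes from tcpdump -X lines; keeps only the 4-hex-digit
    words after the offset column, so the trailing ASCII column is ignored."""
    words = []
    for line in dump.splitlines():
        for tok in line.split()[1:9]:
            if len(tok) == 4 and all(c in hexdigits for c in tok):
                words.append(tok)
    return bytes.fromhex("".join(words))


def parse_packet(dump):
    """Decode the IPv4 + TCP headers into the fields a firewall rule can match."""
    raw = hexdump_to_bytes(dump)
    ihl = (raw[0] & 0x0F) * 4                      # IP header length in bytes
    total_len, ttl, proto = struct.unpack("!H", raw[2:4])[0], raw[8], raw[9]
    if proto != 6 or len(raw) != total_len:
        raise ValueError("expected a complete TCP/IPv4 packet")
    tcp = raw[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                  # TCP header length incl. options
    flag_bits = tcp[13]
    return {
        "ip_len": total_len,
        "ttl": ttl,
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "sport": sport,
        "dport": dport,
        "flags": [name for bit, name in TCP_FLAGS if flag_bits & bit],
        "payload_len": total_len - ihl - data_off,
    }


def carries_rcon_payload(pkt, rcon_port=27015):
    """True only if the segment actually delivers data to the rcon port;
    bare SYN/ACK segments like the two captured above carry none."""
    return pkt["dport"] == rcon_port and pkt["payload_len"] > 0
```

Both captured packets decode to zero payload bytes, but the SYN is also how every legitimate rcon connection starts, so payload length alone cannot be the rule; the parser is there to show which header fields actually differ.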
soja
This is my homepage
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Re: Firewall rule

Post by soja »

If you want to harden rcon, the easiest thing to do would be to block access to TCP port 27015 for everyone except the specific people who need it (you, your web servers, etc.).

To do this, first make a rule like this:
Image
This says to accept any packets from the specified IPs. Packets that match this rule will not be evaluated by the rules below it. Make sure you put your own IPs here.

Second, make a rule like this:
Image
This says to block any packets going to port 27015 if they have not already matched the rule above it.

The 2 rules MUST be in this order:
Image

If your home IP address changes (most are dynamic) you will need to modify this rule.
rainofpain1337
New to forums
Posts: 2
Joined: Sun Dec 13, 2015 4:59 am

Re: Firewall rule

Post by rainofpain1337 »

soja wrote:If you want to harden rcon, the easiest thing to do would be to block access to TCP port 27015 for everyone except the specific people who need it (you, your web servers, etc.).

To do this, first make a rule like this:
Image
This says to accept any packets from the specified IPs. Packets that match this rule will not be evaluated by the rules below it. Make sure you put your own IPs here.

Second, make a rule like this:
Image
This says to block any packets going to port 27015 if they have not already matched the rule above it.

The 2 rules MUST be in this order:
Image

If your home IP address changes (most are dynamic) you will need to modify this rule.
Yeah, that's what I've been doing so far, but it feels a little ghetto for my taste. I would like to learn more of the advanced stuff of the firewall. Could you point me in the direction where I can read in-depth guides about all the functions available in the VDS firewall panel, bpf and u32 mainly; the rest are self-explanatory. Right now I'm testing simply cooling down packet flow via TCP, but ideally I want to block all TCP packets that do not fit into the rcon socket!
kraze
Former staff
Posts: 4362
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: Firewall rule

Post by kraze »

The firewall page itself has quite a bit of information on it and should be enough to get you going. After that you'll need to start using outside resources. For u32 you can take a look at this http://www.stearns.org/doc/iptables-u32.current.html and for BPF you can take a look at this http://biot.com/capstats/bpf.html.
Edge100x
Founder
Posts: 13129
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Firewall rule

Post by Edge100x »

When it comes to rcon, requests from your admins will generally look the same as requests from others -- apart from the IP address, of course. So, there's not a whole lot you can filter on. The exception to this would be if you're seeing a flood of requests from an attacker who is using the same TTL, or source port, or source IP, or something along those lines.