Learn how to boost security with FiveM OVH DDoS with iptables. Our OVH Support team is here to help you with your questions and concerns.

FiveM OVH DDoS | Setting Up IPtables

Running a FiveM server can be a great experience, but it comes with its fair share of challenges, especially when it comes to security.

Today, we will look at how an iptables setup can block different attacks and boost server performance during difficult times. However, our experts would like to point out that iptables alone are not enough to stop DDoS attacks.

Also, be cautious when implementing these rules on the server. It is also a good idea to use these rules with OVH’s infrastructure for optimal results.

Protecting Against UDP Attacks


iptables -t raw -A PREROUTING -p udp -m hashlimit --hashlimit-name periplimit --hashlimit-mode srcip,dstport --hashlimit-srcmask 32 --hashlimit-upto 50/sec --hashlimit-burst 5 --hashlimit-htable-expire 300000 -j ACCEPT
iptables -t raw -A PREROUTING -p udp -j DROP


These rules will stop UDP attacks, including floods, connection floods, and OVH bypasses. The hashlimit module helps regulate the incoming UDP traffic and offers an additional layer of protection.

Allowing SSH and UDP Traffic


iptables -t raw -A PREROUTING -p tcp --dport 22 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j ACCEPT
iptables -t mangle -A PREROUTING -p udp -j ACCEPT


Here, we whitelist SSH traffic on port 22, a crucial step for secure server management. Additionally, we ensure that UDP traffic is accepted, as it was filtered in the raw chain.

Filtering SYN Packets to Prevent TCP Floods


iptables -t mangle -A PREROUTING -p tcp --syn -m state --state NEW -m hashlimit --hashlimit-name periplimit --hashlimit-mode srcip,dstport --hashlimit-srcmask 32 --hashlimit-upto 300/sec --hashlimit-burst 1 --hashlimit-htable-expire 300000 -j ACCEPT


This rule focuses on rate-limiting and filtering new state SYN packets, providing a defense against TCP floods. We can adjust the parameters if needed, and consider the alternative rule provided if the initial one doesn’t yield the desired results.

Handling Related and Established Connections


iptables -t mangle -A PREROUTING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


Ensuring the acceptance of related and established connections is crucial for maintaining the functionality of ongoing sessions.

Default Rule: Drop Everything Else

iptables -t mangle -P PREROUTING DROP

This rule acts as the last line of defense, dropping any traffic that doesn’t match the specified rules.

Additional Recommendations and Updates

• Always test these rules on a separate server before implementing them on your main FiveM server to avoid unintended disruptions.
• For potential UDP issues, consider experimenting with the following theorized rate-limit rule:

  
iptables -t raw -A PREROUTING -p udp -m hashlimit --hashlimit-name periplimit --hashlimit-mode srcip,dstport --hashlimit-srcmask 32 --hashlimit-upto 300/sec --hashlimit-burst 2 --hashlimit-htable-expire 300000 -j ACCEPT
iptables -t raw -A PREROUTING -p udp -j DROP


Dealing with OVH Firewall Bug:


iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP


To address a bug in the OVH Firewall, we have to block malformed ACK connections using these iptables rules.

Enhancing the security and performance of our FiveM server requires a proactive approach. By using these iptables rules and with updates and improvements, we can create a strong defense against various attacks.

[Need assistance with a different issue? Our team is available 24/7.]

Conclusion

At the end of the day, our Support Experts introduced us to boosting security with FiveM OVH DDoS with iptables.