@realkarmakun
Last active May 16, 2020 21:02
Minecraft AntiDDos rules for UFW
# Protection from SYN flood.
# "limit" counts SYNs host-wide, not per source IP: once the burst is spent,
# new inbound TCP connections not accepted earlier are capped at 2/s in total.
-A ufw-before-input -p tcp --syn -j ufw-before-syn-flood
-A ufw-before-syn-flood -m limit --limit 2/s --limit-burst 2 -j RETURN
-A ufw-before-syn-flood -j DROP
# Uncommon MSS values. Only SYN segments carry the MSS option, and tcpmss treats
# a packet without the option as "not in range", so the match is restricted to
# --syn; otherwise mid-stream packets that conntrack picks up as NEW would be
# dropped as well.
-A ufw-before-input -p tcp --syn -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
# Drop excessive RST packets. UFW's stock before.rules above already accept
# RELATED,ESTABLISHED traffic and drop INVALID packets, so only stray RSTs get
# this far: let a trickle through and drop the rest.
-A ufw-before-input -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
-A ufw-before-input -p tcp -m tcp --tcp-flags RST RST -j DROP
# Port scanning protection: drop bogus TCP flag combinations (NULL, XMAS,
# SYN+FIN, SYN+RST, FIN/PSH/URG without ACK, unsolicited SYN/ACK). With
# conntrack loaded all of these are already classified INVALID (conntrack keeps
# a whitelist of legal flag combinations) and dropped by UFW's stock rules, so
# this block is belt-and-braces; it only bites if conntrack is bypassed. Some
# lines are subsumed by broader ones, which is harmless.
-A ufw-before-input -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A ufw-before-input -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A ufw-before-input -p tcp --tcp-flags ACK,URG URG -j DROP
-A ufw-before-input -p tcp --tcp-flags ALL ALL -j DROP
-A ufw-before-input -p tcp --tcp-flags ALL FIN -j DROP
-A ufw-before-input -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A ufw-before-input -p tcp --tcp-flags ALL NONE -j DROP
-A ufw-before-input -p tcp --tcp-flags ALL SYN,FIN -j DROP
-A ufw-before-input -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A ufw-before-input -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP
-A ufw-before-input -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A ufw-before-input -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
-A ufw-before-input -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A ufw-before-input -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Block some ICMP floods. UFW's stock rules above already accept echo-request,
# destination-unreachable, time-exceeded and parameter-problem, so these lines
# only govern the remaining ICMP types; to rate-limit pings, the echo-request
# ACCEPT in the stock section has to be changed as well.
-A ufw-before-input -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A ufw-before-input -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
-A ufw-before-input -p icmp -j DROP
# Minecraft port needs to be open. -I puts this rule at the head of
# ufw-before-input, ahead of the SYN-flood chain and of UFW's own rules, so new
# connections to 25565 are accepted at up to 30/s (default burst 5) whether or
# not an "ufw allow 25565/tcp" rule exists; SYNs above that rate fall through
# to the 2/s SYN-flood limit. Change the port if your server listens elsewhere.
-I ufw-before-input -p tcp --dport 25565 -m state --state NEW -m limit --limit 30/s -j ACCEPT

These are just some iptables rules that were transferred to UFW because of how Docker massacres iptables.

Everything goes in /etc/ufw/before.rules:

  • Put :ufw-before-syn-flood - [0:0] right after the "# End required lines" marker (the chain must be declared before any rule references it, or iptables-restore rejects the file).
  • Then put the rules from rules.txt right before the COMMIT that closes the *filter table at the end of the file (DO NOT delete COMMIT). If you have added a *nat section for Docker, that section has its own COMMIT; the rules do not belong there.
  • Change the port and the rates to match your setup; the limits above are host-wide, not per source IP.
  • Reload with "ufw reload" and check with "iptables -S ufw-before-input" that the chain exists and the -I rule is listed first. A typo in before.rules makes the reload fail with an iptables-restore error rather than loading a half-applied set.
  • There is no multicast and Spank DDoS protection since I have no idea how well it will work with Docker. Invalid packets and SYN flood should be enough.
  • Do not forget to turn on tcp_syncookies on your system (net.ipv4.tcp_syncookies = 1 via sysctl); that helps a lot.

P.S. UFW's stock before.rules already accept RELATED,ESTABLISHED traffic and drop INVALID packets on input, above the point where these rules are appended, so there is no need to add rules for those.
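The editing steps above are easy to get wrong by hand (chain declared after its first use, rules pasted after COMMIT or into a *nat section). The script below is an added example, not part of the gist: it performs the same edits on a before.rules copy with awk and lints the result before anything is reloaded. It assumes the stock ufw markers "# End required lines" and "COMMIT" are present, as they are in the before.rules ufw ships; the sample before.rules and rules.txt it writes are constructed stand-ins, including a *nat table such as the common Docker+ufw workaround adds, so the script can run without touching the live system.

```shell
#!/bin/sh
# Added example, not part of the gist: automate the three editing steps on a
# copy of ufw's before.rules and lint the result before "ufw reload" loads it.
# Assumes the stock markers "# End required lines" and "COMMIT" are present.
# Only the paths passed in are touched, so try it on a copy first:
#   cp /etc/ufw/before.rules /tmp/before.rules
set -eu

CHAIN_DECL=':ufw-before-syn-flood - [0:0]'

# Constructed stand-in for /etc/ufw/before.rules (not the real file). It carries
# a *nat table, as the usual Docker+ufw workaround adds, so there are two COMMIT
# lines and the rules must land before the one that closes *filter.
write_sample_before_rules() {
    cat > "$1" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
COMMIT
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}

# The SYN-flood part of the gist, as the snippet a user would paste in.
write_sample_rules() {
    cat > "$1" <<'EOF'
# Protection from SYN flood
-A ufw-before-input -p tcp --syn -j ufw-before-syn-flood
-A ufw-before-syn-flood -m limit --limit 2/s --limit-burst 2 -j RETURN
-A ufw-before-syn-flood -j DROP
-I ufw-before-input -p tcp --dport 25565 -m state --state NEW -m limit --limit 30/s -j ACCEPT
EOF
}

# Steps 1+2: declare the chain right after "# End required lines" and splice the
# rules in just before the COMMIT that closes *filter. Idempotent: a file that
# already declares the chain is left unchanged.
patch_before_rules() {
    target=$1 rules=$2
    grep -qxF "$CHAIN_DECL" "$target" && return 0
    tmp=$(mktemp)
    awk -v rulesfile="$rules" -v decl="$CHAIN_DECL" '
        /^\*/                    { table = substr($0, 2) }
        /^# End required lines$/ { print; print decl; next }
        /^COMMIT$/ && table == "filter" && !done {
            while ((getline line < rulesfile) > 0) print line
            close(rulesfile); done = 1
        }
        { print }
    ' "$target" > "$tmp"
    cat "$tmp" > "$target"   # overwrite in place so mode and owner are kept
    rm -f "$tmp"
}

# Lint before reloading: the chain is declared exactly once, inside *filter and
# before any rule that uses it, and every ufw-before-* rule sits between *filter
# and its COMMIT (a rule after COMMIT, or inside *nat, is the classic mistake).
check_before_rules() {
    awk -v decl="$CHAIN_DECL" '
        /^\*/                                         { table = substr($0, 2) }
        $0 == decl                                    { decls++; if (table != "filter") bad++; seen = 1 }
        /ufw-before-syn-flood/ && $0 != decl && !seen { bad++ }
        /^-[AI] ufw-before-/ && table != "filter"     { bad++ }
        /^COMMIT$/                                    { table = "" }
        END { if (decls == 1 && bad == 0) exit 0; exit 1 }
    ' "$1"
}

# Demo on constructed files; the live /etc/ufw/before.rules is not touched.
demo=$(mktemp -d)
write_sample_before_rules "$demo/before.rules"
write_sample_rules "$demo/rules.txt"
patch_before_rules "$demo/before.rules" "$demo/rules.txt"
if check_before_rules "$demo/before.rules"; then
    echo "patched copy passes lint: $demo/before.rules"
else
    echo "lint failed, do not reload ufw with this file" >&2
fi
```

To use it on a real system, point patch_before_rules and check_before_rules at a copy of /etc/ufw/before.rules and the gist's rules.txt, inspect the copy, move it into place, then run ufw reload. The lint is deliberately stricter than iptables-restore: it also flags a chain declared in the wrong table and a ufw-before-* rule that ended up outside *filter, both of which iptables-restore would accept or report less clearly.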
