spacemud/samp-iptables.sh

## samp-iptables.sh
# create a new chain
iptables -N SAMPQUERY

# check that incomming packet is a samp query packet and divert to the new chain
# this inserts the rule as the first in the chain, but should probably be a bit further down (e.g. after checking lo interface)
iptables -I INPUT -p udp \! -f -m udp --dport 7777 -m conntrack --ctstate NEW,ESTABLISHED -m u32 --u32 "0x0>>0x16&0x3c@0x8=0x53414d50" -j SAMPQUERY

# only allow connection from ephemeral source ports
# connection attempts from ports outside this range are likely rogue clients
iptables -A SAMPQUERY -p udp --sport 49152:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A SAMPQUERY -j REJECT --reject-with icmp-port-unreachable
	# create a new chain
	iptables -N SAMPQUERY

	# check that incomming packet is a samp query packet and divert to the new chain
	# this inserts the rule as the first in the chain, but should probably be a bit further down (e.g. after checking lo interface)
	iptables -I INPUT -p udp \! -f -m udp --dport 7777 -m conntrack --ctstate NEW,ESTABLISHED -m u32 --u32 "0x0>>0x16&0x3c@0x8=0x53414d50" -j SAMPQUERY

	# only allow connection from ephemeral source ports
	# connection attempts from ports outside this range are likely rogue clients
	iptables -A SAMPQUERY -p udp --sport 49152:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
	iptables -A SAMPQUERY -j REJECT --reject-with icmp-port-unreachable