Hey!
For those who are users of OVH and are having issues with protecting their FiveM server, this is for you!
This is my own personal iptables setup that blocks a lot of attacks, for a FiveM server I used to own.
Please remember that iptables doesn't mitigate DDoS attacks; it simply helps the server while a DDoS attack is occurring, so don't put this on an unprotected server and think you'll be alright. I highly recommend this be used with OVH's and OVH's only.
If you're gonna ask, I used Ubuntu 20.04, but that doesn't matter.
Here's my setup, enjoy!
#protects against UDP attacks (floods, connection floods, OVH bypasses, etc.)
#rules that share a --hashlimit-name share one hash table (and its limits), so each rule below gets its own name
iptables -t raw -A PREROUTING -p udp -m hashlimit --hashlimit-name periplimit-udp --hashlimit-mode srcip,dstport --hashlimit-srcmask 32 --hashlimit-upto 50/sec --hashlimit-burst 5 --hashlimit-htable-expire 300000 -j ACCEPT
#drop the UDP that exceeded the per-source limit above
iptables -t raw -A PREROUTING -p udp -j DROP
#accept SSH (whitelisting your own IP is recommended)
iptables -t raw -A PREROUTING -p tcp --dport 22 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j ACCEPT
#accept UDP here because it's already filtered in the raw table's PREROUTING chain above
iptables -t mangle -A PREROUTING -p udp -j ACCEPT
#rate limit / filter NEW-state SYN packets to protect against TCP floods (conntrack has run by the time mangle PREROUTING is reached, so the state match works here)
iptables -t mangle -A PREROUTING -p tcp --syn -m conntrack --ctstate NEW -m hashlimit --hashlimit-name periplimit-tcp --hashlimit-mode srcip,dstport --hashlimit-srcmask 32 --hashlimit-upto 300/sec --hashlimit-burst 1 --hashlimit-htable-expire 300000 -j ACCEPT
#if the above rule doesn't work, replace it with this one (uncomment it); if this rule does not work either, play around with it until it does as intended
#iptables -t mangle -A PREROUTING -p tcp --syn -m conntrack --ctstate NEW -m hashlimit --hashlimit-name periplimit-tcp --hashlimit-mode srcip,dstport --hashlimit-srcmask 32 --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-htable-expire 300000 -j ACCEPT
#accept related,established connections
iptables -t mangle -A PREROUTING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#drop everything that doesn’t match these rules
iptables -t mangle -P PREROUTING DROP
-Mike
Update: these rules aren't meant to solve your DDoS attack issues; they are meant to help your server perform better whilst under DDoS attack.
#this is a theorized rate limit that could work. It worked for me, but I don't know how it will perform for you, so use it on a test server to make sure it doesn't block any connections for you before putting it on your main FiveM server.
#use these two rules instead of the first two UDP rules in the raw table: if they are appended after them, the earlier "-p udp -j DROP" already matches and these are never reached
iptables -t raw -A PREROUTING -p udp -m hashlimit --hashlimit-name periplimit-udp --hashlimit-mode srcip,dstport --hashlimit-srcmask 32 --hashlimit-upto 300/sec --hashlimit-burst 2 --hashlimit-htable-expire 300000 -j ACCEPT
iptables -t raw -A PREROUTING -p udp -j DROP
If your server is having issues with UDP, this could help solve the issue. Remember to play around with the rate limits if it doesn't do the job you want it to.
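To see what the two UDP hashlimit variants above (50/sec burst 5, and 300/sec burst 2) actually let through per source, here is a simulation of the per-(srcip, dstport) token bucket that xt_hashlimit keeps. This is an added example, not part of Mike's post and not kernel code; the credit unit (one credit per microsecond), the addresses, the port and the one-second packet traces are constructed.

```python
from collections import defaultdict

CREDITS_PER_SEC = 1_000_000  # simplified: one credit per microsecond


class HashLimit:
    """Per-key token bucket modelling --hashlimit-upto N/sec --hashlimit-burst B.

    Keyed on (srcip, dstport) like --hashlimit-mode srcip,dstport with srcmask 32.
    A key starts with a full burst, spends `cost` credits per matched packet and
    refills at one credit per microsecond, capped at burst * cost.
    """

    def __init__(self, upto_per_sec: int, burst: int, expire_ms: int = 300_000):
        self.cost = CREDITS_PER_SEC // upto_per_sec   # credits one packet spends
        self.cap = self.cost * burst                  # full bucket == `burst` packets
        self.expire_us = expire_ms * 1000             # --hashlimit-htable-expire
        self.buckets = {}                             # key -> (credits, last_seen_us)

    def allow(self, src_ip: str, dst_port: int, now_us: int) -> bool:
        key = (src_ip, dst_port)
        entry = self.buckets.get(key)
        if entry is None or now_us - entry[1] > self.expire_us:
            credits = self.cap        # new or expired entry: full burst again
        else:
            credits = min(self.cap, entry[0] + (now_us - entry[1]))
        ok = credits >= self.cost
        if ok:
            credits -= self.cost
        self.buckets[key] = (credits, now_us)
        return ok


def run_trace(upto: int, burst: int, packets):
    """Count accepted packets per (src, dport) for a list of (time_us, src, dport)."""
    hl = HashLimit(upto, burst)
    accepted = defaultdict(int)
    for t, src, dport in sorted(packets):
        if hl.allow(src, dport, t):
            accepted[(src, dport)] += 1
    return dict(accepted)


# Constructed one-second trace to a FiveM-style UDP port: one player sending
# ~30 pkt/s and one flood source sending 1000 pkt/s.
PLAYER = [(i * 33_333, "203.0.113.10", 30120) for i in range(30)]
FLOOD = [(i * 1_000, "198.51.100.7", 30120) for i in range(1000)]

if __name__ == "__main__":
    for upto, burst in ((50, 5), (300, 2)):  # the two UDP rules in the post
        print(f"upto {upto}/sec burst {burst}:", run_trace(upto, burst, PLAYER + FLOOD))
```

The player's 30 packets pass under both settings, while the flood source gets its initial burst and then roughly `upto` packets per second; everything else is what the following `-p udp -j DROP` rule discards.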