DDoS-Protection FIVEM

hey!
For those who are users of OVH and are having issues with protecting their FiveM server, this is for you!
This is my own personal iptables setup that blocks a lot of attacks for a FiveM server I used to own.
Please remember that iptables don't mitigate DDoS attacks, they simply help the server while a DDoS attack is occurring, so don't put this on an unprotected server and think you'll be aight. I highly recommend this to be used with OVH's and OVH's only.
If you're gonna ask, I used Ubuntu 20.04, but that doesn't matter.
Here's my setup, enjoy!

#protects against UDP attacks (floods , connection floods, ovh bypasses, etc)

iptables -t raw -A PREROUTING -p udp -m hashlimit --hashlimit-name periplimit --hashlimit-mode srcip,dstport --hashlimit-srcmask 32 --hashlimit-upto 50/sec --hashlimit-burst 5 --hashlimit-htable-expire 300000 -j ACCEPT

iptables -t raw -A PREROUTING -p udp -j DROP

#accept ssh (whitelisting is recommended)

iptables -t raw -A PREROUTING -p tcp --dport 22 -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp --dport 22 -j ACCEPT

#accept UDP because it’s filtered in the raw chain

iptables -t mangle -A PREROUTING -p udp -j ACCEPT

#rate limit / filter NEW state syn packets to protect against tcp floods

iptables -t mangle -A PREROUTING -p tcp --syn -m state --state NEW -m hashlimit --hashlimit-name periplimit --hashlimit-mode srcip,dstport --hashlimit-srcmask 32 --hashlimit-upto 300/sec --hashlimit-burst 1 --hashlimit-htable-expire 300000 -j ACCEPT

#uncomment if the above rule doesn’t work and replace it with this rule, however if this rule does not work play around with it until it does as intended

#iptables -t mangle -A PREROUTING -p tcp --syn -m state --state NEW -m hashlimit --hashlimit-name periplimit --hashlimit-mode srcip,dstport --hashlimit-srcmask 32 --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-htable-expire 300000 -j ACCEPT

#accept related,established connections

iptables -t mangle -A PREROUTING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#drop everything that doesn’t match these rules

iptables -t mangle -P PREROUTING DROP

-Mike

Update: these rules aren't meant to solve your DDoS attack issues, they are meant to help your server perform better whilst under DDoS attack.
#this is a theorized rate limit that could work. It worked for me but I don't know how it will perform for you, so use it on a test server to make sure it doesn't block any connections for you before putting it on your main FiveM server.

iptables -t raw -A PREROUTING -p udp -m hashlimit --hashlimit-name periplimit --hashlimit-mode srcip,dstport --hashlimit-srcmask 32 --hashlimit-upto 300/sec --hashlimit-burst 2 --hashlimit-htable-expire 300000 -j ACCEPT

iptables -t raw -A PREROUTING -p udp -j DROP

If your server is having issues with UDP this could help solve the issue. Remember to play around with the rate limits if it doesn't do the job you want it to.

1 Like
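Added example (not part of Mike's post or anything from the FiveM project): a small Python model of what the hashlimit match in the raw-table rules above actually does. xt_hashlimit keeps one token bucket per key (here srcip,dstport), starts a new bucket with --hashlimit-burst tokens, refills it at --hashlimit-upto tokens per second, and forgets idle buckets after --hashlimit-htable-expire milliseconds. Packets that find a token hit the ACCEPT rule; the rest fall through to the unconditional UDP DROP. The traffic below is constructed, the client and flood addresses are documentation ranges, and the destination port 30120 is assumed as FiveM's default. The model also shows the point the replies make: because the limit is per source address, a flood spread over many sources stays under the limit and is not mitigated at all.

```python
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class HashLimit:
    """Model of xt_hashlimit as used in the raw PREROUTING rules:
    one bucket per (src IP, dst port), `burst` tokens max, refilled at
    `upto` tokens/sec, entry dropped after `expire_ms` of silence."""
    upto: int
    burst: int
    expire_ms: int = 300000
    buckets: dict = field(default_factory=dict)  # key -> (tokens, last_seen)

    def match(self, src, dport, t):
        """True if the packet at time t (seconds, exact Fraction) matches the
        hashlimit ACCEPT rule; False means it reaches the UDP DROP rule."""
        key = (src, dport)
        tokens, last = self.buckets.get(key, (Fraction(self.burst), t))
        if (t - last) * 1000 > self.expire_ms:
            # entry expired: the kernel recreates it with a full bucket
            tokens, last = Fraction(self.burst), t
        # refill first, then try to spend one token for this packet
        tokens = min(Fraction(self.burst), tokens + (t - last) * self.upto)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, t)
            return True
        self.buckets[key] = (tokens, t)
        return False


def constructed_trace(src, pps, seconds, dport=30120):
    """Constructed sample traffic: evenly spaced packets from `src` to `dport`
    (30120 assumed as the FiveM port), as (time, src, dport) tuples."""
    return [(Fraction(i, pps), src, dport) for i in range(pps * seconds)]


def run(limiter, packets):
    """Replay packets in time order through ACCEPT-if-under-limit then DROP;
    return {src: (accepted, dropped)}."""
    stats = {}
    for t, src, dport in sorted(packets, key=lambda p: p[0]):
        acc, drop = stats.get(src, (0, 0))
        if limiter.match(src, dport, t):
            acc += 1
        else:
            drop += 1
        stats[src] = (acc, drop)
    return stats


def scenario(upto, burst):
    """Three constructed sources against one parameter set from the post."""
    lim = HashLimit(upto=upto, burst=burst)
    packets = (constructed_trace("198.51.100.10", 30, 2)     # quiet, legit client
               + constructed_trace("198.51.100.20", 100, 2)  # chatty client
               + constructed_trace("203.0.113.5", 5000, 1))  # single-source UDP flood
    return run(lim, packets)


def distributed(upto, burst, sources=100, pps=40):
    """Same total volume spread over many sources, each under the per-IP limit.
    Returns (accepted, dropped) summed over all sources."""
    lim = HashLimit(upto=upto, burst=burst)
    packets = []
    for n in range(sources):
        packets += constructed_trace(f"192.0.2.{n}", pps, 1)
    stats = run(lim, packets)
    return (sum(a for a, _ in stats.values()), sum(d for _, d in stats.values()))


if __name__ == "__main__":
    for upto, burst in ((50, 5), (300, 2)):   # the two variants in the post
        print(f"--hashlimit-upto {upto}/sec --hashlimit-burst {burst}")
        for src, (acc, drop) in scenario(upto, burst).items():
            print(f"  {src:15} accepted={acc:5} dropped={drop:5}")
    print("100 sources x 40 pps under 50/sec burst 5 (accepted, dropped):",
          distributed(50, 5))
```

Reading the output: the 50/sec burst 5 variant passes the 30 pps client untouched but halves the 100 pps client, so a real client that sends more than 50 packets per second to the game port would be throttled, which is exactly why the post says to try it on a test server first. The single-source flood is cut to roughly upto plus burst packets per second, while the distributed case passes every packet, since each source stays under its own bucket.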

Thanks

1 Like

You are trying to solve a problem with just a copy-paste, meanwhile there are entire dedicated companies to stop DDoS attacks. I highly doubt iptables solve that.

Yeah, but it still wouldn't defend against any DDoS attacks.

Bro, your blood pressure can be seen through your words, just relax.
I told you, what you have done here is nothing; sure, it does something, so it's not actually nothing, but it still has no impact in mitigating a DDoS attack, thus naming this thread "DDoS protection" is just bad.

2 Likes

Fine, I'm sorry. I'll delete my comments. I just don't want people to think this is an instant DDoS mitigation method, which it isn't. Sorry for the rude comments. Thank you for your opinion. I'll see that better disclosure is provided in the next post.

1 Like

The only thing that worked for me (as mentioned above, there are companies specialising in this) is to find an affordable hoster with the right type and size of appliance.

Check out this thread as well for some more details: Cloudflare protection for FiveM - #9 by maxcamorra