Main server IP address is getting leaked

I’m hosting a game server in a country that doesn’t have DDoS protection.

So what I have done is put 100 load balancers in front of the main server just to hide the main server IP.

Also, I’m using these cvars.

set sv_listingHostOverride "PROXY_SERVER_IP"
set sv_listingIpOverride "PROXY_SERVER_IP"

And so when I try to connect to cfx.re/join/blablabla, it works and it hides the main server IP.

So players get connected randomly on 100 servers.

Somehow my main server IP is getting leaked.

Is it due to the iptables rules that I’m using on the 100 servers?

Here are the iptables rules.

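# Enable IPv4 forwarding so the proxy can route packets to the main server
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
# Forward the game ports (TCP and UDP) to the main server
iptables -t nat -A PREROUTING -p tcp --dport 1010 -j DNAT --to-destination MAIN_GAME_SERVER_IP:1010
iptables -t nat -A PREROUTING -p udp --dport 1010 -j DNAT --to-destination MAIN_GAME_SERVER_IP:1010
iptables -t nat -A PREROUTING -p udp --dport 1011 -j DNAT --to-destination MAIN_GAME_SERVER_IP:1011
# Rewrite the source address of forwarded traffic to this proxy's own IP
iptables -t nat -A POSTROUTING -j MASQUERADE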

The interesting thing is, none of the 100 servers get DDoS attacks.

The attacker is somehow able to find the main server IP address.

  1. In the firewall of the main server, only these load balancers’ IPs are allowed. So nobody can scan the main server using port scanning.
  2. On the load balancer servers, only a few IP ranges are allowed.
  3. None of the load balancer servers get attacks.

How is the attacker able to find the main server IP address?

Thanks!

Pretty much no matter what you set up to hide the IP there will always be ways around it to get the actual IP.

Yes, I’m aware of that, but how is it possible?

Do you know the possibilities?

I’m sure there are programs out there as the main IP has to be known so the client knows where it’s going.

But in my case, traffic is going through the 100 load balancers. So the client never knows the real IP.

Well at some point the client needs the real IP or it wouldn’t know where to go. Just because you have xyz doesn’t mean it prevents anything.

If that was the case then you wouldn’t be here.

Bro, the client doesn’t need the real IP because all the communication is done over the load balancer server.

Client sends request → Load balancer server → Main server

Main server → Load balancer → Client

So I guess the client never talks to the main server.

That makes zero sense. First, using load balancers as a proxy. Second, the client needs the information else the client won’t know what to do. Just because it’s not client>server doesn’t mean the client doesn’t get server information. If I want to connect to 1.1.1.1 and I go through a proxy at 2.2.2.2 all that is doing is saying 2.2.2.2 = 1.1.1.1. The client will be able to get the actual IP.

But if you use netstat or netlimiter, you would never see the main server IP, because traffic is going through the load balancer server.

Lmao “netstat”. That literally shows the initial connection. There are ways to go deeper into the connection which is how you end up with the actual IP.

Oh I see. I didn’t know about this.

Any idea which software I should use to perform this?

Nope. I don’t actively go through proxied IPs to get the real IP. There also wouldn’t be a reason you should either. Any proxy setup to mask an IP will have a way around and some will be harder than others.

I will try using Wireshark or some other networking tool to understand this.

Hey there, does this mean that you are putting your main server behind a proxy server?

Yes!

Host override is not for setting an IP! IP override is also not for setting an IP for clients!

You might be looking for sv_endpoints instead?

See Proxy Setup - if you’re not handling port 443 you won’t get hostoverride doing anything.
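
The thread never establishes where the address escapes, so a practical check for the server owner is to capture everything the server hands to clients through a proxy (config values, response bodies, asset URLs) and flag any IP literal that is not one of the proxies. The Python below is an added example, not code from this thread or from Cfx.re; the addresses, capture names and sample bodies are constructed and do not reproduce the real FiveM wire format.

```python
import ipaddress
import re

# Candidate dotted quads; each hit is validated with ipaddress below.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample data (documentation address ranges, not real hosts).
PROXY_NETS = ["198.51.100.0/24"]   # assumed range that holds the proxies
ORIGIN_IP = "203.0.113.77"         # assumed main server address
SAMPLE_CAPTURES = {
    "server.cfg": 'set sv_listingIpOverride "198.51.100.10"\n'
                  'set sv_endpoints "198.51.100.10:1010"',
    "handshake": '{"endpoints": ["203.0.113.77:1010"], "build": "1.0.0.7422"}',
    "banner": "logo: http://203.0.113.77/logo.png via 192.0.2.5",
}


def find_ip_leaks(captures, proxy_nets, origin_ip):
    """Return sorted (source, ip, kind) tuples for every IPv4 literal in the
    captured text that does not belong to one of the proxy networks."""
    nets = [ipaddress.ip_network(n) for n in proxy_nets]
    origin = ipaddress.ip_address(origin_ip)
    findings = set()
    for source, text in captures.items():
        for candidate in IPV4_RE.findall(text):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # not a valid address, e.g. 999.1.1.1
            if ip.is_loopback or ip.is_unspecified:
                continue  # 127.x.x.x and 0.0.0.0 reveal nothing
            if any(ip in net for net in nets):
                continue  # a proxy address is what clients should see
            kind = "ORIGIN" if ip == origin else "unknown"
            findings.add((source, str(ip), kind))
    return sorted(findings)


if __name__ == "__main__":
    for source, ip, kind in find_ip_leaks(SAMPLE_CAPTURES, PROXY_NETS, ORIGIN_IP):
        print(f"{source}: {ip} ({kind})")
```

Addresses reported as "unknown" are worth reviewing too, since any third host that is not a proxy may itself know or log the main server's address.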

Cool man, I wanted to do that for a long time but there isn’t any proper doc about it. Could you share the way you did it?