/etc/ipt
[cpp]*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ch - [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
# login packet
-A INPUT -p tcp -m tcp --dport 7171 --tcp-flags FIN,SYN,RST,PSH,ACK,URG PSH,ACK -m length --length 191 -j ch
# logout packet
-A INPUT -p tcp -m tcp --dport 7172 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -m recent --set --name login --rsource
# drop banned clients
-A INPUT -m recent --rcheck --seconds 600 --name ban --rsource -j DROP
# accept established
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
# ban over 24 connections
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 24 --connlimit-mask 32 -m recent --set --name ban --rsource -j DROP
# IP-specific bans, 1 line per IP
#-A INPUT -s 186.211.32.3 -j DROP
# HTTP
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# loginserver and gameserver
-A INPUT -p tcp -m tcp --dport 7171 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit ! --connlimit-above 2 --connlimit-mask 32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7172 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --rcheck --seconds 30 --name login --rsource -j ACCEPT
# DNS
-A INPUT -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
# NTP
#-A INPUT -p udp -m state --state ESTABLISHED -m udp --sport 123 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# ban UDP, not very useful!
-A INPUT -p udp -m recent --set --name ban --rsource -j DROP
# accept login
-A ch -m recent --set --name login --rsource -j ACCEPT
COMMIT[/cpp]iptables-restore /etc/ipt