This line in the script:
iptables -A jk2_ddos -m u32 ! --u32 "0x1c=0xffffffff" -j ACCEPT
produces this error:
iptables v1.4.12: u32: option "--u32" cannot be inverted.
This does not seem to work in iptables 1.4.12. It works in older versions. I need something that does the same thing. The problem is that I am a noob.
Is this one right, or is it nonsense?
iptables -A jk2_ddos -m u32 --u32 "0x1c=0xffffffff" -j REJECT
Thanks for your help.
Edit: here is the full script.
# create chain
iptables -N jk2_ddos
# accept real client/player traffic
iptables -A jk2_ddos -m u32 ! --u32 "0x1c=0xffffffff" -j ACCEPT
# match "getstatus" queries and remember their address
iptables -A jk2_ddos -m u32 --u32 "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73" -m recent --name getstatus --set
# drop packet if "hits" per "seconds" is reached
#
# NOTE: if you run multiple servers on a single host, you will need to raise these limits
# as otherwise you will block regular server queries, like Spider or QConnect
# e.g. they will query all of your servers within a second to update the list
iptables -A jk2_ddos -m recent --update --name getstatus --hitcount 10 --seconds 3 -j DROP
# accept otherwise
iptables -A jk2_ddos -j ACCEPT
# finally insert the chain as the top most input filter
# single server
iptables -I INPUT 1 -p udp --dport 28070 -j jk2_ddos
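Added example (not from the post or from iptables itself): a small Python evaluator for the u32 expressions used in the script above, run against a constructed Quake3-style UDP packet, to show what `0x1c=0xffffffff` and the `getstatus` test actually compare. It assumes a 20-byte IPv4 header with no options, which the hard-coded offsets in the script also assume, since u32 offsets count from the start of the IP header.

```python
import struct

# u32 expressions copied from the script above
CONNECTIONLESS = "0x1c=0xffffffff"
GETSTATUS = "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73"


def build_packet(payload: bytes) -> bytes:
    """Constructed sample: 20-byte IPv4 header (no options) + 8-byte UDP header
    + payload, so the payload starts at byte offset 28 (0x1c)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp_hdr = struct.pack("!HHHH", 27960, 28070, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def u32_word(pkt: bytes, offset: int) -> int:
    """Big-endian 32-bit load at a byte offset, as the u32 match does."""
    if offset + 4 > len(pkt):
        raise ValueError("load past end of packet")
    return struct.unpack("!I", pkt[offset:offset + 4])[0]


def u32_test(pkt: bytes, expr: str) -> bool:
    """Evaluate the subset of u32 syntax the script uses: tests joined by '&&',
    each of the form OFFSET[&MASK]=VALUE with hex or decimal numbers."""
    for test in expr.split("&&"):
        lhs, value = test.split("=")
        if "&" in lhs:
            offset, mask = lhs.split("&")
            mask = int(mask, 0)
        else:
            offset, mask = lhs, 0xFFFFFFFF
        try:
            word = u32_word(pkt, int(offset, 0)) & mask
        except ValueError:
            return False  # u32 semantics: a load past the packet end makes the test fail
        if word != int(value, 0):
            return False
    return True


def classify(payload: bytes):
    """Return (is_connectionless, is_getstatus) for a UDP payload."""
    pkt = build_packet(payload)
    return u32_test(pkt, CONNECTIONLESS), u32_test(pkt, GETSTATUS)


if __name__ == "__main__":
    for p in (b"\xff\xff\xff\xffgetstatus\n", b"\xff\xff\xff\xffgetinfo", b"\x01\x02\x03\x04clientdata"):
        print(p, classify(p))
```

The first test is exactly what the `!` in the failing rule negates: everything that is not a four-0xff "connectionless" query is normal client traffic. A truncated query (see the last assertion in the test) does not match either, because the load at 0x24 runs past the packet end.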