AntiMomentum

Halo CE servers - DDoS Firewall

15 posts in this topic
25 minutes ago, Broomish said:

I am wondering whether the reason I am having the server list issue is that I have deviated from the recommended Docker approach.

Here are some more details about my server setup, but they are probably irrelevant.

I added 2 unix users: admin and haloce

I added admin to sudo group and blocked ssh for the root user

As the admin user I run: sudo ./firewall.sh

As the haloce user I run (in a different ssh session): wineconsole haloceded.exe -port 2302 -path my_path

Once that starts, as the admin user I run: sudo ./tc.sh

 

So the "logic" of this approach is that I get to run the Halo server as an unprivileged user.


Try it without ./tc.sh and see if it shows in the list; if it does, then run ./tc.sh.

If that doesn't work, let me know and I'll recreate the issue to work it out.

Edited by AntiMomentum

Tiddy-bits:

On 2/23/2021 at 0:04 PM, Broomish said:

I just tried this. Even without running ./tc.sh it still does not show in the list.

Thanks again for your help :)


No problem! Glad you brought it up; it's likely others will run into this issue, since it had to do with my firewall rules for a non-Docker Halo server. So totally my fault!

But I have rules that should work, just keep in mind I just wrote them today so they are untested against attacks. It should be fine though since it's mostly what my tested firewall already is.

So basically rather than firewall.sh you would use winewall.sh. However you need to make a change first!

https://github.com/antimomentum/haloce/blob/master/winewall.sh

If you go ahead and look at winewall you'll see three commented-out lines:

# ipset add MDNS 50.116.53.5
# ipset add MDNS 66.228.42.5
# ipset add MDNS 50.116.58.5

These are the DNS servers that were automatically configured for the Linode (via Linode's Network Helper feature; this can be turned off for static configs, though). The DNS servers your server uses can be found by doing:
cat /etc/resolv.conf

There you will see some lines like:
nameserver 66.228.42.5
nameserver 50.116.58.5
nameserver 50.116.53.5

Those IPs are what you want to add into the MDNS table for winewall (take out the comments, of course). These nameservers can change every time the system reboots. At some point soon I'll provide instructions to make them static, but for now this will have to do. Just keep that in mind any time you reboot or spin up a new Linode server.

Also don't forget to add in your SSH lines, they go right above the same lines as before :)

./tc.sh executed from admin user should work too after the halo server loads

Please let me know if it works or not for you!

**EDIT** Just realized I didn't have:
apt install ipset -y

in the winewall/firewall scripts; the GitHub is updated now.

Edited by AntiMomentum
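The post above has the reader copy the nameserver IPs out of /etc/resolv.conf into winewall's MDNS ipset by hand, and warns that those resolvers can change on reboot. The script below is an added example, not part of winewall.sh or the antimomentum/haloce repository: it reads whatever resolvers the box currently has and generates the matching ipset commands, so the set can be rebuilt on every boot before the firewall rules load. The set name MDNS is taken from the thread; the set type hash:ip and the sample resolv.conf contents are assumptions made for the example (the three IPs are the ones quoted in the post, the comment and IPv6 line are there only to show what gets filtered out).

```shell
#!/bin/sh
# Added example (not from winewall.sh): rebuild the MDNS ipset from the
# resolvers the system is actually using, instead of hard-coding them.
# Run as root before the firewall rules are loaded, e.g. at boot, because
# Linode's Network Helper may hand out different resolvers after a reboot.

# Print the IPv4 nameservers listed in a resolv.conf-style file, one per line.
# Comment lines (# or ;) and IPv6 entries are skipped; the commented-out
# winewall lines only ever held IPv4 addresses.
resolv_nameservers() {
    awk '
        /^[[:space:]]*[#;]/ { next }
        $1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }
    ' "$1"
}

# Emit the ipset commands that (re)populate set $1 from resolv file $2.
# "create ... -exist" and "flush" make the output safe to apply repeatedly,
# so a stale resolver from the previous boot never lingers in the set.
mdns_ipset_commands() {
    set_name="$1"
    resolv_file="$2"
    printf 'ipset create %s hash:ip -exist\n' "$set_name"
    printf 'ipset flush %s\n' "$set_name"
    resolv_nameservers "$resolv_file" | while IFS= read -r ip; do
        printf 'ipset add %s %s -exist\n' "$set_name" "$ip"
    done
}

# Constructed sample resolv.conf for demonstration purposes only.
SAMPLE_RESOLV="$(mktemp)"
trap 'rm -f "$SAMPLE_RESOLV"' EXIT
cat > "$SAMPLE_RESOLV" <<'EOF'
# Generated by Linode Network Helper (sample, constructed for this example)
nameserver 66.228.42.5
nameserver 50.116.58.5
nameserver 50.116.53.5
nameserver 2600:3c03::5
options rotate
EOF

# Dry run against the sample: prints the commands without touching ipset.
# To apply on the real server, as root, before winewall's rules are loaded:
#   mdns_ipset_commands MDNS /etc/resolv.conf | sh
mdns_ipset_commands MDNS "$SAMPLE_RESOLV"
```

Run it with `sh` to see the generated commands; the only privileged step is piping that output into `sh` as root. One caveat worth checking after applying it: if the resolvers change while the server is up (not just at reboot), DNS from the Halo server will fail silently until the set is rebuilt, so re-running the script is the first thing to try when the server stops appearing in the list.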

Awesome, the winewall is working for me, people can join my server!

As you say, we will have to see how it holds up to an actual attack. I have nothing to report there yet, but I will keep you updated!

Thank you :D
20 hours ago, Broomish said:

Awesome, the winewall is working for me, people can join my server!

As you say, we will have to see how it holds up to an actual attack. I have nothing to report there yet, but I will keep you updated!

Thank you :D

No, thank you for getting me to fix this. I will be extensively testing my server without Docker now for a while. I've been having issues with server list loading delay after some uptime, and without Docker it was immediately fixed. Assuming there are no longer issues with this, and the winewall performs well, this might actually end up being the main solution.

And yes, I'd really appreciate reports! On the Analytics tab for the server you'll see a Network graph and CPU graph among other things. For attacks, the max public INBOUND traffic, rough duration of the attack(s), and max CPU usage are important for reports, along with the CPU usage when your server has 16 players.

IPv6 and disk I/O stuff aren't needed. And of course, whether all the players leave/quit/lag out during an attack, or whether the player count remains "normal".

For attack duration, the graph only updates everything in intervals of 5 minutes, so a close approximation is fine, and it is less important than the max inbound/max CPU usage info anyway.

Example:
Number of CPUs: 2

16 player CPU usage was about 20%

max CPU was 60%
max inbound traffic was 600Mb/s
attack lasted about 20 mins
player count was normal during the attack

(If winewall doesn't effectively stop the attack you'd see incoming/outgoing traffic from players, the incoming attack network traffic, and then little to no OUTGOING traffic at all after the attack knocks them out.)
(You can toggle options in the Network graph to only show inbound, outbound, etc.)
Side tip: CPU usage shown in that graph is just a total number. So a 2 CPU server can have a max 200% CPU usage. (Shared CPUs are virtually capped at 80%, or 160% total for 2.)

Edited by AntiMomentum