AntiMomentum

Halo CE servers - DDoS Firewall

18 posts in this topic
25 minutes ago, Broomish said:

 

I am wondering whether, because I have deviated from the recommended docker approach, that is why I am having the server list issue.

Here are some more details about my server setup but it is probably irrelevant.

I added 2 unix users: admin and haloce

I added admin to sudo group and blocked ssh for the root user

As the admin user I run: sudo ./firewall.sh

As the haloce user I run (in a different ssh session): wineconsole haloceded.exe -port 2302 -path my_path

Once that starts, as the admin user I run: sudo ./tc.sh

 

So the "logic" of this approach is I get to run the halo server as an unprivileged user.


Try it without ./tc.sh, see if it shows in the list, and if it does then do ./tc.sh

If that doesn't work let me know and I'll recreate the issue to work it out

Edited by AntiMomentum
Enclusion likes this


Tiddy-bits:

On 2/23/2021 at 0:04 PM, Broomish said:

I just tried this. Even without running ./tc.sh it still does not show in the list.

 

Thanks again for your help :) 


No problem! Glad you brought it up, it's likely others will run into this issue since it had to do with my firewall rules for a non-docker halo server. So totally my fault!

But I have rules that should work, just keep in mind I just wrote them today so they are untested against attacks. It should be fine though since it's mostly what my tested firewall already is.

So basically rather than firewall.sh you would use winewall.sh. However you need to make a change first!

https://github.com/antimomentum/haloce/blob/master/winewall.sh

If you go ahead and look at winewall you'll see three commented out lines:

# ipset add MDNS 50.116.53.5
# ipset add MDNS 66.228.42.5
# ipset add MDNS 50.116.58.5

 


These are the dns servers that were automatically configured for the Linode (via Linode's Network Helper feature, this can be turned off for static configs tho). The DNS servers your server uses can be found by doing:
cat /etc/resolv.conf

There you will see some lines like:
nameserver 66.228.42.5
nameserver 50.116.58.5
nameserver 50.116.53.5

Those IPs are what you want to add into the MDNS table for winewall (take out the comments of course). These nameservers can change every time the system reboots. At some point soon I'll provide instructions to make them static but for now this will have to do. Just keep that in mind anytime you reboot or spin up a new linode server.

Also don't forget to add in your SSH lines, they go right above the same lines as before :)

./tc.sh executed from admin user should work too after the halo server loads

Please let me know if it works or not for you!

**EDIT** Just realized I didn't have:
apt install ipset -y

in the winewall/firewall scripts, the github is updated now

 

Edited by AntiMomentum
Takka, Enclusion and Broomish like this
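
The step described in the post above (reading the nameservers from /etc/resolv.conf and adding them to the MDNS set), as a shell function. This is an added example, not part of winewall.sh or the original post; the function names are hypothetical, and it assumes the MDNS set holds IPv4 addresses only, so IPv6 nameservers are skipped.

```shell
#!/bin/sh
# Added example (not from winewall.sh): turn the "nameserver" lines of a
# resolv.conf-style file into "ipset add MDNS <ip>" lines.
# Assumption: MDNS is an IPv4 set, so anything that is not a valid
# dotted-quad IPv4 address is skipped.

mdns_lines() {
    # Reads the file given as $1, or stdin when no file is given.
    awk '
        $1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($2, octet, ".")
            ok = 1
            # Reject out-of-range octets such as 999.1.1.1
            for (i = 1; i <= 4; i++) if (octet[i] + 0 > 255) ok = 0
            # Print each valid address once, in file order
            if (ok && !seen[$2]++) print "ipset add MDNS " $2
        }
    ' "$@"
}

# Constructed sample input. The three valid addresses are the ones shown
# in the post; the other lines are made up to exercise the filters.
sample_resolv_conf() {
    cat <<'EOF'
# constructed sample resolv.conf
# nameserver 10.0.0.1
search example.invalid
nameserver 66.228.42.5
nameserver 50.116.58.5
nameserver 50.116.53.5
nameserver 50.116.53.5
nameserver 2600:3c03::5
nameserver 999.1.1.1
EOF
}

# Demo on the constructed sample (commented-out, duplicate, IPv6 and
# invalid entries are dropped).
sample_resolv_conf | mdns_lines
```

On the server, `mdns_lines /etc/resolv.conf` prints the lines that take the place of the three commented-out ones in winewall.sh. Re-run it after a reboot, since the post notes the nameservers can change.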


Awesome, the winewall is working for me, people can join my server!

 

As you say, we will have to see how it holds up to an actual attack. I have nothing to report there yet but I will keep you updated!

 

Thank you :D 

Enclusion, AntiMomentum and Takka like this

20 hours ago, Broomish said:

Awesome, the winewall is working for me, people can join my server!

 

As you say, we will have to see how it holds up to an actual attack. I have nothing to report there yet but I will keep you updated!

 

Thank you :D 


No, thank you for getting me to fix this. I will be extensively testing my server without Docker now for a while. I've been having issues with server list loading delay after some uptime and without Docker it was immediately fixed. Assuming there are no longer issues with this, and the winewall performs well, this might actually end up being the main solution.

And yes, I'd really appreciate reports! On the Analytics tab for the server you'll see a Network graph and CPU graph among other things. For attacks the max public INBOUND traffic, rough duration of the attack(s), and max cpu usage are important for reports. Along with the cpu usage when your server has 16 players.

IPv6 and DISK IO stuff aren't needed. And of course if all the players leave/quit/lag out during an attack, or if player count remains "normal"

For attack duration the graph only updates everything in intervals of 5 minutes so a close approximation is fine, and less important than the max inbound/max cpu usage info anyways.

Example:
Number of cpus: 2

16 player cpu usage was about 20%

max cpu was 60%
max inbound traffic was 600Mb/s
attack lasted about 20 mins
player count was normal during the attack

(if winewall doesn't effectively stop the attack you'd see incoming/outgoing traffic from players, the incoming attack network traffic, and then little to no OUTGOING traffic at all after the attack knocks them out)
(You can toggle options in the Network graph to only show inbound, outbound, etc.)
Side tip: cpu usage shown in that graph is just a total number. So a 2 cpu server can have a max 200% cpu usage. (Shared CPUs are virtually capped at 80%, or 160% total for 2)

Edited by AntiMomentum
Broomish likes this

22 hours ago, alexhacker1000 said:

Hi guys, can someone tell me how to make this work in Windows?

 

Thank you!!!


I haven't tried this but if your Windows machine doesn't have Hyper-V I don't think it can work. If it does have Hyper-V you should be able to enable Linux in Windows Programs and Features (the features).

If you have Hyper-V but don't see any Linux features try updating Windows and checking the features again after you reboot and finish the updates.

If you are able to enable Linux in Features open PowerShell and try this command: iptables -L

Also if it's already a virtual Windows machine (like a Windows cloud server that isn't "bare metal") then it won't work since you can't do a virtual machine inside another virtual machine.

Edited by AntiMomentum


I am new to this, I need help!


Let's say I have my "halo ce server" and I want to put this "Halo CE servers - DDoS Firewall"

 

The question is, what do I have to do? Where do I start?

 


Is there no video or something showing how to install this "Halo CE servers - DDoS Firewall" from scratch?

 

Edited by alexhacker1000
