SYN-flood filtering (iptables SYNPROXY), PROXY-protocol acceptance in HAProxy, and transparent TCP proxying (the source IP of the connection to the backend is rewritten to the real client IP). Note: the PROXY-protocol listeners must only be reachable from the trusted upstream proxy, otherwise any direct client can forge its source address.
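# HAProxy in front of a TCP game server: a per-source concurrent-connection
# cap on each public port, PROXY-protocol acceptance so an upstream proxy can
# hand over the real client address, and transparent proxying so the
# connection to the game server carries that client address as its source.
#
# TRUST BOUNDARY - read before exposing :3100/:3101 to the Internet.
# "accept-proxy" honours a PROXY header from *any* peer that reaches the
# port, not only the intended upstream proxy. A client that can connect to
# the port directly can therefore claim any source address, which
#   (a) defeats the per-IP limit below (src_conn_cur is keyed by the claimed
#       address, so every forged address gets its own allowance), and
#   (b) through "usesrc clientip" puts the forged address on the wire towards
#       the game server, i.e. HAProxy becomes an IP-spoofing relay.
# Either firewall the ports so only the upstream proxies can reach them, or
# replace "accept-proxy" on the bind lines with a source-filtered variant:
#     tcp-request connection expect-proxy layer4 if { src -f /etc/haproxy/proxies.lst }
# so the header is only honoured from listed addresses.
#
# "game_servers" is a placeholder the companion install script replaces with
# the backend address.

global
    log /dev/log local0
    log /dev/log local1 notice
    # With chroot, /dev/log is resolved inside /var/lib/haproxy; the Debian
    # package's rsyslog snippet normally creates that socket - check it exists
    # if nothing shows up in the logs.
    chroot /var/lib/haproxy
    # Runtime API with full admin rights (enable/disable servers, change
    # weights, ...); mode 660 means everyone in the socket's group controls
    # the proxy, so keep that group small.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    daemon
    # No user/group drop on purpose: "usesrc clientip" needs CAP_NET_ADMIN at
    # runtime (IP_TRANSPARENT on each outgoing connection), so HAProxy keeps
    # the privileges of the user that started it - root, in the install script.

defaults
    log global
    mode tcp
    option tcplog
    # Do not log connections that closed without exchanging data.
    option dontlognull
    # Same values as the original 5000/50000 (ms is HAProxy's default unit).
    # client/server timeouts are inactivity limits: an idle game session
    # longer than 50 s is cut - raise them if the protocol has quiet periods.
    timeout connect 5s
    timeout client 50s
    timeout server 50s

# Public ports. The stick-table is per frontend, so the "at most 5 concurrent
# connections per source" limit is counted separately for :3100 and :3101.
# Rule order is deliberate: the reject rule looks the source up in the table,
# then the track rule registers the new connection. conn_cur goes back down
# when a connection ends; unused entries expire after 60 s.
frontend login
    bind *:3100 accept-proxy
    stick-table type ip size 100k expire 60s store conn_cur
    tcp-request connection reject if { src_conn_cur ge 5 }
    tcp-request connection track-sc1 src
    default_backend login

frontend gs
    bind *:3101 accept-proxy
    stick-table type ip size 100k expire 60s store conn_cur
    tcp-request connection reject if { src_conn_cur ge 5 }
    tcp-request connection track-sc1 src
    default_backend gs

# Backends. "source 0.0.0.0 usesrc clientip" connects to the game server with
# the client's IP as the source address (transparent proxying). That only
# works when the game server's replies, addressed to the client, come back
# through this host (it has to be on the return path, e.g. the server's
# gateway) and the companion iptables script's DIVERT/fwmark rules hand them
# to HAProxy's socket. Server names are distinct per backend so log and stats
# entries are unambiguous (the original named both servers "login").
backend login
    mode tcp
    balance roundrobin
    source 0.0.0.0 usesrc clientip
    server login game_servers:3100

backend gs
    mode tcp
    balance roundrobin
    source 0.0.0.0 usesrc clientip
    server gs game_servers:3101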
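#!/bin/bash
# Install HAProxy from the distro package and drop in the SYN-flood /
# PROXY-protocol / transparent-proxy configuration published in this gist.
#
# Usage: run as a user with sudo rights. The script prompts for the game
# server address and substitutes it for the "game_servers" placeholder in
# the downloaded config.
#
# Operator notes:
#  - The config uses "usesrc clientip" (transparent proxying), which needs
#    root / CAP_NET_ADMIN at runtime; that is why HAProxy is started with
#    sudo here and why the config has no user/group drop.
#  - The config fetch is pinned to one gist revision, so what lands in
#    /etc/haproxy/haproxy.cfg is reproducible; bump the hash deliberately.
#  - HAProxy is launched directly rather than through the package's
#    systemd unit, as in the original; if you prefer systemd, run
#    "systemctl restart haproxy" instead of the last line (untested here).
set -euo pipefail

cfg=/etc/haproxy/haproxy.cfg
cfg_url=https://gist.githubusercontent.com/pokeguys/7b7a98cb08e0560a482cc9a41a3348dc/raw/c91a41e8bca6245bebe39cdfed2ba0a95cb0b67d/haproxy.cfg

sudo apt-get install haproxy -y

# Download to a temp file first: "wget -O target" creates the target before
# the transfer, so a failed fetch used to leave an empty config behind and
# the script carried on regardless.
tmp=$(mktemp)
trap 'rm -f -- "$tmp"' EXIT
wget -q -O "$tmp" -- "$cfg_url"
sudo install -m 0644 -o root -g root -- "$tmp" "$cfg"

IFS= read -r -p 'Server IP? ' ip

# The value is spliced into a sed expression and into the config, so only
# hostname / IPv4 characters are accepted. A "/", "&" or "\" would break the
# substitution (and GNU sed's "e" command could even run commands), and
# anything with spaces or ":" would not form a valid "host:port" server line.
if [[ ! "$ip" =~ ^[A-Za-z0-9.-]+$ ]]; then
  printf 'invalid server address: %s\n' "$ip" >&2
  exit 1
fi
sudo sed -i -e "s/game_servers/${ip}/g" -- "$cfg"

# Parse-check the config before launching; a broken config would otherwise
# only show up as the daemon failing to bind.
sudo haproxy -c -f "$cfg"
sudo haproxy -f "$cfg"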
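#!/bin/bash
# Kernel-side SYN-flood mitigation (iptables SYNPROXY) plus the policy-routing
# rules HAProxy's transparent proxying ("source 0.0.0.0 usesrc clientip")
# needs: the backend's replies are addressed to the real client IP, and the
# DIVERT/fwmark rules below deliver them to HAProxy's socket on this host
# instead of forwarding them on.
#
# Runtime-only: "sysctl -w" and iptables changes do not survive a reboot, and
# the final "sysctl -p" re-applies /etc/sysctl.conf - it does not persist
# anything set here (it can even override these values if the same keys are
# listed there). Use /etc/sysctl.d and iptables-persistent/nftables for a
# permanent setup. IPv4 only: nothing here touches ip6tables.
#
# Optional environment:
#   SYNPROXY_PORTS  TCP ports/ranges in iptables multiport syntax (e.g.
#                   "3100:3101") to restrict SYNPROXY to. Default: empty,
#                   i.e. every TCP port on the host (the original behaviour).
#                   Unscoped, SYNPROXY also answers SYNs for closed ports, so
#                   port scans see every port as open until the final ACK is
#                   refused by the stack.
#   SYNPROXY_IFACE  ingress interface (e.g. "eth0") to restrict the SYNPROXY
#                   rules to. Default: all interfaces.
#
# Needs sudo. Safe to re-run: each rule is checked with -C before it is added
# and the routing entries are replaced, so nothing is duplicated.
set -euo pipefail

synproxy_ports=${SYNPROXY_PORTS:-}
synproxy_iface=${SYNPROXY_IFACE:-}

# Matches shared by every SYNPROXY-related rule.
scope=(-p tcp)
if [[ -n "$synproxy_iface" ]]; then
  scope=(-i "$synproxy_iface" "${scope[@]}")
fi
if [[ -n "$synproxy_ports" ]]; then
  scope+=(-m multiport --dports "$synproxy_ports")
fi

#######################################
# Add an iptables rule unless an identical one already exists.
# Arguments: $1 - table, $2 - -A (append) or -I (insert at top),
#            $3 - chain, rest - the rule
#######################################
ensure_rule() {
  local table=$1 action=$2 chain=$3
  shift 3
  if ! sudo iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
    sudo iptables -t "$table" "$action" "$chain" "$@"
  fi
}

# --- TCP stack tuning for SYN floods -----------------------------------------
sudo sysctl -w net.ipv4.tcp_max_syn_backlog=6144
sudo sysctl -w net.ipv4.tcp_syncookies=1
# SYNPROXY encodes SACK/window-scale in the cookie via the timestamp option.
sudo sysctl -w net.ipv4.tcp_timestamps=1
sudo sysctl -w net.ipv4.tcp_synack_retries=2
sudo sysctl -w net.ipv4.tcp_syn_retries=3

# --- SYNPROXY ----------------------------------------------------------------
# 1. Do not create conntrack entries for incoming SYNs; SYNPROXY answers them
#    with cookies, so a flood never fills the conntrack table.
ensure_rule raw -I PREROUTING "${scope[@]}" -m tcp --syn -j CT --notrack
# 2. Hand the untracked SYN and the client's final ACK (INVALID to conntrack,
#    which never saw the handshake) to SYNPROXY, which only opens the real
#    connection to the local stack once the client proved it owns its address.
#    mss 1460 assumes a plain Ethernet path; lower it behind PPPoE/tunnels.
ensure_rule filter -I INPUT "${scope[@]}" -m conntrack --ctstate INVALID,UNTRACKED \
  -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
# 3. Drop whatever else conntrack cannot classify. The original added this
#    rule twice (once through the deprecated "-m state" alias); once is enough.
ensure_rule filter -A INPUT -m conntrack --ctstate INVALID -j DROP
# Required by SYNPROXY: with loose tracking off, mid-stream packets whose
# handshake conntrack never saw are INVALID rather than NEW.
sudo sysctl -w net.netfilter.nf_conntrack_tcp_loose=0

# --- transparent-proxy return path -------------------------------------------
# Replies from the game server carry the client's IP as destination (HAProxy
# connected with usesrc clientip). "-m socket" matches packets for which a
# local (IP_TRANSPARENT) socket exists; those get mark 111 and the policy
# rule sends them through table 100, which declares everything local, so the
# kernel delivers them to HAProxy instead of forwarding them to the client.
sudo iptables -t mangle -nL DIVERT >/dev/null 2>&1 || sudo iptables -t mangle -N DIVERT
ensure_rule mangle -A PREROUTING -p tcp -m socket -j DIVERT
ensure_rule mangle -A DIVERT -j MARK --set-mark 111
ensure_rule mangle -A DIVERT -j ACCEPT
# "ip rule" has no replace verb: drop a previous copy (if any) before adding.
sudo ip rule del fwmark 111 lookup 100 2>/dev/null || true
sudo ip rule add fwmark 111 lookup 100
sudo ip route replace local 0.0.0.0/0 dev lo table 100

# --- conntrack sizing --------------------------------------------------------
# Values kept from the original, but size them to the box: 20M entries is
# several GB of kernel memory (roughly 300 bytes each), and a 25M-bucket hash
# (8 bytes per bucket on 64-bit) is larger than the entry limit itself -
# hashsize is conventionally nf_conntrack_max / 4..8. The hashsize parameter
# only exists once nf_conntrack is loaded, which the rules above guarantee.
echo 25000000 | sudo tee /sys/module/nf_conntrack/parameters/hashsize >/dev/null
sudo sysctl -w net.netfilter.nf_conntrack_max=20000000
# Re-applies /etc/sysctl.conf (see header); kept from the original.
sudo sysctl -p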