@tinwritescode
Forked from Vince0789/samp-iptables.sh
Created July 12, 2022 11:30
# create a new chain
iptables -N SAMPQUERY
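# check that the incoming packet is a samp query packet and divert it to the new chain
# u32 expression: 0x0>>0x16&0x3c yields the IP header length in bytes (IHL * 4),
# @0x8 then reads the 4 bytes located 8 bytes past that (i.e. right after the UDP header),
# and the match succeeds when they equal 0x53414d50 (ASCII "SAMP")
# this inserts the rule as the first in the chain, but should probably be a bit further down (e.g. after checking lo interface)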
iptables -I INPUT -p udp \! -f -m udp --dport 7777 -m conntrack --ctstate NEW,ESTABLISHED -m u32 --u32 "0x0>>0x16&0x3c@0x8=0x53414d50" -j SAMPQUERY
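# only allow connections from ephemeral source ports
# connection attempts from ports outside this range are likely rogue clients
# note: 49152-65535 is the IANA dynamic range (the Windows default); Linux hosts default to
# 32768-60999 and NAT devices may rewrite source ports, so such clients' queries are rejected too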
iptables -A SAMPQUERY -p udp --sport 49152:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A SAMPQUERY -j REJECT --reject-with icmp-port-unreachable
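
The u32 match from the INPUT rule above, evaluated step by step in Python over constructed packets. This is an added example, not part of the original gist; the function names, sample addresses and the query payload are assumptions made here for illustration.

```python
import struct

SAMP_MAGIC = 0x53414D50  # ASCII "SAMP", the value the rule compares against

def u32_at(pkt, off):
    """Read a big-endian 32-bit word at off, or None if it runs past the packet."""
    if off + 4 > len(pkt):
        return None
    return struct.unpack_from("!I", pkt, off)[0]

def matches_samp_query(pkt):
    """Evaluate 0x0>>0x16&0x3c@0x8=0x53414d50 against a raw IPv4 packet."""
    first = u32_at(pkt, 0)
    if first is None:
        return False
    ip_hdr_len = (first >> 0x16) & 0x3C   # IHL nibble * 4 = IP header length in bytes
    # '@' makes ip_hdr_len the new base; +8 skips the 8-byte UDP header
    return u32_at(pkt, ip_hdr_len + 8) == SAMP_MAGIC

def fixed_offset_match(pkt):
    """Naive variant that assumes a 20-byte IP header (payload at byte 28)."""
    return u32_at(pkt, 28) == SAMP_MAGIC

def build_packet(payload, ip_options=b"", sport=50000, dport=7777):
    """Constructed IPv4/UDP packet; checksums stay zero since u32 ignores them."""
    ihl = 5 + len(ip_options) // 4        # options must be a multiple of 4 bytes
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(udp), 0, 0,
                     64, 17, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + ip_options + udp

if __name__ == "__main__":
    query = b"SAMP" + bytes(6) + b"i"     # constructed; only the first 4 bytes matter
    samples = {
        "query, plain header": build_packet(query),
        "query, 4 bytes of IP options": build_packet(query, ip_options=b"\x01\x01\x01\x00"),
        "magic not at payload start": build_packet(b"\x00" + query),
        "payload shorter than 4 bytes": build_packet(b"SAM"),
    }
    for name, pkt in samples.items():
        print(f"{name:32} u32={matches_samp_query(pkt)} fixed={fixed_offset_match(pkt)}")
```

The rule classifies on the first four payload bytes only, so any datagram to port 7777 that begins with "SAMP" lands in the SAMPQUERY chain; the source-port check there is what actually decides acceptance.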