Game Servers and DDoS
Game servers are frequent DDoS targets: most game protocols run over UDP, which has no handshake, so source addresses can be spoofed freely; the listening ports are well known; and even a few seconds of packet loss is visible to every connected player. This guide covers iptables-based mitigations tailored to game-server traffic patterns. Keep one limit in mind throughout: rules on the host can only discard packets that have already arrived over your uplink. They keep amplification junk, spoofed floods and abusive clients away from the game process, but they cannot help once an attack saturates the link itself; for that you need upstream filtering (see Additional Protection).
Basic Rate Limiting
# Limit new UDP "connections" (the first packet of a new source/port tuple) per
# source IP: the first rule records every new flow in the GAMECONN list, the
# second drops a source that opened more than 20 new flows in the last 10 s.
# Nothing here ACCEPTs; legitimate packets fall through to a later rule or the
# chain policy.
iptables -A INPUT -p udp --dport 27015 -m conntrack --ctstate NEW \
-m recent --set --name GAMECONN
iptables -A INPUT -p udp --dport 27015 -m conntrack --ctstate NEW \
-m recent --update --seconds 10 --hitcount 20 --name GAMECONN -j DROP
# Caveats: --hitcount cannot exceed xt_recent's ip_pkt_list_tot module
# parameter (default 20), and the list itself is fixed-size (ip_list_tot,
# default 100 entries), so a spoofed flood with thousands of source addresses
# churns the table and evicts real players' entries. For per-source limits
# under spoofing, prefer hashlimit (next section).
# Limit ICMP echo requests (ping flood protection). -m limit is a single
# global token bucket, not a per-source limit: during a ping flood legitimate
# pings are dropped too, which is acceptable for ICMP but matters for the SYN
# rule further down.
iptables -A INPUT -p icmp --icmp-type echo-request \
-m limit --limit 1/s --limit-burst 4 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
UDP Flood Protection
# Limit the UDP packet rate per source IP on a UDP game port (27015, the
# Source Engine port used above; substitute your game's UDP port). Minecraft
# Java Edition listens on TCP 25565 only, so UDP sent to 25565 carries no
# legitimate traffic and can simply be dropped rather than rate-limited.
# hashlimit keeps one token bucket per key (here the source address), so it
# scales to many sources: after a burst allowance of 150 packets, anything
# above 100 packets/sec from one address is dropped.
# Ordering matters: a game client keeps one source IP/port for its whole
# session, so conntrack marks every packet after the first as ESTABLISHED.
# Place this rule before any "--ctstate ESTABLISHED,RELATED -j ACCEPT" rule,
# or a flood from a fixed tuple bypasses it as established traffic.
iptables -A INPUT -p udp --dport 27015 \
-m hashlimit --hashlimit-above 100/sec \
--hashlimit-burst 150 \
--hashlimit-mode srcip \
--hashlimit-name udp_flood \
-j DROP
# Drop packets conntrack cannot associate with a valid flow (malformed
# headers, out-of-window TCP, replies to nothing). Put this near the top of
# INPUT so the later rules only see sane packets.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Drop packets with bogus TCP flag combinations (null and "Xmas" scans)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
SYN Flood Protection
# Enable SYN cookies: the kernel answers SYNs without reserving queue state,
# so a SYN flood cannot exhaust the backlog. Writing /proc does not survive a
# reboot; persist it as "net.ipv4.tcp_syncookies = 1" in /etc/sysctl.d/.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Limit SYN packets. Caveat: -m limit is one global bucket shared by every
# source, so an attacker sending more than 25 SYNs/s makes this rule drop
# legitimate handshakes as well. Treat it as a last-resort backstop behind
# SYN cookies, or use hashlimit with --hashlimit-mode srcip so the limit is
# enforced per source instead.
iptables -A INPUT -p tcp --syn \
-m limit --limit 25/s --limit-burst 50 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
# Kernel tuning for DDoS resilience. sysctl -w takes effect immediately but
# is not persistent; put the same keys in /etc/sysctl.d/ and load them with
# "sysctl --system".
sysctl -w net.ipv4.tcp_max_syn_backlog=65535   # half-open connections the kernel will queue
sysctl -w net.core.somaxconn=65535             # cap on a listening socket's accept backlog
sysctl -w net.ipv4.tcp_synack_retries=2        # give up on unanswered SYN-ACKs sooner
sysctl -w net.ipv4.conf.all.rp_filter=1        # strict reverse-path check: drop packets whose
                                               # source is not routable back out the arriving
                                               # interface (use 2, loose mode, on multi-homed hosts)
Per-Game Port Protection
# Minecraft (TCP 25565): at most 3 concurrent connections per source IP.
# Match on --syn so an address over the limit is refused new connections but
# keeps the ones it already has. Caveat: players behind the same NAT (a
# household, a campus network, carrier-grade NAT) share one address, so choose
# the threshold with your player base in mind.
iptables -A INPUT -p tcp --syn --dport 25565 \
-m connlimit --connlimit-above 3 --connlimit-mask 32 -j DROP
# Source Engine (UDP 27015): a tighter per-source rate than the general rule.
# When two hashlimit DROP rules cover the same port, the lower threshold is
# the one that takes effect.
iptables -A INPUT -p udp --dport 27015 \
-m hashlimit --hashlimit-above 50/sec \
--hashlimit-mode srcip --hashlimit-name source_udp -j DROP
# General UDP game port range. multiport takes at most 15 ports, a range
# counting as two; use several rules (or an ipset) for more. Adjust the ranges
# to the ports your games actually listen on (Minecraft Java is TCP-only).
iptables -A INPUT -p udp -m multiport --dports 25565:25665,27015:27115 \
-m hashlimit --hashlimit-above 100/sec \
--hashlimit-mode srcip --hashlimit-name game_ports -j DROP
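The rules in the sections above (Basic Rate Limiting through Per-Game Port Protection) are appended to INPUT in whatever order they are typed, and several of them interact: a long-lived UDP flow becomes ESTABLISHED after its first packet, the global SYN limit punishes everyone during a flood, and nothing so far ACCEPTs game traffic explicitly. The script below is an added example, not part of the original guide, that assembles them into a single iptables-restore ruleset with a default-DROP INPUT policy, parses it with `iptables-restore --test` first and then loads it atomically. The ports (UDP 27015, TCP 25565) and the 100/sec, burst-150 and 3-connection thresholds come from the guide; the chain names GAME_UDP and GAME_TCP, the SSH management port (22), the /24 source grouping, and the per-source SYN limit of 5/sec that stands in for the guide's global `-m limit` rule are this example's own assumptions. The xt_recent rules are left out in favour of hashlimit for the table-size reason given above.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): build one iptables-restore ruleset for a
# game host and load it atomically. Chain names, the SSH port default and the
# per-source SYN threshold are assumptions made for this example.
set -eu

# Returns 0 if the argument is a valid TCP/UDP port number, 1 otherwise.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print a complete ruleset for iptables-restore.
#   $1 UDP game port (e.g. Source Engine 27015)
#   $2 TCP game port (e.g. Minecraft Java 25565)
#   $3 SSH management port (assumed 22). With a default-DROP INPUT policy this
#      rule is what keeps you logged in; get it wrong and you lock yourself out.
build_ruleset() {
    local udp_port=$1 tcp_port=$2 ssh_port=${3:-22} p
    for p in "$udp_port" "$tcp_port" "$ssh_port"; do
        validate_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GAME_UDP - [0:0]
:GAME_TCP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# UDP game traffic is dispatched BEFORE the ESTABLISHED accept: a client keeps
# one 5-tuple for its whole session, so conntrack marks every packet after the
# first as ESTABLISHED and a hashlimit placed later would never see the flood.
-A INPUT -p udp --dport ${udp_port} -j GAME_UDP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${tcp_port} -j GAME_TCP
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
# Per-source packet-rate limit; srcmask 24 groups spoofed /32 sources so a
# flood cycling through one /24 shares a single counter instead of 256.
-A GAME_UDP -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 150 --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-name game_udp -j DROP
-A GAME_UDP -j ACCEPT
# Only NEW TCP packets reach this chain (ESTABLISHED was accepted above), so
# these rules see handshakes only. connlimit is applied to --syn so an address
# over the limit loses new connections, not the ones it already has. Non-SYN
# packets that conntrack picked up mid-stream fall through to the DROP policy.
-A GAME_TCP -p tcp --syn -m connlimit --connlimit-above 3 --connlimit-mask 32 -j DROP
-A GAME_TCP -p tcp --syn -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name game_syn -j DROP
-A GAME_TCP -p tcp --syn -j ACCEPT
COMMIT
EOF
}

# Usage: game-fw.sh [udp_port] [tcp_port] [ssh_port] [--apply]
# Without --apply the ruleset is printed for review. With --apply (as root)
# iptables-restore parses it first (--test) and only then replaces the live
# ruleset in one step, after which it is saved for iptables-persistent.
main() {
    local udp=${1:-27015} tcp=${2:-25565} ssh=${3:-22} mode=${4:-} ruleset
    ruleset=$(build_ruleset "$udp" "$tcp" "$ssh")
    if [ "$mode" = "--apply" ]; then
        printf '%s\n' "$ruleset" | iptables-restore --test
        printf '%s\n' "$ruleset" | iptables-restore
        iptables-save > /etc/iptables/rules.v4
    else
        printf '%s\n' "$ruleset"
    fi
}

main "$@"
```

Review the printed ruleset (and confirm the SSH port) before running with `--apply` from a console session you can still reach if the policy misfires; the ESTABLISHED accept keeps your current SSH session alive even if the NEW rule is wrong, but a reconnect will not get through.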
GeoIP Blocking (Optional)
# If your players are region-specific, drop everything else. This sheds most
# botnet and reflection traffic but is not a security boundary: spoofed UDP
# sources land in arbitrary countries, and players on VPNs or residential
# proxies will be cut off.
# Install xtables-addons. The geoip match is an out-of-tree kernel module, so
# the DKMS package is needed alongside the userspace tools.
sudo apt install -y xtables-addons-common xtables-addons-dkms libtext-csv-xs-perl
# Download and build the country database with the xt_geoip_dl and
# xt_geoip_build scripts shipped with xtables-addons (see their man pages);
# the match reads the built database from /usr/share/xt_geoip by default.
# Drop every source country except the listed ones (Minecraft is TCP 25565)
iptables -A INPUT -p tcp --dport 25565 \
-m geoip ! --src-cc US,CA,GB,DE -j DROP
Saving Rules
# Install iptables-persistent. The installer offers to save the current IPv4
# and IPv6 rules; answer yes, or save manually as below.
sudo apt install -y iptables-persistent
# Save the current rules. rules.v4 is what the netfilter-persistent service
# restores at boot; do the same for IPv6 with
# "ip6tables-save > /etc/iptables/rules.v6", or run "netfilter-persistent save"
# to write both files.
iptables-save > /etc/iptables/rules.v4
# Rules are restored automatically on boot. The sysctl settings above are not
# covered by this and need their own file in /etc/sysctl.d/.
Additional Protection
- Put an upstream DDoS protection service (OVH Game DDoS, Path.net) in front of the server for large attacks; host rules cannot help once the flood saturates your uplink
- Hide your real server IP behind a proxy where possible, so attackers have nothing to aim at but the protected address
- Use fail2ban to ban sources that the game's own logs show abusing the service (repeated failed logins, join/leave spam); it reacts in seconds, so it complements rather than replaces the packet-rate rules above
- Monitor network traffic with vnstat or iftop during attacks, and watch the per-rule packet counters (iptables -nvxL) to see which rule is absorbing the flood
- Have a plan to null-route the attacked IP at your provider if attacks overwhelm your connection
- Consider Cloudflare Spectrum for TCP game protocols; connections terminate at Cloudflare's edge, so only Cloudflare's addresses need to reach your host