Is there any easy lag-free way to block IP ranges?


Postby redblade7 » Wed Feb 21, 2018 3:21 pm

Hi,

I need a way to block IP ranges, to block griefers who have several IDs consisting of different IPs in the same two ranges, as well as people who have made threats to hack my server.

The only way I know of that would do this would be iptables, but inspecting every single packet against hundreds or thousands of IPs in the block causes 20-40+ lag on my servers, making the game near unplayable for most.

I'd imagine I could spend hours placing 255 sets of IPs into ipban.txt or xban2 one at a time. But there has to be a better way, perhaps a Linux program separate from iptables that won't cause so much lag. Is there?
redblade7
Member
 
Posts: 240
Joined: Sun Feb 15, 2015 7:14 am
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

Postby rubenwardy » Wed Feb 21, 2018 5:03 pm

you could create a mod to check the IP against the range on_joinplayer
rubenwardy
Moderator
 
Posts: 5725
Joined: Tue Jun 12, 2012 6:11 pm
GitHub: rubenwardy
In-game: rubenwardy

Re: Is there any easy lag-free way to block IP ranges?

Postby redblade7 » Wed Feb 21, 2018 5:26 pm

rubenwardy wrote:you could create a mod to check the IP against the range on_joinplayer


I don't know how to create mods, and I don't know what on_joinplayer is. Does anything exist, even something that has nothing to do with Minetest? (Preferably something that has nothing to do with Minetest.)
redblade7
Member
 
Posts: 240
Joined: Sun Feb 15, 2015 7:14 am
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

Postby Vapalus » Thu Feb 22, 2018 8:44 am

Since you are talking about iptables and supposedly have Linux:
ip route add blackhole 192.168.178.5/29 is the way to go there...
192.168.178.5 is the IP, /29 is the bitmask to use for the range.
https://www.aelius.com/njh/subnet_sheet.html
Vapalus
Member
 
Posts: 113
Joined: Wed Nov 15, 2017 5:16 pm
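An added example (my own script, not code from the thread or from Minetest) of the blackhole approach Vapalus describes. Two practical points it bakes in: the kernel refuses a route whose address has host bits set for the given prefix (it answers "Invalid prefix for given prefix length"), so a range like 192.168.178.5/29 has to be normalised to 192.168.178.0/29 first; and a blackhole route is resolved by the ordinary routing lookup, so its cost does not grow with the number of entries the way a long linear chain of iptables rules does. It works by discarding everything routed *to* those addresses, which means the server's replies to a blocked client are what get dropped (with rp_filter enabled the inbound packets are rejected as well). The sample ranges are constructed RFC 5737 documentation addresses, and the `--apply` step assumes iproute2 and root:

```shell
#!/bin/bash
# Added example (not from the thread): normalise CIDR ranges and emit or apply
# blackhole routes for them.  Assumes iproute2 is installed and that the
# --apply step runs as root.  The helpers are plain shell arithmetic so the
# normalisation can be checked without touching the routing table.

ip2int() {                       # dotted quad -> 32-bit integer
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {                       # 32-bit integer -> dotted quad
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                           $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

cidr_mask() {                    # prefix length -> netmask as integer
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# The kernel refuses a route whose network part has host bits set, so
# 192.168.178.5/29 must become 192.168.178.0/29 before it goes to ip(8).
cidr_network() {
    local ip=${1%/*} plen=${1#*/} mask
    [ "$plen" = "$1" ] && plen=32        # bare address -> /32
    mask=$(cidr_mask "$plen")
    echo "$(int2ip $(( $(ip2int "$ip") & mask )))/$plen"
}

cidr_contains() {                # cidr_contains ADDR NET/PLEN -> exit 0 if inside
    local net=${2%/*} plen=${2#*/} mask
    mask=$(cidr_mask "$plen")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Constructed sample list (RFC 5737 documentation ranges, not real offenders).
RANGES='192.0.2.5/29
198.51.100.128/25
203.0.113.9'

blackhole_cmds() {               # print the normalised ip(8) commands
    printf '%s\n' "$RANGES" | while read -r r; do
        [ -n "$r" ] && echo "ip route add blackhole $(cidr_network "$r")"
    done
}

if [ "${1:-}" = "--apply" ]; then
    blackhole_cmds | sh -e          # needs CAP_NET_ADMIN (root)
    ip route show type blackhole    # verify: each range should be listed
else
    blackhole_cmds                  # dry run: show what would be added
fi
```

Run it without arguments to see the normalised commands, then with `--apply` as root to install them; `ip route show type blackhole` lists what is in effect, and `ip route del blackhole 192.0.2.0/29` removes a single entry again. Routes added this way do not survive a reboot, so keep the list in a file you can replay at boot.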

Re: Is there any easy lag-free way to block IP ranges?

Postby redblade7 » Thu Feb 22, 2018 9:16 am

Vapalus wrote:Since you are talking about iptables and supposedly have linux:
ip route add blackhole 192.168.178.5/29 is the way to go there...
192.168.178.5 is the IP, /29 is the bitmask to use for the range.
https://www.aelius.com/njh/subnet_sheet.html


Will that avoid the lag issues I just described when doing it via iptables?
redblade7
Member
 
Posts: 240
Joined: Sun Feb 15, 2015 7:14 am
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

Postby Vapalus » Thu Feb 22, 2018 10:20 am

I had a big server with, let's say, 5,000 - 10,000 players once, on pretty normal hardware, with all the stuff that comes with it; DoS, cheaters, hacking attempts, and the blackhole did a pretty fine job.
It's down to the OS level and doesn't even react to IPs from the given range.

https://vincent.bernat.im/en/blog/2017- ... okup-linux

It's talking about 50 ns here, but I guess that's processor related.
Vapalus
Member
 
Posts: 113
Joined: Wed Nov 15, 2017 5:16 pm

Re: Is there any easy lag-free way to block IP ranges?

Postby redblade7 » Wed Feb 28, 2018 12:36 am

"ip route add blackhole" on large ranges seems to introduce a bit of lag and slowness (probably about 2-10 at most) but not to the extent of being unplayable (the 20-40 I was getting with iptables). Thank you!
redblade7
Member
 
Posts: 240
Joined: Sun Feb 15, 2015 7:14 am
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

Postby sofar » Wed Feb 28, 2018 1:16 am

The most efficient way on Linux is to use `ipset` as it can be used to define network ranges, and then block them using `iptables` if they match the `ipset`.

There are many guides that cover the topic, here's one that I think does a good job: https://wiki.archlinux.org/index.php/Ipset
sofar
Developer
 
Posts: 2059
Joined: Fri Jan 16, 2015 7:31 am
GitHub: sofar
In-game: sofar

Re: Is there any easy lag-free way to block IP ranges?

Postby redblade7 » Wed Feb 28, 2018 1:40 am

sofar wrote:The most efficient way on Linux is to use `ipset` as it can be used to define network ranges, and then block them using `iptables` if they match the `ipset`.

There are many guides that cover the topic, here's one that I think does a good job: https://wiki.archlinux.org/index.php/Ipset


How is that different from adding the ranges to an iptables config file manually (which was making the game unplayable)?
redblade7
Member
 
Posts: 240
Joined: Sun Feb 15, 2015 7:14 am
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

Postby zing269 » Wed Feb 28, 2018 3:24 am

redblade7 wrote:How is that different from adding the ranges to an iptables config file manually (which was making the game unplayable)?


It seems that there can be a significant improvement in the performance of iptables when the ipset utility is used.
https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/
zing269
Member
 
Posts: 71
Joined: Sat Apr 30, 2016 7:10 pm

Re: Is there any easy lag-free way to block IP ranges?

Postby sofar » Wed Feb 28, 2018 4:22 am

zing269 wrote:
redblade7 wrote:How is that different from adding the ranges to an iptables config file manually (which was making the game unplayable)?


It seems that there can be a significant improvement in the performance of iptables when the ipset utility is used.
https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/


Iptables is a highly complex system. Each rule has significant execution time, although I doubt that on any decent hardware you'd even notice a few rules (do you run on a really low end machine?). However, ipset is a really specific addition that avoids most of the iptables performance issues and offers enough functionality to replace things like blocklists for IP ranges easily. You only then need *one* iptables rule, so the performance hit is a lot smaller than with everything in lots of iptables rules.
sofar
Developer
 
Posts: 2059
Joined: Fri Jan 16, 2015 7:31 am
GitHub: sofar
In-game: sofar
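An added example (my own script, not code from the thread, from the Arch wiki page sofar links, or from Minetest) of the ipset pattern sofar describes: every range goes into one `hash:net` set, which iptables matches with a single `-m set --match-set` rule, so the packet path pays for one hash lookup instead of walking one rule per range. The script builds `ipset restore` input from a text blocklist (skipping malformed lines instead of aborting), loads it into a temporary set and swaps it in atomically so the live set is never half-populated, and installs the DROP rule only if it is not already present. Set and chain names are my own choice, the sample entries are constructed RFC 5737 documentation ranges, and `--apply` assumes ipset, iptables and root:

```shell
#!/bin/bash
# Added example (not from the thread): keep a blocklist in one ipset of type
# hash:net and match it from a single iptables rule.  Assumes ipset and
# iptables are installed and that apply_blocklist runs as root; the set name
# mt_block is my own choice.

# Constructed sample (RFC 5737 documentation ranges, not real offenders).
# One entry per line; '#' starts a comment; a bare address means /32.
BLOCKLIST='# griefer ranges
192.0.2.0/24
198.51.100.0/25
203.0.113.77
not-an-address
'

valid_cidr() {                   # IPv4 address with optional /0-32 prefix
    printf '%s\n' "$1" |
      grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Turn the list on stdin into `ipset restore` input for the given set name.
# Bad lines are reported on stderr and skipped rather than aborting the load.
build_ipset_restore() {
    local name=$1 line
    printf 'create %s hash:net family inet hashsize 1024 maxelem 262144\n' "$name"
    grep -Ev '^[[:space:]]*(#|$)' | while read -r line; do
        if valid_cidr "$line"; then
            printf 'add %s %s\n' "$name" "$line"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done
}

count_entries() {                # number of add lines the sample produces
    printf '%s' "$BLOCKLIST" | build_ipset_restore mt_block | grep -c '^add '
}

# Load into a temporary set, swap it in atomically, then install the one
# DROP rule if it is missing.
apply_blocklist() {
    local name=${1:-mt_block} tmp
    tmp="${name}_new"
    ipset create "$name" hash:net family inet hashsize 1024 maxelem 262144 -exist
    ipset destroy "$tmp" 2>/dev/null || true
    printf '%s' "$BLOCKLIST" | build_ipset_restore "$tmp" | ipset restore
    ipset swap "$tmp" "$name" && ipset destroy "$tmp"
    # -C tests for the rule; -I 1 puts it at the top of INPUT so blocked
    # traffic is dropped before any other rule (or conntrack work) sees it.
    iptables -C INPUT -m set --match-set "$name" src -j DROP 2>/dev/null ||
      iptables -I INPUT 1 -m set --match-set "$name" src -j DROP
    ipset test "$name" 203.0.113.77   # quick check: should report "is in set"
}

if [ "${1:-}" = "--apply" ]; then
    apply_blocklist mt_block
else
    printf '%s' "$BLOCKLIST" | build_ipset_restore mt_block   # dry run
fi
```

Re-running the script with a changed BLOCKLIST replaces the set contents in one swap without touching the iptables rule. If you would rather block only the game port, add `-p udp --dport 30000` (or whatever port the server uses) to both the `-C` and `-I` lines; `ipset list mt_block` shows what is loaded, and `ipset save` plus a restore at boot keeps it persistent.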

Re: Is there any easy lag-free way to block IP ranges?

Postby Vapalus » Wed Feb 28, 2018 1:47 pm

The fact that he has a noticeable speed decrease on blackhole must mean he's running it on a RasPi, or something like that.
Vapalus
Member
 
Posts: 113
Joined: Wed Nov 15, 2017 5:16 pm

Re: Is there any easy lag-free way to block IP ranges?

Postby redblade7 » Thu Mar 08, 2018 4:48 pm

Vapalus wrote:The fact that he has a noticeable speed decrease on blackhole must mean he's running it on a RasPi, or something like that.


I'm running it on a VPS, provider is Linode. I have hundreds of thousands of IPs blackholed though.
redblade7
Member
 
Posts: 240
Joined: Sun Feb 15, 2015 7:14 am
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

Postby hajo » Thu Mar 08, 2018 6:02 pm

redblade7 wrote:I need a way to block IP ranges, .. iptables, .. causes 20-40+ lag

I don't think iptables is slow like that.

Someone did a performance-test, and found
>The breaking point for Xeon is at about 30,000 new requests per second
>netfilter/iptables does not scale well if one wants to use large number of rules in a single chain.

So maybe your firewall setup is just inefficient.

See this post on stackexchange :
>I have added about 3500 IP addresses to iptables
>>setup an ipset instead
hajo
Member
 
Posts: 596
Joined: Thu Oct 13, 2016 10:45 am

Re: Is there any easy lag-free way to block IP ranges?

Postby Vapalus » Thu Mar 22, 2018 2:47 pm

redblade7 wrote:I'm running it on a VPS, provider is Linode. I have hundreds of thousands of IPs blackholed though.


I've been running stuff on a VPS, too, and never had any issues with using either iptables or blackhole.
The speed at which the OS does the packet handling is so extremely fast (50 nanoseconds!) that I have to doubt whether your system is clean.

If light travels for 50 ns, it goes as far as 15 meters. A normal human should not be able to see, smell, hear or measure a difference of that timespan. What you are talking about, 5 ms, is like 100 times more than that.

How do you measure the lag difference?
Vapalus
Member
 
Posts: 113
Joined: Wed Nov 15, 2017 5:16 pm

Re: Is there any easy lag-free way to block IP ranges?

Postby redblade7 » Fri Mar 23, 2018 9:29 pm

Turns out that in addition to the blackholing I was just long overdue for a /clearobjects on that server (last time I did was over 6 months ago). It had gotten so bad that I was getting weird packet errors when trying to connect today. I hate doing a /clearobjects because everyone loses all their tamed animals and loose carts that way, but more mobs = more lag. After doing that, everything works fine with blackhole. Thank you!
redblade7
Member
 
Posts: 240
Joined: Sun Feb 15, 2015 7:14 am
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

Postby redblade7 » Fri May 04, 2018 9:05 pm

redblade7 wrote:Turns out that in addition to the blackholing I was just long overdue for a /clearobjects on that server (last time I did was over 6 months ago). It had gotten so bad that I was getting weird packet errors when trying to connect today. I hate doing a /clearobjects because everyone loses all their tamed animals and loose carts that way, but more mobs = more lag. After doing that, everything works fine with blackhole. Thank you!


That and I've been getting endless amounts of ABMs caused by the instability of the bees mod, which is on two of my servers. After updating the mod to a beta (though also abandoned) version I was having crashes on a daily basis, but I found several problems in the code and after adding missing variables and commenting out extra features that I didn't want to be bothered figuring out, it seems to work fine. Thank you!
redblade7
Member
 
Posts: 240
Joined: Sun Feb 15, 2015 7:14 am
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

Postby Hamlet » Fri May 04, 2018 9:32 pm

redblade7 wrote:Turns out that in addition to the blackholing I was just long overdue for a /clearobjects on that server (last time I did was over 6 months ago). It had gotten so bad that I was getting weird packet errors when trying to connect today. I hate doing a /clearobjects because everyone loses all their tamed animals and loose carts that way, but more mobs = more lag. After doing that, everything works fine with blackhole. Thank you!


Perhaps you've already done this, but I would suggest to reduce the Items' Entity Time To Live (item_entity_ttl); by default it is set to 900 (15mins)... I think that 300 (5mins) is more than enough for a player to recover what might have been dropped because of death or whatever the reason.
Hamlet
Member
 
Posts: 465
Joined: Sat Jul 29, 2017 9:09 pm
GitHub: MicroSoft is not OpenSource

Re: Is there any easy lag-free way to block IP ranges?

Postby redblade7 » Fri May 04, 2018 10:34 pm

Hamlet wrote:Perhaps you've already done this, but I would suggest to reduce the Items' Entity Time To Live (item_entity_ttl); by default it is set to 900 (15mins)... I think that 300 (5mins) is more than enough for a player to recover what might have been dropped because of death or whatever the reason.


Yes, always had 300
redblade7
Member
 
Posts: 240
Joined: Sun Feb 15, 2015 7:14 am
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

Postby redblade7 » Wed May 09, 2018 11:14 am

I just noticed that when I upgraded postgresql last, I had the config set up incorrectly, shared_buffers was set to 18MB instead of 18GB. I don't know what effect this typo would have had, but everything has been fine regardless.
redblade7
Member
 
Posts: 240
Joined: Sun Feb 15, 2015 7:14 am
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

Postby sorcerykid » Fri Mar 29, 2019 10:20 pm

I know I'm chiming in a bit late, but I just wanted to mention that it's possible to block IP address ranges using Auth Redux. Authentication rulesets can be edited and reloaded even while the server is running to block login attempts from malicious clients.

Code:
    # block all IPs from 192.168 with third and fourth octets full range
    when $addr is /192.168.?.?/a fail

    # block all IPs from 128.0.0 with fourth octet range 0 to 10 inclusive
    when $addr is /128.0.0.10</a fail


If you have a large number of individual IP addresses, then they can also be checked in a flat text file.
sorcerykid
Member
 
Posts: 1025
Joined: Fri Aug 26, 2016 3:36 pm
GitHub: sorcerykid
In-game: Nemo
