Зафильтровать UDP флуд на игровой сервер

Базовая функциональность RouterOS
notnullnet
Сообщения: 16
Зарегистрирован: 08 сен 2016, 12:36

Re: Зафильтровать UDP флуд на игровой сервер

Сообщение notnullnet »

Могу и так.


# oct/13/2016 15:05:22 by RouterOS 6.38rc12
#
# Filter section. RouterOS evaluates a chain top-down and the first terminal
# action (accept/drop/fasttrack/return) wins, so rule order below is part of
# the policy, not cosmetics.
# The many bare `!parameter` tokens are how this 6.38rc "export verbose" prints
# matchers that are NOT set (the thread calls the format out as an export
# quirk); they are not negated matches. Treat them as noise — but confirm on
# the target version before re-importing.
/ip firewall filter
# 1. Fasttrack established/related forward traffic. Anything handled here
#    bypasses the rest of the filter, so every rule below only sees new,
#    invalid or untracked packets (plus the first packets of each connection).
add action=fasttrack-connection chain=forward comment="default configuration" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate connection-state=\
    established,related !connection-type !content !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit !nth !out-bridge-port \
    !out-interface !p2p !packet-mark !packet-size !per-connection-classifier \
    !port !priority !protocol !psd !random !routing-mark !routing-table \
    !src-address !src-address-list !src-address-type !src-mac-address \
    !src-port !tcp-flags !tcp-mss !time !ttl
# 2. Drop invalid packets addressed to the router itself.
#    NOTE(review): this is the only input-chain rule in the export; the
#    router's own ingress policy appears to live in /ip firewall raw below —
#    confirm nothing else is expected in input.
add action=drop chain=input comment="drop invalid" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    connection-state=invalid !connection-type !content !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface \
    !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit !nth !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !p2p !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
# 3. Drop invalid packets in transit.
add action=drop chain=forward !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate connection-state=\
    invalid !connection-type !content !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !p2p !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
# 4. Every NEW forwarded connection is sent through block-ddos for rate
#    accounting. That chain only records offenders in address lists; it never
#    drops. When it runs off its end, processing resumes at rule 5.
add action=jump chain=forward comment="drop DDoS" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    connection-state=new !connection-type !content !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface \
    !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    jump-target=block-ddos !layer7-protocol !limit !nth !out-bridge-port \
    !out-bridge-port-list !out-interface !out-interface-list !p2p \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl
# 5. Drop new connections whose destination is in `ddosed` AND whose source is
#    in `ddoser`. Both lists must match, so a listed source is only blocked
#    towards destinations it has already overloaded; its new connections to
#    any other destination still go through rule 4 accounting as normal.
#    No final drop follows in forward: anything not matched here is forwarded.
add action=drop chain=forward !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate connection-state=\
    new !connection-type !content !dscp !dst-address dst-address-list=ddosed \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !p2p !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address src-address-list=ddoser \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
# block-ddos, step 1: return to forward while this (src,dst) address pair stays
# within the token bucket — dst-limit=50,50,src-and-dst-addresses/10s is
# 50 packets per time unit (1 s unless stated), burst 50, one bucket per
# src+dst pair, bucket expiring after 10 s idle. Only packets that exceed the
# bucket fall through to the two list-adding rules below.
# NOTE(review): because the key is the src+dst PAIR, a distributed flood where
# each source stays under 50 new connections/s is never listed; that is a
# property of the chosen key, not a bug, but worth knowing when tuning.
add action=return chain=block-ddos !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content !dscp !dst-address !dst-address-list \
    !dst-address-type dst-limit=50,50,src-and-dst-addresses/10s !dst-port \
    !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit !nth !out-bridge-port \
    !out-bridge-port-list !out-interface !out-interface-list !p2p \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl
# block-ddos, step 2: over the limit — record the destination in `ddosed` for
# 10 minutes. No matchers: every packet reaching this rule is listed.
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    10m chain=block-ddos !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content !dscp !dst-address !dst-address-list !dst-address-type \
    !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit !nth !out-bridge-port \
    !out-bridge-port-list !out-interface !out-interface-list !p2p \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl
# block-ddos, step 3: ... and the source in `ddoser` for 10 minutes, then the
# chain ends and forward rule 5 drops the packet (both lists now match).
# NOTE(review): whether a repeat offender's 10m timeout is refreshed on each
# re-add is not visible from this export — verify on the device if the
# expected behaviour is "blocked for 10 min after the LAST excess packet".
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    10m chain=block-ddos !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content !dscp !dst-address !dst-address-list !dst-address-type \
    !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit !nth !out-bridge-port \
    !out-bridge-port-list !out-interface !out-interface-list !p2p \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl
# NAT section: static 1:1 mapping of two LAN hosts to two public addresses on
# ether1-gateway, one src-nat/dst-nat pair per host.
# The dst-nat rules carry no protocol or dst-port restriction, so EVERY inbound
# packet to a public address is translated to the LAN host; what actually
# reaches the host is decided by /ip firewall raw (per-packet allow-list) and
# the forward chain, which in this export has no final drop. Confirm that the
# intent is "expose all ports of 88.2 and 88.3 behind the raw allow-list".
/ip firewall nat
# 192.168.88.2 <-> 194.54.80.165
add action=src-nat chain=srcnat comment="First local 88.2" !connection-bytes \
    !connection-limit !connection-mark !connection-rate !connection-type \
    !content !dscp !dst-address !dst-address-list !dst-address-type \
    !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit !nth !out-bridge-port \
    !out-bridge-port-list out-interface=ether1-gateway !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table src-address=\
    192.168.88.2 !src-address-list !src-address-type !src-mac-address \
    !src-port !tcp-mss !time to-addresses=194.54.80.165 !to-ports !ttl
# Inbound on ether1-gateway only (in-interface is set here, unlike the raw
# rules), all protocols and ports.
add action=dst-nat chain=dstnat !connection-bytes !connection-limit \
    !connection-mark !connection-rate !connection-type !content !dscp \
    dst-address=194.54.80.165 !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list in-interface=ether1-gateway !in-interface-list \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier \
    !port !priority !protocol !psd !random !routing-mark !routing-table \
    !src-address !src-address-list !src-address-type !src-mac-address \
    !src-port !tcp-mss !time to-addresses=192.168.88.2 !to-ports !ttl
# 192.168.88.3 <-> 194.54.80.166 (same pattern as above)
add action=src-nat chain=srcnat comment="Second local 88.3" !connection-bytes \
    !connection-limit !connection-mark !connection-rate !connection-type \
    !content !dscp !dst-address !dst-address-list !dst-address-type \
    !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit !nth !out-bridge-port \
    !out-bridge-port-list out-interface=ether1-gateway !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table src-address=\
    192.168.88.3 !src-address-list !src-address-type !src-mac-address \
    !src-port !tcp-mss !time to-addresses=194.54.80.166 !to-ports !ttl
add action=dst-nat chain=dstnat !connection-bytes !connection-limit \
    !connection-mark !connection-rate !connection-type !content !dscp \
    dst-address=194.54.80.166 !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list in-interface=ether1-gateway !in-interface-list \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier \
    !port !priority !protocol !psd !random !routing-mark !routing-table \
    !src-address !src-address-list !src-address-type !src-mac-address \
    !src-port !tcp-mss !time to-addresses=192.168.88.3 !to-ports !ttl
# Raw section. Raw prerouting runs before connection tracking, which is why no
# rule here uses connection-state: every decision is per packet, on addresses,
# protocol and ports only. The final "drop anything" rule makes this a
# default-deny allow-list for ALL packets entering the router — return traffic
# for connections the LAN opens to non-listed hosts is dropped too, so the
# allow-list must cover every peer the protected hosts need (this is the
# trade-off the poster accepted to keep the CPU out of conntrack).
# None of the accept rules set in-interface, so they apply to packets arriving
# on every interface, LAN included.
/ip firewall raw
# Accept TCP/1723 ...
add action=accept chain=prerouting !content !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit dst-port=1723 !fragment \
    !hotspot !icmp-options !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !limit !nth !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority protocol=tcp !psd !random !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
# ... and GRE: together the PPTP control/data pair (presumably a VPN for
# remote management — confirm). If so, note that PPTP's authentication and
# encryption are considered weak; restricting these two rules to the
# expected peer src-address would reduce exposure until it is replaced.
add action=accept chain=prerouting !content !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !limit !nth !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority protocol=gre !psd !random !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
# Accept UDP 232 and 323 from anyone — presumably the game server ports
# (the thread topic), i.e. the flood surface the filter section is meant to
# absorb. Confirm these are the only ports the game needs.
add action=accept chain=prerouting !content !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit dst-port=232,323 !fragment \
    !hotspot !icmp-options !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !limit !nth !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority protocol=udp !psd !random !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
# Accept everything from two private ranges by source address alone.
# NOTE(review): with no in-interface on these rules, a packet arriving on
# ether1-gateway with a spoofed 192.168.x.x source also matches and bypasses
# the SYN limiter and the final drop. Pinning each rule to the LAN interface
# (in-interface=<LAN interface placeholder>) closes that gap.
add action=accept chain=prerouting !content !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !limit !nth !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority !protocol !psd !random src-address=192.168.0.0/24 \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl
add action=accept chain=prerouting !content !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !limit !nth !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority !protocol !psd !random src-address=192.168.88.0/24 \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl
# Accept everything from two external hosts (8.8.8.8, presumably for DNS
# replies, and 212.86.107.40 — purpose not visible here), any protocol/port.
add action=accept chain=prerouting !content !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !limit !nth !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority !protocol !psd !random src-address=8.8.8.8 !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
add action=accept chain=prerouting !content !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !limit !nth !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority !protocol !psd !random src-address=212.86.107.40 \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl
# SYN-flood handling: remaining TCP is sent to RawSynDrop.
# NOTE(review): tcp-flags="" is exported as set-but-empty (other rules print
# an unset matcher as !tcp-flags), so no SYN requirement is visible — as
# written this appears to limit ALL TCP not accepted above, not only SYN.
# An explicit tcp-flags=syn,!ack on this rule and the two RawSynDrop rules
# would make the stated intent unambiguous; verify on the device.
add action=jump chain=prerouting comment="drop syn flood" !content !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !fragment !hotspot !icmp-options !in-interface !in-interface-list \
    !ingress-priority !ipsec-policy !ipv4-options jump-target=RawSynDrop \
    !limit !nth !out-interface !out-interface-list !packet-size \
    !per-connection-classifier !port !priority protocol=tcp !psd !random \
    !src-address !src-address-list !src-address-type !src-mac-address \
    !src-port tcp-flags="" !tcp-mss !time !ttl
# RawSynDrop: accept up to 1000 packets per 5 s (burst 200), drop the rest.
# `limit` is a single global bucket — it is not keyed per source like the
# dst-limit in the filter section — so one remote flooder consumes the whole
# budget and legitimate new TCP from everyone else is dropped with it.
# That matches the poster's goal (protect the CPU), but it is availability
# traded for survivability, not a per-attacker block.
add action=accept chain=RawSynDrop !content !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options limit=1k/5s,200:packet !nth !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority protocol=tcp !psd !random !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port tcp-flags="" !tcp-mss !time \
    !ttl
add action=drop chain=RawSynDrop !content !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !limit !nth !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority protocol=tcp !psd !random !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port tcp-flags="" !tcp-mss !time \
    !ttl
# Default deny: everything not accepted above is dropped before conntrack.
add action=drop chain=prerouting comment="drop anything" !content !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !fragment !hotspot !icmp-options !in-interface !in-interface-list \
    !ingress-priority !ipsec-policy !ipv4-options !limit !nth !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority !protocol !psd !random !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
# Disable every NAT/conntrack helper (ALG). Helpers parse payloads to open
# related pinholes on their own; with all of them off, only the explicit rules
# above decide what is translated and forwarded, which both shrinks the
# attack surface and removes the payload-parsing CPU cost. The flip side is
# that protocols relying on a helper (e.g. active-mode FTP, SIP) will not
# traverse the NAT unless rules are added for them explicitly.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
# pptp helper off too; PPTP still passes via the explicit TCP/1723 + GRE
# accepts in the raw section (if that VPN is actually in use).
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
но мне кажется читать еще тяжелее :)
Chupaka
Сообщения: 4086
Зарегистрирован: 29 фев 2016, 15:26
Откуда: Минск

Re: Зафильтровать UDP флуд на игровой сервер

Сообщение Chupaka »

Ох, жесть какая! Это в какой версии? Проверил 6.33, 6.35, 6.36 и 6.37 - экспорт нормальный, только в 6.38rc нашёл такую ересь...
notnullnet
Сообщения: 16
Зарегистрирован: 08 сен 2016, 12:36

Re: Зафильтровать UDP флуд на игровой сервер

Сообщение notnullnet »

Откачусь, наверное, на предыдущую версию.
В общем, моя текущая проблема: роутер держит 200к SYN и другого TCP-флуда в секунду, дальше идёт пропуск и задержка пакетов из-за 100% CPU роутера :?
Все рабочие правила перенесены в RAW. В стандартном фильтре только fasttrack и Ваш эффективный анти-дудос со списками для малого к-ва хостов.