Is there any easy lag-free way to block IP ranges?

redblade7
Member
Posts: 316
Joined: Sun Feb 15, 2015 07:14
IRC: redneonglow redblade7
In-game: redblade7 redblade7_owner

Is there any easy lag-free way to block IP ranges?

by redblade7 » Post

Hi,

I need a way to block IP ranges, to block griefers who have several IDs consisting of different IPs in the same two ranges, as well as people who have made threats to hack my server.

The only way I know of that would do this would be iptables, but inspecting every single packet against hundreds or thousands of IPs in the block causes 20-40+ lag on my servers, making the game near unplayable for most.

I'd imagine I could spend hours placing 255 sets of IPs into ipban.txt or xban2 one at a time. But there has to be a better way, perhaps a Linux program separate from iptables that won't cause so much lag. Is there?
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)

rubenwardy
Moderator
Posts: 6969
Joined: Tue Jun 12, 2012 18:11
GitHub: rubenwardy
IRC: rubenwardy
In-game: rubenwardy
Location: Bristol, United Kingdom
Contact:

Re: Is there any easy lag-free way to block IP ranges?

by rubenwardy » Post

you could create a mod to check the IP against the range on_joinplayer

redblade7

Re: Is there any easy lag-free way to block IP ranges?

by redblade7 » Post

rubenwardy wrote:you could create a mod to check the IP against the range on_joinplayer
I don't know how to create mods, and I don't know what on_joinplayer is. Does anything exist, even something that has nothing to do with Minetest? (Preferably something that has nothing to do with Minetest.)

Vapalus
Member
Posts: 112
Joined: Wed Nov 15, 2017 17:16

Re: Is there any easy lag-free way to block IP ranges?

by Vapalus » Post

Since you are talking about iptables and supposedly have linux:
ip route add blackhole 192.168.178.5/29 is the way to go there...
192.168.178.5 is the IP, /29 is the bitmask to use for the range.
https://www.aelius.com/njh/subnet_sheet.html
A man much wiser than me once said: "go away, you are bothering me"

redblade7

Re: Is there any easy lag-free way to block IP ranges?

by redblade7 » Post

Vapalus wrote:Since you are talking about iptables and supposedly have linux:
ip route add blackhole 192.168.178.5/29 is the way to go there...
192.168.178.5 is the IP, /29 is the bitmask to use for the range.
https://www.aelius.com/njh/subnet_sheet.html
Will that avoid the lag issues I just described when doing it via iptables?

Vapalus

Re: Is there any easy lag-free way to block IP ranges?

by Vapalus » Post

I had a big server with, let's say, 5.000 - 10.000 players once, on pretty normal hardware, with all the stuff that comes with it; DoS, cheaters, hacking attempts, and the blackhole did a pretty fine job.
It's down to the OS level and doesn't even react to IPs from the given range.

https://vincent.bernat.im/en/blog/2017- ... okup-linux

It's talking about 50 ns here, but I guess that's processor related.

redblade7

Re: Is there any easy lag-free way to block IP ranges?

by redblade7 » Post

"ip route add blackhole" on large ranges seems to introduce a bit of lag and slowness (probably about 2-10 at most) but not to the extent of being unplayable (the 20-40 I was getting with iptables). Thank you!

sofar
Developer
Posts: 2146
Joined: Fri Jan 16, 2015 07:31
GitHub: sofar
IRC: sofar
In-game: sofar

Re: Is there any easy lag-free way to block IP ranges?

by sofar » Post

The most efficient way on Linux is to use `ipset` as it can be used to define network ranges, and then block them using `iptables` if they match the `ipset`.

There are many guides that cover the topic, here's one that I think does a good job: https://wiki.archlinux.org/index.php/Ipset

redblade7

Re: Is there any easy lag-free way to block IP ranges?

by redblade7 » Post

sofar wrote:The most efficient way on Linux is to use `ipset` as it can be used to define network ranges, and then block them using `iptables` if they match the `ipset`.

There are many guides that cover the topic, here's one that I think does a good job: https://wiki.archlinux.org/index.php/Ipset
How is that different from adding the ranges to an iptables config file manually (which was making the game unplayable)?

zing269
Member
Posts: 109
Joined: Sat Apr 30, 2016 19:10

Re: Is there any easy lag-free way to block IP ranges?

by zing269 » Post

redblade7 wrote:How is that different from adding the ranges to an iptables config file manually (which was making the game unplayable)?
It seems that there can be a significant improvement in the performance of iptables when the ipset utility is used.
https://developers.redhat.com/blog/2017 ... -nftables/

sofar

Re: Is there any easy lag-free way to block IP ranges?

by sofar » Post

zing269 wrote:
redblade7 wrote:How is that different from adding the ranges to an iptables config file manually (which was making the game unplayable)?
It seems that there can be a significant improvement in the performance of iptables when the ipset utility is used.
https://developers.redhat.com/blog/2017 ... -nftables/
Iptables is a highly complex system. Each rule has significant execution time, although I doubt that on any decent hardware you'd even notice a few rules (do you run on a really low end machine?). However, ipset is a really specific addition that avoids most of the iptables performance issues and offers enough functionality to replace things like blocklists for IP ranges easily. You only then need *one* iptables rule, so the performance hit is a lot smaller than with everything in lots of iptables rules.
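An added example, not code from this thread or from any of the tools it mentions, tying together Vapalus's blackhole-route suggestion and sofar's "one ipset, one iptables rule" approach: it collapses a mixed list of single IPs and ranges into the smallest set of CIDR networks, then emits either an `ipset restore` file plus the single iptables rule, or one blackhole route per collapsed network. The set name "griefers" and the sample addresses (RFC 5737 test networks) are assumptions made up for the example.

```python
# Added example, not code from the thread: collapse a grief list into CIDR
# ranges, then emit either one ipset + one iptables rule (sofar's approach)
# or blackhole routes (Vapalus's approach). Set name "griefers" is hypothetical.
import ipaddress
from typing import Iterable, List

SET_NAME = "griefers"

# Constructed sample (RFC 5737 test networks): single IPs mixed with ranges,
# including two adjacent /29s that merge into one /28.
SAMPLE_BLOCKLIST = [
    "198.51.100.0/24", "198.51.100.77",
    "203.0.113.0/29", "203.0.113.8/29", "203.0.113.9",
]


def collapse(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse IPs/CIDRs and merge overlapping or adjacent ones into the
    smallest equivalent list of networks (strict=False accepts entries
    like 192.168.178.5/29 by masking off the host bits)."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(ip: str, entries: Iterable[str]) -> bool:
    """Single membership test against the collapsed list; a hash:net ipset
    answers the same question in one rule instead of one rule per IP."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in collapse(entries))


def ipset_script(entries: Iterable[str], set_name: str = SET_NAME) -> str:
    """Input for `ipset -exist restore -f FILE`, followed (as a comment) by
    the one iptables rule that consults the set. Add `-p udp --dport 30000`
    to that rule to scope it to the Minetest port only."""
    lines = [f"create {set_name} hash:net family inet"]
    lines += [f"add {set_name} {net}" for net in collapse(entries)]
    lines.append(f"# iptables -I INPUT -m set --match-set {set_name} src -j DROP")
    return "\n".join(lines) + "\n"


def blackhole_script(entries: Iterable[str]) -> str:
    """One blackhole route per collapsed network. Collapsing first is what
    keeps the routing table small when the raw list holds hundreds of
    thousands of individual addresses."""
    return "".join(f"ip route add blackhole {net}\n" for net in collapse(entries))


if __name__ == "__main__":
    print(ipset_script(SAMPLE_BLOCKLIST))
    print(blackhole_script(SAMPLE_BLOCKLIST))
```

Neither output is persistent across reboots on its own; the ipset file and the iptables rule (or the routes) have to be reloaded by whatever firewall/network service the host uses.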

Vapalus

Re: Is there any easy lag-free way to block IP ranges?

by Vapalus » Post

The fact that he has a feelable speed decrease on blackhole must mean he's running it on a RasPi, or something like that.

redblade7

Re: Is there any easy lag-free way to block IP ranges?

by redblade7 » Post

Vapalus wrote:The fact that he has a feelable speed decrease on blackhole must mean he's running it on a RasPi, or something like that.
I'm running it on a VPS, provider is Linode. I have hundreds of thousands of IPs blackholed though.

hajo
Member
Posts: 606
Joined: Thu Oct 13, 2016 10:45
Location: DE
Contact:

Re: Is there any easy lag-free way to block IP ranges?

by hajo » Post

redblade7 wrote:I need a way to block IP ranges, .. iptables, .. causes 20-40+ lag
I don't think iptables is slow like that.

Someone did a performance-test, and found
>The breaking point for Xeon is at about 30,000 new requests per second
>netfilter/iptables does not scale well if one wants to use large number of rules in a single chain.

So maybe your firewall setup is just inefficient.

See this post on stackexchange :
>I have added about 3500 IP addresses to iptables
>>setup an ipset instead

Vapalus

Re: Is there any easy lag-free way to block IP ranges?

by Vapalus » Post

redblade7 wrote:I'm running it on a VPS, provider is Linode. I have hundreds of thousands of IPs blackholed though.
I've been running stuff on a VPS, too, and never had any issues with using either iptables or blackhole.
The speed at which the OS does the packet handling is so extremely fast (50 nanoseconds!) that I have to doubt whether your system is clean.

If light travels for 50 ns, it goes as far as 15 meters. A normal human should not be able to see, smell, hear or measure a difference of that timespan. What you are talking about, 5 ms, is like 100 times more than that.

How do you measure the lag difference?

redblade7

Re: Is there any easy lag-free way to block IP ranges?

by redblade7 » Post

Turns out that in addition to the blackholing I was just long overdue for a /clearobjects on that server (last time I did was over 6 months ago). It had gotten so bad that I was getting weird packet errors when trying to connect today. I hate doing a /clearobjects because everyone loses all their tamed animals and loose carts that way, but more mobs = more lag. After doing that, everything works fine with blackhole. Thank you!

redblade7

Re: Is there any easy lag-free way to block IP ranges?

by redblade7 » Post

redblade7 wrote:Turns out that in addition to the blackholing I was just long overdue for a /clearobjects on that server (last time I did was over 6 months ago). It had gotten so bad that I was getting weird packet errors when trying to connect today. I hate doing a /clearobjects because everyone loses all their tamed animals and loose carts that way, but more mobs = more lag. After doing that, everything works fine with blackhole. Thank you!
That and I've been getting an endless amount of ABMs caused by the instability of the bees mod, which is on two of my servers. After updating the mod to a beta (though also abandoned) version I was having crashes on a daily basis, but I found several problems in the code and after adding missing variables and commenting out extra features that I didn't want to be bothered figuring out, it seems to work fine. Thank you!

Hamlet
Member
Posts: 766
Joined: Sat Jul 29, 2017 21:09
IRC: H4mlet
In-game: Hamlet
Location: Lombardy, Italy

Re: Is there any easy lag-free way to block IP ranges?

by Hamlet » Post

redblade7 wrote:Turns out that in addition to the blackholing I was just long overdue for a /clearobjects on that server (last time I did was over 6 months ago). It had gotten so bad that I was getting weird packet errors when trying to connect today. I hate doing a /clearobjects because everyone loses all their tamed animals and loose carts that way, but more mobs = more lag. After doing that, everything works fine with blackhole. Thank you!
Perhaps you've already done this, but I would suggest reducing the items' entity time to live (item_entity_ttl); by default it is set to 900 (15 mins)... I think that 300 (5 mins) is more than enough for a player to recover what might have been dropped because of death or whatever the reason.

redblade7

Re: Is there any easy lag-free way to block IP ranges?

by redblade7 » Post

Hamlet wrote:Perhaps you've already done this, but I would suggest to reduce the Items' Entity Time To Live (item_entity_ttl); by default it is set to 900 (15mins)... I think that 300 (5mins) is more than enough for a player to recover what might have been dropped because of death or whatever the reason.
Yes, always had 300

redblade7

Re: Is there any easy lag-free way to block IP ranges?

by redblade7 » Post

I just noticed that when I upgraded postgresql last, I had the config set up incorrectly, shared_buffers was set to 18MB instead of 18GB. I don't know what effect this typo would have had, but everything has been fine regardless.

sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: Is there any easy lag-free way to block IP ranges?

by sorcerykid » Post

This is a repost from March 29, 2019, due to the forum rollback.

I know I'm chiming in a bit late, but I just wanted to mention that it's possible to block IP address ranges using Auth Redux. Authentication rulesets can be edited and reloaded even while the server is running to block login attempts from malicious clients.

# block all IPs from 192.168 with third and fourth octets full range
when $addr is /192.168.?.?/a fail

# block all IPs from 128.0.0 with fourth octet range 0 to 10 inclusive
when $addr is /128.0.0.10</a fail

If you have a large number of individual IP addresses, then they can also be checked in a flat text file.
