Is there any easy lag-free way to block IP ranges?

redblade7
Member
 
Posts: 212
Joined: Sun Feb 15, 2015 07:14
IRC: redneonglow redblade7
In-game: redblade7 redblade7_owner

Is there any easy lag-free way to block IP ranges?

by redblade7 » Wed Feb 21, 2018 15:21

Hi,

I need a way to block IP ranges, to block griefers who have several IDs consisting of different IPs in the same two ranges, as well as people who have made threats to hack my server.

The only way I know of that would do this would be iptables, but inspecting every single packet against hundreds or thousands of IPs in the block causes 20-40+ lag on my servers, making the game near unplayable for most.

I'd imagine I could spend hours placing 255 sets of IPs into ipban.txt or xban2 one at a time. But there has to be a better way, perhaps a Linux program separate from iptables that won't cause so much lag. Is there?
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
 

rubenwardy
Moderator
 
Posts: 5500
Joined: Tue Jun 12, 2012 18:11
Location: United Kingdom
GitHub: rubenwardy
IRC: rubenwardy
In-game: rubenwardy
 

redblade7
Member
 
Posts: 212
Joined: Sun Feb 15, 2015 07:14
IRC: redneonglow redblade7
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

by redblade7 » Wed Feb 21, 2018 17:26

rubenwardy wrote:you could create a mod to check the IP against the range on_joinplayer


I don't know how to create mods, and I don't know what on_joinplayer is. Does anything exist, even something that has nothing to do with Minetest? (Preferably something that has nothing to do with Minetest.)
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
 

Vapalus
Member
 
Posts: 112
Joined: Wed Nov 15, 2017 17:16

Re: Is there any easy lag-free way to block IP ranges?

by Vapalus » Thu Feb 22, 2018 08:44

Since you are talking about iptables and supposedly have Linux:
`ip route add blackhole 192.168.178.5/29` is the way to go there...
192.168.178.5 is the IP, /29 is the bitmask to use for the range.
https://www.aelius.com/njh/subnet_sheet.html
A man much wiser than me once said: "go away, you are bothering me"
 

redblade7
Member
 
Posts: 212
Joined: Sun Feb 15, 2015 07:14
IRC: redneonglow redblade7
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

by redblade7 » Thu Feb 22, 2018 09:16

Vapalus wrote:Since you are talking about iptables and supposedly have Linux:
`ip route add blackhole 192.168.178.5/29` is the way to go there...
192.168.178.5 is the IP, /29 is the bitmask to use for the range.
https://www.aelius.com/njh/subnet_sheet.html


Will that avoid the lag issues I just described when doing it via iptables?
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
 

Vapalus
Member
 
Posts: 112
Joined: Wed Nov 15, 2017 17:16

Re: Is there any easy lag-free way to block IP ranges?

by Vapalus » Thu Feb 22, 2018 10:20

I had a big server with, let's say, 5.000 - 10.000 players once, on a pretty normal hardware, with all the stuff that comes with it; DoS, cheaters, hacking attempts, and the blackhole did a pretty fine job.
It's down to the OS level and doesn't even react to IPs from the given range.

https://vincent.bernat.im/en/blog/2017- ... okup-linux

It's talking about 50 ns here, but I guess that's processor related.
A man much wiser than me once said: "go away, you are bothering me"
 

redblade7
Member
 
Posts: 212
Joined: Sun Feb 15, 2015 07:14
IRC: redneonglow redblade7
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

by redblade7 » Wed Feb 28, 2018 00:36

"ip route add blackhole" on large ranges seems to introduce a bit of lag and slowness (probably about 2-10 at most) but not to the extent of being unplayable (the 20-40 I was getting with iptables). Thank you!
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
 

sofar
Developer
 
Posts: 1747
Joined: Fri Jan 16, 2015 07:31
GitHub: sofar
IRC: sofar
In-game: sofar

Re: Is there any easy lag-free way to block IP ranges?

by sofar » Wed Feb 28, 2018 01:16

The most efficient way on Linux is to use `ipset` as it can be used to define network ranges, and then block them using `iptables` if they match the `ipset`.

There are many guides that cover the topic, here's one that I think does a good job: https://wiki.archlinux.org/index.php/Ipset
 

redblade7
Member
 
Posts: 212
Joined: Sun Feb 15, 2015 07:14
IRC: redneonglow redblade7
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

by redblade7 » Wed Feb 28, 2018 01:40

sofar wrote:The most efficient way on Linux is to use `ipset` as it can be used to define network ranges, and then block them using `iptables` if they match the `ipset`.

There are many guides that cover the topic, here's one that I think does a good job: https://wiki.archlinux.org/index.php/Ipset


How is that different from adding the ranges to an iptables config file manually (which was making the game unplayable)?
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
 

zing269
Member
 
Posts: 69
Joined: Sat Apr 30, 2016 19:10

Re: Is there any easy lag-free way to block IP ranges?

by zing269 » Wed Feb 28, 2018 03:24

redblade7 wrote:How is that different from adding the ranges to an iptables config file manually (which was making the game unplayable)?


It seems that there can be a significant improvement in the performance of iptables when the ipset utility is used.
https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/
 

sofar
Developer
 
Posts: 1747
Joined: Fri Jan 16, 2015 07:31
GitHub: sofar
IRC: sofar
In-game: sofar

Re: Is there any easy lag-free way to block IP ranges?

by sofar » Wed Feb 28, 2018 04:22

zing269 wrote:
redblade7 wrote:How is that different from adding the ranges to an iptables config file manually (which was making the game unplayable)?


It seems that there can be a significant improvement in the performance of iptables when the ipset utility is used.
https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/


Iptables is a highly complex system. Each rule has significant execution time, although I doubt that on any decent hardware you'd even notice a few rules (do you run on a really low end machine?). However, ipset is a really specific addition that avoids most of the iptables performance issues and offers enough functionality to replace things like blocklists for IP ranges easily. You only then need *one* iptables rule, so the performance hit is a lot smaller than with everything in lots of iptables rules.
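
An added example, not part of the original post or of any guide linked in this thread: a small generator that turns a ban list into input for `ipset restore`, merging adjacent entries first so the set stays small. The set name `blocklist`, the file name in the comments and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

SET_NAME = "blocklist"  # assumed set name, not from the thread

# Constructed sample ban list: CIDRs, single IPs, an entry with host
# bits set, a comment line and one malformed line.
SAMPLE = """\
# griefer range
192.0.2.0/25
192.0.2.128/25
192.0.2.77
198.51.100.5/29
203.0.113.9
not-an-ip
"""

def parse_entries(text):
    """Return (ipv4_networks, rejected) from one entry per line."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False masks host bits: 198.51.100.5/29 -> 198.51.100.0/29
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        # The set below is "family inet", so anything but IPv4 is rejected.
        (nets if net.version == 4 else rejected).append(net if net.version == 4 else line)
    return nets, rejected

def build_restore(text, set_name=SET_NAME):
    """Merge overlapping/adjacent entries and render `ipset restore` input."""
    nets, rejected = parse_entries(text)
    merged = list(ipaddress.collapse_addresses(nets))
    size = max(65536, len(merged))  # 65536 is ipset's default maxelem
    lines = [f"create {set_name} hash:net family inet maxelem {size}"]
    lines += [f"add {set_name} {n}" for n in merged]
    return "\n".join(lines) + "\n", rejected

if __name__ == "__main__":
    restore, bad = build_restore(SAMPLE)
    print(restore, end="")
    # Load with:  ipset restore < blocklist.restore
    # Then a single rule covers every entry in the set:
    #   iptables -I INPUT -m set --match-set blocklist src -j DROP
    for entry in bad:
        print(f"# skipped: {entry}")
```

On the sample input the two /25 entries and the single address inside them collapse into one /24, so five valid lines become three set members behind one iptables rule.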
 

Vapalus
Member
 
Posts: 112
Joined: Wed Nov 15, 2017 17:16

Re: Is there any easy lag-free way to block IP ranges?

by Vapalus » Wed Feb 28, 2018 13:47

The fact that he has a feelable speed decrease on blackhole must mean he's running it on a RasPi, or something like that.
A man much wiser than me once said: "go away, you are bothering me"
 

redblade7
Member
 
Posts: 212
Joined: Sun Feb 15, 2015 07:14
IRC: redneonglow redblade7
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

by redblade7 » Thu Mar 08, 2018 16:48

Vapalus wrote:The fact that he has a feelable speed decrease on blackhole must mean he's running it on a RasPi, or something like that.


I'm running it on a VPS, provider is Linode. I have hundreds of thousands of IPs blackholed though.
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
 

hajo
Member
 
Posts: 595
Joined: Thu Oct 13, 2016 10:45
Location: DE

Re: Is there any easy lag-free way to block IP ranges?

by hajo » Thu Mar 08, 2018 18:02

redblade7 wrote:I need a way to block IP ranges, .. iptables, .. causes 20-40+ lag

I don't think iptables is slow like that.

Someone did a performance-test, and found
>The breaking point for Xeon is at about 30,000 new requests per second
>netfilter/iptables does not scale well if one wants to use large number of rules in a single chain.

So maybe your firewall-setup is just inefficient.

See this post on stackexchange:
>I have added about 3500 IP addresses to iptables
>>setup an ipset instead
 

Vapalus
Member
 
Posts: 112
Joined: Wed Nov 15, 2017 17:16

Re: Is there any easy lag-free way to block IP ranges?

by Vapalus » Thu Mar 22, 2018 14:47

redblade7 wrote:I'm running it on a VPS, provider is Linode. I have hundreds of thousands of IPs blackholed though.


I've been running stuff on a VPS, too, and never had any issues with using either iptables or blackhole.
The speed in which the OS does the packet handling is so extremely fast (50 nanoseconds!) that I have to doubt if your system is clean.

If the light flies for 50 ns, it goes as far as 15 meters. A normal human should not be able to see, smell, hear or measure a difference of that timespan. What you are talking about, 5 ms, is like 100 times more than that.

How do you measure the lag difference?
A man much wiser than me once said: "go away, you are bothering me"
 

redblade7
Member
 
Posts: 212
Joined: Sun Feb 15, 2015 07:14
IRC: redneonglow redblade7
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

by redblade7 » Fri Mar 23, 2018 21:29

Turns out that in addition to the blackholing I was just long overdue for a /clearobjects on that server (last time I did was over 6 months ago). It had gotten so bad that I was getting weird packet errors when trying to connect today. I hate doing a /clearobjects because everyone loses all their tamed animals and loose carts that way, but more mobs = more lag. After doing that, everything works fine with blackhole. Thank you!
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
 

redblade7
Member
 
Posts: 212
Joined: Sun Feb 15, 2015 07:14
IRC: redneonglow redblade7
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

by redblade7 » Fri May 04, 2018 21:05

redblade7 wrote:Turns out that in addition to the blackholing I was just long overdue for a /clearobjects on that server (last time I did was over 6 months ago). It had gotten so bad that I was getting weird packet errors when trying to connect today. I hate doing a /clearobjects because everyone loses all their tamed animals and loose carts that way, but more mobs = more lag. After doing that, everything works fine with blackhole. Thank you!


That and I've been getting an endless amount of ABMs caused by the instability of the bees mod, which is on two of my servers. After updating the mod to a beta (though also abandoned) version I was having crashes on a daily basis, but I found several problems in the code and after adding missing variables and commenting out extra features that I didn't want to be bothered figuring out, it seems to work fine. Thank you!
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
 

Hamlet
Member
 
Posts: 461
Joined: Sat Jul 29, 2017 21:09
Location: Italia
IRC: H4mlet

Re: Is there any easy lag-free way to block IP ranges?

by Hamlet » Fri May 04, 2018 21:32

redblade7 wrote:Turns out that in addition to the blackholing I was just long overdue for a /clearobjects on that server (last time I did was over 6 months ago). It had gotten so bad that I was getting weird packet errors when trying to connect today. I hate doing a /clearobjects because everyone loses all their tamed animals and loose carts that way, but more mobs = more lag. After doing that, everything works fine with blackhole. Thank you!


Perhaps you've already done this, but I would suggest to reduce the Items' Entity Time To Live (item_entity_ttl); by default it is set to 900 (15mins)... I think that 300 (5mins) is more than enough for a player to recover what might have been dropped because of death or whatever the reason.
 

redblade7
Member
 
Posts: 212
Joined: Sun Feb 15, 2015 07:14
IRC: redneonglow redblade7
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

by redblade7 » Fri May 04, 2018 22:34

Hamlet wrote:Perhaps you've already done this, but I would suggest to reduce the Items' Entity Time To Live (item_entity_ttl); by default it is set to 900 (15mins)... I think that 300 (5mins) is more than enough for a player to recover what might have been dropped because of death or whatever the reason.


Yes, always had 300
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
 

redblade7
Member
 
Posts: 212
Joined: Sun Feb 15, 2015 07:14
IRC: redneonglow redblade7
In-game: redblade7 redblade7_owner

Re: Is there any easy lag-free way to block IP ranges?

by redblade7 » Wed May 09, 2018 11:14

I just noticed that when I upgraded postgresql last, I had the config set up incorrectly, shared_buffers was set to 18MB instead of 18GB. I don't know what effect this typo would have had, but everything has been fine regardless.
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
 

