Is there any easy lag-free way to block IP ranges?
- redblade7
- Member
- Posts: 316
- Joined: Sun Feb 15, 2015 07:14
- IRC: redneonglow redblade7
- In-game: redblade7 redblade7_owner
Is there any easy lag-free way to block IP ranges?
Hi,
I need a way to block IP ranges, to block griefers who have several IDs consisting of different IPs in the same two ranges, as well as people who have made threats to hack my server.
The only way I know of that would do this would be iptables, but inspecting every single packet against hundreds or thousands of IPs in the block causes 20-40+ lag on my servers, making the game near unplayable for most.
I'd imagine I could spend hours placing 255 sets of IPs into ipban.txt or xban2 one at a time. But there has to be a better way, perhaps a Linux program separate from iptables that won't cause so much lag. Is there?
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
- rubenwardy
- Moderator
- Posts: 6978
- Joined: Tue Jun 12, 2012 18:11
- GitHub: rubenwardy
- IRC: rubenwardy
- In-game: rubenwardy
- Location: Bristol, United Kingdom
- Contact:
Re: Is there any easy lag-free way to block IP ranges?
you could create a mod to check the IP against the range on_joinplayer
- redblade7
- Member
- Posts: 316
- Joined: Sun Feb 15, 2015 07:14
- IRC: redneonglow redblade7
- In-game: redblade7 redblade7_owner
Re: Is there any easy lag-free way to block IP ranges?
rubenwardy wrote:
> you could create a mod to check the IP against the range on_joinplayer

I don't know how to create mods, and I don't know what on_joinplayer is. Does anything exist, even something that has nothing to do with Minetest? (Preferably something that has nothing to do with Minetest.)
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
Re: Is there any easy lag-free way to block IP ranges?
Since you are talking about iptables and supposedly have linux:
ip route add blackhole 192.168.178.5/29 is the way to go there...
192.168.178.5 is the IP, /29 is the bitmask to use for the range.
https://www.aelius.com/njh/subnet_sheet.html
A man much wiser than me once said: "go away, you are bothering me"
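An added example (not from the thread, and not Vapalus's own script) that does the bookkeeping the post above glosses over: a range written with host bits set, like 192.168.178.5/29, is normalised to its network 192.168.178.0/29 before the route command is emitted, and duplicate or malformed entries in a list are collapsed or reported instead of aborting the load. The list format and the function names are assumptions.

```shell
#!/bin/sh
# Constructed example: emit one blackhole route per distinct network from a
# list of ranges. "replace" keeps a re-run idempotent; pipe the output to sh
# as root to apply it.
set -eu

# cidr_network A.B.C.D/N -> prints the network address A.B.C.D/N with host
# bits cleared (192.168.178.5/29 -> 192.168.178.0/29); returns 1 if malformed.
cidr_network() {
    addr=${1%/*}; plen=${1#*/}
    case "$plen" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        # digits only, no leading zero (the shell would read it as octal), <= 255
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$(( (n << 8) | o ))
    done
    # clear the low (32 - plen) host bits; a shift by 32 is undefined, so /0 is special-cased
    if [ "$plen" -eq 0 ]; then n=0; else n=$(( (n >> (32 - plen)) << (32 - plen) )); fi
    printf '%d.%d.%d.%d/%d\n' $(( n >> 24 )) $(( (n >> 16) & 255 )) $(( (n >> 8) & 255 )) $(( n & 255 )) "$plen"
}

# blackhole_cmds: read one range per line on stdin ('#' comments and blank
# lines ignored), print a sorted, de-duplicated list of route commands.
# Malformed lines are reported on stderr and skipped rather than aborting.
blackhole_cmds() {
    while IFS= read -r line; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        [ -n "$line" ] || continue
        if net=$(cidr_network "$line"); then
            printf 'ip route replace blackhole %s\n' "$net"
        else
            printf 'skipped malformed range: %s\n' "$line" >&2
        fi
    done | sort -u
}

# Constructed sample list; the second entry is the same /29 written with host bits set.
sample_ranges() {
    printf '%s\n' '192.168.178.5/29  # from the post above' '192.168.178.2/29' '203.0.113.0/24' 'not-an-ip'
}

# Usage (as root): sample_ranges | blackhole_cmds | sh
```

`ip route show type blackhole` lists what is currently installed, and `ip route del blackhole 192.168.178.0/29` removes a single entry again.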
- redblade7
- Member
- Posts: 316
- Joined: Sun Feb 15, 2015 07:14
- IRC: redneonglow redblade7
- In-game: redblade7 redblade7_owner
Re: Is there any easy lag-free way to block IP ranges?
Vapalus wrote:
> Since you are talking about iptables and supposedly have linux:
> ip route add blackhole 192.168.178.5/29 is the way to go there...
> 192.168.178.5 is the IP, /29 is the bitmask to use for the range.
> https://www.aelius.com/njh/subnet_sheet.html

Will that avoid the lag issues I just described when doing it via iptables?
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
Re: Is there any easy lag-free way to block IP ranges?
I had a big server with, let's say, 5.000 - 10.000 players once, on pretty normal hardware, with all the stuff that comes with it; DoS, cheaters, hacking attempts, and the blackhole did a pretty fine job.
It's down to the OS level and doesn't even react to IPs from the given range.
https://vincent.bernat.im/en/blog/2017- ... okup-linux
It's talking about 50 ns here, but I guess that's processor related.
A man much wiser than me once said: "go away, you are bothering me"
- redblade7
- Member
- Posts: 316
- Joined: Sun Feb 15, 2015 07:14
- IRC: redneonglow redblade7
- In-game: redblade7 redblade7_owner
Re: Is there any easy lag-free way to block IP ranges?
"ip route add blackhole" on large ranges seems to introduce a bit of lag and slowness (probably about 2-10 at most) but not to the extent of being unplayable (the 20-40 I was getting with iptables). Thank you!
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
Re: Is there any easy lag-free way to block IP ranges?
The most efficient way on Linux is to use `ipset` as it can be used to define network ranges, and then block them using `iptables` if they match the `ipset`.
There are many guides that cover the topic, here's one that I think does a good job: https://wiki.archlinux.org/index.php/Ipset
- redblade7
- Member
- Posts: 316
- Joined: Sun Feb 15, 2015 07:14
- IRC: redneonglow redblade7
- In-game: redblade7 redblade7_owner
Re: Is there any easy lag-free way to block IP ranges?
sofar wrote:
> The most efficient way on Linux is to use `ipset` as it can be used to define network ranges, and then block them using `iptables` if they match the `ipset`.
> There are many guides that cover the topic, here's one that I think does a good job: https://wiki.archlinux.org/index.php/Ipset

How is that different from adding the ranges to an iptables config file manually (which was making the game unplayable)?
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
Re: Is there any easy lag-free way to block IP ranges?
redblade7 wrote:
> How is that different from adding the ranges to an iptables config file manually (which was making the game unplayable)?

It seems that there can be a significant improvement in the performance of iptables when the ipset utility is used.
https://developers.redhat.com/blog/2017 ... -nftables/
Re: Is there any easy lag-free way to block IP ranges?
zing269 wrote:
> redblade7 wrote:
> > How is that different from adding the ranges to an iptables config file manually (which was making the game unplayable)?
> It seems that there can be a significant improvement in the performance of iptables when the ipset utility is used.
> https://developers.redhat.com/blog/2017 ... -nftables/

Iptables is a highly complex system. Each rule has significant execution time, although I doubt that on any decent hardware you'd even notice a few rules (do you run on a really low end machine?). However, ipset is a really specific addition that avoids most of the iptables performance issues and offers enough functionality to replace things like blocklists for IP ranges easily. You only then need *one* iptables rule, so the performance hit is a lot smaller than with everything in lots of iptables rules.
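An added example of the single-rule ipset setup sofar describes (not sofar's or the project's own script; the set name mt_blocklist, the INPUT chain and the blocklist file format are assumptions): the ranges go into one hash:net set, iptables gets exactly one rule that consults it, and a reload builds the new list in a scratch set and swaps it in atomically, so there is never a moment with a half-loaded or empty blocklist. Setting RUN=echo prints the privileged commands instead of executing them.

```shell
#!/bin/sh
# Constructed example: one ipset of type hash:net, one iptables rule.
set -eu

SET_NAME=${SET_NAME:-mt_blocklist}   # assumed set name
CHAIN=${CHAIN:-INPUT}                # assumed chain
RUN=${RUN:-}                         # RUN=echo -> dry run, print commands only

# ensure_rule: create the set if missing and install exactly one DROP rule
# that matches source addresses against it. The -C probe keeps a re-run from
# stacking duplicate rules (the insert is always printed in dry-run mode).
ensure_rule() {
    $RUN ipset create -exist "$SET_NAME" hash:net family inet
    if [ -n "$RUN" ] || ! iptables -C "$CHAIN" -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null; then
        $RUN iptables -I "$CHAIN" 1 -m set --match-set "$SET_NAME" src -j DROP
    fi
}

# load_ranges FILE: read "a.b.c.d[/n]" entries (one per line, '#' comments and
# blank lines ignored) into a scratch set, then swap it with the live one.
# ipset validates each entry itself; a bad line is reported and skipped, not fatal.
load_ranges() {
    tmp="${SET_NAME}_tmp"
    $RUN ipset create -exist "$tmp" hash:net family inet
    $RUN ipset flush "$tmp"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep -v '^$' | while IFS= read -r r; do
        $RUN ipset add -exist "$tmp" "$r" 2>/dev/null \
            || printf 'skipped bad entry: %s\n' "$r" >&2
    done
    $RUN ipset swap "$tmp" "$SET_NAME"   # atomic: the live set now holds the new list
    $RUN ipset destroy "$tmp"            # the old contents, now in the scratch set, go away
}

# Typical use (as root): ensure_rule && load_ranges /etc/minetest/blocklist.txt
# Re-run load_ranges whenever the file changes; the single rule stays in place.
```

`ipset list mt_blocklist` shows what is loaded, and the packet counters on the one rule (`iptables -L INPUT -v -n`) tell you how much the set is actually dropping.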
Re: Is there any easy lag-free way to block IP ranges?
The fact that he has a feelable speed decrease on blackhole must mean he's running it on a RasPi, or something like that.
A man much wiser than me once said: "go away, you are bothering me"
- redblade7
- Member
- Posts: 316
- Joined: Sun Feb 15, 2015 07:14
- IRC: redneonglow redblade7
- In-game: redblade7 redblade7_owner
Re: Is there any easy lag-free way to block IP ranges?
Vapalus wrote:
> The fact that he has a feelable speed decrease on blackhole must mean he's running it on a RasPi, or something like that.

I'm running it on a VPS, provider is Linode. I have hundreds of thousands of IPs blackholed though.
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
Re: Is there any easy lag-free way to block IP ranges?
redblade7 wrote:
> I need a way to block IP ranges, .. iptables, .. causes 20-40+ lag

I don't think iptables is slow like that.
Someone did a performance-test, and found
>The breaking point for Xeon is at about 30,000 new requests per second
>netfilter/iptables does not scale well if one wants to use large number of rules in a single chain.
So maybe your firewall setup is just inefficient.
See this post on stackexchange :
>I have added about 3500 IP addresses to iptables
>>setup an ipset instead
'My' wiki-pages: Build-a-home - basic-robot - basic_robot_csm - basic-machines - digtron - xdecor -
Map-Database
Re: Is there any easy lag-free way to block IP ranges?
redblade7 wrote:
> I'm running it on a VPS, provider is Linode. I have hundreds of thousands of IPs blackholed though.

I've been running stuff on a VPS, too, and never had any issues with using either iptables or blackhole.
The speed in which the OS does the packet handling is so extremely fast (50 nanoseconds!) that I have to doubt if your system is clean.
If the light flies for 50 ns, it goes as far as 15 meters. A normal human should not be able to see, smell, hear or measure a difference of that timespan. What you are talking about, 5 ms, is like 100 times more than that.
How do you measure the lag difference?
A man much wiser than me once said: "go away, you are bothering me"
- redblade7
- Member
- Posts: 316
- Joined: Sun Feb 15, 2015 07:14
- IRC: redneonglow redblade7
- In-game: redblade7 redblade7_owner
Re: Is there any easy lag-free way to block IP ranges?
Turns out that in addition to the blackholing I was just long overdue for a /clearobjects on that server (last time I did was over 6 months ago). It had gotten so bad that I was getting weird packet errors when trying to connect today. I hate doing a /clearobjects because everyone loses all their tamed animals and loose carts that way, but more mobs = more lag. After doing that, everything works fine with blackhole. Thank you!
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
- redblade7
- Member
- Posts: 316
- Joined: Sun Feb 15, 2015 07:14
- IRC: redneonglow redblade7
- In-game: redblade7 redblade7_owner
Re: Is there any easy lag-free way to block IP ranges?
redblade7 wrote:
> Turns out that in addition to the blackholing I was just long overdue for a /clearobjects on that server (last time I did was over 6 months ago). It had gotten so bad that I was getting weird packet errors when trying to connect today. I hate doing a /clearobjects because everyone loses all their tamed animals and loose carts that way, but more mobs = more lag. After doing that, everything works fine with blackhole. Thank you!

That and I've been getting an endless amount of ABMs caused by the instability of the bees mod, which is on two of my servers. After updating the mod to a beta (though also abandoned) version I was having crashes on a daily basis, but I found several problems in the code and after adding missing variables and commenting out extra features that I didn't want to be bothered figuring out, it seems to work fine. Thank you!
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
- Hamlet
- Member
- Posts: 766
- Joined: Sat Jul 29, 2017 21:09
- IRC: H4mlet
- In-game: Hamlet
- Location: Lombardy, Italy
Re: Is there any easy lag-free way to block IP ranges?
redblade7 wrote:
> Turns out that in addition to the blackholing I was just long overdue for a /clearobjects on that server (last time I did was over 6 months ago). It had gotten so bad that I was getting weird packet errors when trying to connect today. I hate doing a /clearobjects because everyone loses all their tamed animals and loose carts that way, but more mobs = more lag. After doing that, everything works fine with blackhole. Thank you!

Perhaps you've already done this, but I would suggest to reduce the Items' Entity Time To Live (item_entity_ttl); by default it is set to 900 (15mins)... I think that 300 (5mins) is more than enough for a player to recover what might have been dropped because of death or whatever the reason.
My repositories: Codeberg.org | My ContentDB's page
- redblade7
- Member
- Posts: 316
- Joined: Sun Feb 15, 2015 07:14
- IRC: redneonglow redblade7
- In-game: redblade7 redblade7_owner
Re: Is there any easy lag-free way to block IP ranges?
Hamlet wrote:
> Perhaps you've already done this, but I would suggest to reduce the Items' Entity Time To Live (item_entity_ttl); by default it is set to 900 (15mins)... I think that 300 (5mins) is more than enough for a player to recover what might have been dropped because of death or whatever the reason.

Yes, always had 300.
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
- redblade7
- Member
- Posts: 316
- Joined: Sun Feb 15, 2015 07:14
- IRC: redneonglow redblade7
- In-game: redblade7 redblade7_owner
Re: Is there any easy lag-free way to block IP ranges?
I just noticed that when I upgraded postgresql last, I had the config set up incorrectly, shared_buffers was set to 18MB instead of 18GB. I don't know what effect this typo would have had, but everything has been fine regardless.
-redblade7, admin of: THE CREATIVE GARDENS (creative), THE VALLEYS (sandbox), and THE DIGITAL FARMS (farming/hunger/shops)
- sorcerykid
- Member
- Posts: 1847
- Joined: Fri Aug 26, 2016 15:36
- GitHub: sorcerykid
- In-game: Nemo
- Location: Illinois, USA
Re: Is there any easy lag-free way to block IP ranges?
This is a repost from March 29, 2019, due to the forum rollback.
I know I'm chiming in a bit late, but I just wanted to mention that it's possible to block IP address ranges using Auth Redux. Authentication rulesets can be edited and reloaded even while the server is running to block login attempts from malicious clients.
If you have a large number of individual IP addresses, then they can also be checked in a flat text file.
Code:

    # block all IPs from 192.168 with third and fourth octets full range
    when $addr is /192.168.?.?/a fail
    # block all IPs from 128.0.0 with fourth octet range 0 to 10 inclusive
    when $addr is /128.0.0.10</a fail