Securing the Chat Relay

Auto-banning clients

Enabling the auto-banning feature is highly recommended to mitigate the risk of denial-of-service attacks and other possible problems.

Restricting client access

Client access can be further restricted using rules in the server's local firewall or your site's main firewall, if you have one. If a specific set of client IPs should have access to the Chat Relay, you can create firewall rules that allow only those IPs and block everything else.

A simple example of an iptables rule set to restrict client access:

/sbin/iptables -A INPUT -s 1.2.3.4 -p tcp --dport 23456 -j ACCEPT

/sbin/iptables -A INPUT -s 2.3.4.5 -p tcp --dport 23456 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 23456 -j DROP

In this example, we are allowing client connections on port 23456 (the default client listener port) from the IP addresses 1.2.3.4 and 2.3.4.5, and dropping all other packets coming to that port. Note that the name of the chain (INPUT in this example) may be different depending on the Linux distribution.

Protecting the message listener

Auto-banning and TCP firewall rules only work for clients connecting to the client listener. To protect the message listener from being flooded by unwanted UDP traffic, you should create rules in the server's local firewall to allow traffic from the desired game servers, and block everything else.

A simple example of an iptables rule set to protect the message listener:

/sbin/iptables -A INPUT -s 1.2.3.4 -p udp --dport 12345 -j ACCEPT

/sbin/iptables -A INPUT -s 2.3.4.5 -p udp --dport 12345 -j ACCEPT

/sbin/iptables -A INPUT -p udp --dport 12345 -j DROP

In this example, we are allowing incoming UDP packets to port 12345 (the default message listener port) from the IP addresses 1.2.3.4 and 2.3.4.5, and dropping all other packets coming to that port. Note that the name of the chain (INPUT in this example) may be different depending on the Linux distribution.
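
Both rule sets above can be generated from an address list, so that a mistyped address never produces a partial set. This is an added example, not part of the Chat Relay documentation: the function names valid_ipv4 and listener_rules and the CHAIN variable are hypothetical, and the script only prints the commands for review.

```sh
#!/bin/sh
# Added example: print (not apply) the allowlist rules for one listener.
CHAIN=${CHAIN:-INPUT}   # chain name; the page notes it can differ per distribution

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255 (no CIDR).
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1 count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
        case "$rest" in *.*) rest=${rest#*.} ;; *) rest= ;; esac
    done
    [ "$count" -eq 4 ]
}

# listener_rules PROTO PORT ADDR...: print one ACCEPT per address, then the
# final DROP. On any bad input (including an empty address list) it prints no
# rules and returns 2, so a typo cannot yield a DROP without its ACCEPTs.
listener_rules() {
    [ "$#" -ge 3 ] || { echo "usage: listener_rules PROTO PORT ADDR..." >&2; return 2; }
    proto=$1 port=$2
    shift 2
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad protocol: $proto" >&2; return 2 ;;
    esac
    case "$port" in
        ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 2 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 2; }
    for addr in "$@"; do
        valid_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 2; }
    done
    for addr in "$@"; do
        echo "/sbin/iptables -A $CHAIN -s $addr -p $proto --dport $port -j ACCEPT"
    done
    echo "/sbin/iptables -A $CHAIN -p $proto --dport $port -j DROP"
}

# The page's sample addresses and default ports (23456 TCP clients, 12345 UDP messages).
listener_rules tcp 23456 1.2.3.4 2.3.4.5
listener_rules udp 12345 1.2.3.4 2.3.4.5
```

Because -A appends to the end of the chain, any rule already in the chain that accepts these ports is matched first, and the DROP will not apply to that traffic.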