Hosting a popular multiplayer game like Rust, Minecraft, or Palworld makes you a prime target. In the gaming world, disgruntled players and rival server owners frequently use cheap botnets to launch Layer 4 volumetric attacks (like UDP floods or SYN floods) to crash your instance and steal your player base.
While hardware-level mitigation is the ultimate defense, every server administrator must know how to configure a software-level firewall as their first line of defense. By setting up custom iptables rules on your Linux machine, you can filter out script-kiddie attacks, drop malformed packets, and enforce strict rate limits before they exhaust your game's allocated RAM.
What You'll Learn
How to secure your SSH connection before applying aggressive firewall rules.
How to drop invalid, fragmented, and malformed packets used in server-crashing exploits.
How to configure UDP rate limiting to stop basic flood attacks.
How to open specific ports for popular multiplayer games (Rust, Palworld, Minecraft).
How to make your iptables rules persistent across server reboots.
Step 1: The Golden Rule (Don't Lock Yourself Out)
Before we start dropping packets, we must ensure that established connections and your active SSH session are not blocked.
Connect to your server via SSH and run the following commands to allow loopback traffic and preserve your SSH connection:
# Allow all traffic on the loopback interface (localhost)
sudo iptables -A INPUT -i lo -j ACCEPT
# Allow already established and related connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow incoming SSH connections (Port 22)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Step 2: Drop Malformed and Invalid Packets
Attackers often send broken or malformed packets designed to confuse the server's TCP/IP stack, causing the CPU to spike as it tries to process them. We can instruct iptables to drop these immediately.
# Drop packets with an INVALID state
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Drop fragmented packets (often used to bypass simple firewalls)
sudo iptables -A INPUT -f -j DROP
# Drop excessive TCP RST (Reset) packets to prevent Smurf-style attacks
sudo iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
sudo iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
Step 3: Implement Layer 4 Rate Limiting (The UDP/SYN Flood Defense)
Most multiplayer games use UDP (User Datagram Protocol) because it is faster than TCP for real-time player movement. Unfortunately, UDP is stateless, making it the favorite protocol for flood attacks.
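We can set a rate limit to ensure no single IP address can flood the server with thousands of requests per second. The hashlimit match keeps a separate counter for each source IP and drops only the packets above the limit, so traffic within the limit continues down the chain to the port rules in Step 4. The plain limit match, by contrast, shares one counter across all clients, and pairing it with ACCEPT followed by a blanket DROP would decide every packet here, before the port rules are ever checked.
# Mitigate TCP SYN Floods: drop SYNs from any source IP exceeding 10/s (burst 20)
sudo iptables -A INPUT -p tcp --syn -m hashlimit --hashlimit-name syn_flood --hashlimit-mode srcip --hashlimit-above 10/sec --hashlimit-burst 20 -j DROP
# Mitigate UDP Floods (Adjust limits based on your game's normal traffic)
sudo iptables -A INPUT -p udp -m hashlimit --hashlimit-name udp_flood --hashlimit-mode srcip --hashlimit-above 50/sec --hashlimit-burst 100 -j DROP
Note: If players complain about connection drops during intense gameplay, you may need to increase the rate and burst values in these rules.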
Step 4: Open Specific Game Server Ports
Now that the server is rate-limited and protected from junk data, you need to open the specific ports your game requires.
For a Palworld Server (Default UDP 8211):
sudo iptables -A INPUT -p udp --dport 8211 -j ACCEPT
For a Rust Server (Default UDP 28015 for game, TCP 28016 for RCON):
sudo iptables -A INPUT -p udp --dport 28015 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 28016 -j ACCEPT
For a Minecraft Server (Default TCP 25565):
sudo iptables -A INPUT -p tcp --dport 25565 -j ACCEPT
Step 5: Set the Default Policy and Save
Finally, change the default policy to DROP. This means if a packet doesn't match any of the "ACCEPT" rules we just created, it will be discarded automatically.
sudo iptables -P INPUT DROP
To ensure these rules survive a server reboot, install the persistent iptables package:
sudo apt install iptables-persistent -y
When prompted during installation, select Yes to save current IPv4 rules. If you make changes in the future, save them manually with:
sudo netfilter-persistent save
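iptables evaluates the INPUT chain from top to bottom and stops at the first terminating match, so a port ACCEPT that was appended below a protocol-wide DROP never takes effect. The script below is an added example (not part of the original tutorial) that audits the text printed by iptables -S INPUT for that ordering mistake; the function names and both sample listings are constructed for illustration.

```shell
# Added example: flag port ACCEPT rules that sit below a protocol-wide DROP.
# Input: `sudo iptables -S INPUT` text on stdin. Exit 0 = clean, 1 = shadowed rule found.
find_shadowed_rules() {
  awk '
    /^-A INPUT / { n++ }                       # n = rule position in the chain
    # Blanket DROP: every new packet (or every SYN) of this protocol stops here
    /^-A INPUT -p (tcp|udp)( -m tcp --tcp-flags FIN,SYN,RST,ACK SYN)? -j DROP$/ {
      if (!($4 in drop_at)) drop_at[$4] = n; next
    }
    # A later port-specific ACCEPT for the same protocol is never reached
    /^-A INPUT -p (tcp|udp) / && / --dport [0-9]+ / && / -j ACCEPT$/ && ($4 in drop_at) {
      printf "rule %d is shadowed by DROP at rule %d: %s\n", n, drop_at[$4], $0
      found = 1
    }
    END { exit found ? 1 : 0 }
  '
}

# Constructed listing: rate-limit ACCEPT + blanket DROP come before the game ports
sample_bad_order() {
  cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 10/sec --limit-burst 20 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -p udp -m limit --limit 50/sec --limit-burst 100 -j ACCEPT
-A INPUT -p udp -j DROP
-A INPUT -p udp -m udp --dport 8211 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT
EOF
}

# Constructed listing: game ports are accepted before any blanket DROP
sample_good_order() {
  cat <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 8211 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT
-A INPUT -p udp -j DROP
EOF
}

sample_bad_order | find_shadowed_rules || true   # prints the two shadowed rules
```

On a live server, pipe sudo iptables -S INPUT into find_shadowed_rules before running sudo netfilter-persistent save, and reorder any rule it reports.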
The Hardware Reality: When Software Firewalls Fail
Setting up iptables is a mandatory best practice, but it has a fatal flaw: Software firewalls consume CPU cycles to drop packets.
If an attacker launches a 50 Gbps volumetric DDoS attack against your server, iptables might correctly identify the bad packets, but the sheer volume of traffic will completely saturate your server's network port. When the physical pipe is full, legitimate player traffic cannot get in, and your server goes offline regardless of your firewall rules.
The iDatam Hardware Solution
To run a truly bulletproof multiplayer cluster, you need protection before the traffic ever reaches your server's operating system.
When you deploy an iDatam Game Server, you gain access to our enterprise-grade DDoS Dedicated Servers infrastructure. We utilize edge-level hardware scrubbing centers that automatically detect and absorb massive Layer 3 and Layer 4 volumetric floods seamlessly.
Stop wasting your CPU cycles fighting off botnets. Deploy your gaming community on iDatam's DDoS-protected bare-metal network and keep your uptime at 100%.
