# rOfirewall - iptables/ipset DDoS Shield

A simple installer/manager script for iptables + ipset-based DDoS protection tailored for rAthena/Ragnarok servers.

**Features:**

- Installs required dependencies: `iptables`, `ipset`, `curl`, `whois`
- Blocks entire countries or individual ASNs (zones)
- NEW: Geo-allow list (only allow listed countries) and ISP-allow list (ASNs)
- Named port setup for Ragnarok (`login`, `char`, `map`, `web`) + extras
- Whitelist individual IP addresses
- Rate-limits new TCP connections per port
- Single `rofirewall` command reapplies everything

## Installation

Fetch, install dependencies, and register as a system command in one go:

```bash
sudo apt-get update \
  && sudo apt-get -y install curl \
  && cd /home \
  && curl -Lo rOfirewall.sh \
       https://raw.githubusercontent.com/gamingmagic/rofirewall-rathena/main/rofirewall.sh \
  && chmod +x rOfirewall.sh \
  && ./rOfirewall.sh install
```

(This copies `rofirewall` into `/usr/local/bin/` for global use.)


## Command Usage

All commands below assume you have `rofirewall` installed (or are running `./rOfirewall.sh` from its directory).

| Command | Description |
| --- | --- |
| `rofirewall` | Full apply: install deps, ensure default CN block if none, flush & apply rules |
| `rofirewall add-port <PORT>` | Add a TCP port to `ports.list` (kept on next apply) |
| `rofirewall set-ports --login L --char C --map M --web W [--extra "p1,p2" --no-ssh]` | Rewrite `ports.list` with named Ragnarok ports (and optional extras) |
| `rofirewall add-block-zone <URL>` | Download and add a country block list (ipdeny format) |
| `rofirewall add-block-asn <ASN>` | Fetch and block all prefixes announced by the ASN |
| `rofirewall set-allow-countries <iso...>` | Allow only these ISO2 country codes (use `clear` to disable) |
| `rofirewall set-allow-asn <ASN...>` | Allow only these ASNs/ISPs (use `clear` to disable) |
| `rofirewall whitelist-ip <IP>` | Add a single IPv4 address to the whitelist |

After any `add-*` command, simply re-run:

```bash
sudo rofirewall
```

to rebuild and reload your nftables configuration.


## Configuration Files

All data files live in `/usr/local/bin` by default:

- `ports.list`: Allowed TCP ports (one per line). Use `set-ports` or edit manually.
- `whitelist.zone`: Whitelisted IPv4 addresses (one per line).
- `allow_countries.list`: ISO2 country codes that are allowed (optional; emptied by `set-allow-countries clear`).
- `allow_asn.list`: AS numbers that are allowed (optional; emptied by `set-allow-asn clear`).
- `*.zone`: Country or ASN block lists (downloaded via `add-block-zone` or `add-block-asn`).

Defaults loaded on first run:

- Ports: 6900, 6121, 5121, 8888, 6964, 6164, 5164, 8884, 3306, 22
- Country block: China (`cn.zone`) auto-added if no other block zone exists
- SYN-rate limit: 5 per second per source

To tweak, just edit these files or use the rofirewall add-* commands.
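
Since these files are edited by hand or filled from downloads, a sanity check before re-running `rofirewall` catches typos and failed downloads (for example an HTML error page saved as a zone file). The script below is an added example, not part of the rofirewall script; the function names are hypothetical, and it assumes zone files hold one IPv4 CIDR per line.

```shell
# Added example (not the project's code): lint rofirewall-style data files.
# Function names are hypothetical; formats assumed: one entry per line.

valid_port() {   # integer in 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {   # four dot-separated decimal octets, each 0..255
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$N
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

valid_cidr() {   # IPv4 prefix such as 198.51.100.0/24, length 0..32
    case "$1" in */*) ;; *) return 1 ;; esac
    len=${1##*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#len}" -le 2 ] && [ "$len" -le 32 ] && valid_ipv4 "${1%/*}"
}

# lint_file KIND FILE  (KIND: port | ipv4 | cidr)
# Prints FILE:LINE for every non-blank line that fails; returns 1 if any did.
lint_file() {
    kind=$1 file=$2 n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=$(printf '%s' "$line" | tr -d '\r')   # tolerate CRLF files
        [ -n "$line" ] || continue
        if ! "valid_$kind" "$line"; then
            echo "$file:$n: invalid $kind: $line"
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Constructed sample input: a bad port and an HTML error page saved as a zone.
d=$(mktemp -d)
printf '6900\n6121\n70000\n' > "$d/ports.list"
printf '198.51.100.0/24\n<html>404</html>\n' > "$d/cn.zone"
lint_file port "$d/ports.list" || echo "fix ports.list before applying"
lint_file cidr "$d/cn.zone"    || echo "cn.zone is not a CIDR list, re-download it"
rm -rf "$d"
```

Use `lint_file ipv4` for `whitelist.zone`, and re-run `rofirewall` only once every file passes.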


## Uninstall

Remove the command and data files, then flush nftables rules:

```bash
sudo rm /usr/local/bin/rofirewall \
          /usr/local/bin/ports.list \
          /usr/local/bin/whitelist.zone \
          /usr/local/bin/*.zone
sudo nft flush ruleset
```

Warning: This script requires root privileges. Always test in a non-production environment first.
