Jump to content


TC Ingress IPIP Blocker

Recommended Posts

TC Ingress IPIP Blocker

Hey everyone,


I just figured I'd share a small project I made last night. This project was made because I've heard of players bypassing the Source Engine IP blocking method on HG and GFL's JailBreak server. I know HG was trying to block these players through their firewall on the machine, but the problem is packets coming in from the Anycast network are in IPIP formation and unfortunately, most firewall tools like IPTables and NFTables don't have standard methods to block packets based off of the inner IP header's source address.


You may be able to do this with IPTable's or NFTable's payload matching. But this would be a pain and you'd need to convert the IP to binary data along with network byte order. With that said, the TC ingress filter is definitely faster than both IPTables and NFTables.


A simple TC BPF program that attaches to the ingress filter and blocks any IPs stored in the specified file (default is /etc/IPIPBlock/list.conf). This program checks the source IP of the inner IP header.


Usage is as follows:


./IPIPBlock --dev <interface> --list <file> --time <updatetime> [--help]


Where <interface> is the interface incoming IPIP packets enter and <file> is the file that contains all the IPs to blacklist. The default interface is ens18 and the default file is /etc/IPIPBlock/list.conf. The <updatetime> value indicates how often to update the blacklist map from the local file.


Note - Comments or characters after an IP in the blacklist file should be fine. I've tested this and there were no changes in behavior compared to nothing being added after an IP per line.


For example, the following works: # Malicious host (not actually) and this will still block regardless of the comment.
garbage # This never gets processed from what I've seen and is just treated as a garbage value.


You may use git and make to build this project. For example:


git --recursive https://github.com/gamemann/TC-Ingress-IPIP-Blocker.git
cd TC-Ingress-IPIP-Blocker/
make && sudo make install


Note - Clang and LLVM are required to build this project.




GitHub Repository

Share this post

Link to post
Share on other sites

Posted  Edited by Zeins. · Hidden

When it comes to coding im amazed how people can somehow memorize everything they need to make a game or a community or website like fr i would imagine it took a very long time lol.

Edited by Zeins.



                                                                                                                                                               -Former Nerd-



Share this post

Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Create New...