Firewall rules bypassed?

TeamSpeak Server
1

Hello everyone, I need your help / advice please:

I have created the following IPtables rules for our server:

#!/bin/bash
# Firewall Regeln 

iptables -F
iptables -X

iptables -N DENY
iptables -A DENY -p tcp -m tcp -m limit --limit 30/sec --limit-burst 100 -m comment --comment "Anti-DoS" -j REJECT --reject-with tcp-reset
iptables -A DENY -m limit --limit 30/sec --limit-burst 100 -m comment --comment "Anti-DoS" -j REJECT --reject-with icmp-proto-unreachable
iptables -A DENY -m comment --comment "Alles andere ignorieren" -j DROP

iptables -N SERVICES
iptables -A SERVICES -p tcp -m tcp --dport 53 -m comment --comment "Erlaube: DNS" -j ACCEPT
iptables -A SERVICES -p udp -m udp --dport 2008 -m comment --comment "Erlaube: Accounting" -j ACCEPT
iptables -A SERVICES -p tcp -m tcp --dport 9987 -m comment --comment "Erlaube: TS-Port" -j ACCEPT
iptables -A SERVICES -p udp -m udp --dport 10011 -m comment --comment "Erlaube: TS-Port" -j ACCEPT
iptables -A SERVICES -p tcp -m tcp --dport 22 -m comment --comment "Erlaube: SSH-Zugriff" -j ACCEPT
iptables -A SERVICES -j RETURN

iptables -A INPUT -i lo -m comment --comment "Erlaube: Loopback" -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Erlaube: Related und Established Verbindungen" -j ACCEPT
iptables -A INPUT -m comment --comment "Erlaube Standard Dienste" -j SERVICES
iptables -A INPUT -p icmp -m comment --comment "Erlaube: ICMP" -j ACCEPT
iptables -A INPUT -m comment --comment "Ignoriere alles andere" -j DENY
iptables -P INPUT DROP

Now a few days ago and yesterday I noticed that the incoming traffic (from the Teamspeak itself) has increased enormously. Normally I have incoming traffic around 4-6 GB but a few days ago the traffic was 100 GB in just one hour! Unfortunately I only have the whole thing for IPv4 :frowning:

My question would be: how is it possible if the user is logged in as a user to cause such traffic via Teamspeak and how can I still optimize my script? Or how can I find out which user it was? Is there a possibility?

I thank you guys for the help / answer