Forwarding port ranges using iptables --to ?

ivj · 10-12-2004, 12:36 AM

Hi!

Normally, when I want to forward something thru my iptables, I use the following scheme:

-A PREROUTING -p tcp -i eth0 --dport 80 DNAT --to 192.168.0.1:80

Now I have a need to forward a range of ports. How would I go about that? I am thinking of

-A PREROUTING -p tcp -i eth0 --dport 100:1000 DNAT --to 192.168.0.1:100:1000

but I am not sure that will work.

Anybody has any thoughts? Thanks.

ivj · 10-12-2004, 12:38 AM

Well the iptables restart gave me no errors, but I am not sure if this will actually work. I'll test it in a few minutes.

ivj · 10-12-2004, 12:49 AM

Nope, does not seem to work. What I am trying to do is to be able to host a civilization 3 game via gamespy, which required lots of ports to be used. I have a home network behind a linux router, where I use iptables for all my forwarding needs.

For example, in past, if I wanted to set up a host for warcraft 3 game, I'd have to do the following:

Forward Warcraft 3 port
-A PREROUTING -p tcp --dport 6112 -i eth0 -j DNAT --to 192.168.0.16:6112

Unfortunately, civilization 3 required a LOT of ports, as described by their support page - http://www.atarisupport.com/newfaq/c...faq_prodissues

Here are the ports required for hosting:

# In order to host a game on the Internet through the built-in GameSpy software, the following ports must be opened:

* IRC - Port 6667
* Voice Chat - Port 3783
* Master Server UDP Heartbeat - Port 27900
* Master Server List Request - Port 28900
* GP Connection Manager - Port 29900
* GP Search Manager - Port 29901
* Custom UDP Pings - Port 13139
* Query Port - Port 6500
* DirectPlay - Port 2302
* Initial UPD COnnection - Port 6073 Inbound
* Subsequent UPD Inbound and Outbound - Ports 2302-2400

So, here's what I added to my iptables:

-A PREROUTING -p udp -i etho0 --dport 6073 -j DNAT --to 192.168.0.16:6073
-A PREROUTING -p udp -i etho0 --dport 2302:2400 -j DNAT --to 192.168.0.16:2302:2400
-A PREROUTING -p tcp -i etho0 --dport 6667 -j DNAT --to 192.168.0.16:6667
-A PREROUTING -p tcp -i etho0 --dport 3783 -j DNAT --to 192.168.0.16:3783
-A PREROUTING -p udp -i etho0 --dport 27900 -j DNAT --to 192.168.0.16:27900
-A PREROUTING -p tcp -i etho0 --dport 28900 -j DNAT --to 192.168.0.16:28900
-A PREROUTING -p tcp -i etho0 --dport 29900 -j DNAT --to 192.168.0.16:29900
-A PREROUTING -p tcp -i etho0 --dport 29901 -j DNAT --to 192.168.0.16:29901
-A PREROUTING -p udp -i etho0 --dport 13139 -j DNAT --to 192.168.0.16:13139
-A PREROUTING -p tcp -i etho0 --dport 6500 -j DNAT --to 192.168.0.16:6500
-A PREROUTING -p tcp -i etho0 --dport 2302 -j DNAT --to 192.168.0.16:2302

/etc/init.d/iptables restart gave me no errors, so I assume everything is correct. But I am still not able to host a game.

So either I did something wrong in the iptables, or gamespy or developers don't know what the hell their ports are.

Thanks in advance.

Demonbane · 10-12-2004, 06:49 PM

can't you just do

-j DNAT --to 192.168.0.16

you don't have to specify the port unless you want to map it to another port
Also make sure your firewall doesn't block these traffic

ivj · 10-12-2004, 06:51 PM

Hmm lemme try that

ivj · 10-12-2004, 06:55 PM

Nope didn't work. I left everything as it was but I got off the :<port_num> endings.

((

Demonbane · 10-12-2004, 07:04 PM

try log some packets and see whether they've being blocked or have successfully gone through the gateway

ivj · 10-12-2004, 07:47 PM

Can you give me some examples of how to do that?

Right now I only know of -j LOG

and I don't want to loose those packets, obviously.

Demonbane · 10-12-2004, 08:26 PM

use -j LOG for each of these ports(or port ranges)
then do another one in the end to log all denied packets

ivj · 10-12-2004, 09:15 PM

I did the following:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:69]

-A PREROUTING -p udp -i etho0 --dport 6073 -j LOG
-A PREROUTING -p udp -i etho0 --dport 2302:2400 -j LOG
-A PREROUTING -p tcp -i etho0 --dport 6667 -j LOG
-A PREROUTING -p tcp -i etho0 --dport 3783 -j LOG
-A PREROUTING -p udp -i etho0 --dport 27900 -j LOG
-A PREROUTING -p tcp -i etho0 --dport 28900 -j LOG
-A PREROUTING -p tcp -i etho0 --dport 29900 -j LOG
-A PREROUTING -p tcp -i etho0 --dport 29901 -j LOG
-A PREROUTING -p udp -i etho0 --dport 13139 -j LOG
-A PREROUTING -p tcp -i etho0 --dport 6500 -j LOG
-A PREROUTING -p tcp -i etho0 --dport 2302 -j LOG

-A POSTROUTING -s 192.168.0.0/24 -d 0/0 -o eth0 -j MASQUERADE

COMMIT

I didn't add an extra line with -j LOG, cuz wouldn't that cause ALL the packets to that machine to be dropped to LOG, and my entire network wouldn't work?

Now the problem is - i have no idea where this logs to, and I can't find any info in man or google.

Any wisdom you'd like to share?

Demonbane · 10-13-2004, 02:57 AM

-j LOG does not drop anything
it logs the matching packet, then pass it on to the next rule

depending on how your distro is setup afaik many distros aren't configured to log iptables entries into a separate file so you have to check the kernel logs or "dmesg"

in fact try logging on the client, see if traffic on these ports can reach the client.

ivj · 10-13-2004, 02:59 AM

I know dmesg is in /var/log but where are the kernel logs?

Demonbane · 10-13-2004, 03:03 AM

depends on the distro(how the logging daemon is setup)
nevertheless you should see it if you type "dmesg"

ivj · 10-13-2004, 03:05 AM

Ok I'll try that tomorrow, too sleepy to do that now.

Im running RH 9.0 btw. And dmesg is an actuall command? I just thought it was a log file name.