LinuxQuestions.org
Old 10-12-2004, 12:36 AM   #1
ivj
Member
 
Registered: Jul 2004
Posts: 61

Rep: Reputation: 15
Forwarding port ranges using iptables --to ?


Hi!

Normally, when I want to forward something thru my iptables, I use the following scheme:

-A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.0.1:80

Now I have a need to forward a range of ports. How would I go about that? I am thinking of

-A PREROUTING -p tcp -i eth0 --dport 100:1000 -j DNAT --to 192.168.0.1:100:1000

but I am not sure that will work.

Anybody has any thoughts? Thanks.
 
Old 10-12-2004, 12:38 AM   #2
ivj
Member
 
Registered: Jul 2004
Posts: 61

Original Poster
Rep: Reputation: 15
Well the iptables restart gave me no errors, but I am not sure if this will actually work. I'll test it in a few minutes.
 
Old 10-12-2004, 12:49 AM   #3
ivj
Member
 
Registered: Jul 2004
Posts: 61

Original Poster
Rep: Reputation: 15
Nope, does not seem to work. What I am trying to do is to be able to host a civilization 3 game via gamespy, which required lots of ports to be used. I have a home network behind a linux router, where I use iptables for all my forwarding needs.

For example, in the past, if I wanted to set up a host for a Warcraft 3 game, I'd have to do the following:

# Forward Warcraft 3 port
-A PREROUTING -p tcp --dport 6112 -i eth0 -j DNAT --to 192.168.0.16:6112

Unfortunately, civilization 3 required a LOT of ports, as described by their support page - http://www.atarisupport.com/newfaq/c...faq_prodissues

Here are the ports required for hosting:

# In order to host a game on the Internet through the built-in GameSpy software, the following ports must be opened:

* IRC - Port 6667
* Voice Chat - Port 3783
* Master Server UDP Heartbeat - Port 27900
* Master Server List Request - Port 28900
* GP Connection Manager - Port 29900
* GP Search Manager - Port 29901
* Custom UDP Pings - Port 13139
* Query Port - Port 6500
* DirectPlay - Port 2302
* Initial UDP Connection - Port 6073 Inbound
* Subsequent UDP Inbound and Outbound - Ports 2302-2400

So, here's what I added to my iptables:

-A PREROUTING -p udp -i eth0 --dport 6073 -j DNAT --to 192.168.0.16:6073
-A PREROUTING -p udp -i eth0 --dport 2302:2400 -j DNAT --to 192.168.0.16:2302-2400
-A PREROUTING -p tcp -i eth0 --dport 6667 -j DNAT --to 192.168.0.16:6667
-A PREROUTING -p tcp -i eth0 --dport 3783 -j DNAT --to 192.168.0.16:3783
-A PREROUTING -p udp -i eth0 --dport 27900 -j DNAT --to 192.168.0.16:27900
-A PREROUTING -p tcp -i eth0 --dport 28900 -j DNAT --to 192.168.0.16:28900
-A PREROUTING -p tcp -i eth0 --dport 29900 -j DNAT --to 192.168.0.16:29900
-A PREROUTING -p tcp -i eth0 --dport 29901 -j DNAT --to 192.168.0.16:29901
-A PREROUTING -p udp -i eth0 --dport 13139 -j DNAT --to 192.168.0.16:13139
-A PREROUTING -p tcp -i eth0 --dport 6500 -j DNAT --to 192.168.0.16:6500
-A PREROUTING -p tcp -i eth0 --dport 2302 -j DNAT --to 192.168.0.16:2302

/etc/init.d/iptables restart gave me no errors, so I assume everything is correct. But I am still not able to host a game.

So either I did something wrong in the iptables, or gamespy or developers don't know what the hell their ports are.

Thanks in advance.
 
Old 10-12-2004, 06:49 PM   #4
Demonbane
Guru
 
Registered: Aug 2003
Location: Sydney, Australia
Distribution: Gentoo
Posts: 1,796

Rep: Reputation: 47
can't you just do

-j DNAT --to 192.168.0.16

You don't have to specify the port unless you want to map it to another port.
Also make sure your firewall doesn't block this traffic.

Last edited by Demonbane; 10-12-2004 at 06:51 PM.
 
Old 10-12-2004, 06:51 PM   #5
ivj
Member
 
Registered: Jul 2004
Posts: 61

Original Poster
Rep: Reputation: 15
Hmm lemme try that
 
Old 10-12-2004, 06:55 PM   #6
ivj
Member
 
Registered: Jul 2004
Posts: 61

Original Poster
Rep: Reputation: 15
Nope, didn't work. I left everything as it was but took off the :<port_num> endings.

((
 
Old 10-12-2004, 07:04 PM   #7
Demonbane
Guru
 
Registered: Aug 2003
Location: Sydney, Australia
Distribution: Gentoo
Posts: 1,796

Rep: Reputation: 47
Try logging some packets and see whether they're being blocked or have successfully gone through the gateway.
 
Old 10-12-2004, 07:47 PM   #8
ivj
Member
 
Registered: Jul 2004
Posts: 61

Original Poster
Rep: Reputation: 15
Can you give me some examples of how to do that?

Right now I only know of -j LOG

and I don't want to lose those packets, obviously.
 
Old 10-12-2004, 08:26 PM   #9
Demonbane
Guru
 
Registered: Aug 2003
Location: Sydney, Australia
Distribution: Gentoo
Posts: 1,796

Rep: Reputation: 47
Use -j LOG for each of these ports (or port ranges),
then add another one at the end to log all denied packets.
 
Old 10-12-2004, 09:15 PM   #10
ivj
Member
 
Registered: Jul 2004
Posts: 61

Original Poster
Rep: Reputation: 15
I did the following:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:69]

-A PREROUTING -p udp -i eth0 --dport 6073 -j LOG
-A PREROUTING -p udp -i eth0 --dport 2302:2400 -j LOG
-A PREROUTING -p tcp -i eth0 --dport 6667 -j LOG
-A PREROUTING -p tcp -i eth0 --dport 3783 -j LOG
-A PREROUTING -p udp -i eth0 --dport 27900 -j LOG
-A PREROUTING -p tcp -i eth0 --dport 28900 -j LOG
-A PREROUTING -p tcp -i eth0 --dport 29900 -j LOG
-A PREROUTING -p tcp -i eth0 --dport 29901 -j LOG
-A PREROUTING -p udp -i eth0 --dport 13139 -j LOG
-A PREROUTING -p tcp -i eth0 --dport 6500 -j LOG
-A PREROUTING -p tcp -i eth0 --dport 2302 -j LOG

-A POSTROUTING -s 192.168.0.0/24 -d 0/0 -o eth0 -j MASQUERADE

COMMIT

I didn't add an extra line with -j LOG, because wouldn't that cause ALL the packets to that machine to be dropped to LOG, and my entire network wouldn't work?

Now the problem is, I have no idea where this logs to, and I can't find any info in man or Google.

Any wisdom you'd like to share?
 
Old 10-13-2004, 02:57 AM   #11
Demonbane
Guru
 
Registered: Aug 2003
Location: Sydney, Australia
Distribution: Gentoo
Posts: 1,796

Rep: Reputation: 47
-j LOG does not drop anything;
it logs the matching packet, then passes it on to the next rule.

It depends on how your distro is set up; AFAIK many distros aren't configured to log iptables entries into a separate file, so you have to check the kernel logs or "dmesg".

In fact, try logging on the client, and see if traffic on these ports can reach the client.

Last edited by Demonbane; 10-13-2004 at 03:00 AM.
 
Old 10-13-2004, 02:59 AM   #12
ivj
Member
 
Registered: Jul 2004
Posts: 61

Original Poster
Rep: Reputation: 15
I know dmesg is in /var/log but where are the kernel logs?
 
Old 10-13-2004, 03:03 AM   #13
Demonbane
Guru
 
Registered: Aug 2003
Location: Sydney, Australia
Distribution: Gentoo
Posts: 1,796

Rep: Reputation: 47
Depends on the distro (how the logging daemon is set up).
Nevertheless, you should see it if you type "dmesg".
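A complete version of the setup discussed in this thread, as an added example (not from any poster): it emits DNAT rules for the GameSpy port list using the range syntax the iptables man page documents (a dash in --to-destination, a colon in --dport), the matching FORWARD rules Demonbane's "make sure your firewall doesn't block" refers to, a non-terminating LOG rule on each side, and a small filter for the resulting dmesg lines. Interface eth0 and host 192.168.0.16 are taken from the posts; the log prefixes and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: WAN side is eth0,
# the game host is 192.168.0.16 (the values the poster used).
WAN_IF=eth0
LAN_HOST=192.168.0.16

# "proto port-or-range" per line; the list quoted from the GameSpy FAQ in post #3.
GAMESPY_PORTS="tcp 6667
tcp 3783
udp 27900
tcp 28900
tcp 29900
tcp 29901
udp 13139
tcp 6500
udp 6073
udp 2302-2400
tcp 2302"

# Emit the iptables commands for the whole list. Note the two range notations:
# --dport takes a colon range (2302:2400), DNAT --to-destination a dash range
# (2302-2400). LOG is non-terminating, so it records packets without dropping them.
gen_rules() {
    printf 'iptables -A FORWARD -i %s -d %s -j LOG --log-prefix "gamespy-fwd: "\n' "$WAN_IF" "$LAN_HOST"
    printf '%s\n' "$GAMESPY_PORTS" | while read -r proto ports; do
        dport=$(printf '%s' "$ports" | tr '-' ':')
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$WAN_IF" "$proto" "$dport" "$LAN_HOST" "$ports"
        # DNAT only rewrites the address; FORWARD must also let the packet through.
        printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s -j ACCEPT\n' \
            "$WAN_IF" "$proto" "$LAN_HOST" "$dport"
    done
    # Anything still in FORWARD here was not accepted above: log it under its own prefix.
    printf 'iptables -A FORWARD -i %s -j LOG --log-prefix "fwd-drop: "\n' "$WAN_IF"
}

# Constructed kernel-log lines in the format -j LOG produces (what dmesg shows).
SAMPLE_LOG='[ 812.101] gamespy-fwd: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.0.16 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=6073 DPT=6073 LEN=40
[ 812.220] fwd-drop: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.0.16 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=5000 DPT=5000 LEN=40
[ 813.004] gamespy-fwd: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.0.16 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40211 DPT=2302 WINDOW=8192 RES=0x00 SYN URGP=0'

# Print the destination ports logged under one prefix ($1) from log text ($2),
# i.e. the same thing as `dmesg | grep fwd-drop` with only the DPT= field kept.
logged_dports() {
    printf '%s\n' "$2" | grep -F "$1" | sed -n 's/.*DPT=\([0-9]*\).*/\1/p'
}

logged_dports 'gamespy-fwd: ' "$SAMPLE_LOG"
```

A LOG rule in the nat table, as in post #10, fires only for the first packet of each connection because nat rules are consulted once per connection, which is another reason to log in FORWARD.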
 
Old 10-13-2004, 03:05 AM   #14
ivj
Member
 
Registered: Jul 2004
Posts: 61

Original Poster
Rep: Reputation: 15
Ok I'll try that tomorrow, too sleepy to do that now.

I'm running RH 9.0 btw. And dmesg is an actual command? I just thought it was a log file name.
 