LinuxQuestions.org
Old 12-16-2002, 05:42 PM   #1
Sonicsone
LQ Newbie
 
Registered: Nov 2002
Distribution: RedHat
Posts: 12

Rep: Reputation: 0
IPChains & UDP ports


Hello,

I have a RH 6.2 Linux box running as my firewall. I have a RH 7.3 Linux box running as my CS/DOD server. My server runs great, people can connect, Gametiger can find it but the WON list cannot.

I know this is an issue with the UDP packets and how my firewall is treating them.

I forward UDP 27015 to my CS Server from the outside, my CS Server responds on port 27015, but my firewall is sending it out on some miscellaneous UDP port like 61000.

Example: CS Server sends as 192.168.2.2:27015 ------> firewall sends as $EXT_IP:61536

Question: What is the IPChains rule that would make it do 1 for 1 port mapping from internal machines to the internet?

Example: CS Server sends as 192.168.2.2:27015 ------> firewall sends as $EXT_IP:27015

DOES ANYBODY OUT THERE KNOW HOW TO DO THIS? There has to be a way to tell the firewall to not change the UDP port...

PLEASE HELP!!!!

Thanks,

Jim
 
Old 12-16-2002, 07:43 PM   #2
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
the client that's sending the data back cannot be controlled by the firewall. You just need the unprivileged ports to be open

# Accept UDP between unprivileged ports on the external interface, both directions.
# $UNPRIVPORTS is the usual 1024:65535 range; the -y flag matches only TCP SYN
# packets, so it is left out of these UDP rules.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port $UNPRIVPORTS \
--source-port $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
--destination-port $UNPRIVPORTS \
--source-port $UNPRIVPORTS -j ACCEPT
 
Old 12-16-2002, 08:32 PM   #3
Sonicsone
LQ Newbie
 
Registered: Nov 2002
Distribution: RedHat
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by DavidPhillips
the client that's sending the data back cannot be controlled by the firewall. You just need the unprivileged ports to be open

# Accept UDP between unprivileged ports on the external interface, both directions.
# $UNPRIVPORTS is the usual 1024:65535 range; the -y flag matches only TCP SYN
# packets, so it is left out of these UDP rules.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port $UNPRIVPORTS \
--source-port $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
--destination-port $UNPRIVPORTS \
--source-port $UNPRIVPORTS -j ACCEPT
Thanks for the reply!

Not the answer I was looking for though. I have the ports open but from what you are saying, I cannot tell the firewall to leave the ports alone...

Oh well, I guess I might be defeated. If I can't get the internal box to announce through the firewall on port 27015, then it won't list on WON (the master list of servers). Even when I take the firewall completely down, it doesn't work right. The only thing that has worked is putting the CS server on my external ip address directly (then I have no network connectivity for my other machines).

Thanks again,

Jim
 
Old 12-16-2002, 08:45 PM   #4
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
it should work

the router knows that the machine on the other end is wanting to use the other port

the port 27015 must be forwarded for it to work, so taking down the firewall completely won't work

what are you using for your ipmasqadm rules
 
Old 12-17-2002, 10:13 AM   #5
Sonicsone
LQ Newbie
 
Registered: Nov 2002
Distribution: RedHat
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by DavidPhillips
it should work

the router knows that the machine on the other end is wanting to use the other port

the port 27015 must be forwarded for it to work, so taking down the firewall completely won't work

what are you using for your ipmasqadm rules
Well, for testing purposes, I take my firewall completely down. Then I issue this command:

ipmasqadm portfw -a -P udp -L $IPADDR 27015 -R 192.168.2.2 27015

At this point everything is wide open, default policies are to ACCEPT, and I have that one port forwarded to the internal server.

The internal server is listening on port 27015 and when I start the game, it shows that it has started on 192.168.2.2:27015. But, for some reason, it is showing up to the outside world as:

my.ext.ip:61576 (or some other unprivileged port).

Do you have any insight as to what might be causing this port redirection (so to speak)? I thought it might be that "ip_masq_udp_dloose" needed to be enabled:
(echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose)

I have tried that both on and off, and it made no difference. I would think that the router should simply masq everything internal going to the outside and leave everything on the same ports.

Any suggestions/insight would be greatly appreciated at this point. I don't even know if I want to run a CS server any longer, but I don't like being as stumped as I am right now....

Thanks again,

Jim
 
Old 12-17-2002, 12:20 PM   #6
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
yea, that looks right

what happens if you put it on a different port, like 27016 or 27017
 
Old 12-17-2002, 12:22 PM   #7
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
I guess I might need to fire up my old rh 6.2 and check it out



does it show WON auth when it fires up?

I was just looking back up at the posts, I think it's working if other people can connect.

Last edited by DavidPhillips; 12-17-2002 at 12:25 PM.
 
Old 12-17-2002, 12:59 PM   #8
Sonicsone
LQ Newbie
 
Registered: Nov 2002
Distribution: RedHat
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by DavidPhillips
I guess I might need to fire up my old rh 6.2 and check it out

does it show WON auth when it fires up?

I was just looking back up at the posts, I think it's working if other people can connect.
Yeah, it shows WON Auth when booting up. The way people can get to it is by connecting via console (if they know the address). It doesn't show on the main WON list, but it can be found by using Gametiger or Gamespy Arcade. It just seems to be the main WON list that can't pick it up... I have had random people jump on the server with the "quick connect" option as well, but that just goes to the quickest, closest available server.

How I know that it is using an off port is because when I use Gametiger to "sniff" the external address, it tells what port it is on (usually 61XXX). Maybe I need to leave it up for a couple of days to see if it shows up on WON.
 
Old 12-17-2002, 01:07 PM   #9
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
yes, your ip is masqed and people are connecting, so it has to be working
 
Old 12-17-2002, 01:48 PM   #10
Sonicsone
LQ Newbie
 
Registered: Nov 2002
Distribution: RedHat
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by DavidPhillips
yes, your ip is masqed and people are connecting, so it has to be working


Thanks a lot for helping me, I appreciate it. I am sure others will benefit from this post too... I have seen this question asked over and over, but I have yet to see it resolved (as far as not showing up on WON). The information I have seen is pretty vague at best..

Here is a tidbit from another forum with the crux of the problem and the best info I have found detailing the problem:

"Not the IP is the prob, the port is the prob. When it leaves your router and goes to WON, it has a port different than 27015. So WON wants to check back for example IP:61234 - but at this port there is no CS-Server waiting for communication - the server is listening at 27015

Now your CS-Server wants to communicate via port 27015 (again, only an example). This goes to the router - and then we run into the problem: the router doesn't take port 27015 to communicate with the internet
It uses maybe 60123 or any other - so you have to check that the router forwards in AND out 1 to 1
But how to get it to work with a hardware router - sorry, don't know.

OK guys, I found a solution that worked for me: I told my FW to route any udp-packet from hlds to the internet without exchanging the port.

It worked on my HW-Router (Bintec X1200), but I don't know how to set up an ipchains or iptables based Linux NAT-firewall. Maybe there's a guru out there to post the settings for these people.
But the theory is simple:
1. hlds sends udp-packets from its IP, e.g. 192.168.1.3, port 27015 to the firewall, e.g. 192.168.1.254
2. the firewall receives the packet on its internal NIC 192.168.1.254 and retransmits it via its external NIC, e.g. 200.123.123.123. And now that's the point: it has to use port 27015 again! Otherwise your server will be listed with a wrong port (the new one, randomly selected by the firewall)."

That is exactly the issue I am dealing with.....

Jim

Last edited by Sonicsone; 12-17-2002 at 01:56 PM.
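The mechanism behind the symptom in post #5 (the server showing up as my.ext.ip:61576) and behind the quoted explanation in post #10 can be modelled in a few dozen lines. The Python below is an added example, not code from the thread or from any of its posters, and it is a simplified model rather than the kernel's masquerading code. What is real in it: 2.2 kernels give each masqueraded UDP flow an external port from the 61000-65095 pool (which is why 61536 and 61576 appear in the thread), ipmasqadm portfw installs a static inbound mapping, and ip_masq_udp_dloose=1 lets any peer reach a masq entry instead of only the peer it was created for. The addresses are constructed, and the preserve_ports policy is hypothetical: it is the 1-for-1 outbound mapping the thread asks for, which ipchains-era masquerading does not offer (netfilter's SNAT/MASQUERADE in later kernels keeps the original source port when it is free). The model sends one heartbeat from the server to a master server, then checks which inbound datagrams reach the server under each policy.

```python
"""Toy model of Linux 2.2 UDP masquerading (added example, not from the thread).

Addresses are constructed; preserve_ports is a hypothetical policy. The port pool,
ipmasqadm portfw and ip_masq_udp_dloose are real 2.2-era features, modelled simply.
"""
import itertools

PORT_MASQ_BEGIN, PORT_MASQ_END = 61000, 65095   # masq port pool on 2.2 kernels (inclusive)
EXT_IP = "203.0.113.10"                          # constructed: firewall external address
SERVER = ("192.168.2.2", 27015)                  # internal game server, as in the thread
MASTER = ("198.51.100.5", 27010)                 # constructed: master-list server
CLIENT = ("192.0.2.77", 27005)                   # constructed: a third-party game client


class Masq:
    """Simplified masquerade table.

    dloose=False: one entry per (internal src, external peer); only that peer's
                  datagrams are translated back.
    dloose=True:  one entry per internal src; any peer may send to the masq port
                  while the entry exists (ip_masq_udp_dloose=1).
    portfw:       static EXT_IP:port -> internal (ip, port) forwards (ipmasqadm portfw).
    preserve_ports: hypothetical 1-for-1 policy that reuses the internal source
                  port as the external port when it is free.
    """

    def __init__(self, dloose=False, portfw=None, preserve_ports=False):
        self.dloose = dloose
        self.preserve_ports = preserve_ports
        self.portfw = dict(portfw or {})
        self.table = {}     # key -> {"ext_port": int, "peer": (ip, port) or None}
        self.by_ext = {}    # ext_port -> (internal (ip, port), entry)
        self._pool = itertools.count(PORT_MASQ_BEGIN)

    def _alloc(self, src, src_port):
        # Hypothetical policy: keep the internal port unless something else owns it.
        if (self.preserve_ports and src_port not in self.by_ext
                and self.portfw.get(src_port, src) == src):
            return src_port
        for port in self._pool:             # 2.2 behaviour: next free pool port
            if port > PORT_MASQ_END:
                raise RuntimeError("masq port pool exhausted")
            if port not in self.by_ext:
                return port

    def outbound(self, src, dst):
        """Internal src=(ip, port) sends to dst=(ip, port); return the source the peer sees."""
        key = src if self.dloose else (src, dst)
        entry = self.table.get(key)
        if entry is None:
            entry = {"ext_port": self._alloc(src, src[1]),
                     "peer": None if self.dloose else dst}
            self.table[key] = entry
            self.by_ext[entry["ext_port"]] = (src, entry)
        return (EXT_IP, entry["ext_port"])

    def inbound(self, src, dst_port):
        """Datagram from external src to EXT_IP:dst_port; return internal target, or None if dropped."""
        if dst_port in self.portfw:             # static forward takes precedence
            return self.portfw[dst_port]
        hit = self.by_ext.get(dst_port)
        if hit is None:
            return None                         # no masq entry: dropped
        internal, entry = hit
        if entry["peer"] is None or entry["peer"] == src:
            return internal
        return None                             # strict entry, wrong peer: dropped


def scenario(**policy):
    """One heartbeat from the server to the master, then three inbound probes."""
    nat = Masq(**policy)
    listed = nat.outbound(SERVER, MASTER)       # the master records this (ip, port)
    return {
        "listed_as": listed,
        "master_reply": nat.inbound(MASTER, listed[1]),      # master answers the heartbeat
        "client_to_listed": nat.inbound(CLIENT, listed[1]),  # client uses the listed port
        "client_to_27015": nat.inbound(CLIENT, 27015),       # client uses the real port
    }


if __name__ == "__main__":
    for name, policy in [
        ("strict masq, no portfw", {}),
        ("strict masq + portfw 27015", {"portfw": {27015: SERVER}}),
        ("dloose=1 + portfw 27015", {"dloose": True, "portfw": {27015: SERVER}}),
        ("port-preserving + portfw 27015", {"preserve_ports": True, "portfw": {27015: SERVER}}),
    ]:
        print(f"{name:34} {scenario(**policy)}")
```

The four rows make the practical point of the thread visible: under plain masquerading the master server's own reply does get back to 192.168.2.2:27015, but a third party that uses the listed 61xxx port is dropped unless dloose is on, and the port forward only helps clients that already know to use 27015. Only the port-preserving policy makes the listed port and the forwarded port coincide, which is the behaviour the poster was trying to get out of ipchains.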
 
All times are GMT -5.