04-27-2003, 02:46 AM | #1 | Member (Registered: Apr 2002; Distribution: Gentoo 2006.0 AMD64; Posts: 399)
IPTables Rule...
I guess this is the right forum for it, as it doesn't really have anything to do with security...
I have set up a Day of Defeat server (Half-Life mod) on my LAN and I want people on the net to be able to connect to it. On my firewall I have put this rule in for iptables, but for some reason people still cannot connect, so I'm guessing there is something wrong with the way I've written the rule to forward the port to the server...
/sbin/iptables -A FORWARD -p TCP -i ppp0 --sport 27015 -o eth0 -d 192.168.0.155 --dport 27015 -j ACCEPT
/sbin/iptables -A FORWARD -p UDP -i ppp0 --sport 27015 -o eth0 -d 192.168.0.155 --dport 27015 -j ACCEPT
Can you point out what's wrong?
04-27-2003, 03:16 AM | #2 | Moderator (Registered: Apr 2002; Location: in a fallen world; Distribution: slackware by choice, others too :} ... android.; Posts: 22,916)
I would have thought that it should be in the INPUT chain, rather than a forwarding one. But I've never tried to run a server behind a firewall :}
If I'm wrong in the paragraph above, maybe you need to check the order of your rules ...
Cheers,
Tink
04-27-2003, 03:38 AM | #3 | Member, Original Poster (Registered: Apr 2002; Distribution: Gentoo 2006.0 AMD64; Posts: 399)
Nah, you're probably right. I don't really know that much about iptables... I'm still learning.
How would I write the rule to forward everything on port 27015 to 192.168.0.155 for the INPUT chain?
This is my entire rule file, in case it is the order of the rules:
/sbin/iptables -F
/sbin/iptables -A INPUT -m state --state NEW,INVALID -i ppp0 -j DROP
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -I INPUT 1 -p tcp -m multiport --dport 22 -j ACCEPT
/sbin/iptables -I INPUT 1 -p tcp -m multiport --dport 80 -j ACCEPT
#DoD Server
/sbin/iptables -A FORWARD -p TCP -i ppp0 --sport 27015 -o eth0 -d 192.168.0.155 --dport 27015 -j ACCEPT
/sbin/iptables -A FORWARD -p UDP -i ppp0 --sport 27015 -o eth0 -d 192.168.0.155 --dport 27015 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
Last edited by Grim Reaper; 04-27-2003 at 03:40 AM.
04-27-2003, 10:34 AM | #4 | Member (Registered: Jan 2003; Location: Poland, Warsaw; Distribution: LFS, Gentoo; Posts: 576)
1. You are using '--sport 27015' in rules for incoming packets. To me this is very strange, since I know of only a few cases where I can be sure the client uses a fixed port number. Are you sure about it? If not, do not use this option.
2. Since you have ppp0 and eth0, I take it (am I right?) that the firewall is a separate box. So you need forwarding to the LAN DoD server.
Try (the same should probably be applied for the UDP protocol; I know nothing about the DoD server protocols):
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 27015 -j DNAT --to-destination=ip_of_DoD_NIC
iptables -A FORWARD -m state --state NEW -i ppp0 -p tcp --dport 27015 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
04-27-2003, 05:35 PM | #5 | Member, Original Poster (Registered: Apr 2002; Distribution: Gentoo 2006.0 AMD64; Posts: 399)
Yeah, you guessed correctly. It's a LAN DoD server and the firewall is a separate box.
The client does use a fixed port number, because when they try to connect, they connect with this: myexternalip:27015
Also, I have two NICs, eth0 going to the internal LAN and eth1 going to my ADSL modem. When I connect to the ISP it creates the ppp0 virtual device... should I put ppp0 in the rules or eth1? Or doesn't it really matter?
I don't know anything about the protocols that DoD uses either... that's why I put both UDP and TCP in, just in case.
I'll try out your rules tonight... thanks for the help.
04-27-2003, 09:22 PM | #6 | Senior Member (Registered: Sep 2001; Location: Brisvegas, Antipodes; Distribution: Slackware; Posts: 4,590)
So.....tell me Grim, did you cut and paste your OCAU post here or was it the other way around?
04-28-2003, 03:47 AM | #7 | Member, Original Poster (Registered: Apr 2002; Distribution: Gentoo 2006.0 AMD64; Posts: 399)
Nah, the other way around :P I posted it here first, then thought I'd try OCAU as well to get a fast response... as I asked you on ICQ (btw, I tried your thing but it didn't work) about the same thing...
04-28-2003, 04:21 AM | #8 | Member, Original Poster (Registered: Apr 2002; Distribution: Gentoo 2006.0 AMD64; Posts: 399)
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 27015 -j DNAT --to-destination=192.168.0.155
That works!! It worked!! w00tah! Thank you s0000 much..
Are the other two lines needed though, do they do anything special? Also... is running just this one line secure? Like, can people do a SYN flood or something?
04-28-2003, 12:20 PM | #9 | Member (Registered: Jan 2003; Location: Poland, Warsaw; Distribution: LFS, Gentoo; Posts: 576)
Typically, firewall rules are set up to DROP all packets. Next, only allowed ones (to allowed ports) are accepted. The above two FORWARD lines were presented assuming this philosophy.
If everything works without them, it means that forwarding is enabled (probably it is the default policy). So it is not necessary to use these lines in this case (security for such settings is a separate subject).
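The DNAT plus FORWARD rules from post #4, combined with the drop-everything-then-allow policy post #9 describes, written out as a complete rule script. This is an added example, not the thread's own rule file or the OP's firewall. It assumes the thread's names (ppp0 as the internet side, eth0 as the LAN, server 192.168.0.155, port 27015), treats the LAN as trusted, forwards both TCP and UDP because the thread never settles which one the game uses, and adds a connection-rate limit on the forwarded port that goes beyond the thread (it throttles a flood of new connections, it does not prevent one). It is a dry run by default: IPT expands to "echo /sbin/iptables", so it prints the rules rather than applying them. Run it as root with IPT=/sbin/iptables to apply.

```shell
#!/bin/sh
# Added example (not from the thread): forward a LAN game server's port through
# an iptables NAT box whose INPUT and FORWARD chains default to DROP.
# Dry run by default: IPT is "echo /sbin/iptables", so rules are printed.
# To apply for real:  IPT=/sbin/iptables sh forward.sh   (as root)

WAN_IF="${WAN_IF:-ppp0}"            # packets from the net arrive on the PPP link,
                                    # not on the eth1 that carries the PPPoE frames
LAN_IF="${LAN_IF:-eth0}"
SERVER="${SERVER:-192.168.0.155}"   # LAN game server, as in the thread
PORT="${PORT:-27015}"
IPT="${IPT:-echo /sbin/iptables}"

# Emit (or apply) the whole ruleset: forward $4/tcp and $4/udp arriving on $1
# to host $3 on interface $2. Every rule goes through $IPT so it can be printed.
dod_forward_rules() {
    wan=$1; lan=$2; srv=$3; port=$4

    # Start clean, then default to DROP (post #9's philosophy): with FORWARD
    # defaulting to DROP, a DNAT rule alone is no longer enough.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Traffic to the firewall host itself: loopback, replies to its own
    # connections, the (assumed trusted) LAN, and the SSH/HTTP ports the OP opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -i "$lan" -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT

    # Forwarded traffic: replies in both directions, and LAN hosts out to the net.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -i "$lan" -o "$wan" -j ACCEPT

    # The port forward itself. No --sport match: clients pick an arbitrary
    # source port (post #4, point 1); only the destination port is fixed.
    for proto in tcp udp; do
        # Rewrite the destination before routing so the packet heads for the LAN host.
        $IPT -t nat -A PREROUTING -i "$wan" -p "$proto" --dport "$port" \
            -j DNAT --to-destination "$srv"
        # After DNAT the packet is routed, so FORWARD must accept it explicitly.
        # The limit match is an addition beyond the thread: it caps the rate of
        # new connections to the server, blunting (not preventing) a flood.
        $IPT -A FORWARD -i "$wan" -o "$lan" -p "$proto" -d "$srv" --dport "$port" \
            -m state --state NEW -m limit --limit 50/second --limit-burst 100 -j ACCEPT
    done

    # Outbound masquerading for the LAN, as in the OP's rule file.
    $IPT -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

dod_forward_rules "$WAN_IF" "$LAN_IF" "$SERVER" "$PORT"

# Only touch the kernel when actually applying (IPT is the real binary, not echo).
case "$IPT" in
    echo*) ;;
    *) echo 1 > /proc/sys/net/ipv4/ip_forward ;;
esac
```

Post #4's extra "POSTROUTING -o eth0 -j MASQUERADE" is left out on purpose: the firewall is already the LAN's default gateway (the OP masquerades the LAN through it), so the server's replies come back through the firewall and get un-DNATed by conntrack without it, and adding it would make every connection appear to the server to come from the firewall's LAN address. After applying, "iptables -t nat -L PREROUTING -n -v" and "iptables -L FORWARD -n -v" show per-rule packet counters, which is the quickest way to see whether a client's packets are being DNATed but then dropped by the FORWARD policy.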