LinuxQuestions.org
Linux - Software This forum is for Software issues.
Old 04-27-2003, 02:46 AM   #1
Grim Reaper
IPTables Rule...


I guess this is the right forum for it as it doesn't really have anything to do with security...

I have set up a Day of Defeat server (Half-Life mod) on my LAN and I want people on the net to be able to connect to it. On my firewall I have put this rule in for iptables, but for some reason people still cannot connect, so I'm guessing there is something wrong with the way I've written the rule to forward the port to the server...

/sbin/iptables -A FORWARD -p TCP -i ppp0 --sport 27015 -o eth0 -d 192.168.0.155 --dport 27015 -j ACCEPT
/sbin/iptables -A FORWARD -p UDP -i ppp0 --sport 27015 -o eth0 -d 192.168.0.155 --dport 27015 -j ACCEPT

Can you point out what's wrong?
 
Old 04-27-2003, 03:16 AM   #2
Tinkster
Moderator
 
I would have thought that it should be in the INPUT chain, rather than a forwarding one. But I've never tried to run a server behind a firewall :}

If I'm wrong in the paragraph above, maybe you need to check the order of your rules ...

Cheers,
Tink
 
Old 04-27-2003, 03:38 AM   #3
Grim Reaper
Original Poster
Nah, you're probably right. I don't really know that much about iptables... I'm still learning.

How would I write the rule to forward everything on port 27015 to 192.168.0.155 for the INPUT chain?


This is my entire rule file, in case it's the order of the rules:

/sbin/iptables -F
/sbin/iptables -A INPUT -m state --state NEW,INVALID -i ppp0 -j DROP
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -I INPUT 1 -p tcp -m multiport --dport 22 -j ACCEPT
/sbin/iptables -I INPUT 1 -p tcp -m multiport --dport 80 -j ACCEPT

#DoD Server
/sbin/iptables -A FORWARD -p TCP -i ppp0 --sport 27015 -o eth0 -d 192.168.0.155 --dport 27015 -j ACCEPT
/sbin/iptables -A FORWARD -p UDP -i ppp0 --sport 27015 -o eth0 -d 192.168.0.155 --dport 27015 -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

Last edited by Grim Reaper; 04-27-2003 at 03:40 AM.
 
Old 04-27-2003, 10:34 AM   #4
dorian33
1. You are using '--sport 27015' in rules for incoming packets. To me this is very strange, since I know of only a few cases where I can be sure the client uses a fixed port number. Are you sure about it? If not, do not use this phrase.
2. Since you have got ppp0 and eth0, I see (am I right?) that the firewall is a separate box. So you need forwarding to the LAN DoD server.
Try (the same should probably be applied for the UDP protocol - I know nothing about DoD server protocols):
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 27015 -j DNAT --to-destination=ip_of_DoD_NIC
iptables -A FORWARD -m state --state NEW -i ppp0 -p tcp --dport 27015 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
Old 04-27-2003, 05:35 PM   #5
Grim Reaper
Original Poster
Yeah, you guessed correctly. It's a LAN DoD server and the firewall is a separate box.

The client does use a fixed port number, because when they try to connect, they connect with this: myexternalip:27015

Also, I have two NICs, eth0 going to the internal LAN and eth1 going to my ADSL modem. When I connect to the ISP it creates the ppp0 virtual device... should I put ppp0 in the rules or eth1? Or doesn't it really matter?

I don't know anything about the protocols that DoD uses either... that's why I put both UDP and TCP in, just in case.

I'll try out your rules tonight... thanks for the help.
 
Old 04-27-2003, 09:22 PM   #6
Aussie
So.....tell me Grim, did you cut and paste your OCAU post here or was it the other way around?
 
Old 04-28-2003, 03:47 AM   #7
Grim Reaper
Original Poster
Nah, other way around :P I posted it here first, then thought I'd try OCAU as well to get a fast response... as I asked you on ICQ (btw, I tried your thing but it didn't work) about the same thing...
 
Old 04-28-2003, 04:21 AM   #8
Grim Reaper
Original Poster
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 27015 -j DNAT --to-destination=192.168.0.155

that works!! it worked!! w00tah! thank you s0000 much..

Are the other two lines needed though, do they do anything special? Also... is running just this one line secure, like can people do, like, a SYN flood or something?
 
Old 04-28-2003, 12:20 PM   #9
dorian33
Typically firewall rules are set up to DROP all packets. Then only the allowed ones (to allowed ports) are accepted. The two FORWARD lines above were presented assuming this philosophy.
If everything works without them, it means that forwarding is enabled (probably it is the default policy). So it is not necessary to use these lines in this case (the security of such settings is a separate subject).
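As an added example (not code from the thread or its posters), the script below turns dorian33's four rules into the complete default-DROP ruleset his last reply describes, covering both TCP and UDP as the thread suggests; interface names, server address and port are the thread's, while the RUN/IPT variables and dry-run behaviour are my additions, so by default it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: default-DROP ruleset that publishes the
# LAN game server via DNAT, generalising dorian33's four rules to TCP and UDP.
# Interface names, server address and port are the thread's. RUN defaults to
# "echo" so the rules are printed, not applied; run as root with RUN= to apply.
RUN="${RUN-echo}"
IPT="${IPT:-/sbin/iptables}"
WAN_IF="${WAN_IF:-ppp0}"            # the PPP link carries the public IP, not eth1
LAN_IF="${LAN_IF:-eth0}"
SERVER="${SERVER:-192.168.0.155}"   # Day of Defeat server on the LAN
PORT="${PORT:-27015}"

dod_rules() {
    $RUN $IPT -F
    $RUN $IPT -t nat -F
    # Default deny; everything accepted below is an explicit exception.
    $RUN $IPT -P INPUT DROP
    $RUN $IPT -P FORWARD DROP
    $RUN $IPT -P OUTPUT ACCEPT
    # The firewall itself: loopback, the LAN side, tracked replies, and the
    # ssh/http ports the original rule file opened.
    $RUN $IPT -A INPUT -i lo -j ACCEPT
    $RUN $IPT -A INPUT -i "$LAN_IF" -j ACCEPT
    $RUN $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $RUN $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j ACCEPT
    $RUN $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 80 -j ACCEPT
    # Forwarding: tracked replies both ways, new connections from LAN to WAN.
    $RUN $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $RUN $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    $RUN $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # Game server: rewrite the destination in PREROUTING, then accept only NEW
    # packets for that one port in FORWARD. No --sport match: clients pick
    # their source port freely; only the destination port is fixed.
    for proto in tcp udp; do
        $RUN $IPT -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" \
            --dport "$PORT" -j DNAT --to-destination "$SERVER"
        $RUN $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" \
            -d "$SERVER" --dport "$PORT" -m state --state NEW -j ACCEPT
    done
    $RUN sysctl -w net.ipv4.ip_forward=1
}

dod_rules
```

Because FORWARD's policy is DROP, the DNAT line alone would no longer be enough here: the matching FORWARD ACCEPT is what lets the rewritten packets through, which is why the thread's "it works with just one line" result only holds on a box whose FORWARD policy is ACCEPT.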
 
  

