LinuxQuestions.org

Linux - Networking: iptables vs. world of warcraft (https://www.linuxquestions.org/questions/linux-networking-3/iptables-vs-world-of-warcraft-511774/)

CowLoon 12-18-2006 09:36 PM

iptables vs. world of warcraft
 
Is there something unusual that I need to do to forward ports for world of warcraft via iptables? I don't feel very confident about my understanding of iptables or tcp/ip, but I thought these rules made sense:

$IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF -d $gateway --dport 3724 -j DNAT --to-destination 192.168.0.10-192.168.0.100
$IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF -d $gateway --dport 6112 -j DNAT --to-destination 192.168.0.10-192.168.0.100
$IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF -d $gateway --dport 6881:6999 -j DNAT --to-destination 192.168.0.10-192.168.0.100

$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.10-192.168.0.100 --dport 3724 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.10-192.168.0.100 --dport 6112 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.10-192.168.0.100 --dport 6881:6999 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

I think a packet is supposed to come in and be matched against rules in the PREROUTING chain, so packets from the wow server should match and then go on to DNAT. Then packets go onto the FORWARD chain and should be accepted.

But I get errors in syslog that I think imply that packets are being caught by:

$IPTABLES -A FORWARD -m state --state INVALID -j LINVALID

where packets get logged in the LINVALID chain and then dropped.

If I remove -m state --state NEW,ESTABLISHED,RELATED from the FORWARD chain rules above, it looks like packets are being caught by:

$IPTABLES -A FORWARD -j LDROP

(in other words, no rule matched) where packets get logged in the LDROP chain and then dropped.

The log lines look like:

Dec 18 19:20:23 bleh kernel: [17617673.000000] fp=TCP:1 a=DROP IN=eth0 OUT=eth1 SRC=some.ip.address DST=192.168.0.100 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=49822 DF PROTO=TCP SPT=2673 DPT=3724 WINDOW=65535 RES=0x00 SYN URGP=0

for the LDROP chain, or:

Dec 18 19:26:39 bleh kernel: [17618049.736000] fp=INVALID:1 a=DROP IN=eth0 OUT= MAC=00:01:6c:3d:3d:6f:00:02:3b:02:a4:91:08:00 SRC=x.x.x.x DST=my.external.ip.address LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=5697 DF PROTO=TCP SPT=4492 DPT=3724 WINDOW=0 RES=0x00 ACK RST URGP=0

(or RST instead of ACK RST) for the LINVALID chain.

Do you have any thoughts about what the problem could be?

fotoguy 12-19-2006 02:51 AM

Have you turned on IP forwarding in the kernel? By default it's turned off; this is separate from the forwarding rules. Try:

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward

Can you post the entire iptables script? I'm not the best at iptables, but the full script will help to understand what exactly is being filtered. Also, you can only DNAT to a single IP address as far as I know, not to a range of addresses.

CowLoon 12-19-2006 05:44 PM

Quote:

Originally Posted by fotoguy
Have you turned on IP forwarding in the kernel? By default it's turned off; this is separate from the forwarding rules. Try:

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward

Can you post the entire iptables script? I'm not the best at iptables, but the full script will help to understand what exactly is being filtered. Also, you can only DNAT to a single IP address as far as I know, not to a range of addresses.

Yes, I turn on IP forwarding. As far as DNAT, I get the same results using a single address. Besides, the man page refers to the --to-destination parameter of DNAT as taking a range of addresses.

The script follows. It is an altered version of http://www.linuxguruz.com/iptables/s...rewall_023.txt

#!/bin/sh -x
IPTABLES="/sbin/iptables"


case "$1" in
stop)
echo "Shutting down firewall..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t nat

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
echo "...done"
;;
status)
echo $"Table: filter"
$IPTABLES --list
echo $"Table: nat"
$IPTABLES -t nat --list
;;
restart|reload)
$0 stop
$0 start
;;
start)
echo "Starting Firewall..."
echo ""


## Default external interface (used, if EXTIF isn't specified on command line)
DEFAULT_EXTIF="eth0"

## Default internal interface (used, if INTIF isn't specified on command line)
DEFAULT_INTIF="eth1"

#----Special Variables-----#

# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"

# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"

# Specification of X Window System (TCP) ports.
XWINPORTS="6000:6063"

# Ports for IRC-Connection-Tracking
IRCPORTS="6665,6666,6667,6668,6669,7000"


#TORTOISE="192.168.0.101"

#----Flood Variables-----#

# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"

# Overall Limit for Logging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"

# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"



#----Automatically determine infos about involved interfaces-----#

### External Interface:

## Get external interface from command-line
## If no interface is specified then set $DEFAULT_EXTIF as EXTIF
if [ "x$2" != "x" ]; then
EXTIF=$2
else
EXTIF=$DEFAULT_EXTIF
fi
echo External Interface: $EXTIF

## Determine external IP
EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`"
if [ "$EXTIP" = '' ]; then
echo "Aborting: Unable to determine the IP-address of $EXTIF !"
exit 1
fi
echo External IP: $EXTIP

## Determine external gateway
EXTGW=`route -n | grep -A 4 UG | awk '{ print $2}'`
echo Default GW: $EXTGW


echo " --- "


### Internal Interface:

## Get internal interface from command-line
## If no interface is specified then set $DEFAULT_INTIF as INTIF
if [ "x$3" != "x" ]; then
INTIF=$3
else
INTIF=$DEFAULT_INTIF
fi
echo Internal Interface: $INTIF

## Determine internal IP
INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`"
if [ "$INTIP" = '' ]; then
echo "Aborting: Unable to determine the IP-address of $INTIF !"
exit 1
fi
echo Internal IP: $INTIP

## Determine internal netmask
INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`"
echo Internal Netmask: $INTMASK

## Determine network address of the internal network
INTLAN=$INTIP'/'$INTMASK
echo Internal LAN: $INTLAN

echo ""


#----Load IPTABLES-modules-----#


#Insert modules- should be done automatically if needed

#If the IRC-modules are available, uncomment them below

echo "Loading IPTABLES modules"

dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
#/sbin/modprobe ip_nat_irc ports=$IRCPORTS
dmesg -n 6

echo " --- "


#----Clear/Reset all chains-----#

#Clear all IPTABLES-chains

#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t nat

#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP


#----Set network sysctl options-----#


echo "Setting sysctl options"

#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#Set our local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack


echo " --- "

echo "Creating user-chains"



#----Create logging chains-----#

##These are the logging-chains. They all have a certain limit of log-entries/sec to prevent log-flooding
##The syslog-entries will be fireparse-compatible (see http://www.fireparse.com)


#Invalid packets (not ESTABLISHED,RELATED or NEW)
$IPTABLES -N LINVALID
$IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP "
$IPTABLES -A LINVALID -j DROP

#TCP-Packets with one or more bad flags
$IPTABLES -N LBADFLAG
$IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
$IPTABLES -A LBADFLAG -j DROP

#Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
$IPTABLES -N LSPECIALPORT
$IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP "
$IPTABLES -A LSPECIALPORT -j DROP

#Logging of possible TCP-SYN-Floods
$IPTABLES -N LSYNFLOOD
$IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
$IPTABLES -A LSYNFLOOD -j DROP

#Logging of possible Ping-Floods
$IPTABLES -N LPINGFLOOD
$IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
$IPTABLES -A LPINGFLOOD -j DROP


#All other dropped packets
$IPTABLES -N LDROP
$IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP "
$IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP "
$IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP "
$IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP "
$IPTABLES -A LDROP -j DROP

#All other rejected packets
$IPTABLES -N LREJECT
$IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=REJECT "
$IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=REJECT "
$IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=REJECT "
$IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT "
$IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A LREJECT -j REJECT



#----Create Accept-Chains-----#


#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in

$IPTABLES -N TCPACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
$IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT


#----Create special User-Chains-----#


#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)

$IPTABLES -N CHECKBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG



#FILTERING FOR SPECIAL PORTS


#Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)

#SMB-Traffic
$IPTABLES -N SMB

$IPTABLES -A SMB -p tcp --dport 137 -j DROP
$IPTABLES -A SMB -p tcp --dport 138 -j DROP
$IPTABLES -A SMB -p tcp --dport 139 -j DROP
$IPTABLES -A SMB -p tcp --dport 445 -j DROP
$IPTABLES -A SMB -p udp --dport 137 -j DROP
$IPTABLES -A SMB -p udp --dport 138 -j DROP
$IPTABLES -A SMB -p udp --dport 139 -j DROP
$IPTABLES -A SMB -p udp --dport 445 -j DROP

$IPTABLES -A SMB -p tcp --sport 137 -j DROP
$IPTABLES -A SMB -p tcp --sport 138 -j DROP
$IPTABLES -A SMB -p tcp --sport 139 -j DROP
$IPTABLES -A SMB -p tcp --sport 445 -j DROP
$IPTABLES -A SMB -p udp --sport 137 -j DROP
$IPTABLES -A SMB -p udp --sport 138 -j DROP
$IPTABLES -A SMB -p udp --sport 139 -j DROP
$IPTABLES -A SMB -p udp --sport 445 -j DROP


#Inbound Special Ports

$IPTABLES -N SPECIALPORTS

#Deepthroat Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 6670 -j LSPECIALPORT

#Subseven Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT

#Netbus Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT

#Back Orifice scan
$IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT

#X-Win
#$IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS -j LSPECIALPORT

#Hack'a'Tack 2000
$IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT



#ICMP/TRACEROUTE FILTERING


#Inbound ICMP/Traceroute

$IPTABLES -N ICMPINBOUND

#Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT
#
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD

#Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP

#Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP

#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP


#Allow all other ICMP in
$IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT




#Outbound ICMP/Traceroute

$IPTABLES -N ICMPOUTBOUND

#Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP

#Block ICMP-TTL-Expired
#MS Traceroute (MS uses ICMP instead of UDP for tracert)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP

#Block ICMP-Parameter-Problem
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP

#Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP

#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP


##Accept all other ICMP going out
$IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT



#----End User-Chains-----#



echo " --- "


#----Start Ruleset-----#

echo "Implementing firewall rules..."


#################
## INPUT-Chain ## (everything that is addressed to the firewall itself)
#################


##GENERAL Filtering

# Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A INPUT -m state --state INVALID -j LINVALID

# Check TCP-Packets for Bad Flags
$IPTABLES -A INPUT -p tcp -j CHECKBADFLAG


##Packets FROM FIREWALL-BOX ITSELF

#Local IF
$IPTABLES -A INPUT -i lo -j ACCEPT
#
#Kill connections to the local interface from the outside world (--> Should already be caught by kernel/rp_filter)
$IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT


##VNC
$IPTABLES -A INPUT -p tcp --sport 5801 -j DROP
$IPTABLES -A INPUT -p tcp --sport 5901 -j DROP
$IPTABLES -A INPUT -p tcp --sport 6001 -j DROP

$IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS -j LSPECIALPORT

##Packets FROM INTERNAL NET


##Allow unlimited traffic from internal network using legit addresses to firewall-box
##If protection from the internal interface is needed, alter it

$IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT

#Kill anything from outside claiming to be from internal network (Address-Spoofing --> Should already be caught by rp_filter)
$IPTABLES -A INPUT -s $INTLAN -j LREJECT



##Packets FROM EXTERNAL NET


##ICMP & Traceroute filtering

#Filter ICMP
$IPTABLES -A INPUT -i $EXTIF -p icmp -j ICMPINBOUND

#Block UDP-Traceroute
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP


##Silent Drops/Rejects (Things we don't want in our logs)

#Drop all SMB-Traffic
$IPTABLES -A INPUT -i $EXTIF -j SMB

#Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset


##Public services running ON FIREWALL-BOX (comment out to activate):

# ftp-data
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 20 -j TCPACCEPT

# ftp
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j TCPACCEPT

# ssh
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j TCPACCEPT

#telnet
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j TCPACCEPT

# http
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j TCPACCEPT

$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 2234 -j TCPACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 5534 -j TCPACCEPT

#Separate logging of special portscans/connection attempts

$IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS

##Allow ESTABLISHED/RELATED connections in

$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT


##Catch all rule
$IPTABLES -A INPUT -j LDROP





##################
## Output-Chain ## (everything that comes directly from the Firewall-Box)
##################



##Packets TO FIREWALL-BOX ITSELF

#Local IF
$IPTABLES -A OUTPUT -o lo -j ACCEPT


##Packets TO INTERNAL NET

#Allow unlimited traffic to internal network using legit addresses
$IPTABLES -A OUTPUT -o $INTIF -d $INTLAN -j ACCEPT



##Packets TO EXTERNAL NET


##ICMP & Traceroute

$IPTABLES -A OUTPUT -o $EXTIF -p icmp -j ICMPOUTBOUND



##Silent Drops/Rejects (Things we don't want in our logs)

#SMB
$IPTABLES -A OUTPUT -o $EXTIF -j SMB

#Ident
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT --reject-with tcp-reset



##Public services running ON FIREWALL-BOX (comment out to activate):

# ftp-data
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 20 -j ACCEPT

# ftp
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 21 -j ACCEPT

# ssh
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

#telnet
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT

# http
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 2234 -j TCPACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 5534 -j TCPACCEPT

##Accept all tcp/udp traffic on unprivileged ports going out

$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport $UNPRIVPORTS -j ACCEPT



##Catch all rule

$IPTABLES -A OUTPUT -j LDROP



####################
## FORWARD-Chain ## (everything that passes the firewall)
####################


##GENERAL Filtering

# Check TCP-Packets for Bad Flags
$IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG

# WOW
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.100 --dport 3724 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.100 --dport 6112 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.100 --dport 6881:6999 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.10-192.168.0.100 --dport 3724 -j ACCEPT
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.10-192.168.0.100 --dport 6112 -j ACCEPT
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.10-192.168.0.100 --dport 6881:6999 -j ACCEPT

##VNC

$IPTABLES -A FORWARD -p tcp --sport 5801 -j DROP
$IPTABLES -A FORWARD -p tcp --sport 5901 -j DROP
$IPTABLES -A FORWARD -p tcp --sport 6001 -j DROP

##Filtering FROM INTERNAL NET

##Silent Drops/Rejects (Things we don't want in our logs)

#SMB
$IPTABLES -A FORWARD -o $EXTIF -j SMB


##Allow all other forwarding (from Ports > 1024) from Internal Net to External Net
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT



##Filtering FROM EXTERNAL NET


##Silent Drops/Rejects (Things we don't want in our logs)

#SMB
$IPTABLES -A FORWARD -i $EXTIF -j SMB


##Allow replies coming in
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p icmp -m state --state RELATED -j ACCEPT

##Catch all rule/Deny every other forwarding

$IPTABLES -A FORWARD -j LDROP




################
## PREROUTING ##
################

##Port-Forwarding (--> Also see chain FORWARD)

#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d my.ip.address --dport 3724 -j DNAT --to-destination 192.168.0.10:3724-192.168.0.100:3724
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d my.ip.address --dport 6112 -j DNAT --to-destination 192.168.0.10:6112-192.168.0.100:6112
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d my.ip.address --dport 6881:6999 -j DNAT --to-destination 192.168.0.10:6881-6999-192.168.0.100:6881-6999

#$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 6699 -s 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP
#$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 6699 -s 0.0.0.0/0.0.0.0 -m state --state NEW -j DNAT --to 192.168.0.100:6699
#$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 6699 -s 0.0.0.0/0.0.0.0 -m state --state NEW -j ACCEPT

#$IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp --dport 6257 -s 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP
#$IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp --dport 6257 -s 0.0.0.0/0.0.0.0 -m state --state NEW -j DNAT --to 192.168.0.100:6257
#$IPTABLES -A FORWARD -i $EXTIF -p udp --dport 6257 -m state --state NEW -j ACCEPT

# WOW
$IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF -d my.ip.address --dport 3724 -j DNAT --to-destination 192.168.0.100
$IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF -d my.ip.address --dport 6112 -j DNAT --to-destination 192.168.0.100
$IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF -d my.ip.address --dport 6881:6999 -j DNAT --to-destination 192.168.0.100


###################
## POSTROUTING ##
###################

#Masquerade from Internal Net to External Net
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j SNAT --to-source $EXTIP

# example iptables -t nat -A POSTROUTING -p tcp -d $INTERNAL_MACHINE_IP --dport $INTERNAL_MACHINE_PORT -j SNAT --to-source $FW_INTERNAL_IP



#------End Ruleset------#

echo "...done"
echo ""


echo "--> IPTABLES firewall loaded/activated <--"


##--------------------------------End Firewall---------------------------------##



;;
*)
echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
exit 1
esac

exit 0

amitsharma_26 12-19-2006 06:54 PM

Two corrections for the moment:
Code:

-j DNAT --to-destination 192.168.0.10-192.168.0.100

is to be used for load balancing and not multicasting (as you must have thought initially).

And the other thing that I do not understand in the whole scenario is why you used state NEW in FORWARD chains at -i $EXTIF for your WOW ports. This doesn't make sense. You should only use RELATED & ESTABLISHED to allow IN at -i $EXTIF.

Also try to go through this sample firewall setup; as this has code for WOW accessibility.

chort 12-19-2006 09:00 PM

Quote:

Originally Posted by amitsharma_26
Also try to go through this sample firewall setup; as this has code for WOW accessibility.

Those rules look right to me. I have something similar for my OpenBSD firewall from when I played WoW. One note: If more than one machine needs to download the patch you'll need to change the rule to point to the 2nd machine after the first one is done. The easier way is to just share the patch file from the 1st machine to any additional machines that need it (as long as they all run the same OS).

CowLoon 12-19-2006 10:41 PM

Uggh. I'm deleting what I just wrote, because it is actually working. I had "peer-to-peer" deselected at some point after it complained that I'm behind a firewall and didn't turn it back on. That was what I was seeing recently instead of the message about peer-to-peer being disabled.

So, I'm not sure what fixed the problem now.

I see that if I use -m state --state ESTABLISHED,RELATED in the FORWARD rules as amitsharma_26 was suggesting, I get a bunch of drop messages in syslog with SYN set, and I don't if I add NEW.

The downloader uses bittorrent, so do I need NEW because a bittorrent client is supposed to be initiating connections over those ports?

amitsharma_26 12-20-2006 07:57 AM

Quote:

Originally Posted by CowLoon
####################
## FORWARD-Chain ## (everything that passes the firewall)
####################


##GENERAL Filtering

# Check TCP-Packets for Bad Flags
$IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG

# WOW
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.100 --dport 3724 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.100 --dport 6112 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.100 --dport 6881:6999 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

I am not familiar with WOW usage, nor have I ever played it; but are you sure that for these --dports (3724, 6112, 6881-6999) connections are also being originated from OUTSIDE (the internet)?

CowLoon 12-20-2006 03:16 PM

Quote:

Originally Posted by amitsharma_26
I am not familiar with WOW usage, nor have I ever played it; but are you sure that for these --dports (3724, 6112, 6881-6999) connections are also being originated from OUTSIDE (the internet)?

I only know that syslog shows lines from the logging rules in the script, if I leave out NEW. The log lines show the source ip address from outside with a WOW port and also SYN, which I assume means that the packet has SYN set, which I think means that a connection is being initiated.

The download activity using these ports is said to be done using bittorrent.
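As an added example (not code from the thread or the script's author), here is a small Python triage tool for the fireparse-style LOG lines quoted in the first post: it parses each line, works out which built-in chain and which logging chain of the script produced it from the IN=/OUT= fields and the fp= prefix, and says why the packet was dropped, covering the two cases discussed above (a bare SYN to a forwarded port reaching the FORWARD catch-all when NEW is left out, and an RST dropped as INVALID). The two sample lines are constructed to mirror the ones quoted earlier, with documentation addresses standing in for the real ones; the forwarded port set is the one from the script.

```python
"""Triage fireparse-style iptables LOG lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Destination ports the script forwards to the game machine.
WOW_PORTS = {3724, 6112, *range(6881, 7000)}

# Bare tokens the LOG target emits without a value for TCP packets.
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "ECE", "CWR"}

# Everything after the kernel timestamp is KEY=VALUE tokens plus bare flags.
LINE_RE = re.compile(r"kernel: \[\s*[\d.]+\] (?P<body>fp=.*)$")

# Constructed sample lines mirroring the two quoted in the first post
# (documentation addresses stand in for the real ones).
SAMPLE_LOG = [
    "Dec 18 19:20:23 bleh kernel: [17617673.000000] fp=TCP:1 a=DROP IN=eth0 OUT=eth1 "
    "SRC=203.0.113.5 DST=192.168.0.100 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=49822 DF "
    "PROTO=TCP SPT=2673 DPT=3724 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Dec 18 19:26:39 bleh kernel: [17618049.736000] fp=INVALID:1 a=DROP IN=eth0 OUT= "
    "MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=203.0.113.9 DST=198.51.100.2 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=5697 DF PROTO=TCP SPT=4492 DPT=3724 "
    "WINDOW=0 RES=0x00 ACK RST URGP=0",
]


@dataclass
class LogPacket:
    fields: dict
    flags: set

    @property
    def hook(self) -> str:
        """Built-in chain that logged it: LOG records the IN= and OUT=
        interfaces, and only a forwarded packet has both."""
        has_in = bool(self.fields.get("IN"))
        has_out = bool(self.fields.get("OUT"))
        if has_in and has_out:
            return "FORWARD"
        return "INPUT" if has_in else "OUTPUT"

    @property
    def logging_chain(self) -> str:
        """Map the fp= prefix back to the user chain in the script that logged it."""
        kind = self.fields["fp"].split(":")[0]
        if kind in ("TCP", "UDP", "ICMP", "FRAGMENT"):
            return "LREJECT" if self.fields.get("a") == "REJECT" else "LDROP"
        return "L" + kind  # INVALID, BADFLAG, SPECIALPORT, SYNFLOOD, PINGFLOOD


def parse_line(line: str) -> LogPacket:
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not a kernel LOG line: %r" % line)
    fields, flags = {}, set()
    for tok in m.group("body").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return LogPacket(fields, flags)


def explain(pkt: LogPacket) -> str:
    """Say why the script dropped this packet, for the two cases in the thread."""
    dpt = int(pkt.fields.get("DPT") or 0)
    if pkt.logging_chain == "LINVALID" and "RST" in pkt.flags:
        # A RST (or ACK RST) for a flow conntrack has no entry for is INVALID;
        # the script drops it in INPUT. Expected noise, nothing to fix.
        return "stray RST for an untracked flow, dropped as INVALID in %s" % pkt.hook
    if (pkt.hook == "FORWARD" and pkt.logging_chain == "LDROP"
            and pkt.flags == {"SYN"} and dpt in WOW_PORTS):
        # A bare SYN is a NEW connection; after DNAT it enters FORWARD headed for
        # the game machine, so a rule limited to ESTABLISHED,RELATED cannot match.
        return ("inbound SYN to forwarded port %d hit the FORWARD catch-all: "
                "no ACCEPT rule admits NEW connections to it" % dpt)
    return "%s dropped in %s via %s" % (pkt.fields.get("PROTO", "?"),
                                         pkt.hook, pkt.logging_chain)


def triage(lines):
    """Return (hook, logging chain, explanation) for every LOG line."""
    return [(p.hook, p.logging_chain, explain(p))
            for p in (parse_line(line) for line in lines)]


if __name__ == "__main__":
    for hook, chain, why in triage(SAMPLE_LOG):
        print("%-8s %-9s %s" % (hook, chain, why))
```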

terek 01-09-2007 09:41 PM

Quote:

Originally Posted by amitsharma_26
Also try to go through this sample firewall setup; as this has code for WOW accessibility.

I am trying to set this up too. I have a question about that help file.

INET_IP="1.1.1.1" # External Interface 1

I have a global IP address... is that supposed to be my global IP address? I am not sure.

It is used in the following 3 lines
#$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE -d $INET_IP --dport $WOW_PORT1 -j DNAT --to-destination $SAM:$WOW_PORT1
#$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE -d $INET_IP --dport $WOW_PORT2 -j DNAT --to-destination $SAM:$WOW_PORT2
#$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE -d $INET_IP --dport $WOW_PORT3 -j DNAT --to-destination $SAM:$WOW_PORT3

I replaced
$INET_IFACE with eth0, since that is my external interface
$SAM with my game machine's IP address
$WOW_PORT1-3 with the appropriate ports
$INET_IP with my machine's global IP... is that supposed to be a gateway? How do I check if my ISP is giving me a gateway? The address assigned to my machine when it asks for an IP address from the DHCP server is the global IP address they have given me.

When I replaced it with those, iptables gives me an error when I restart it, on the first line that used my global IP address.

I am a Linux newb and hope you can help me.

fotoguy 01-09-2007 11:08 PM

Quote:

Originally Posted by terek

$INET_IP with my machine's global ip... is that supposed to be a gateway?


The $INET_IP is the IP address your ISP has assigned to you (the global address, as you call it).

Also, you don't replace the variable $INET_IP with an actual device or value in the script; these variables are used so you only have to declare them once, like this:

Code:

INET_IP=222.333.444.555

#$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE -d $INET_IP --dport $WOW_PORT1 -j DNAT --to-destination $SAM:$WOW_PORT1


When you run the script it will automatically replace $INET_IP with the value declared earlier in the script, 222.333.444.555.

terek 01-10-2007 02:23 AM

Ok, I think I figured it out.

The thing is I am not using the script to set things up. I am editing my iptables file directly then restarting it.

Here is the segment of my iptables file:
Code:

# Allow WOW port forwarding

-A FORWARD -i eth0 -d 192.168.1.99 -p tcp --dport 3724 -j ACCEPT
-A FORWARD -i eth0 -d 192.168.1.99 -p tcp --dport 6112 -j ACCEPT
-A FORWARD -i eth0 -d 192.168.1.99 -p tcp --dport 6881:6999 -j ACCEPT

-t nat -A PREROUTING -p tcp -i eth0 -d myGlobalIP --dport 3724 -j DNAT --to-destination 192.168.1.99:3724
-t nat -A PREROUTING -p tcp -i eth0 -d myGlobalIP --dport 6112 -j DNAT --to-destination 192.168.1.99:6112
-t nat -A PREROUTING -p tcp -i eth0 -d myGlobalIP --dport 6881:6999 -j DNAT --to-destination 192.168.1.99:6881-6999

What I changed is that I removed the -t nat and put the PREROUTING statements under my *nat.
Maybe I am not understanding what the -t nat means or whether the *nat means anything significant, but it appears to be working.

Thanks for your help.

amitsharma_26 01-10-2007 04:39 AM

When we put a rule in "-t nat", we mean that this rule falls under the nat table (for NATting), which in turn has the PREROUTING (for DNATing), POSTROUTING (for SNATing) and OUTPUT (for the local box's own DNATing) chains.

