I am using a Linux-based firewall/router, masquerading all of my internal computers. I can receive files without any problems, but I cannot send files (seems strange to me).
Has anyone had this problem, or found a fix for it? Kevin |
Hi,
I have the same problem. If someone has an idea, thanks. Ludo |
I've tested this and have no problems once you use the correct rules in your firewall.
The output rule from your external IP address should allow your IP to send from ports 1023:65535 to a destination port of 1863 on any IP address. Your input rule to your external IP address should allow your IP to receive only a SYN flag with a source port of 1863 to a destination port of 1023:65525 from the IP range 64.4.13.0/24. UDP is not needed, only TCP. An example of a Linux ipchains rule would look like this (the example external IP address is 64.45.11.23):

ipchains -A output -p tcp -s 64.45.11.23 1023:65535 --dport 1863 -j ACCEPT
ipchains -A input -p tcp ! -y -s 64.4.13.0/24 --sport 1863 -d 64.45.11.23 1023:65535 -j ACCEPT

/Raz |
Hi,
Thanks for your response, I'll try this. Bye, Ludo |
This may sound dumb.
I don't use Messenger myself; my little brother uses it, so I don't know how it works.
This external IP address in the example, is it the address of the machine you are talking to, or the MSN server? Have Fun :) |
Yeah, MSN's servers route the messages from one of the IP addresses in the 64.4.13.0/24 subnet.
It then uses its port 1863 to talk back to your system's non-privileged port <1023, once you started the connection. You only need to worry about incoming connections, as you control the outgoing ones, so the example lets you go out to any server on that port number, but only accepts the MSN servers' subnet as incoming. /Raz |
Thanks for your response,
I have a Half-Life server, and I can't play on my Windows PC but the others do. I think it's the same problem. Anyone know the IP address of the MSN server? Thanks again. Ludo. Excuse my English, I'm French. |
MSN uses about 30 servers for its message system, so you have to allow the whole subnet of 64.4.13.0 access in on port 1863.
If you're running a Half-Life server, then when you set up the port it will default to the standard Counter-Strike port of 27015; you'll need to allow external people access to this port number and connections back to their client on a port higher than 1023. Also allow ICMP echo request messages, or people will join your server thinking it's the fastest one on the net and have no way of knowing the ping times. If I didn't understand you and you want to connect to an HL server, then you'll need to allow port 27015 access out and the WON server's IP address and port number, including UDP access, for your ID to work. /Raz |
MSN ipchains

ipchains -A output -p tcp -s 64.45.11.23 1023:65535 --dport 1863 -j ACCEPT
ipchains -A input -p tcp ! -y -s 64.4.13.0/24 --sport 1863 -d 64.45.11.23 1023:65535 -j ACCEPT

Trying to understand... hmmmmmm. I am running a LAN with 192.168.xxx.xxx. This ipchains rule set is a copy of "razbot" ipchains from Apr 2001. The 64.45.11.23: would that be my gateway IP address, which is 192.168.0.1? Also, in the "input" ipchains rule, is that a ! or is it a |? Thank you, Rod |
Hi Rod,
It looks OK. "Yes, it's a !!!!!! not a ||||||". Make sure your internal IP can also talk to the external IP in the firewall rules; also I guess you're doing NAT. eth0 = 192.168.xxx.67 (example), eth0:0 = 64.45.11.23 (gateway IP), so I would use:

# Allow NAT for all internal IPs
ipchains -A forward -s 192.168.xxx.0/24 -j MASQ
# allow my client access to the firewall's input/output chains
ipchains -A input -i eth0 -s 192.168.xxx.67 -j ACCEPT
ipchains -A output -i eth0 -d 192.168.xxx.67 -j ACCEPT
# allow MSN trusted servers only.
ipchains -A output -p tcp -s 64.45.11.23 1023:65535 --dport 1863 -j ACCEPT
ipchains -A input -p tcp ! -y -s 64.4.13.0/24 --sport 1863 -d 64.45.11.23 1023:65535 -j ACCEPT
# Don't forget to stop spoofing etc etc etc
ipchains -A input -i eth0:0 -s 10.0.0.0/8 -d 0/0 -j DENY -l
ipchains -A input -i eth0:0 -s 172.16.0.0/12 -d 0/0 -j DENY -l
ipchains -A input -i eth0:0 -s 192.168.0.0/16 -d 0/0 -j DENY -l
ipchains -A input -i eth0:0 -s 127.0.0.0/8 -d 0/0 -j DENY -l
ipchains -A input -i eth0:0 -s 255.255.255.255 -j DENY -l
ipchains -A input -i eth0:0 -d 0.0.0.0 -j DENY -l

/Raz |
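To see what Raz's rule set above (and his explanation of "! -y" earlier in the thread) actually lets through, here is an added Python model of the chains; it is not code from the thread. It assumes a LAN client of 192.168.0.67 on eth0, the thread's example external address on eth0:0, first-match semantics, and a default chain policy of DENY, which the posted rules never set explicitly (without `ipchains -P input DENY` the "MSN only" rules restrict nothing).

```python
import ipaddress

# Constructed model of Raz's ipchains rules: first match wins, chain policy assumed DENY.
EXT_IP = "64.45.11.23"      # example external address from the thread
CLIENT = "192.168.0.67"     # assumed masqueraded LAN client (eth0 = LAN, eth0:0 = WAN)

RULES = [
    ("input",  dict(iface="eth0", src=CLIENT + "/32"), "ACCEPT"),
    ("output", dict(iface="eth0", dst=CLIENT + "/32"), "ACCEPT"),
    ("output", dict(proto="tcp", src=EXT_IP + "/32", sport=(1023, 65535),
                    dport=(1863, 1863)), "ACCEPT"),
    # "! -y": only packets that are NOT a bare SYN, i.e. replies to a connection
    # the firewall itself opened, and only from the MSN server subnet on port 1863
    ("input",  dict(proto="tcp", syn=False, src="64.4.13.0/24", sport=(1863, 1863),
                    dst=EXT_IP + "/32", dport=(1023, 65535)), "ACCEPT"),
    # anti-spoofing (the post also denies 172.16/12, 127/8, broadcast): private
    # sources must never arrive on the WAN interface
    ("input",  dict(iface="eth0:0", src="10.0.0.0/8"), "DENY"),
    ("input",  dict(iface="eth0:0", src="192.168.0.0/16"), "DENY"),
]

def _match(cond, pkt):
    for key, want in cond.items():
        have = pkt[key]
        if key in ("src", "dst"):
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif key in ("sport", "dport"):
            if not want[0] <= have <= want[1]:
                return False
        elif have != want:
            return False
    return True

def verdict(chain, pkt, policy="DENY"):
    """Walk one chain in order and return the target of the first matching rule."""
    for rule_chain, cond, target in RULES:
        if rule_chain == chain and _match(cond, pkt):
            return target
    return policy

def packet(iface, src, sport, dst, dport, syn, proto="tcp"):
    """syn=True means a bare SYN, which is what ipchains -y matches."""
    return dict(iface=iface, proto=proto, src=src, sport=sport, dst=dst, dport=dport, syn=syn)

if __name__ == "__main__":
    print(verdict("output", packet("eth0:0", EXT_IP, 1500, "64.4.13.10", 1863, True)))   # ACCEPT
    print(verdict("input", packet("eth0:0", "64.4.13.10", 1863, EXT_IP, 1500, False)))   # ACCEPT: SYN/ACK reply
    print(verdict("input", packet("eth0:0", "64.4.13.10", 1863, EXT_IP, 1500, True)))    # DENY: unsolicited SYN
    print(verdict("input", packet("eth0:0", "192.168.0.5", 1863, EXT_IP, 1500, False)))  # DENY: spoofed
```

The third case is the point of "! -y": a connection the firewall opened gets its replies back, but a new connection arriving from the MSN subnet is refused by policy, and nothing in the set forwards any inbound connection on to the masqueraded client.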
One More Question - RAZ
Thank you for answering my first question so quickly...
In my router machine (I am using an LRP) I am using two NICs: eth0, attached to the DSL modem, and eth1, attached to the internal LAN. In your answer you list eth0 and eth0:0. Is my eth0 = your eth0, and is my eth1 = your eth0:0? Thanks again for the previous fast answer with so much info. Rod |
One More Question - RAZ
Thank you for answering my question in such detail...
I am using an LRP for my router: eth0 connected to the DSL modem, eth1 connected to the internal LAN. You used eth0 and eth0:0. Does my eth0 = your eth0, and does my eth1 = your eth0:0? Thanks again, Rod |
Yes,
I'm using a system with 1 network card and 2 virtual network interfaces. It works just as well as two cards, but you can't see any physical separation of the firewall, so it's easy to unplug something. /raz
Yours: eth0:0 = eth1, eth0 = eth0 |
Thanks again
Rod |
I have tried this set of rules above and I can't send files. Does this set of rules work for anyone????

192.168.1.3 = MY WIN98 PC
192.168.1.1 = LINUX SERVER ETH0
XXX.XXX.XXX.XXX = SERVER'S INTERNET IP ETH1

/sbin/ipchains -F
# Allow NAT for all internal IPs
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ
# allow my client access to the firewall's input/output chains
/sbin/ipchains -A input -i eth0 -s 192.168.1.3 -j ACCEPT
/sbin/ipchains -A output -i eth0 -d 192.168.1.3 -j ACCEPT
# allow MSN trusted servers only.
/sbin/ipchains -A output -p tcp -s xxx.xxx.xxx.xxx 1023:65535 --dport 1863 -j ACCEPT
/sbin/ipchains -A input -p tcp ! -y -s 64.4.13.0/24 --sport 1863 -d xxx.xxx.xxx.xxx 1023:65535 -j ACCEPT
# Don't forget to stop spoofing etc etc etc
/sbin/ipchains -A input -i eth1 -s 10.0.0.0/8 -d 0/0 -j DENY -l
/sbin/ipchains -A input -i eth1 -s 172.16.0.0/12 -d 0/0 -j DENY -l
/sbin/ipchains -A input -i eth1 -s 192.168.0.0/16 -d 0/0 -j DENY -l
/sbin/ipchains -A input -i eth1 -s 127.0.0.0/8 -d 0/0 -j DENY -l
/sbin/ipchains -A input -i eth1 -s 255.255.255.255 -j DENY -l
/sbin/ipchains -A input -i eth1 -d 0.0.0.0 -j DENY -l

I must admit it's driving me nuts not being able to send files. Can anyone stop the suffering :) Cheers
________________________
Have Fun :) |