LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 06-29-2004, 02:28 PM   #1
lord_emperor
LQ Newbie
 
Registered: May 2004
Posts: 9

Rep: Reputation: 0
Slackware 9.0 port forwarding UT2004 server


Hey I'm trying to host a UT2004 server on a windows machine behind my Slackware Router / Firewall.

The guy who set this up for me did all the initial configuration, so I'm mostly nub but still learning, I did manage to change it from DHCP to a static IP when I changed ISPs, which was absolute hell for me.

Anyway he said if I needed to forward more ports I just edit rc.portforward and basically copy what he's setup changing some details.

I've gathered that the required ports are UDP 7777, 7778, 7787 and 7788, and TCP 28902. The server is running on port 7777, the other UDP ports are apparantly backups and the TCP is for the master server list.

Code:
#!/bin/sh
#
# /etc/rc.d/rc.local:  Local system initialization script.
#
# Put any local setup commands in here:
echo "Forwarding Ports..."
extip="xx.xx.xx.xx"

iptables -A PREROUTING -t nat -p tcp -d $extip --dport 80 \-j DNAT --to 192.168.2.96:80

#Ryan's IRC
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 59 \-j DNAT --to 192.168.2.97:59

echo "Forwarding Port 6113 to Client02..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 6113 \-j DNAT --to 192.168.2.92:6113

echo "Forwarding Port 6114 to Client03..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 6114 \-j DNAT --to 192.168.2.91:6114

echo "Forwarding Port 6115 to Client04..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 6115 \-j DNAT --to 192.168.2.89:6115

echo "Forwarding Port 6116 to Client05..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 6116 \-j DNAT --to 192.168.2.90:6116

echo "Forwarding Port 6117 to Client06..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 6117 \-j DNAT --to 192.168.2.88:6117

echo "Forwarding Port 6118 to Client07..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 6118 \-j DNAT --to 192.168.2.98:6118

echo "Forwarding Port 6119 to Client08..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 6119 \-j DNAT --to 192.168.2.94:6119

echo "Forwarding Port 6120 to Client09..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 6120 \-j DNAT --to 192.168.2.95:6120

echo "Forwarding Port 6121 to Client10..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 6121 \-j DNAT --to 192.168.2.93:6121

echo "Forwarding Port 27015 to Server01..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 27015 \-j DNAT --to 192.168.2.96:27015

echo "Forwarding Port 27015 to Server01..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 27015 \-j DNAT --to 192.168.2.96:27010

iptables -A PREROUTING -t nat -p udp -d $extip --dport 7777 \-j DNAT --to 192.168.2.96:7777

iptables -A PREROUTING -t nat -p udp -d $extip --dport 7787 \-j DNAT --to 192.168.2.96:7787

iptables -A PREROUTING -t nat -p udp -d $extip --dport 7778 \-j DNAT --to 192.168.2.96:7778

iptables -A PREROUTING -t nat -p tcp -d $extip --dport 28902 \-j DNAT --to 192.168.2.96:28902

iptables -A PREROUTING -t nat -p udp -d $extip --dport 7788 \-j DNAT --to 192.168.2.96:7788

59 rows, 158 columns
(I replaced my extip with xx.xx.xx.xx to paste here, in the real file it is correct).

The entries I made are the last ones at the bottom, without the echo.

After entering these I rebooted the router and asked a couple of people to try to connect but they couldn't. Server shows up as "Unknown Server" which means it can't find a server at the IP address. I can connect to it over LAN.

Searching this forum turns up rc.portforwards that are similar but the commands are slightly different, I'm not sure what I need to change.
 
Old 06-29-2004, 04:38 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
You may need some rules in the iptables FORWARD chain to allow these as well..
depends on whether you have a DROP policy in the FORWARD chain or not..

A mention...
when you DNAT, you don't need to specify the destination port number if it isn't changing, eg
--dport 27015 \-j DNAT --to 192.168.2.96:27015 can be
--dport 27015 \-j DNAT --to 192.168.2.96

Get rid of the \ if the rules are on one line.
It's only used to continue the rule on the next line, eg if it's too wide for the script page

You also have a duplicated line..
--dport 27015 \-j DNAT --to 192.168.2.96:27015 &
--dport 27015 \-j DNAT --to 192.168.2.96:27010

Only the first line will do anything. There won't be any packets for the 2nd line to operate on..

And a final comment.. the -d $extip is unnecessary if you have only 1 ip number.
It adds another check which takes time to perform, like the port check..

Last edited by peter_robb; 06-29-2004 at 04:42 PM.
 
Old 06-29-2004, 06:20 PM   #3
lord_emperor
LQ Newbie
 
Registered: May 2004
Posts: 9

Original Poster
Rep: Reputation: 0
Thanks, I cleaned up the duplicated line and the unnecessary characters.

All my lines look like this now (except with different numbers obviously):

echo "Forwarding ports for UT2004 server..."
iptables -A PREROUTING -t nat -p udp --dport 7777 -j DNAT --to 192.168.2.96

iptables -A PREROUTING -t nat -p udp --dport 7787 -j DNAT --to 192.168.2.96

iptables -A PREROUTING -t nat -p udp --dport 7778 -j DNAT --to 192.168.2.96

iptables -A PREROUTING -t nat -p tcp --dport 28902 -j DNAT --to 192.168.2.96

iptables -A PREROUTING -t nat -p udp --dport 7788 -j DNAT --to 92.168.2.96


Is that right?

Quote:
You may need some rules in the iptables FORWARD chain to allow these as well..
I think everything is be set to DROP, I'm not sure but I'm unable to host any games or recieve DCC transfers over IRC so it would seem logical. This is probably a good thing.

How do I get it to ACCEPT on these ports, can it be done in rc.portforward or somewhere else?

Oh and do I have to reboot for the changes to take effect? I have been rebooting each time so far but I have to wait until no one is using the net, could be a while on a busy day.

Last edited by lord_emperor; 06-29-2004 at 06:23 PM.
 
Old 06-30-2004, 04:46 AM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Don't have to reboot!! The iptables system is a live system, so you can make changes while it's running..
What you have posted looks like a copy of /etc/rc.local.
If it has been renamed to rc.portforward, it cannot be started twice, or you will get duplicated rules,
so I suggest adding the new rules in a command line as they are written in the script.
Next reboot, they will be automatically loaded from the script (and the other rules from wherever they are now..)
do iptables-save in a command line to view the active rules..


To make a FORWARD rule from these rules, add another rule..
change iptables -A PREROUTING -t nat -p udp --dport 7777 -j DNAT --to 192.168.2.96
into iptables -A FORWARD -p udp --dport 7777 -d 192.168.2.96 -j ACCEPT
for each of them..
Also make sure this one exists to allow RELATED traffic..
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
It is probably already there.. It needs to be the first or second rule.

The order of the rules is very important, so doing iptables -A won't guarantee they will be in the correct position in the rule set. It depends on what is before them.
Have a read of this tutorial and see why some rules come first and others last.
 
Old 06-30-2004, 12:11 PM   #5
lord_emperor
LQ Newbie
 
Registered: May 2004
Posts: 9

Original Poster
Rep: Reputation: 0
I opened up rc.local and took a look, it's completely different.
I didn't see that the comment was the same before. Is rc.portforward not a normal file to have? If so would I be better off putting my forwarding commands in another file?

This is what is in my rc.local :

Code:
#!/bin/sh
#
# /etc/rc.d/rc.local:  Local system initialization script.
#
# Put any local setup commands in here:
echo "Setting up NAT (Network Address Translations)..."
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Starting DHCP Server..."
route add -host 255.255.255.255 dev eth1
/usr/sbin/dhcpd eth1

echo: "Starting NOIP2..."
/usr/local/bin/noip2
No idea what this file means.

I added the RELATED line at the top of rc.portforward and made the modifications you requested to the other lines, then I pasted them into the CLI. Still no dice.

Edit: Thanks for the tutorial, I am reading it through now and trying to understand.

Edit2: As best I can tell it should be working but isn't.

Last edited by lord_emperor; 06-30-2004 at 02:10 PM.
 
Old 06-30-2004, 02:16 PM   #6
lord_emperor
LQ Newbie
 
Registered: May 2004
Posts: 9

Original Poster
Rep: Reputation: 0
This is what iptables-save gave me. I see a lot of accepts in there, is everything set to accept?

Code:
# Generated by iptables-save v1.2.7a on Mon Jun 28 19:19:00 2004
*nat
:PREROUTING ACCEPT [19094:1315728]
:POSTROUTING ACCEPT [41:5581]
:OUTPUT ACCEPT [620:55568]
-A PREROUTING -p udp -m udp --dport 7777 -j DNAT --to-destination 192.168.2.96
-A PREROUTING -p udp -m udp --dport 7778 -j DNAT --to-destination 192.168.2.96
-A PREROUTING -p udp -m udp --dport 7787 -j DNAT --to-destination 192.168.2.96
-A PREROUTING -p udp -m udp --dport 7788 -j DNAT --to-destination 192.168.2.96
-A PREROUTING -p tcp -m tcp --dport 28902 -j DNAT --to-destination 192.168.2.96
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jun 28 19:19:00 2004
# Generated by iptables-save v1.2.7a on Mon Jun 28 19:19:00 2004
*filter
:INPUT ACCEPT [10075:1263968]
:FORWARD ACCEPT [396132:124167287]
:OUTPUT ACCEPT [9214:1022806]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -d 192.168.2.96 -p udp -m udp --dport 7777 -j ACCEPT
-A FORWARD -d 192.168.2.96 -p udp -m udp --dport 7778 -j ACCEPT
-A FORWARD -d 192.168.2.96 -p udp -m udp --dport 7787 -j ACCEPT
-A FORWARD -d 192.168.2.96 -p udp -m udp --dport 7788 -j ACCEPT
-A FORWARD -d 192.168.2.96 -p tcp -m tcp --dport 28902 -j ACCEPT
COMMIT
# Completed on Mon Jun 28 19:19:00 2004

Edit2: The top part is teh nat table and the bottom part the filter table? Should those things be in ther filter table, is that where they go if you don't specify -t or are they duplicated there?


Edit: Couple questions as things dawn on me:

How can I tell what the default policy is?
If I flush the iptables and start over will that help? Will this change the default policy?
Can I delete rc.portforward and just do everything through command lines?
Are there any other files that could be affecting the firewall situation?

Edit3:

Got some help in an IRC channel, sound out that everythign is set to accept! =(

The forward part does look right though.

Anyway now I want to set this up right. I want to DROP all but the ports I allow right? So what default policy do I set for INPUT OUTPUT and FORWARD?

Code:
root@lantechrouter:~# iptables -L -n |less
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            192.168.2.96       udp dpt:7777
ACCEPT     udp  --  0.0.0.0/0            192.168.2.96       udp dpt:7778
ACCEPT     udp  --  0.0.0.0/0            192.168.2.96       udp dpt:7787
ACCEPT     udp  --  0.0.0.0/0            192.168.2.96       udp dpt:7788
ACCEPT     tcp  --  0.0.0.0/0            192.168.2.96       tcp dpt:28902

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Shouldn't the server have worked from the start then? What else could be preventing it from working?


FINAL EDIT: Tried doing some stuff and it broke the internet (which I fixed somehow). I think I need to do this in the middle of the night when nobody will be effected, possibly on a fresh install on a new box, this thing is just too messed up with someone else setting it up and me making changes I don't really understand.

Last edited by lord_emperor; 06-30-2004 at 04:40 PM.
 
Old 07-05-2004, 02:22 PM   #7
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
The rules look good enough to work ok, so, yes, something is biting them..

The UT2004 Forum shows this and mentions TCP port 28900 as well..

So I guess it's time to see if the packets are getting to 192.168.2.96 properly..
I would use hping to send TCP or UDP packets and make sure the UT2004 server gets them.. eg
hping -2p 7777 ip.of.UT.server & hping -Sp 28902 ip.of UT.server

Last edited by peter_robb; 07-05-2004 at 02:29 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
port forwarding via web server nerd32768 Linux - Networking 1 09-21-2005 01:21 PM
Help with apache server dir and port forwarding leemoreau Linux - Software 13 03-25-2005 09:56 AM
SoF2 Linux Server and Port Forwarding adskiremote Linux - Games 0 07-30-2004 04:15 AM
Server doesn't work with port forwarding enables Dawyea Linux - Networking 7 06-19-2004 09:57 AM
Windows Terminal Server port-forwarding linuxtesting2 Linux - Networking 2 03-30-2004 11:28 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 02:42 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration