Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hey I'm trying to host a UT2004 server on a windows machine behind my Slackware Router / Firewall.
The guy who set this up for me did all the initial configuration, so I'm mostly nub but still learning, I did manage to change it from DHCP to a static IP when I changed ISPs, which was absolute hell for me.
Anyway he said if I needed to forward more ports I just edit rc.portforward and basically copy what he's setup changing some details.
I've gathered that the required ports are UDP 7777, 7778, 7787 and 7788, and TCP 28902. The server is running on port 7777, the other UDP ports are apparantly backups and the TCP is for the master server list.
Code:
#!/bin/sh
#
# /etc/rc.d/rc.local: Local system initialization script.
#
# Put any local setup commands in here:
echo "Forwarding Ports..."
extip="xx.xx.xx.xx"
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 80 \-j DNAT --to 192.168.2.96:80
#Ryan's IRC
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 59 \-j DNAT --to 192.168.2.97:59
echo "Forwarding Port 6113 to Client02..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 6113 \-j DNAT --to 192.168.2.92:6113
echo "Forwarding Port 6114 to Client03..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 6114 \-j DNAT --to 192.168.2.91:6114
echo "Forwarding Port 6115 to Client04..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 6115 \-j DNAT --to 192.168.2.89:6115
echo "Forwarding Port 6116 to Client05..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 6116 \-j DNAT --to 192.168.2.90:6116
echo "Forwarding Port 6117 to Client06..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 6117 \-j DNAT --to 192.168.2.88:6117
echo "Forwarding Port 6118 to Client07..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 6118 \-j DNAT --to 192.168.2.98:6118
echo "Forwarding Port 6119 to Client08..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 6119 \-j DNAT --to 192.168.2.94:6119
echo "Forwarding Port 6120 to Client09..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 6120 \-j DNAT --to 192.168.2.95:6120
echo "Forwarding Port 6121 to Client10..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 6121 \-j DNAT --to 192.168.2.93:6121
echo "Forwarding Port 27015 to Server01..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 27015 \-j DNAT --to 192.168.2.96:27015
echo "Forwarding Port 27015 to Server01..."
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 27015 \-j DNAT --to 192.168.2.96:27010
iptables -A PREROUTING -t nat -p udp -d $extip --dport 7777 \-j DNAT --to 192.168.2.96:7777
iptables -A PREROUTING -t nat -p udp -d $extip --dport 7787 \-j DNAT --to 192.168.2.96:7787
iptables -A PREROUTING -t nat -p udp -d $extip --dport 7778 \-j DNAT --to 192.168.2.96:7778
iptables -A PREROUTING -t nat -p tcp -d $extip --dport 28902 \-j DNAT --to 192.168.2.96:28902
iptables -A PREROUTING -t nat -p udp -d $extip --dport 7788 \-j DNAT --to 192.168.2.96:7788
59 rows, 158 columns
(I replaced my extip with xx.xx.xx.xx to paste here, in the real file it is correct).
The entries I made are the last ones at the bottom, without the echo.
After entering these I rebooted the router and asked a couple of people to try to connect but they couldn't. Server shows up as "Unknown Server" which means it can't find a server at the IP address. I can connect to it over LAN.
Searching this forum turns up rc.portforwards that are similar but the commands are slightly different, I'm not sure what I need to change.
You may need some rules in the iptables FORWARD chain to allow these as well..
depends on whether you have a DROP policy in the FORWARD chain or not..
A mention...
when you DNAT, you don't need to specify the destination port number if it isn't changing, eg --dport 27015 \-j DNAT --to 192.168.2.96:27015 can be --dport 27015 \-j DNAT --to 192.168.2.96
Get rid of the \ if the rules are on one line.
It's only used to continue the rule on the next line, eg if it's too wide for the script page
You also have a duplicated line..
--dport 27015 \-j DNAT --to 192.168.2.96:27015 &
--dport 27015 \-j DNAT --to 192.168.2.96:27010
Only the first line will do anything. There won't be any packets for the 2nd line to operate on..
And a final comment.. the -d $extip is unnecessary if you have only 1 ip number.
It adds another check which takes time to perform, like the port check..
Last edited by peter_robb; 06-29-2004 at 04:42 PM.
You may need some rules in the iptables FORWARD chain to allow these as well..
I think everything is be set to DROP, I'm not sure but I'm unable to host any games or recieve DCC transfers over IRC so it would seem logical. This is probably a good thing.
How do I get it to ACCEPT on these ports, can it be done in rc.portforward or somewhere else?
Oh and do I have to reboot for the changes to take effect? I have been rebooting each time so far but I have to wait until no one is using the net, could be a while on a busy day.
Last edited by lord_emperor; 06-29-2004 at 06:23 PM.
Don't have to reboot!! The iptables system is a live system, so you can make changes while it's running..
What you have posted looks like a copy of /etc/rc.local.
If it has been renamed to rc.portforward, it cannot be started twice, or you will get duplicated rules,
so I suggest adding the new rules in a command line as they are written in the script.
Next reboot, they will be automatically loaded from the script (and the other rules from wherever they are now..)
do iptables-save in a command line to view the active rules..
To make a FORWARD rule from these rules, add another rule..
change iptables -A PREROUTING -t nat -p udp --dport 7777 -j DNAT --to 192.168.2.96
into iptables -A FORWARD -p udp --dport 7777 -d 192.168.2.96 -j ACCEPT
for each of them..
Also make sure this one exists to allow RELATED traffic.. iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
It is probably already there.. It needs to be the first or second rule.
The order of the rules is very important, so doing iptables -A won't guarantee they will be in the correct position in the rule set. It depends on what is before them.
Have a read of this tutorial and see why some rules come first and others last.
I opened up rc.local and took a look, it's completely different.
I didn't see that the comment was the same before. Is rc.portforward not a normal file to have? If so would I be better off putting my forwarding commands in another file?
This is what is in my rc.local :
Code:
#!/bin/sh
#
# /etc/rc.d/rc.local: Local system initialization script.
#
# Put any local setup commands in here:
echo "Setting up NAT (Network Address Translations)..."
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Starting DHCP Server..."
route add -host 255.255.255.255 dev eth1
/usr/sbin/dhcpd eth1
echo: "Starting NOIP2..."
/usr/local/bin/noip2
No idea what this file means.
I added the RELATED line at the top of rc.portforward and made the modifications you requested to the other lines, then I pasted them into the CLI. Still no dice.
Edit: Thanks for the tutorial, I am reading it through now and trying to understand.
Edit2: As best I can tell it should be working but isn't.
Last edited by lord_emperor; 06-30-2004 at 02:10 PM.
This is what iptables-save gave me. I see a lot of accepts in there, is everything set to accept?
Code:
# Generated by iptables-save v1.2.7a on Mon Jun 28 19:19:00 2004
*nat
:PREROUTING ACCEPT [19094:1315728]
:POSTROUTING ACCEPT [41:5581]
:OUTPUT ACCEPT [620:55568]
-A PREROUTING -p udp -m udp --dport 7777 -j DNAT --to-destination 192.168.2.96
-A PREROUTING -p udp -m udp --dport 7778 -j DNAT --to-destination 192.168.2.96
-A PREROUTING -p udp -m udp --dport 7787 -j DNAT --to-destination 192.168.2.96
-A PREROUTING -p udp -m udp --dport 7788 -j DNAT --to-destination 192.168.2.96
-A PREROUTING -p tcp -m tcp --dport 28902 -j DNAT --to-destination 192.168.2.96
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jun 28 19:19:00 2004
# Generated by iptables-save v1.2.7a on Mon Jun 28 19:19:00 2004
*filter
:INPUT ACCEPT [10075:1263968]
:FORWARD ACCEPT [396132:124167287]
:OUTPUT ACCEPT [9214:1022806]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -d 192.168.2.96 -p udp -m udp --dport 7777 -j ACCEPT
-A FORWARD -d 192.168.2.96 -p udp -m udp --dport 7778 -j ACCEPT
-A FORWARD -d 192.168.2.96 -p udp -m udp --dport 7787 -j ACCEPT
-A FORWARD -d 192.168.2.96 -p udp -m udp --dport 7788 -j ACCEPT
-A FORWARD -d 192.168.2.96 -p tcp -m tcp --dport 28902 -j ACCEPT
COMMIT
# Completed on Mon Jun 28 19:19:00 2004
Edit2: The top part is teh nat table and the bottom part the filter table? Should those things be in ther filter table, is that where they go if you don't specify -t or are they duplicated there?
Edit: Couple questions as things dawn on me:
How can I tell what the default policy is?
If I flush the iptables and start over will that help? Will this change the default policy?
Can I delete rc.portforward and just do everything through command lines?
Are there any other files that could be affecting the firewall situation?
Edit3:
Got some help in an IRC channel, sound out that everythign is set to accept! =(
The forward part does look right though.
Anyway now I want to set this up right. I want to DROP all but the ports I allow right? So what default policy do I set for INPUT OUTPUT and FORWARD?
Shouldn't the server have worked from the start then? What else could be preventing it from working?
FINAL EDIT: Tried doing some stuff and it broke the internet (which I fixed somehow). I think I need to do this in the middle of the night when nobody will be effected, possibly on a fresh install on a new box, this thing is just too messed up with someone else setting it up and me making changes I don't really understand.
Last edited by lord_emperor; 06-30-2004 at 04:40 PM.
The rules look good enough to work ok, so, yes, something is biting them..
The UT2004 Forum shows this and mentions TCP port 28900 as well..
So I guess it's time to see if the packets are getting to 192.168.2.96 properly..
I would use hping to send TCP or UDP packets and make sure the UT2004 server gets them.. eg hping -2p 7777 ip.of.UT.server & hping -Sp 28902 ip.of UT.server
Last edited by peter_robb; 07-05-2004 at 02:29 PM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
