LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 10-14-2014, 11:32 AM   #1
Amarildo
Member
 
Registered: Jun 2014
Posts: 176

Rep: Reputation: Disabled
Steam and iptables


I'm trying to get Steam work with my iptables rules but even though I allow all traffic Steam needs I can't play some games like Counter Strike.

The only "problem" with my iptables rules is the OUTPUT chain. If I let it open Counter Strike works. If I close it and open the ports Steam said it's needed, it doesn't.

My OUTPUT chain:

Code:
# Drop OUTPUT, except rules specified by us
iptables -P OUTPUT  DROP

# Accept outbound stablished and related traffic
iptables -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED  -j ACCEPT

# http, Mail, DNS and https accepted
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

# Steam
iptables -A OUTPUT -p udp --dport 27000:27015 -j ACCEPT
iptables -A OUTPUT -p udp --dport 27015:27030 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 27014:27050 -j ACCEPT
iptables -A OUTPUT -p udp --dport 3478 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4379 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4380 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4380 -j ACCEPT
# Steam

# Drop invalid
iptables -N drop_invalid 
iptables -A OUTPUT   -m conntrack --ctstate INVALID  -j drop_invalid
iptables -A drop_invalid -j LOG  --log-level info --log-prefix "drop_invalid -- DENY "
iptables -A drop_invalid -j DROP

# This shouldn't be necessary, but nevertheless a precaution
iptables -A OUTPUT  -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK,PSH,URG SYN -m state --state NEW -j DROP

# This ends my whole iptables rules. 
# All traffic is now dropped and logged
iptables -N RULE_13
iptables -A OUTPUT  -j RULE_13
iptables -A INPUT  -j RULE_13
iptables -A FORWARD  -j RULE_13
iptables -A RULE_13  -j LOG  --log-level info --log-prefix "RULE 13 -- DENY "
iptables -A RULE_13  -j DROP
https://support.steampowered.com/kb_...8571-GLVN-8711

Last edited by Amarildo; 10-14-2014 at 11:33 AM.
 
Old 10-14-2014, 12:08 PM   #2
cepheus11
Member
 
Registered: Nov 2010
Location: Germany
Distribution: Gentoo
Posts: 286

Rep: Reputation: 91
You could try with icmp enabled, or check which ports are accessed with
Code:
lsof -i
...while OUTPUT policy is ACCEPT.
 
Old 10-14-2014, 12:23 PM   #3
Amarildo
Member
 
Registered: Jun 2014
Posts: 176

Original Poster
Rep: Reputation: Disabled
I don't want OUTPUT with ACCEPT policy.

Regards.

Last edited by Amarildo; 10-14-2014 at 12:25 PM.
 
Old 10-14-2014, 12:37 PM   #4
cepheus11
Member
 
Registered: Nov 2010
Location: Germany
Distribution: Gentoo
Posts: 286

Rep: Reputation: 91
I meant just for diagnostics, to know the ports.
 
1 members found this post helpful.
Old 10-14-2014, 12:57 PM   #5
Amarildo
Member
 
Registered: Jun 2014
Posts: 176

Original Poster
Rep: Reputation: Disabled
Oh, I see. Sorry for my misinterpretation. I'll see what I can do.

This is the output. I'll make sure to allow this ports and test it again.
Code:
lsof -i
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dhcpcd     328   root    6u  IPv4  11798      0t0  UDP *:bootpc 
steam      736 junior   34u  IPv4  13175      0t0  TCP localhost.localdomain:57343 (LISTEN)
steam      736 junior   42u  IPv4  13181      0t0  UDP *:27036 
steam      736 junior   56u  IPv4  13190      0t0  TCP *:27036 (LISTEN)
steam      736 junior   64u  IPv4  13220      0t0  UDP *:54298 
steam      736 junior   82u  IPv4  19131      0t0  UDP *:58927 
steam      736 junior   91u  IPv4 580522      0t0  TCP localhost.localdomain:57343->localhost.localdomain:35955 (ESTABLISHED)
steam      736 junior   92u  IPv4 580429      0t0  TCP localhost.localdomain:57343->localhost.localdomain:35954 (ESTABLISHED)
steam      736 junior  100u  IPv4 580018      0t0  TCP localhost.localdomain:57343->localhost.localdomain:35952 (ESTABLISHED)
steam      736 junior  101u  IPv4 580177      0t0  TCP localhost.localdomain:57343->localhost.localdomain:35953 (ESTABLISHED)
hl_linux  3120 junior   36u  IPv4 572833      0t0  TCP localhost.localdomain:35952->localhost.localdomain:57343 (ESTABLISHED)
hl_linux  3120 junior   89u  IPv4 581025      0t0  UDP *:33058 
hl_linux  3120 junior   90u  IPv4 581432      0t0  UDP *:27015 
hl_linux  3120 junior   91u  IPv4 581433      0t0  UDP *:27005 
hl_linux  3120 junior   92u  IPv4 581434      0t0  UDP *:27025 
gameoverl 3123 junior   21u  IPv4 572844      0t0  TCP localhost.localdomain:35953->localhost.localdomain:57343 (ESTABLISHED)
gameoverl 3123 junior   28u  IPv4 580428      0t0  TCP localhost.localdomain:35954->localhost.localdomain:57343 (ESTABLISHED)
gameoverl 3123 junior   29u  IPv4 580521      0t0  TCP localhost.localdomain:35955->localhost.localdomain:57343 (ESTABLISHED)
gameoverl 3123 junior   38u  IPv4 580653      0t0  UDP *:37688 
gameoverl 3123 junior  100u  IPv4 580018      0t0  TCP localhost.localdomain:57343->localhost.localdomain:35952 (ESTABLISHED)

Last edited by Amarildo; 10-14-2014 at 01:04 PM.
 
Old 10-14-2014, 01:57 PM   #6
Amarildo
Member
 
Registered: Jun 2014
Posts: 176

Original Poster
Rep: Reputation: Disabled
Well, turns out the ports change everytime I open the game. Damn.

Last edited by Amarildo; 10-15-2014 at 10:23 AM.
 
Old 10-15-2014, 10:22 AM   #7
Amarildo
Member
 
Registered: Jun 2014
Posts: 176

Original Poster
Rep: Reputation: Disabled
Can I allow Steam as a whole instead of specifying ports?
 
Old 10-15-2014, 11:11 AM   #8
cepheus11
Member
 
Registered: Nov 2010
Location: Germany
Distribution: Gentoo
Posts: 286

Rep: Reputation: 91
Not that I know if. But I think it is still reasonably secure if anything local is allowed:
Code:
-s 127.0.0.1 -d 127.0.0.1
or
Code:
-i lo -o lo
 
Old 10-15-2014, 11:18 AM   #9
Amarildo
Member
 
Registered: Jun 2014
Posts: 176

Original Poster
Rep: Reputation: Disabled
Well, the loopback interface was already configured.

I think I got somewhere where I want with GUFW. I could set rules for DROP on both INPUT and OUTPUT, plus it automatically opens ports for Steam if I create a rule as the attachment shows.

Regards.
Attached Thumbnails
Click image for larger version

Name:	snapshot11.png
Views:	78
Size:	108.0 KB
ID:	16656  
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Valve Steam Machines, Steam Controller, and SteamOS: Visionary or Vapor? LXer Syndicated Linux News 0 10-10-2013 08:32 PM
LXer: Steam OS, Steam Machines and Valve Software’s “multiple partners” LXer Syndicated Linux News 0 10-02-2013 12:20 AM
LXer: Valve's Linux-powered Steam Machines gather steam LXer Syndicated Linux News 0 09-26-2013 04:00 AM
LXer: iBomber games coming to Steam for Linux! Steam also expands their Beta! LXer Syndicated Linux News 0 12-06-2012 09:50 PM
Steam on Wine, cannot login,"Steam is having trouble connecting to the Steam servers" cantab Linux - Games 1 06-19-2010 06:32 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 01:22 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration