Linux - Software: This forum is for Software issues. Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
10-14-2014, 11:32 AM
#1
Member
Registered: Jun 2014
Posts: 176
Steam and iptables
I'm trying to get Steam work with my iptables rules but even though I allow all traffic Steam needs I can't play some games like Counter Strike.
The only "problem" with my iptables rules is the OUTPUT chain. If I let it open Counter Strike works. If I close it and open the ports Steam said it's needed, it doesn't.
My OUTPUT chain:
Code:
# Drop OUTPUT, except rules specified by us
iptables -P OUTPUT DROP
# Accept outbound established and related traffic
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# http, Mail, DNS and https accepted
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
# Steam
# Steam: the two UDP ranges are contiguous, so one rule covers 27000-27030,
# and the repeated 4380 rule is listed once
iptables -A OUTPUT -p udp --dport 27000:27030 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 27014:27050 -j ACCEPT
iptables -A OUTPUT -p udp --dport 3478 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4379 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4380 -j ACCEPT
# Drop invalid
iptables -N drop_invalid
iptables -A OUTPUT -m conntrack --ctstate INVALID -j drop_invalid
iptables -A drop_invalid -j LOG --log-level info --log-prefix "drop_invalid -- DENY "
iptables -A drop_invalid -j DROP
# This shouldn't be necessary, but nevertheless a precaution
iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK,PSH,URG SYN -m state --state NEW -j DROP
# This ends my whole iptables rules.
# All traffic is now dropped and logged
iptables -N RULE_13
iptables -A OUTPUT -j RULE_13
iptables -A INPUT -j RULE_13
iptables -A FORWARD -j RULE_13
iptables -A RULE_13 -j LOG --log-level info --log-prefix "RULE 13 -- DENY "
iptables -A RULE_13 -j DROP
https://support.steampowered.com/kb_...8571-GLVN-8711
Last edited by Amarildo; 10-14-2014 at 11:33 AM.
10-14-2014, 12:08 PM
#2
Member
Registered: Nov 2010
Location: Germany
Distribution: Gentoo
Posts: 286
You could try with icmp enabled, or check which ports are accessed with
...while OUTPUT policy is ACCEPT.
10-14-2014, 12:23 PM
#3
Member
Registered: Jun 2014
Posts: 176
Original Poster
I don't want OUTPUT with ACCEPT policy.
Regards.
Last edited by Amarildo; 10-14-2014 at 12:25 PM.
10-14-2014, 12:37 PM
#4
Member
Registered: Nov 2010
Location: Germany
Distribution: Gentoo
Posts: 286
I meant just for diagnostics, to know the ports.
10-14-2014, 12:57 PM
#5
Member
Registered: Jun 2014
Posts: 176
Original Poster
Oh, I see. Sorry for my misinterpretation. I'll see what I can do.
This is the output. I'll make sure to allow these ports and test it again.
Code:
lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhcpcd 328 root 6u IPv4 11798 0t0 UDP *:bootpc
steam 736 junior 34u IPv4 13175 0t0 TCP localhost.localdomain:57343 (LISTEN)
steam 736 junior 42u IPv4 13181 0t0 UDP *:27036
steam 736 junior 56u IPv4 13190 0t0 TCP *:27036 (LISTEN)
steam 736 junior 64u IPv4 13220 0t0 UDP *:54298
steam 736 junior 82u IPv4 19131 0t0 UDP *:58927
steam 736 junior 91u IPv4 580522 0t0 TCP localhost.localdomain:57343->localhost.localdomain:35955 (ESTABLISHED)
steam 736 junior 92u IPv4 580429 0t0 TCP localhost.localdomain:57343->localhost.localdomain:35954 (ESTABLISHED)
steam 736 junior 100u IPv4 580018 0t0 TCP localhost.localdomain:57343->localhost.localdomain:35952 (ESTABLISHED)
steam 736 junior 101u IPv4 580177 0t0 TCP localhost.localdomain:57343->localhost.localdomain:35953 (ESTABLISHED)
hl_linux 3120 junior 36u IPv4 572833 0t0 TCP localhost.localdomain:35952->localhost.localdomain:57343 (ESTABLISHED)
hl_linux 3120 junior 89u IPv4 581025 0t0 UDP *:33058
hl_linux 3120 junior 90u IPv4 581432 0t0 UDP *:27015
hl_linux 3120 junior 91u IPv4 581433 0t0 UDP *:27005
hl_linux 3120 junior 92u IPv4 581434 0t0 UDP *:27025
gameoverl 3123 junior 21u IPv4 572844 0t0 TCP localhost.localdomain:35953->localhost.localdomain:57343 (ESTABLISHED)
gameoverl 3123 junior 28u IPv4 580428 0t0 TCP localhost.localdomain:35954->localhost.localdomain:57343 (ESTABLISHED)
gameoverl 3123 junior 29u IPv4 580521 0t0 TCP localhost.localdomain:35955->localhost.localdomain:57343 (ESTABLISHED)
gameoverl 3123 junior 38u IPv4 580653 0t0 UDP *:37688
gameoverl 3123 junior 100u IPv4 580018 0t0 TCP localhost.localdomain:57343->localhost.localdomain:35952 (ESTABLISHED)
Last edited by Amarildo; 10-14-2014 at 01:04 PM.
10-14-2014, 01:57 PM
#6
Member
Registered: Jun 2014
Posts: 176
Original Poster
Well, turns out the ports change every time I open the game. Damn.
Last edited by Amarildo; 10-15-2014 at 10:23 AM.
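The ports that change between launches are the local ones that lsof reports; an OUTPUT rule written with --dport matches the remote port, and the catch-all chain in the first post already logs exactly that number (DPT=) for every packet it drops. The script below is an added example, not something posted in the thread: it summarises the "RULE 13 -- DENY" log lines by protocol and destination port and turns the result into candidate ACCEPT rules to review. The four log lines are constructed in the kernel's iptables LOG format with invented addresses and ports; the last one is an inbound drop and is ignored because OUT= is empty.

```shell
#!/bin/sh
# Added example, not from the thread. The first post's catch-all chain
# already logs every dropped packet with the prefix "RULE 13 -- DENY".
# Those lines carry the remote port (DPT=) that an OUTPUT --dport rule
# has to match; the local ports lsof shows are ephemeral and change on
# each launch, so they are the wrong thing to whitelist.
#
# Constructed sample in the kernel's iptables LOG format. Addresses and
# ports are invented for illustration; the last line is an inbound drop
# (IN=eth0, OUT empty) and must be ignored by the outbound summary.
SAMPLE_LOG='Oct 14 13:01:02 host kernel: RULE 13 -- DENY IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=54298 DPT=27017 LEN=40
Oct 14 13:01:03 host kernel: RULE 13 -- DENY IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=58927 DPT=27017 LEN=40
Oct 14 13:01:04 host kernel: RULE 13 -- DENY IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=41022 DPT=27036 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 14 13:01:05 host kernel: RULE 13 -- DENY IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# denied_outbound [logfile]
# Prints "<count> <PROTO> <DPT>" for each distinct dropped outbound flow,
# most frequent first. Reads stdin when no file is given, so it can be fed
# from "dmesg" or "journalctl -k".
denied_outbound() {
    grep 'RULE 13 -- DENY' "${1:--}" \
    | awk '{
        out = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "OUT")   out   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
        }
        # OUT= is empty for inbound drops (the chain is also hooked to INPUT)
        if (out != "" && proto != "" && dpt != "") n[proto " " dpt]++
      }
      END { for (k in n) print n[k], k }' \
    | sort -rn
}

# suggest_rules [logfile]
# Turns the summary into candidate ACCEPT rules to review before adding.
suggest_rules() {
    denied_outbound "$@" \
    | awk '{ print "iptables -A OUTPUT -p " tolower($2) " --dport " $3 " -j ACCEPT" }'
}
```

Run it against the live log with `dmesg | denied_outbound` (or `journalctl -k | suggest_rules`) while the game is started once; because the ESTABLISHED,RELATED rule comes first, only the first packet of each new flow reaches the catch-all, so the summary stays short and each line corresponds to one missing rule. Review the suggestions rather than pasting them blindly: a game that is also told to talk to an arbitrary server will show up here just the same.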
10-15-2014, 10:22 AM
#7
Member
Registered: Jun 2014
Posts: 176
Original Poster
Can I allow Steam as a whole instead of specifying ports?
10-15-2014, 11:11 AM
#8
Member
Registered: Nov 2010
Location: Germany
Distribution: Gentoo
Posts: 286
Not that I know of. But I think it is still reasonably secure if anything local is allowed:
Code:
-s 127.0.0.1 -d 127.0.0.1
or
10-15-2014, 11:18 AM
#9
Member
Registered: Jun 2014
Posts: 176
Original Poster
Well, the loopback interface was already configured.
I think I got to where I want with GUFW. I could set rules for DROP on both INPUT and OUTPUT, plus it automatically opens ports for Steam if I create a rule as the attachment shows.
Regards.
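The OUTPUT chain from the first post, rebuilt as a script that is an added example and not the poster's configuration: the two overlapping UDP ranges become one 27000:27030 rule, the repeated 4380 rule is gone, loopback is allowed explicitly (the lsof output in post #5 shows Steam and hl_linux connected to each other over 127.0.0.1, which a DROP policy without an lo rule would block), the catch-all LOG is rate-limited, and the policy is set after the ACCEPT rules so applying the script over a live session does not cut it off. It also carries the `-m owner --uid-owner` match as the closest thing iptables has to the per-program rule asked about in post #7: iptables cannot match a binary, but the owner match ties outbound packets to the user that sent them, so running Steam under a dedicated account approximates "allow Steam as a whole" for the OUTPUT chain only. The IPT and STEAM_USER variables are this example's assumptions; IPT=echo prints the rules instead of applying them, so the generated chain can be checked without root.

```shell
#!/bin/sh
# Added example, not the poster's script. Rebuilds the OUTPUT chain from
# the first post with the Steam ranges merged and shows the owner match as
# the per-program alternative asked about later in the thread.
#
# Assumptions (not from the thread):
#   IPT        - the iptables binary; set IPT=echo to print the rules
#                instead of applying them (no root needed for that).
#   STEAM_USER - the account Steam runs as; lsof in post #5 shows "junior".
IPT="${IPT:-iptables}"
STEAM_USER="${STEAM_USER:-junior}"

# Destination ports as the poster listed them from the Steam support page;
# the two UDP ranges are contiguous, so they collapse into one.
STEAM_UDP="27000:27030 3478 4379 4380"
STEAM_TCP="27014:27050"

base_output_rules() {
    $IPT -F OUTPUT
    # Loopback first: Steam and hl_linux talk to each other over 127.0.0.1
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate INVALID -j DROP
    # http, mail, DNS and https
    for p in 80 25 443; do
        $IPT -A OUTPUT -p tcp --dport "$p" -j ACCEPT
    done
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
}

# Variant A: allow Steam by destination port, as the thread does.
steam_port_rules() {
    for r in $STEAM_UDP; do $IPT -A OUTPUT -p udp --dport "$r" -j ACCEPT; done
    for r in $STEAM_TCP; do $IPT -A OUTPUT -p tcp --dport "$r" -j ACCEPT; done
}

# Variant B: allow everything the Steam account sends. The owner match is
# only valid in OUTPUT and POSTROUTING, so this covers outbound traffic;
# replies still come back through the ESTABLISHED rule. Every process of
# that user gets this, so it only helps if the account runs nothing else.
steam_owner_rules() {
    $IPT -A OUTPUT -m owner --uid-owner "$STEAM_USER" -j ACCEPT
}

# Catch-all: log (rate-limited so a chatty game cannot flood the log) and drop.
log_and_drop_rest() {
    $IPT -N RULE_13 2>/dev/null || $IPT -F RULE_13
    $IPT -A RULE_13 -m limit --limit 5/min -j LOG --log-level info --log-prefix "RULE 13 -- DENY "
    $IPT -A RULE_13 -j DROP
    $IPT -A OUTPUT -j RULE_13
}

# Set the policy last, after the ACCEPT rules exist, so applying this over
# an existing session does not cut it off half-way.
apply_output_chain() {
    base_output_rules
    steam_port_rules          # or steam_owner_rules; one of the two is enough
    log_and_drop_rest
    $IPT -P OUTPUT DROP
}

# count_rules PATTERN: number of generated lines on stdin matching PATTERN.
count_rules() { grep -c -- "$1"; }

if [ "$IPT" = echo ]; then
    apply_output_chain
fi
```

`IPT=echo sh steam-output.sh` (a hypothetical file name) prints the chain for inspection; without IPT set it does nothing until one of the functions is called as root. The owner-match variant is the only way in plain iptables to stop maintaining a port list, and its cost is the one stated in the comment: every program the Steam account runs gets unrestricted outbound access, so it is a gain only when that account runs nothing but Steam.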