LinuxQuestions.org
Old 11-23-2003, 10:47 AM   #1
Johnsernickle
IPTABLES, Port Forwarding, and Warcraft III


I have set up a Linux router for my network with a 56k modem. I have gotten help from various websites to make my firewall file. Everything has worked great up to now, including FTP sites and everything. But recently I have installed Warcraft 3 hoping to play it on battle.net. When I try to connect, the game says I have chosen an incorrect server. When I looked on Blizzard's support site, they said for Warcraft III to function properly it must:

# Allow port 6112 TCP out and allow established sessions in
# Allow port 6112 TCP in (hosting custom games)
# Allow port 6113-6119 TCP out and in (hosting custom games if you’ve changed the default port in the Options/Gameplay screen)

Here's where i got the info from:

http://www.blizzard.com/support/?id=msi0445p

Also, although I don't mind as much, I also cannot send files over AIM. That hasn't worked for me since I've gotten the firewall working, and I can't figure out which port is required for that. The router on my network is running Red Hat 9 and also acts as a DHCP server for my network. Behind my router I have 2 Win2k computers and one Debian computer, if that matters at all. Here's my firewall script, maybe you can help me fix it up.







#!/bin/sh


echo -e "\n\n Loading firewall...\n"


#----------------------------------------#
# Kernel Modules #
#----------------------------------------#

IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod


#----------------------------------------#
# Setting EXTERNAL and INTERNAL #
# interfaces for the network #
#----------------------------------------#


EXTIF="ppp0"
INTIF="eth0"
INTIF2="eth1"

echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF and $INTIF2"


#----------------------------------------#
# Checking Kernel Modules #
#----------------------------------------#

echo -en " loading kernel modules: "

echo -en "verifying all kernel modules, "
$DEPMOD -a


#----------------------------------------#
# Re-Loading Defaults #
#----------------------------------------#

echo -en "ip_tables, "
$INSMOD ip_tables

echo -en "ip_conntrack, "
$INSMOD ip_conntrack

echo -en "iptable_nat, "
$INSMOD iptable_nat


#---------------------------------------#
# FTP tracking mechanism #
#---------------------------------------#

echo -en "ip_conntrack_ftp, "
$INSMOD ip_conntrack_ftp


#---------------------------------------#
# IRC tracking mechanism #
#---------------------------------------#

echo -en "ip_conntrack_irc, "
$INSMOD ip_conntrack_irc


#---------------------------------------#
# NAT for Non-Passive FTP #
#---------------------------------------#

echo -en "ip_nat_ftp, "
$INSMOD ip_nat_ftp


#---------------------------------------#
# NAT for IRC DCC #
#---------------------------------------#

echo -e "ip_nat_irc"
$INSMOD ip_nat_irc

echo ". Done loading modules."

#----------------------------------------#
# CRITICAL: Enable IP forwarding #
# #
# /etc/sysconfig/network #
# #
# FORWARD_IPV4=false #
# to #
# FORWARD_IPV4=true #
# #
#----------------------------------------#

echo " enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward


#----------------------------------------#
# Dynamic IP Address Support #
#----------------------------------------#

echo " enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr


#----------------------------------------#
# Flushing Old Tables #
#----------------------------------------#

echo " clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
# iptables accepts only ACCEPT or DROP as a built-in chain policy; REJECT is a target, not a policy
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F


#----------------------------------------#
# Initializing Forwarding #
#----------------------------------------#

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $INTIF2 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $INTIF -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG


echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\n Firewall done.\n"





Maybe someone can help me understand this script a little more too, because I only really understand parts of it. Also, I forgot to mention that Starcraft used to function properly on battle.net, with the same firewall script, but I couldn't host games. Thanks in advance,

- Peter
 
Old 11-24-2003, 03:38 PM   #2
Dewar
The line you need to add to make sure everything goes smoothly should be the following....

$IPTABLES -A FORWARD -p tcp --dport 6112 -j ACCEPT

and it should go right before the log line ($IPTABLES -A FORWARD -j LOG) at the end of the forwarding part of your script.

As for what it all means, I'm pretty good at the iptables stuff, but all the lines before that are Greek to me.

-Derek
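
An added example, not part of either post: hosting behind the MASQUERADE rule in the script needs a DNAT rule as well as a FORWARD accept, and the accept can be limited to the external interface and one LAN machine rather than every packet with destination port 6112. The LAN address 192.168.0.10 is constructed, and DRY_RUN, run, valid_ports and forward_tcp are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example, not from the thread. Forwards a hosted TCP port (or range)
# from the external interface to one LAN machine.
# Assumptions: 192.168.0.10 is a constructed LAN address; DRY_RUN is a
# hypothetical switch (default 1) that prints the commands instead of running them.
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$@"; else "$@"; fi
}

# valid_ports SPEC: succeeds for "6112" or "6113:6119" with 1 <= lo <= hi <= 65535
valid_ports() {
    case "$1" in *:*:*) return 1 ;; esac
    lo=${1%%:*}; hi=${1##*:}
    for p in "$lo" "$hi"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# forward_tcp EXTIF LAN_HOST PORTS
forward_tcp() {
    extif=$1; host=$2; ports=$3
    valid_ports "$ports" || { echo "bad port spec: $ports" >&2; return 1; }
    # Rewrite the destination of inbound connections arriving on the
    # external interface; with no port in --to-destination the port is kept.
    run "$IPTABLES" -t nat -A PREROUTING -i "$extif" -p tcp --dport "$ports" \
        -j DNAT --to-destination "$host"
    # Admit only new connections to that host and port range. Inserted at the
    # top of FORWARD so it is evaluated before the LOG rule; later packets
    # match the script's ESTABLISHED,RELATED rules.
    run "$IPTABLES" -I FORWARD 1 -i "$extif" -d "$host" -p tcp --dport "$ports" \
        -m state --state NEW -j ACCEPT
}

# Port numbers are the ones quoted from Blizzard's support page in post #1.
forward_tcp ppp0 192.168.0.10 6112
forward_tcp ppp0 192.168.0.10 6113:6119
```

With DRY_RUN=0 the same calls apply the rules and must run as root after the firewall script has loaded.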
 
  

