Linux Netfilter discussions
* Help with game server
@ 2002-12-22  2:06 Mark Ryan
  2002-12-22  8:20 ` Joel Newkirk
  0 siblings, 1 reply; 2+ messages in thread
From: Mark Ryan @ 2002-12-22  2:06 UTC (permalink / raw)
  To: netfilter

I have a linux firewall/router with iptables firewall script.  I am
trying to run a Medal of Honor game server so that me and a friend can
play.
 
I only want him to be able to connect...however I can't seem to get the
rules right.  It seems that Medal of Honor is using port 12203.  I have
the following rules but they don't work:

These to allow the connection:
$IPTABLES -A INPUT -p udp -i $EXT_IF -s 68.99.10.xx -d 67.8.168.xx --dport 12203 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $EXT_IF -s 68.99.10.xx -d 67.8.168.xx --dport 12203 -j ACCEPT

These to forward to internal machine:
$IPTABLES -t nat -A PREROUTING -p tcp --dport 12203 -i eth1 -s 68.99.10.xx -j DNAT --to 192.168.1.5:12203
$IPTABLES -t nat -A PREROUTING -p udp --dport 12203 -i eth1 -s 68.99.10.xx -j DNAT --to 192.168.1.5:12203
 
Am I doing something wrong?
 
Mark


* Re: Help with game server
  2002-12-22  2:06 Help with game server Mark Ryan
@ 2002-12-22  8:20 ` Joel Newkirk
  0 siblings, 0 replies; 2+ messages in thread
From: Joel Newkirk @ 2002-12-22  8:20 UTC (permalink / raw)
  To: Mark Ryan, netfilter

On Saturday 21 December 2002 09:06 pm, Mark Ryan wrote:
> I have a linux firewall/router with iptables firewall script.  I am
> trying to run a Medal of Honor game server so that me and a friend can
> play.
>
> I only want him to be able to connect...however I can't seem to get
> the rules right.  It seems that Medal of Honor is using port 12203.  I
> have the following rules but they don't work:
>
> These to allow the connection:
> $IPTABLES -A INPUT -p udp -i $EXT_IF -s 68.99.10.xx -d 67.8.168.xx --dport 12203 -j ACCEPT
> $IPTABLES -A INPUT -p tcp -i $EXT_IF -s 68.99.10.xx -d 67.8.168.xx --dport 12203 -j ACCEPT
>
> These to forward to internal machine:
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 12203 -i eth1 -s 68.99.10.xx -j DNAT --to 192.168.1.5:12203
> $IPTABLES -t nat -A PREROUTING -p udp --dport 12203 -i eth1 -s 68.99.10.xx -j DNAT --to 192.168.1.5:12203
>
> Am I doing something wrong?

If the connection won't work, then the answer is obviously "yes"... :^)

You have rules in INPUT for this.  If the connection is coming in at 
67.8.168.xx and being DNATted in PREROUTING to a local machine, then the 
INPUT chain will never see this traffic.  You seem to be constructing 
things based on ipchains' handling - with iptables/netfilter PREROUTING 
(mangle table prerouting chain, then nat table prerouting chain, 
specifically) is the first to see a given packet, then a routing 
decision is made, and the packet goes to either INPUT or FORWARD. 
(either the firewall box itself or forwarding to another machine.)

[IMPORTANT]
Medal of Honor uses the Quake3 engine, so it will probably require the 
Quake NAT helper in patch-o-matic, since the Q3 engine does things like 
embedding IP addresses in the data itself, not just the header. (NAT 
normally only affects packet headers)  This will require you to download 
P-O-M, patch your kernel sources, and recompile your kernel and 
iptables.  The only other solution is to have the server sit directly on 
the public IP, IE the server and the firewall machine the same.

That said, the correct rules for DNATting would probably be:

$IPTABLES -t nat -A PREROUTING -p tcp --dport 12203 -i eth1 -j DNAT --to 192.168.1.5
$IPTABLES -t nat -A PREROUTING -p udp --dport 12203 -i eth1 -j DNAT --to 192.168.1.5
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 12203 -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 12203 -j ACCEPT

These five rules are likely all you'll need.  (well, along with the Q3 
issue addressed above) Actually, you only need specific PREROUTING and 
FORWARD rules for whatever the initial connection will be, then EST/REL 
will handle everything else.  I don't know what protocol the initial 
connection uses for MoH though.  (you can try it this way, and if it 
works then "iptables -L -v -n" will show you which rule, udp or tcp, 
caught the initial connections)  

You can specify your friend's IP in the FORWARD rules above if you want 
(and if his IP is static) with the "-s 68.99.10.xx", but specifying 
destination IP is redundant, since the packet is already HERE, and 
specifying the destination port for the DNAT target is unnecessary, 
since it will by default use the same port as the packet started with, 
and change only the destIP.  Also, if you test destIP in FORWARD rules, 
be aware that the DNAT has already changed the destIP, so it will now be 
192.168.1.5, NOT 67.8.168.x...

If you set things up where the game server is the firewall, directly 
addressable at the public IP, then all you would need would be:

$IPTABLES -A INPUT -p tcp --dport 12203 -i eth1 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 12203 -i eth1 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

and if you have DROP policy for output then
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
should allow the server to continue to communicate once an outside 
machine makes the initial contact.

Obviously this assumes that you are running the Linux version of Medal of 
Honor for the server...

> Mark

j
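The rule set Joel describes (DNAT in the nat table's PREROUTING chain, accept rules in FORWARD rather than INPUT, conntrack carrying the follow-up packets), written out as a small POSIX shell script. This is an added example, not code from either post; the interface name eth1, the source address 203.0.113.10 and the server address 192.168.1.5 are placeholders, and the run() wrapper with its DRY_RUN switch is an assumed helper so the rules can be previewed without root. It goes one step past the reply by restricting both the DNAT and the FORWARD accept to the friend's source address and by matching only NEW state on the accept rules, so nothing but the first packet of a flow from that address is ever evaluated against them.

```shell
#!/bin/sh
# Added example, not from the thread. Emits (DRY_RUN=1) or applies the
# DNAT + FORWARD rules for a game server behind a netfilter router.
# Interface, addresses and port below are placeholders.

# run CMD...: print the command instead of executing it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# apply_rules EXT_IF FRIEND_IP SERVER_IP PORT
# Nothing is added to INPUT: a DNATed packet is routed to FORWARD, so the
# accept rules must live there.
apply_rules() {
    ext_if="$1"; friend="$2"; server="$3"; port="$4"

    # 1. Rewrite the destination before the routing decision. Only packets
    #    from the friend's address are translated; everything else keeps
    #    the public IP as destination and never reaches the server.
    run iptables -t nat -A PREROUTING -i "$ext_if" -s "$friend" \
        -p udp --dport "$port" -j DNAT --to-destination "$server"
    run iptables -t nat -A PREROUTING -i "$ext_if" -s "$friend" \
        -p tcp --dport "$port" -j DNAT --to-destination "$server"

    # 2. Let conntrack carry every later packet of a flow, both directions.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. Accept only the first packet of a new flow. The destination tested
    #    here is the post-DNAT private address, not the public one.
    run iptables -A FORWARD -i "$ext_if" -s "$friend" -d "$server" \
        -p udp --dport "$port" -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i "$ext_if" -s "$friend" -d "$server" \
        -p tcp --dport "$port" -m state --state NEW -j ACCEPT
}

# rule_count EXT_IF FRIEND_IP SERVER_IP PORT: number of rules a dry run
# would emit, for a quick sanity check before touching the live tables.
rule_count() {
    DRY_RUN=1 apply_rules "$@" | wc -l | tr -d ' '
}

# Preview with placeholder values: sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1 apply_rules eth1 203.0.113.10 192.168.1.5 12203
fi
```

Run it with --demo first and read the five printed commands; once they look right, run apply_rules without DRY_RUN as root. After a test connection, "iptables -t nat -L PREROUTING -v -n" and "iptables -L FORWARD -v -n" show which of the udp or tcp rules took the initial packet, which is the check Joel suggests for finding out what protocol the game opens with. The Quake3-engine NAT helper question in the reply is separate from this rule set and is not addressed by it.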
