* Proper IPTABLES Configuration
@ 2002-12-07 0:25 Rob
From: Rob @ 2002-12-07 0:25 UTC (permalink / raw)
To: netfilter
I am attempting to set up a Half-Life Counter-Strike Server on my machine. I need it set up so people can access it from the internet and my intranet.
I found the following ports I need set up.
TCP 6003 outbound, incoming replies (as specified in woncomm.lst)
TCP 7002 outbound, incoming replies (as specified in woncomm.lst)
UDP 27010 outbound, incoming replies (as specified in woncomm.lst)
UDP 27011 outbound, incoming replies (as specified in woncomm.lst)
UDP 27012 outbound, incoming replies (as specified in woncomm.lst)
UDP 27013 outbound, incoming replies
UDP 27015 outbound, incoming replies on 27015-27050
Would something like this be right?
IPTABLES -A INPUT -i eth0 -p tcp -s any/0 -d any/0 --dport 6003 -m state
--state ESTABLISHED,RELATED -j ACCEPT
With that in mind, would I have to create an output for each one too?
IPTABLES -A OUTPUT -o eth0 -p tcp --dport 6003 -m state --state
NEW,ESTABLISHED,RELATED -j ACCEPT
Thanks for your help.
Rob
* Re: Proper IPTABLES Configuration
From: james.Q.L @ 2002-12-07 5:32 UTC (permalink / raw)
To: netfilter
--- Rob <netfilter@cloudtown.com> wrote:
> I am attempting to set up a Half-Life Counter-Strike Server on my
> machine. I need
> it setup so people can access it from the internet and my intranet.
>
> I found the following ports I need setup.
>
> TCP 6003 outbound, incoming replies (as specified in woncomm.lst)
> TCP 7002 outbound, incoming replies (as specified in woncomm.lst)
> UDP 27010 outbound, incoming replies (as specified in woncomm.lst)
> UDP 27011 outbound, incoming replies (as specified in woncomm.lst)
> UDP 27012 outbound, incoming replies (as specified in woncomm.lst)
> UDP 27013 outbound, incoming replies
> UDP 27015 outbound, incoming replies on 27015-27050
I remember that 6003, 7001 and 7002 are used for authentication and server lists.
So if you only want invited people to join, maybe it's fine to just open port 27015.
Someone correct me if I am wrong.
>
> would something like this be right?
>
> IPTABLES -A INPUT -i eth0 -p tcp -s any/0 -d any/0 --dport 6003 -m state
> --state ESTABLISHED,RELATED -j ACCEPT
This will reject your friends who want to join the server by typing the IP in the game console.
> with that in mind would I have to create an output for each one too?
>
> IPTABLES -A OUTPUT -o eth0 -p tcp --dport 6003 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
Using NEW,ESTABLISHED,RELATED is the same as just saying "-j ACCEPT".
I think you want to allow "ESTABLISHED,RELATED" out.
IPTABLES -A OUTPUT -o eth0 -p tcp --dport 6003 -m state --state ESTABLISHED,RELATED -j ACCEPT
> Thanks for your help.
>
> Rob
>
>
I am not so sure about the ports, but at any rate, try it.
James.Q.L
=====
/James.Q.L
* Re: Proper IPTABLES Configuration
From: Bob Sully @ 2002-12-07 6:24 UTC (permalink / raw)
To: james.Q.L; +Cc: netfilter
Hey guys... I used to run a CS server on one of my machines. This worked for me:
# GAMES
# Half-Life/CounterStrike
#
if [ $HALF_LIFE -gt 0 ]; then
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
        --sport 27000:27050 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d \
        $ANYWHERE -j ACCEPT
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
        --sport $UNPRIVPORTS --dport 27000:27050 -s $ANYWHERE -d \
        $EXTERNAL_IP -j ACCEPT
    if [ $VERBOSE -gt 0 ]; then
        echo "firewall: Half-Life/CounterStrike ports enabled"
    fi
fi
where:
$EXTERNAL_INTERFACE = eth0 in my case
$EXTERNAL_IP = obvious
$UNPRIVPORTS = 1024:65535
$ANYWHERE = any/0
HTH -- Bob
On Sat, 7 Dec 2002, james.Q.L wrote:
> --- Rob <netfilter@cloudtown.com> wrote:
> > I am attempting to set up a Half-Life Counter-Strike Server on my
> > machine. I need
> > it setup so people can access it from the internet and my intranet.
> >
> > I found the following ports I need setup.
> >
> > TCP 6003 outbound, incoming replies (as specified in woncomm.lst)
> > TCP 7002 outbound, incoming replies (as specified in woncomm.lst)
> > UDP 27010 outbound, incoming replies (as specified in woncomm.lst)
> > UDP 27011 outbound, incoming replies (as specified in woncomm.lst)
> > UDP 27012 outbound, incoming replies (as specified in woncomm.lst)
> > UDP 27013 outbound, incoming replies
> > UDP 27015 outbound, incoming replies on 27015-27050
>
> i remember that 6003, 7001, 7002 are used for authentication and server lists.
> so if you want only invite ppl join. maybe it's fine just open 27015 port.
> someone correct me if i am wrong.
>
> >
> > would something like this be right?
> >
> > IPTABLES -A INPUT -i eth0 -p tcp -s any/0 -d any/0 --dport 6003 -m state
> > --state ESTABLISHED,RELATED -j ACCEPT
>
> this will reject you friends who want to join the server by typing the ip in the game console.
>
> > with that in mind would I have to create an output for each one too?
> >
> > IPTABLES -A OUTPUT -o eth0 -p tcp --dport 6003 -m state --state
> > NEW,ESTABLISHED,RELATED -j ACCEPT
>
> using NEW,ESTABLISHED,RELATED is the same as just saying "-j ACCEPT"
> i think you want to allow "ESTABLISHED,RELATED " out.
>
> IPTABLES -A OUTPUT -o eth0 -p tcp --dport 6003 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> > Thanks for your help.
> >
> > Rob
--
________________________________________
Bob Sully - Simi Valley, California, USA
http://www.malibyte.net
"The weather is here - wish you were beautiful." - J. Buffett
* Re: Proper IPTABLES Configuration
From: Roy Sigurd Karlsbakk @ 2002-12-07 11:57 UTC (permalink / raw)
To: Bob Sully; +Cc: james.Q.L, netfilter
Bob Sully wrote:
>Hey guys...I used to run a CS server on one of my machines. This worked
>for me:
>
> # GAMES
> # Half-Life/CounterStrike
> #
>
> if [ $HALF_LIFE -gt 0 ]; then
>
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
> --sport 27000:27050 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d \
> $ANYWHERE -j ACCEPT
>
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
> --sport $UNPRIVPORTS --dport 27000:27050 -s $ANYWHERE -d \
> $EXTERNAL_IP -j ACCEPT
>
> if [ $VERBOSE -gt 0 ]; then
> echo "firewall: Half-Life/CounterStrike ports enabled"
> fi
>
> fi
>
>where:
>
>$EXTERNAL_INTERFACE = eth0 in my case
>$EXTERNAL_IP = obvious
>$UNPRIVPORTS = 1024:65535
>$ANYWHERE = any/0
>
>
Sure, but you'd better use -m state --state RELATED,ESTABLISHED[,NEW] instead of --sport $UNPRIVPORTS, as the former is stateful.
roy
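A stateful version of Bob's rules along the lines Roy and James suggest, as an added example that is not code from any poster in this thread. It assumes the INPUT and OUTPUT chains already default to DROP, that the conntrack state match is available, and that the server listens on UDP 27015 while opening its own connections to the TCP 6003/7002 and UDP 27010-27013 entries from Rob's list; the interface name, the 203.0.113.10 address and the IPT echo mode are constructed for the example.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): stateful Half-Life rules.
# Assumes INPUT/OUTPUT default to DROP and that "-m state" (conntrack) works.
# IPT defaults to "echo iptables" so the rules can be reviewed without root;
# run with IPT=iptables to apply them for real.

IPT="${IPT:-echo iptables}"
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"
EXTERNAL_IP="${EXTERNAL_IP:-203.0.113.10}"   # constructed documentation address
GAME_PORT="${GAME_PORT:-27015}"               # UDP port the game server listens on

hl_rules() {
    # Replies to anything conntrack has already seen pass in both directions.
    # This one pair of rules replaces every "--sport $UNPRIVPORTS" match: a
    # packet is accepted because it belongs to a known flow, not because its
    # source port happens to be above 1023.
    $IPT -A INPUT  -i "$EXTERNAL_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$EXTERNAL_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The only NEW traffic the outside may open is UDP to the game port, so
    # players typing the server's IP into the console can still connect.
    $IPT -A INPUT -i "$EXTERNAL_INTERFACE" -p udp -d "$EXTERNAL_IP" \
        --dport "$GAME_PORT" -m state --state NEW -j ACCEPT

    # Connections the server itself opens (the TCP 6003/7002 and UDP
    # 27010-27013 entries from woncomm.lst). Only NEW is listed here:
    # NEW,ESTABLISHED,RELATED matches everything except INVALID, which is
    # James's point about it being the same as a bare ACCEPT.
    $IPT -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp -s "$EXTERNAL_IP" \
        -m multiport --dports 6003,7002 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp -s "$EXTERNAL_IP" \
        --dport 27010:27013 -m state --state NEW -j ACCEPT
}

hl_rules
```

Run it as `sh hl-rules.sh` to print the five commands, and as root with `IPT=iptables sh hl-rules.sh` to load them. The difference from the --sport version is on the inbound side: packets to the other 27000:27050 ports are now accepted only when they are replies to a flow the server opened, whereas Bob's INPUT rule accepted any UDP packet to that whole range as long as its source port was 1024 or higher, whether or not anything was listening.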