From: Roy Sigurd Karlsbakk
Subject: Re: Propert IPTABLES Configuration
Date: Sat, 07 Dec 2002 12:57:28 +0100
Message-ID: <3DF1E228.60804@karlsbakk.net>
To: Bob Sully
Cc: "james.Q.L", netfilter@lists.netfilter.org

Bob Sully wrote:

> Hey guys... I used to run a CS server on one of my machines. This worked
> for me:
>
>     # GAMES
>     # Half-Life/CounterStrike
>     #
>
>     if [ $HALF_LIFE -gt 0 ]; then
>
>         iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
>             --sport 27000:27050 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d \
>             $ANYWHERE -j ACCEPT
>
>         iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
>             --sport $UNPRIVPORTS --dport 27000:27050 -s $ANYWHERE -d \
>             $EXTERNAL_IP -j ACCEPT
>
>         if [ $VERBOSE -gt 0 ]; then
>             echo "firewall: Half-Life/CounterStrike ports enabled"
>         fi
>
>     fi
>
> where:
>
> $EXTERNAL_INTERFACE = eth0 in my case
> $EXTERNAL_IP = obvious
> $UNPRIVPORTS = 1024:65535
> $ANYWHERE = any/0

Sure, but you'd better use -m state --state RELATED,ESTABLISHED[,NEW]? instead of --sport $UNPRIVPORTS, as the former is stateful.

roy
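The stateful variant Roy suggests, written out as an added example (this is not code from either poster; variable names follow Bob's script, the EXTERNAL_IP value is a constructed placeholder, and the DRY_RUN switch and the ipt/half_life_stateful/count_stateful_rules names are assumptions for this example). Instead of trusting the remote source port range, it admits NEW packets only to the game ports and lets the connection tracker pass the replies:

```shell
#!/bin/sh
# Added example: stateful replacement for the --sport $UNPRIVPORTS rules.
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"
EXTERNAL_IP="${EXTERNAL_IP:-192.0.2.10}"   # constructed placeholder address (TEST-NET-1)
HL_PORTS="27000:27050"                      # Half-Life/CounterStrike server ports
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print the rules only; 0 = apply them

# ipt: print or execute one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" -eq 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# half_life_stateful: emit the rule set. Order matters: the conntrack
# rules come first so that replies never have to match a port-based rule.
half_life_stateful() {
    # Traffic belonging to a connection we already accepted, both directions.
    ipt -A INPUT  -i "$EXTERNAL_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o "$EXTERNAL_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New inbound game sessions: only UDP, only to the server ports, only to our address.
    # No --sport restriction: the client's source port is not a trust signal.
    ipt -A INPUT -i "$EXTERNAL_INTERFACE" -p udp --dport "$HL_PORTS" \
        -d "$EXTERNAL_IP" -m state --state NEW -j ACCEPT
    # Server replies match ESTABLISHED in OUTPUT, so no OUTPUT rule keyed
    # on --sport 27000:27050 is needed at all.
}

# count_stateful_rules: number of rules the function emits (used as a self-check).
count_stateful_rules() {
    half_life_stateful | wc -l | tr -d ' '
}

# Run with "show" to print the generated rules.
if [ "${1:-}" = "show" ]; then
    half_life_stateful
fi
```

Two points a practitioner should keep in mind: UDP has no handshake, so for conntrack "ESTABLISHED" just means a reply has been seen within the UDP timeout, and the rule set only does what Roy describes if the chains' policy (or a final rule) drops everything these three rules do not accept.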