Propert IPTABLES Configuration

Linux Netfilter discussions
 help / color / mirror / Atom feed

* Propert IPTABLES Configuration
@ 2002-12-07  0:25 Rob
  2002-12-07  5:32 ` james.Q.L
  0 siblings, 1 reply; 4+ messages in thread
From: Rob @ 2002-12-07  0:25 UTC (permalink / raw)
  To: netfilter

I am attempting to setup a Half-Life Counter-Strike Server on my 
machine.  I need
it setup so people can access it from the internet and my intranet.

I found the following ports I need setup.

TCP 6003 outbound, incoming replies (as specified in woncomm.lst)
TCP 7002 outbound, incoming replies (as specified in woncomm.lst)
UDP 27010 outbound, incoming replies (as specified in woncomm.lst)
UDP 27011 outbound, incoming replies (as specified in woncomm.lst)
UDP 27012 outbound, incoming replies (as specified in woncomm.lst)
UDP 27013 outbound, incoming replies
UDP 27015 outbound, incoming replies on 27015-27050


would something like this be right?

IPTABLES -A INPUT -i eth0 -p tcp -s any/0 -d any/0 --dport 6003 -m state 
--state ESTABLISHED,RELATED -j ACCEPT

with that in mind would I have to create an output for each one too?

IPTABLES -A OUTPUT -o eth0 -p tcp --dport 6003 -m state --state 
NEW,ESTABLISHED,RELATED -j ACCEPT

Thanks for your help.

Rob



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Propert IPTABLES Configuration
  2002-12-07  0:25 Propert IPTABLES Configuration Rob
@ 2002-12-07  5:32 ` james.Q.L
  2002-12-07  6:24   ` Bob Sully
  0 siblings, 1 reply; 4+ messages in thread
From: james.Q.L @ 2002-12-07  5:32 UTC (permalink / raw)
  To: netfilter

 --- Rob <netfilter@cloudtown.com> wrote: > I am attempting to setup a Half-Life Counter-Strike
Server on my 
> machine.  I need
> it setup so people can access it from the internet and my intranet.
> 
> I found the following ports I need setup.
> 
> TCP 6003 outbound, incoming replies (as specified in woncomm.lst)
> TCP 7002 outbound, incoming replies (as specified in woncomm.lst)
> UDP 27010 outbound, incoming replies (as specified in woncomm.lst)
> UDP 27011 outbound, incoming replies (as specified in woncomm.lst)
> UDP 27012 outbound, incoming replies (as specified in woncomm.lst)
> UDP 27013 outbound, incoming replies
> UDP 27015 outbound, incoming replies on 27015-27050

i remember that 6003, 7001, 7002 are used for authentication and server lists.
so if you want only invite ppl join. maybe it's fine just open 27015 port.
someone correct me if i am wrong.
 
> 
> would something like this be right?
> 
> IPTABLES -A INPUT -i eth0 -p tcp -s any/0 -d any/0 --dport 6003 -m state 
> --state ESTABLISHED,RELATED -j ACCEPT

this will reject you friends who want to join the server by typing the ip in the game console.

> with that in mind would I have to create an output for each one too?
> 
> IPTABLES -A OUTPUT -o eth0 -p tcp --dport 6003 -m state --state 
> NEW,ESTABLISHED,RELATED -j ACCEPT

using NEW,ESTABLISHED,RELATED is the same as just saying "-j ACCEPT"
i think you want to allow "ESTABLISHED,RELATED " out.

IPTABLES -A OUTPUT -o eth0 -p tcp --dport 6003 -m state --state ESTABLISHED,RELATED -j ACCEPT

> Thanks for your help.
> 
> Rob
> 
>  

i am not so sure about the ports but in any rate, try it.

James.Q.L

=====
/James.Q.L

______________________________________________________________________ 
Post your free ad now! http://personals.yahoo.ca


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Propert IPTABLES Configuration
  2002-12-07  5:32 ` james.Q.L
@ 2002-12-07  6:24   ` Bob Sully
  2002-12-07 11:57     ` Roy Sigurd Karlsbakk
  0 siblings, 1 reply; 4+ messages in thread
From: Bob Sully @ 2002-12-07  6:24 UTC (permalink / raw)
  To: james.Q.L; +Cc: netfilter



Hey guys...I used to run a CS server on one of my machines.  This worked 
for me:

        # GAMES
        # Half-Life/CounterStrike
        #

        if [ $HALF_LIFE -gt 0 ]; then

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
        --sport 27000:27050 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d \
        $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
        --sport $UNPRIVPORTS --dport 27000:27050 -s $ANYWHERE -d \
        $EXTERNAL_IP -j ACCEPT

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Half-Life/CounterStrike ports enabled"
            fi

        fi

where:

$EXTERNAL_INTERFACE = eth0 in my case
$EXTERNAL_IP = obvious
$UNPRIVPORTS = 1024:65535
$ANYWHERE = any/0

HTH -- Bob


On Sat, 7 Dec 2002, james.Q.L wrote:

>  --- Rob <netfilter@cloudtown.com> wrote: > I am attempting to setup a Half-Life Counter-Strike
> Server on my 
> > machine.  I need
> > it setup so people can access it from the internet and my intranet.
> > 
> > I found the following ports I need setup.
> > 
> > TCP 6003 outbound, incoming replies (as specified in woncomm.lst)
> > TCP 7002 outbound, incoming replies (as specified in woncomm.lst)
> > UDP 27010 outbound, incoming replies (as specified in woncomm.lst)
> > UDP 27011 outbound, incoming replies (as specified in woncomm.lst)
> > UDP 27012 outbound, incoming replies (as specified in woncomm.lst)
> > UDP 27013 outbound, incoming replies
> > UDP 27015 outbound, incoming replies on 27015-27050
> 
> i remember that 6003, 7001, 7002 are used for authentication and server lists.
> so if you want only invite ppl join. maybe it's fine just open 27015 port.
> someone correct me if i am wrong.
>  
> > 
> > would something like this be right?
> > 
> > IPTABLES -A INPUT -i eth0 -p tcp -s any/0 -d any/0 --dport 6003 -m state 
> > --state ESTABLISHED,RELATED -j ACCEPT
> 
> this will reject you friends who want to join the server by typing the ip in the game console.
> 
> > with that in mind would I have to create an output for each one too?
> > 
> > IPTABLES -A OUTPUT -o eth0 -p tcp --dport 6003 -m state --state 
> > NEW,ESTABLISHED,RELATED -j ACCEPT
> 
> using NEW,ESTABLISHED,RELATED is the same as just saying "-j ACCEPT"
> i think you want to allow "ESTABLISHED,RELATED " out.
> 
> IPTABLES -A OUTPUT -o eth0 -p tcp --dport 6003 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> > Thanks for your help.
> > 
> > Rob

-- 
________________________________________
Bob Sully - Simi Valley, California, USA
http://www.malibyte.net

"The weather is here - wish you were beautiful." - J. Buffett




^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Propert IPTABLES Configuration
  2002-12-07  6:24   ` Bob Sully
@ 2002-12-07 11:57     ` Roy Sigurd Karlsbakk
  0 siblings, 0 replies; 4+ messages in thread
From: Roy Sigurd Karlsbakk @ 2002-12-07 11:57 UTC (permalink / raw)
  To: Bob Sully; +Cc: james.Q.L, netfilter

Bob Sully wrote:

>Hey guys...I used to run a CS server on one of my machines.  This worked 
>for me:
>
>        # GAMES
>        # Half-Life/CounterStrike
>        #
>
>        if [ $HALF_LIFE -gt 0 ]; then
>
>            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
>        --sport 27000:27050 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d \
>        $ANYWHERE -j ACCEPT
>
>            iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
>        --sport $UNPRIVPORTS --dport 27000:27050 -s $ANYWHERE -d \
>        $EXTERNAL_IP -j ACCEPT
>
>            if [ $VERBOSE -gt 0 ]; then
>                echo "firewall: Half-Life/CounterStrike ports enabled"
>            fi
>
>        fi
>
>where:
>
>$EXTERNAL_INTERFACE = eth0 in my case
>$EXTERNAL_IP = obvious
>$UNPRIVPORTS = 1024:65535
>$ANYWHERE = any/0
>  
>
sure, but you'd better use -m state --state RELATED,ESTABLISHED[,NEW]? 
instead of
--sport $UNPRIVPORTS, as the former is stateful.

roy






^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2002-12-07 11:57 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2002-12-07  0:25 Propert IPTABLES Configuration Rob
2002-12-07  5:32 ` james.Q.L
2002-12-07  6:24   ` Bob Sully
2002-12-07 11:57     ` Roy Sigurd Karlsbakk

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox