routing game packets

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, 4 Oct 2002, Antony Stone wrote:

> Date: Fri, 4 Oct 2002 20:20:52 +0100
> From: Antony Stone <Antony@Soft-Solutions.co.uk>
> To: netfilter@lists.netfilter.org
> Subject: Re: routing game packets
> 
> On Friday 04 October 2002 7:42 pm, John Bleichert wrote:
> 
> > I'm trying to setup incoming and outgoing traffic correctly
> > to play a game. The game's website specifies these ports:
> >
> > * Outgoing:
> >    src port: 5120-5129
> >    dst port: 5121-5300
> >
> > * Incoming:
> >    src port: 5121-5300
> >    dst port: 5120-5129
> >
> > Now, for incoming packets, I have:
> >
> >    iptables -A PREROUTING -t nat -p udp \
> >       -d ${external} --dport 5120:5129 -j DNAT --to ${gamebox}
> >
> > Do I really need to specify the --sport for incoming? Or will the
> > NAT'd packets retain that src-port data?
> 
> I would recomend that you do specify both source and destination ports, 
> simply because it provides some small additional restriction on the traffic 
> you are allowing into your system.   The more you can restrict that whilst 
> still allowing what you need, the better.

So that would change it to this, correct?:

iptables -A PREROUTING -t nat -p udp                      \
       -d ${external} --dport 5120:5129 --sport 5121:5300 \
       -j DNAT --to ${gamebox}


> 
> > And do I really need to do anything for outgoing packets? As long
> > as they are not blocked, should it work fine?
> 
> Correct.   If you have a policy which allows all outbound traffic, then it 
> will work with this game (provided, of course, that whatever protocol this 
> game uses does not mind being NATted...)

Currently I'm allowing all outbound traffic, I haven't had the need (so 
far) to restrict it.

> 
> If you have a policy which only allows traffic to particular destination 
> ports out of your network then you should add an appropriate rule specifying 
> both source port range and destination port range to allow the game to talk.
> 
> Don't forget to add the appropriate rules to your FORWARDing chain to allow 
> the packets through your firewall after they've been NATted by the above 
> rule...
> 
> By the way, I assume the game website did specify that you need to allow UDP ?
> 
> The rule you've written above allows UDP (and not TCP) - I trust this is what 
> you need....
> 
> Antony.
> 

Yep - UDP only. Thanks for the help!

JB

#  John Bleichert 
#  http://vonbek.dhs.org/latest.jpg
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux