On Friday 04 October 2002 8:40 pm, John Bleichert wrote:
> > > I'm trying to set up incoming and outgoing traffic correctly
> > > to play a game. The game's website specifies these ports:
> > >
> > > * Outgoing:
> > > src port: 5120-5129
> > > dst port: 5121-5300
> > >
> > > * Incoming:
> > > src port: 5121-5300
> > > dst port: 5120-5129
> > >
> > > Now, for incoming packets, I have:
> > >
> > > iptables -A PREROUTING -t nat -p udp \
> > > -d ${external} --dport 5120:5129 -j DNAT --to ${gamebox}
> > >
> > > Do I really need to specify the --sport for incoming? Or will the
> > > NAT'd packets retain that src-port data?
> >
> > I would recommend that you do specify both source and destination ports,
> > simply because it provides some small additional restriction on the
> > traffic you are allowing into your system. The more you can restrict
> > that whilst still allowing what you need, the better.
>
> So that would change it to this, correct?:
>
> iptables -A PREROUTING -t nat -p udp \
> -d ${external} --dport 5120:5129 --sport 5121:5300 \
> -j DNAT --to ${gamebox}

Yes, that's the idea :-)

> > > And do I really need to do anything for outgoing packets? As long
> > > as they are not blocked, should it work fine?
> >
> > Correct. If you have a policy which allows all outbound traffic, then
> > it will work with this game (provided, of course, that whatever protocol
> > this game uses does not mind being NATted...)
>
> Currently I'm allowing all outbound traffic, I haven't had the need (so
> far) to restrict it.

Okay.

Antony.

--
How I want a drink, alcoholic of course, after the heavy chapters involving quantum mechanics.
- 3.14159265358979
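The rule set below is an added example, not code from either poster: it generates the DNAT rule discussed in the thread, matching both the game's source and destination UDP port ranges, together with the FORWARD accept that the rewritten packet still has to pass on its way to the LAN host. The addresses are constructed placeholders, the `valid_range` check and `DRY_RUN` switch are this example's own additions, and it assumes a FORWARD chain whose default policy is DROP (so replies are admitted by connection tracking rather than by an open chain).

```shell
#!/bin/sh
# Added example (not from the original thread): emit or apply the iptables
# rules for a NATted game box, restricted by source AND destination UDP
# port ranges. Addresses below are constructed placeholders.
# With DRY_RUN=1 (the default) the rules are printed rather than applied.

EXTERNAL="${EXTERNAL:-203.0.113.10}"   # constructed: public address of the firewall
GAMEBOX="${GAMEBOX:-192.168.1.50}"     # constructed: LAN host running the game
DRY_RUN="${DRY_RUN:-1}"

# Port ranges as published for the game (quoted in the thread), in iptables
# low:high syntax. Incoming: src 5121-5300 -> dst 5120-5129.
IN_DPORTS="5120:5129"
IN_SPORTS="5121:5300"

# Print or run one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Accept only a well-formed port range: low:high, both 1-65535, low <= high.
# Guards against a typo silently widening the rule (e.g. "5120" alone would
# match a single port; "5120:" would be rejected by iptables at apply time).
valid_range() {
    case "$1" in
        *:*) ;;
        *) return 1 ;;
    esac
    lo=${1%%:*}
    hi=${1##*:}
    [ -n "$lo" ] && [ -n "$hi" ] || return 1
    case "$lo$hi" in
        *[!0-9]*) return 1 ;;
    esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Build the rule set: the DNAT rewrite in the nat table, plus the FORWARD
# rules the rewritten packet and its replies must pass (assumed: FORWARD
# policy is DROP, so nothing else lets game traffic through).
game_rules() {
    valid_range "$IN_DPORTS" && valid_range "$IN_SPORTS" || return 1

    # Only UDP from the game's source range, aimed at our public address and
    # the game's destination range, is rewritten to the game box.
    ipt -t nat -A PREROUTING -p udp -d "$EXTERNAL" \
        --sport "$IN_SPORTS" --dport "$IN_DPORTS" \
        -j DNAT --to-destination "$GAMEBOX"

    # After DNAT the packet is forwarded to the LAN; match the same ports so
    # the FORWARD rule is no wider than the DNAT rule.
    ipt -A FORWARD -p udp -d "$GAMEBOX" \
        --sport "$IN_SPORTS" --dport "$IN_DPORTS" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    # Replies from the game box go back out; conntrack un-NATs them and the
    # ESTABLISHED match keeps this from becoming a general outbound hole.
    ipt -A FORWARD -p udp -s "$GAMEBOX" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

game_rules
```

Run it as-is to review the generated commands; set `DRY_RUN=0` (as root) to apply them. Keeping the FORWARD match identical to the DNAT match is the point of the exercise: the nat table only rewrites the destination, and it is the filter table that decides whether the packet is allowed through at all.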