Hello all. I'm using iptables on RH 8.0 to route and firewall my cable connection to the rest of the LAN. My problem is joining games (Ghost Recon) on ubi.com from behind the firewall. Ubi.com requires port 80 for http, which works fine, port 6667 for chat, which also works fine, and 40000-42000 for the game (I'm assuming), which seems to be random when I run nmap on machines running the game with no firewall. Is there a way to allow one or multiple machines behind the firewall to join/host a game by forwarding the ports? I attached my iptables script that I'm currently using.

Thanks,
Matt

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <blueflux@xxxxxxxxxxx>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59
# Place,
#
###########################################################################
#
# 1. Configuration options.
#
###########################################################################
#
# Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
LAN_IP="192.168.0.254"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

###########################################################################
#
# Localhost Configuration.
#
LO_IFACE="lo"
LO_IP="127.0.0.1"

###########################################################################
#
# Internet Configuration.
#
INET_IP="12.251.163.214"
INET_IFACE="eth0"

###########################################################################
#
# IPTables Configuration.
#
IPTABLES="/sbin/iptables"

###########################################################################
#
# 2. Module loading.
#
# Needed to initially load modules
#
/sbin/depmod -a

#
# Adds some iptables targets like LOG, REJECT and MASQUERADE.
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE

#
# Support for owner matching
#
#/sbin/modprobe ipt_owner

#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
#
# 3. /proc set up.
#
# Enable ip_forward if you have two or more networks, including the
# Internet, that needs forwarding of packets through this box. This is
# critical since it is turned off as default in Linux.
#
echo "1" > /proc/sys/net/ipv4/ip_forward

#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. IPTables rules set up.
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains.
# Drop ALL packets
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we don't want.
#
$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# Do some checks for obviously spoofed IP's
#
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP

#
# Enable simple IP Forwarding and Network Address Translation
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# Bad TCP packets we don't want
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#
# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1723 -j allowed

#
# UDP ports
#
# nondocumented commenting out of these rules
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

##########################
# INPUT chain
#
# Bad TCP packets we don't want.
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for incoming packets from the internet.
#
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets

#
# VPN for incoming connections to 192.168.0.1
# (the FORWARD accepts are limited to that host, as the comment intends,
# rather than the whole 192.168.0.0/16 range)
#
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to 192.168.0.1
$IPTABLES -t nat -A PREROUTING -i eth0 -p 47 -j DNAT --to 192.168.0.1
$IPTABLES -A FORWARD -p tcp -d 192.168.0.1 --dport 1723 -j ACCEPT
$IPTABLES -A FORWARD -p 47 -d 192.168.0.1 -j ACCEPT

#
# E-Mail routes to 192.168.0.1
#
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to 192.168.0.1
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j DNAT --to 192.168.0.1
$IPTABLES -A FORWARD -p tcp -d 192.168.0.1 --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 192.168.0.1 --dport 25 -j ACCEPT

#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT INPUT packet died: "

###############################
# OUTPUT chain
#
#
# Bad TCP packets we don't want.
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
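One way to forward a game's port range to a single LAN host with the same DNAT-plus-FORWARD pattern the script already uses for the VPN and mail hosts, as an added example that is not part of Matt's script or of the rc.firewall it is based on. It assumes the script's interface names (eth0 facing the Internet, eth1 facing the LAN), a hypothetical LAN game host 192.168.0.10, and the 40000-42000 range the post guesses at; the function names and the IPTABLES dry-run convention are illustrative. By default it only prints the rules it would add; set IPTABLES to the real binary to apply them.

```shell
#!/bin/sh
# Added example (not from the original post): forward a TCP/UDP port range
# from the Internet-facing interface to one LAN host.
# Dry-run by default: with IPTABLES unset the rules are printed, not applied.
# Left unquoted on purpose so "echo iptables" splits into command + argument.
IPTABLES="${IPTABLES:-echo iptables}"
INET_IFACE="eth0"            # same roles as in the firewall script
LAN_IFACE="eth1"
GAME_HOST="192.168.0.10"     # hypothetical LAN machine that joins/hosts games
GAME_PORTS="40000:42000"     # iptables range syntax: LOW:HIGH

# port_range_ok LOW:HIGH
# Reject malformed ranges (non-digits, reversed bounds, ports above 65535)
# before they reach iptables; a single port "N" is also accepted.
port_range_ok() {
    case "$1" in
        ''|*[!0-9:]*|*:*:*|:*|*:) return 1 ;;
    esac
    low="${1%%:*}"
    high="${1##*:}"
    [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]
}

# forward_range PROTO
# Emit the PREROUTING DNAT for inbound packets on INET_IFACE and the
# FORWARD accept for the first (NEW) packet of each translated flow.
# Later packets are covered by the script's ESTABLISHED,RELATED rule and
# replies are rewritten back by its POSTROUTING SNAT.
forward_range() {
    proto="$1"
    $IPTABLES -t nat -A PREROUTING -i "$INET_IFACE" -p "$proto" \
        --dport "$GAME_PORTS" -j DNAT --to-destination "$GAME_HOST"
    $IPTABLES -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -p "$proto" \
        -d "$GAME_HOST" --dport "$GAME_PORTS" -m state --state NEW -j ACCEPT
}

# apply_game_forwarding
# Validate the range, then add the rules for both TCP and UDP, since the
# post does not say which protocol the 40000-42000 traffic uses.
apply_game_forwarding() {
    if ! port_range_ok "$GAME_PORTS"; then
        echo "bad port range: $GAME_PORTS" >&2
        return 1
    fi
    for proto in tcp udp; do
        forward_range "$proto"
    done
}

apply_game_forwarding
```

Two things a practitioner would want to know before pasting this into the script: a DNAT for a given public port can only point at one LAN host at a time, so a second machine needs a second, different public range (or the game's own support for a configurable port); and because the script appends its rate-limited "IPT FORWARD packet died" LOG rule to the FORWARD chain before the per-host accepts, a new accept appended after it still matches (LOG does not terminate the chain), but every new game connection will show up in that log until the accept is moved above the LOG rule.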