On Wed, Aug 15, 2001 at 10:22:16AM -0700, Justin Bengtson wrote:
> i run an iptables firewall at home that routes for two computers.  we play a
> few games with people outside the firewall with my computer acting as the
> server.  my internal network is 10.0.0.0/28 and my computer's ip is
> 10.0.0.14.  the support docs for the games we play tell me to open port 4000
> to allow a connection, so the firewall needs to route any connections on
> that port directly to my computer.  they say nothing about a UDP or TCP
> connection, so i set up routing strings for both :

run the game server, go to a command prompt, type
netstat -a -n |findstr LISTENING|findstr 10.0.0.14

If you don't see port 4000 listening on 10.0.0.14, then they lied.  You'll also
see whether it is tcp or udp.

> 
> $xif is the external interface on the firewall, eth1.
> 
> iptables -t nat -A PREROUTING -p udp --dport 4000 -i $xif -j DNAT --to 10.0.0.14
> iptables -t nat -A PREROUTING -p tcp --dport 4000 -i $xif -j DNAT --to 10.0.0.14

man iptables
/dnat   (search for)
DNAT 
<snip>
--to-destination <ipaddr>[-<ipaddr>][:port-port]

> 
> this does not work.  people outside the firewall still get a "cannot connect
> to server" error.  do i need a filter rule to allow connections to port 4000
> in?  something like :
> 
> iptables -A INPUT -p tcp --dport 4000 -j ACCEPT
> iptables -A INPUT -p udp --dport 4000 -j ACCEPT

This will definitely NOT work.  You will open up 4000 to your firewall, and
will definitely NOT forward it.  INPUT/OUTPUT is local ONLY.

> 
> i drop any connection that is not established or related, allow SSH and DNS
> on the internal network as well as ip forwarding on internal.
> 
> just wondering if anyone has any insight into this...
> 

After you run your ruleset, run
iptables -L -n 

to see what rules are in there.  Your ruleset should have
iptables -F 
iptables -F -t nat 

at the beginning to clear the ruleset each time it is run, lest you have
duplicate rules.  Also when you run it, it will report errors such as "--to is
not a valid command".

Cory
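To make the point about INPUT versus FORWARD concrete, here is an added example (mine, not Cory's or Justin's code) of a complete ruleset that DNATs inbound port 4000 on the external interface to the game machine and, crucially, also accepts the rewritten packets in the FORWARD chain. It reuses the values from the post (eth1, 10.0.0.14, port 4000); the DROP policy on FORWARD, the `-m state` match and the `XIF`/`GAME_HOST`/`GAME_PORT` variable names are my assumptions. The function only prints the commands, so it can be previewed without root and piped into `sh` when you are happy with it.

```sh
#!/bin/sh
# Added example, not from the original thread: port-forward TCP and UDP 4000
# from the external interface to an internal host, with the FORWARD rules
# that the original ruleset lacked.
# Preview:  fw_rules
# Apply:    fw_rules | sudo sh

XIF=${XIF:-eth1}                  # external interface ($xif in the post)
GAME_HOST=${GAME_HOST:-10.0.0.14} # internal game server (from the post)
GAME_PORT=${GAME_PORT:-4000}      # port the game docs say to open

# Print one iptables command per line; nothing is applied by this function.
fw_rules() {
    # Flush filter and nat tables first so re-running the script does not
    # leave duplicate rules behind.
    echo "iptables -F"
    echo "iptables -F -t nat"
    # Assumed default: nothing is forwarded unless a rule below allows it.
    echo "iptables -P FORWARD DROP"
    # Packets belonging to flows already accepted may pass in either direction.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for proto in tcp udp; do
        # 1. Rewrite the destination before the routing decision (nat table).
        #    The full option name from the man page is used here.
        echo "iptables -t nat -A PREROUTING -i $XIF -p $proto --dport $GAME_PORT -j DNAT --to-destination $GAME_HOST:$GAME_PORT"
        # 2. The packet now has destination $GAME_HOST, so it traverses
        #    FORWARD, not INPUT; INPUT only sees traffic for the firewall
        #    itself.  Allow the first packet of each new connection.
        echo "iptables -A FORWARD -i $XIF -p $proto -d $GAME_HOST --dport $GAME_PORT -m state --state NEW -j ACCEPT"
    done
}

# Count the rules fw_rules emits for one chain, e.g. count_rules FORWARD,
# so you can check that every protocol got both a nat and a filter rule.
count_rules() {
    fw_rules | grep -c -- "-A $1 "
}
```

After applying, `iptables -L -n` and `iptables -t nat -L -n` should show the two PREROUTING rules and three FORWARD rules above. Two things this example deliberately does not cover: clients on the 10.0.0.0/28 LAN reaching the server through the firewall's external address (that needs an extra SNAT rule), and any host firewall on 10.0.0.14 itself, which is what the netstat check earlier in the thread is for.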
