In the rules that have 27000-27022 or 27015-27022 as the port range,
that's just because these rules are on my L4D server and the forks
listen on ports up through 27022. You can tighten those rules down to
allow only the ports you are using.
- Dave
David A. Parker wrote:
> Here's a script to set up iptables with the rules I use. This works
> pretty well on Debian Lenny. In essence, it allows most SSH and SRCDS
> traffic without logging, and logs all pings and dropped packets. My
> apologies if any of the lines get wrapped.
>
> - Dave
>
> #!/bin/bash
>
> IPTABLES="/sbin/iptables"
> IPADDR="xxx.xxx.xxx.xxx"
>
> # Flush existing iptables rules
> ${IPTABLES} -F INPUT
> ${IPTABLES} -F OUTPUT
> ${IPTABLES} -F FORWARD
>
> # Set the default policies
> ${IPTABLES} -P INPUT DROP
> ${IPTABLES} -P FORWARD DROP
> ${IPTABLES} -P OUTPUT ACCEPT
>
> #
> #--- INPUT RULES ---
> #
>
> # DROP broadcast and multicast packets without logging
> ${IPTABLES} -A INPUT -m pkttype --pkt-type broadcast -j DROP
> ${IPTABLES} -A INPUT -d 224.0.0.0/24 -j DROP
>
> # ACCEPT localhost traffic without logging
> ${IPTABLES} -A INPUT -i lo -j ACCEPT
>
> # ACCEPT SSH packets without logging
> ${IPTABLES} -A INPUT -p tcp -d ${IPADDR} --dport 22 -j ACCEPT
>
> # ACCEPT srcds rcon connections (TCP) without logging
> ${IPTABLES} -A INPUT -p tcp -d ${IPADDR} --dport 27015:27022 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> # ACCEPT srcds game connections (UDP) without logging
> ${IPTABLES} -A INPUT -p udp -d ${IPADDR} --dport 1200 -j ACCEPT
> ${IPTABLES} -A INPUT -p udp -d ${IPADDR} --dport 27000:27022 -j ACCEPT
>
> # ACCEPT all established/related connections without logging
> ${IPTABLES} -A INPUT -p tcp -d ${IPADDR} -m state --state ESTABLISHED,RELATED -j ACCEPT
> ${IPTABLES} -A INPUT -p udp -d ${IPADDR} -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # LOG and ACCEPT ICMP Types 8 and 0 (echo-request and echo-reply)
> ${IPTABLES} -A INPUT -p icmp --icmp-type echo-request -j LOG --log-prefix "--[INPUT (ECHO-REQUEST)]:-- "
> ${IPTABLES} -A INPUT -p icmp --icmp-type echo-reply -j LOG --log-prefix "--[INPUT (ECHO-REPLY)]:-- "
> ${IPTABLES} -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
> ${IPTABLES} -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
>
> # ACCEPT ICMP Type 3 (destination unreachable) without logging
> ${IPTABLES} -A INPUT -p icmp --icmp-type destination-unreachable -d ${IPADDR} -j ACCEPT
>
> # ACCEPT ICMP Type 11 (time exceeded) without logging
> ${IPTABLES} -A INPUT -p icmp --icmp-type time-exceeded -d ${IPADDR} -j ACCEPT
>
> # LOG everything else before it gets dropped by default policy
> ${IPTABLES} -A INPUT -j LOG --log-prefix "--[DROPPED (INPUT)]:-- "
>
>
> Crazy Canucks wrote:
>> I'm afraid I don't know anything about iptables, which was why I wanted
>> to use Firehol. I used to use Bastille, but that hasn't been updated
>> for Debian Lenny. Anyway, if you could post that, I'd be grateful. I
>> might have to cave in and teach myself about iptables...
>>
>> Drek
>>
>> David Parker wrote:
>>> I don't use Firehol, but I have a working iptables config if you would
>>> like that.
>>>
>>> - Dave
>>>
>>> ----- Original Message -----
>>> From: Crazy Canucks <[email protected]>
>>> Date: Thursday, September 10, 2009 7:51 pm
>>> Subject: [hlds_linux] Configuring Firehol for Steam/HLDS/SRCDS
>>> To: Valve Linux Server Mailing List <[email protected]>
>>>
>>>
>>>> I'm pulling my hair out over this one. Does anyone have a working
>>>> configuration for Steam/HLDS/SRCDS for Firehol that they would be
>>>> willing to share?
>>>>
>>>> Drek
>>>>
>>>> _______________________________________________
>>>> To unsubscribe, edit your list preferences, or view the list
>>>> archives, please visit:
>>>> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
>>>>
>>
>
--
Dave Parker
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
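As an added example (it is not Dave's script and did not appear on the hlds_linux list), here is the same policy written for iptables-restore, so the whole filter table loads atomically instead of rule by rule, with the established/related fast path placed first and both LOG rules rate-limited with the limit match so that a ping flood or a port scan cannot fill syslog. The address 203.0.113.10, the port range 27015:27016, and the LOG_RATE/LOG_BURST values are constructed placeholders to replace with your own host's values; unlike the quoted script it drops the whole multicast block 224.0.0.0/4 rather than only 224.0.0.0/24, and it relies on conntrack to accept echo replies to the server's own pings, so there is no separate echo-reply rule.

```shell
#!/bin/sh
# Added example, not Dave's script: build an SRCDS host's INPUT policy as an
# iptables-restore ruleset. Nothing is applied unless run as root with --apply.
# Placeholders (constructed): change IPADDR and GAME_PORTS for your own host.
IPADDR="${IPADDR:-203.0.113.10}"         # TEST-NET-3 address, constructed
GAME_PORTS="${GAME_PORTS:-27015:27016}"  # only the ports the forks actually use
LOG_RATE="${LOG_RATE:-5/min}"            # cap on LOG entries per LOG rule
LOG_BURST="${LOG_BURST:-10}"             # initial burst allowed before the cap

# gen_ruleset prints the ruleset in iptables-save format to stdout.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Fast path: packets of tracked connections (including ICMP echo replies to
# our own pings) are accepted before any per-port rule is evaluated.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# Broadcast and the whole multicast block are dropped silently.
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
# New SSH, rcon (TCP) and game (UDP) traffic, only to this host's address.
-A INPUT -p tcp -d ${IPADDR} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -d ${IPADDR} --dport ${GAME_PORTS} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -d ${IPADDR} --dport 1200 -j ACCEPT
-A INPUT -p udp -d ${IPADDR} --dport ${GAME_PORTS} -j ACCEPT
# ICMP: log echo requests at a bounded rate, accept echo plus the error types
# that path-MTU discovery and traceroute depend on.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit ${LOG_RATE} --limit-burst ${LOG_BURST} -j LOG --log-prefix "--[INPUT (ECHO-REQUEST)]:-- "
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Everything else is logged at a bounded rate and falls through to DROP.
-A INPUT -m limit --limit ${LOG_RATE} --limit-burst ${LOG_BURST} -j LOG --log-prefix "--[DROPPED (INPUT)]:-- "
COMMIT
EOF
}

# rule_count returns the number of INPUT rules the generator emitted.
rule_count() {
    gen_ruleset | grep -c '^-A INPUT '
}

# validate_ruleset parses the ruleset without committing it (iptables-restore --test).
validate_ruleset() {
    gen_ruleset | iptables-restore --test
}

# apply_ruleset loads the table atomically; refuses to run unprivileged.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: must run as root" >&2; return 1; }
    gen_ruleset | iptables-restore
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    --test)  validate_ruleset ;;
    *)       gen_ruleset ;;
esac
```

Run the script with no arguments to print the ruleset for review, with `--test` to have iptables-restore parse it without committing, and as root with `--apply` to load it. Once the limit match is exceeded, unmatched packets are still dropped by the INPUT policy, just not logged, so the packet counter on the final LOG rule (`iptables -L INPUT -v -n`) is a lower bound on what was dropped, not a total.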