/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */


Werner,

Notice the protocol type 17 which is UDP.

So your rule would look like:
        ipchains -A output -p udp -s 0/0 61000:61500 -j ACCEPT
        ipchains -A input -p udp -s 0/0 61000:61500 -j ACCEPT

Note that most masq implementations tend to use 61000:65535 for NAT traffic
so you should really allow that full range to ensure proper NAT operation.

Larry Lamb, CCNP, CCDP, MCSE, MCP+I


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf
Of Werner Joss
Sent: Sunday, July 15, 2001 7:04 AM
To: [EMAIL PROTECTED]
Subject: [Masq] counterstrike not working behind firewall


Hi list,
I apologize if this has been discussed before, I'm new to this list and
could not find appropriate help in the HOWTO nor could I read/find the list
archive...

Here is the problem: I have set up a Linux (kernel 2.2.14) router with
ipchains firewall as described in the firewall HOWTO. It works OK for
most apps, but it refuses to let a Win98 client play Counterstrike via
Internet.
My /var/log/messages contains lines like this:

Jul 14 21:19:46 router kernel: Packet log: output REJECT ppp0 PROTO=17
62.96.171.207:61011 216.52.220.16:27010 L=33 S=0x00 I=40449 F=0x0000 T=127
(#33)

from which I can see that there are packets for port 61011 and 27010 which
are rejected. I also noticed that the corresponding IP addresses change
randomly, so it would not be useful setting up rules for certain IP
addresses.
In addition, port addresses vary from 61000 to 61500; 27010 seems to be
fixed.
To reflect this, I have tried the following lines in my firewall script:

    # ----------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
            -s $IPADDR $UNPRIVPORTS \
            --destination-port 61000:61500 -j ACCEPT


    # ----------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp  \
            -s $IPADDR $UNPRIVPORTS \
            --destination-port 61000:61500 -j ACCEPT

and the same for the 27010 ports, but it doesn't work either.
any hints would be appreciated.
werner

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
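
Added example (not part of the original thread and not written by either poster): a Python script that parses the logged packet quoted above and checks it against simplified models of the output-chain rules discussed, showing which fields fail to match. The function names, the rule dictionaries and the 1024:65535 value for $UNPRIVPORTS are assumptions made for illustration.

```python
import re

# Constructed from the log entry quoted in the thread (joined onto one line).
LOG_LINE = ("Jul 14 21:19:46 router kernel: Packet log: output REJECT ppp0 PROTO=17 "
            "62.96.171.207:61011 216.52.220.16:27010 L=33 S=0x00 I=40449 F=0x0000 T=127 (#33)")

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # IANA protocol numbers

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_packet_log(line):
    """Extract chain, protocol name and ports from an ipchains 'Packet log' line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["proto"] = PROTO_NAMES.get(int(pkt["proto"]), pkt["proto"])
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt

def in_range(port, spec):
    """spec is 'low:high' as in ipchains, or None for any port."""
    if spec is None:
        return True
    low, high = (int(p) for p in spec.split(":"))
    return low <= port <= high

def mismatches(pkt, rule):
    """Return the fields on which a simplified rule fails to match pkt."""
    checks = [("chain", rule["chain"] == pkt["chain"]),
              ("proto", rule["proto"] == pkt["proto"]),
              ("sport", in_range(pkt["sport"], rule.get("sport"))),
              ("dport", in_range(pkt["dport"], rule.get("dport")))]
    return [field for field, ok in checks if not ok]

# Simplified models of the output-chain rules in the thread (addresses and interface ignored).
# 1024:65535 for $UNPRIVPORTS is an assumption; the thread does not give its value.
TCP_RULE = {"chain": "output", "proto": "tcp", "sport": "1024:65535", "dport": "61000:61500"}
UDP_RULE = {"chain": "output", "proto": "udp", "sport": "61000:61500"}
UDP_FULL_RULE = {"chain": "output", "proto": "udp", "sport": "61000:65535"}

if __name__ == "__main__":
    pkt = parse_packet_log(LOG_LINE)
    for name, rule in [("tcp", TCP_RULE), ("udp", UDP_RULE), ("udp full", UDP_FULL_RULE)]:
        print(name, mismatches(pkt, rule) or "matches")
```

The tcp rule fails on both protocol and destination port for the logged packet, while a packet masqueraded from a source port above 61500 would only match the 61000:65535 variant.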
