Subject: Packet forwarding for Battle.net port 4000 6112-6119
From: Pascal Hambourg on 3 Apr 2010 05:36

Hello,

Owner wrote:
>
> iptables -t nat -A PREROUTING -p tcp --dport 4000 -j DNAT --to-destination 10.1.1.52
> iptables -t nat -A PREROUTING -p udp --dport 4000 -j DNAT --to-destination 10.1.1.52
> iptables -A FORWARD -s 10.1.1.52 -p tcp --dport 4000 -j ACCEPT
> iptables -A FORWARD -s 10.1.1.52 -p udp --dport 4000 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 6112:6119 -j DNAT --to-destination 10.1.1.52
> iptables -t nat -A PREROUTING -p udp --dport 6112:6119 -j DNAT --to-destination 10.1.1.52
> iptables -A FORWARD -s 10.1.1.52 -p tcp --dport 6112:6119 -j ACCEPT
> iptables -A FORWARD -s 10.1.1.52 -p udp --dport 6112:6119 -j ACCEPT

I don't know how Battle.net works, but I'd suggest replacing -s with -d in the FORWARD rules in order to be consistent with the DNAT rules: 10.1.1.52 is the destination, not the source.
From: Andy Furniss on 3 Apr 2010 06:11

Owner wrote:
> ok i figured these commands open the ports on linux box but problem is
> now I can't connect to battle.net server
>
> is something wrong with these commands to open the port and play game at battle.net?
> How come this works with bittorrent but not with battle.net server?

Your problem is that you only need to DNAT packets that are coming in from the internet, so you need to add -i eth0 to the nat rule.

It works for bittorrent by luck, as only connections from you to port 59527 will fail, and mostly that port won't be the one other peers are listening on.

>
> iptables -t nat -A PREROUTING -p tcp --dport 4000 -j DNAT --to-destination 10.1.1.52
> iptables -t nat -A PREROUTING -p udp --dport 4000 -j DNAT --to-destination 10.1.1.52
> iptables -A FORWARD -s 10.1.1.52 -p tcp --dport 4000 -j ACCEPT
> iptables -A FORWARD -s 10.1.1.52 -p udp --dport 4000 -j ACCEPT

These should be -d 10.1.1.52, not -s, but looking at your listing I don't see DROP anywhere, so if that's what you see normally then you are not running a firewall anyway.

If you want to submit iptables outputs I prefer to see output from

iptables -L -vn
iptables -L -vnt nat
iptables -L -vnt mangle

If you are using --state RELATED,ESTABLISHED you don't need to do anything for outbound traffic; it gets through automatically.

You could also consider adding --state NEW to the rules for the ports you allow through the firewall in FORWARD.
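The three fixes Andy describes (DNAT only on the WAN interface, FORWARD keyed on -d rather than -s, --state NEW on the allowed ports), as an added example that is not part of this thread: a POSIX sh script that emits the corrected rule set for a given WAN interface and LAN host, plus a small awk audit that flags both mistakes in an iptables-save dump. The eth0 name, the 10.1.1.52 host and the port list are taken from the thread; the function names and the audit heuristics are my own.

```shell
#!/bin/sh
# fwd_rules <wan_if> <lan_host> <port_or_range>...
# Prints (does not apply) DNAT + FORWARD rules for one LAN host. The DNAT
# rule matches only packets arriving on the WAN interface (-i), so LAN
# clients connecting out to the same port are left alone; the FORWARD rule
# matches the LAN host as destination (-d), consistent with the DNAT, and
# only for NEW connections (replies are covered by RELATED,ESTABLISHED).
fwd_rules() {
  wan=$1; host=$2; shift 2
  for ports in "$@"; do
    for proto in tcp udp; do
      echo "iptables -t nat -A PREROUTING -i $wan -p $proto --dport $ports -j DNAT --to-destination $host"
      echo "iptables -A FORWARD -i $wan -d $host -p $proto --dport $ports -m state --state NEW -j ACCEPT"
    done
  done
}

# audit_rules: reads rules (iptables-save format or plain iptables commands)
# on stdin, prints one line per suspicious rule; exit status = finding count.
audit_rules() {
  awk '
    # DNAT with no incoming-interface match: LAN-originated traffic to that
    # port gets rewritten too, which is what broke the Battle.net client.
    /-A PREROUTING / && /-j DNAT/ && !/ -i / {
      n++; print "DNAT without -i <wan_if>: " $0 }
    # FORWARD accept keyed on the host as source plus a --dport: DNATed
    # packets carry the host as destination, so this rule never sees them.
    /-A FORWARD / && /-j ACCEPT/ && /--dport/ && / -s / && !/ -d / {
      n++; print "FORWARD uses -s where -d is meant: " $0 }
    END { exit n + 0 }'
}

# The original poster's rules from the thread, reproduced as sample input.
SAMPLE_DUMP='-A PREROUTING -p tcp -m tcp --dport 59527 -j DNAT --to-destination 10.1.1.52
-A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
-A FORWARD -s 10.1.1.0/24 -o eth0 -j ACCEPT
-A FORWARD -d 10.1.1.0/24 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.1.52/32 -p tcp -m tcp --dport 59527 -j ACCEPT'

# Demo: the thread's dump yields two findings; the generated rules yield none.
printf '%s\n' "$SAMPLE_DUMP" | audit_rules || echo "findings: $?"
fwd_rules eth0 10.1.1.52 4000 6112:6119 | audit_rules && echo "generated rules: clean"
```

Pipe `iptables-save` into `audit_rules` to check a live box; the generated rules assume an existing RELATED,ESTABLISHED accept in FORWARD like the one in the poster's dump.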
From: Owner on 3 Apr 2010 10:49
On Fri, 02 Apr 2010 12:39:22 -0400, Owner wrote:

fixed! with this input

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6112 -j DNAT --to-destination 10.1.1.52:6112

Thank you everybody!

> On Fri, 02 Apr 2010 16:36:26 +0100, Mark Hobley wrote:
>
>> Owner <Owner(a)owner-pc.com> wrote:
>>> forwarding to the battle.net server
>>
>> Right. My notes were for accepting as input. Because you are forwarding, you
>> need to add rules to the forward chain.
>>
>> Remember that you will need to add rules for both incoming traffic and
>> outgoing traffic.
>>
>> Mark.
>
> ok i figured these commands open the ports on linux box but problem is
> now I can't connect to battle.net server
>
> is something wrong with these commands to open the port and play game at battle.net?
> How come this works with bittorrent but not with battle.net server?
>
> iptables -t nat -A PREROUTING -p tcp --dport 4000 -j DNAT --to-destination 10.1.1.52
> iptables -t nat -A PREROUTING -p udp --dport 4000 -j DNAT --to-destination 10.1.1.52
> iptables -A FORWARD -s 10.1.1.52 -p tcp --dport 4000 -j ACCEPT
> iptables -A FORWARD -s 10.1.1.52 -p udp --dport 4000 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 6112:6119 -j DNAT --to-destination 10.1.1.52
> iptables -t nat -A PREROUTING -p udp --dport 6112:6119 -j DNAT --to-destination 10.1.1.52
> iptables -A FORWARD -s 10.1.1.52 -p tcp --dport 6112:6119 -j ACCEPT
> iptables -A FORWARD -s 10.1.1.52 -p udp --dport 6112:6119 -j ACCEPT
>
> btw set up is
>
> internet -- linuxbox ( which i'm configuring ) -- access point -- my laptop
>
> here's my current setting
> I opened port 59527 read from tutorial on the web.
>
> # Generated by iptables-save v1.4.0 on Fri Apr 2 09:31:11 2010
> *nat
> :PREROUTING ACCEPT [392:56543]
> :POSTROUTING ACCEPT [4:244]
> :OUTPUT ACCEPT [4:244]
> -A PREROUTING -p tcp -m tcp --dport 59527 -j DNAT --to-destination 10.1.1.52
> -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Fri Apr 2 09:31:11 2010
> # Generated by iptables-save v1.4.0 on Fri Apr 2 09:31:11 2010
> *filter
> :INPUT ACCEPT [971:234521]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [408:58162]
> -A FORWARD -s 10.1.1.0/24 -o eth0 -j ACCEPT
> -A FORWARD -d 10.1.1.0/24 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 10.1.1.52/32 -p tcp -m tcp --dport 59527 -j ACCEPT
> COMMIT
> # Completed on Fri Apr 2 09:31:11 2010
>
> and also result from iptables -L
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  10.1.1.0/24          anywhere
> ACCEPT     all  --  anywhere             10.1.1.0/24          state RELATED,ESTABLISHED
> ACCEPT     tcp  --  10.1.1.52            anywhere             tcp dpt:59527
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination