Gentoo Forums
[Resolved] IPTables config/bootup script location?
Reply to topic    Gentoo Forums Forum Index Networking & Security
Jonathan_Casey
n00b

Joined: 02 Oct 2010
Posts: 13

PostPosted: Sat Oct 02, 2010 1:03 am    Post subject: [Resolved] IPTables config/bootup script location?

Hi all,

My brother set up our gentoo machine to act as the server for our LAN. I'm trying to play Diablo 2 online and can't connect on my machine due to 2 ports being blocked by the iptables on the gentoo machine.

I've spent several hours trying to learn how to work with the iptables and hit a bit of a problem: my brother, who set it all up, lives in Sweden now and I can't seem to contact him at the moment. I'm trying to find the script which is run at bootup that configures the iptables so I can add 2 new commands which will allow me to use the ports on my machine (internally on 10.0.0.67, the gentoo server is 10.0.0.250).

Does anyone know where the config file my brother would have written is likely to reside on the server? Is there a default location?

All I seem to be able to do is save (at least that's what I think I'm doing) the current state of the iptables to the file with:
/etc/init.d/iptables save

I hope someone out there is awake... :)

p.s. I just graduated with my master's in computer science so don't be afraid to get complicated :)


Last edited by Jonathan_Casey on Sun Oct 03, 2010 1:39 am; edited 1 time in total
d2_racing
Bodhisattva

Joined: 25 Apr 2005
Posts: 13047
Location: Ste-Foy,Canada

PostPosted: Sat Oct 02, 2010 1:09 am

Hi, can you post this :

Code:

# rc-status
# iptables -L
Jonathan_Casey
n00b

Joined: 02 Oct 2010
Posts: 13

PostPosted: Sat Oct 02, 2010 1:12 am

Code:
brains init.d # rc-status
 ...
brains init.d # iptables -L
 ...
brains init.d #


Last edited by Jonathan_Casey on Sun Oct 03, 2010 6:27 am; edited 3 times in total
cach0rr0
Bodhisattva

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Sat Oct 02, 2010 1:28 am    Post subject: Re: IPTables config/bootup script location?

Jonathan_Casey wrote:
so I can add 2 new commands which will allow me to use the ports on my machine (internally on 10.0.0.67, the gentoo server is 10.0.0.250).


Shouldn't be any need to hand edit it. iptables -I <somechain> therestoftherule then /etc/init.d/iptables save so that the rule loads next time you boot the machine

Have a gander at man iptables for the behaviour of -I

Code:

-I, --insert chain [rulenum] rule-specification
              Insert one or more rules in the selected chain as the given rule number.  So, if the rule number is 1, the rule  or  rules  are
              inserted at the head of the chain.  This is also the default if no rule number is specified.


having said that, not sure how familiar you are with gentoo's conf structure, but if you find yourself tinkering with it in the future, most every service configuration is found in /etc/conf.d/servicename

in this case, if you have a gander at /etc/conf.d/iptables:

Code:

# /etc/conf.d/iptables

# Location in which iptables initscript will save set rules on
# service shutdown
IPTABLES_SAVE="/var/lib/iptables/rules-save"

# Options to pass to iptables-save and iptables-restore
SAVE_RESTORE_OPTIONS="-c"

# Save state on stopping iptables
SAVE_ON_STOP="yes"


of course, you look at /var/lib/iptables/rules-save, and its syntax is a bit cryptic :) So instead of bothering with that, just do your iptables -I with whatever rule you need, then /etc/init.d/iptables save

hope that helps

NB: as long as there aren't any hostnames or public/routable IPs in what you post, you're revealing nothing useful anyway should someone have nefarious motives ;)
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
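The -A / -I [rulenum] / -D behaviour cach0rr0 points at in man iptables, modelled offline as an added example (not code from the thread or from iptables itself; the Chain class, the rule names and the packet dictionaries are assumptions of the model). It shows why the same two rules give a different verdict depending on whether the second was appended or inserted, which is the reason a howto sometimes uses -I:

```python
"""Offline model of iptables chain ordering: -A appends, -I [rulenum] inserts
(default rulenum 1 = head of chain), -D removes, and evaluation is first-match.

Added example for this thread; not code from the thread or from iptables.
Rule names, the packet dicts and the Chain class are assumptions of the model.
"""


class Chain:
    """An ordered rule list; the first matching rule's target is the verdict,
    and the chain policy applies when nothing matches."""

    def __init__(self, policy="ACCEPT"):
        self.policy = policy
        self.rules = []                      # (name, predicate, target)

    def append(self, name, match, target):   # like: iptables -A CHAIN ...
        self.rules.append((name, match, target))

    def insert(self, name, match, target, rulenum=1):   # like: iptables -I CHAIN [rulenum] ...
        # rulenum is 1-based; 1 (the default) puts the rule at the head
        if not 1 <= rulenum <= len(self.rules) + 1:
            raise ValueError("rule number out of range")
        self.rules.insert(rulenum - 1, (name, match, target))

    def delete(self, name):                  # like: iptables -D CHAIN <same spec>
        for i, rule in enumerate(self.rules):
            if rule[0] == name:
                del self.rules[i]
                return
        raise ValueError("no such rule: " + name)

    def names(self):
        return [r[0] for r in self.rules]

    def verdict(self, pkt):
        for _, match, target in self.rules:
            if match(pkt):
                return target
        return self.policy


def tcp_dport(port):
    """Predicate equivalent to '-p tcp --dport PORT'."""
    return lambda pkt: pkt["proto"] == "tcp" and pkt["dport"] == port


def any_tcp(pkt):
    """Predicate equivalent to '-p tcp'."""
    return pkt["proto"] == "tcp"


def demo():
    """Same two rules, added with -A versus -I: only the order differs, and
    that alone flips the verdict for an SSH packet."""
    ssh = {"proto": "tcp", "dport": 22}
    chain = Chain(policy="DROP")
    chain.append("allow-ssh", tcp_dport(22), "ACCEPT")
    chain.append("drop-tcp", any_tcp, "DROP")      # -A: lands after allow-ssh
    appended = chain.verdict(ssh)                  # allow-ssh matches first
    chain.delete("drop-tcp")
    chain.insert("drop-tcp", any_tcp, "DROP")      # -I: lands at the head
    inserted = chain.verdict(ssh)                  # drop-tcp now shadows allow-ssh
    return chain.names(), appended, inserted


if __name__ == "__main__":
    print(demo())
```

The same thing happens on a real router: a rule appended with -A after an earlier ACCEPT never sees the packets that ACCEPT already took, so a rule that must win has to be inserted ahead of it.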
Jonathan_Casey
n00b

Joined: 02 Oct 2010
Posts: 13

PostPosted: Sat Oct 02, 2010 1:32 am

Thanks a lot ! :)

I was using -A and was reading:
http://www.gentoo.org/doc/en/home-router-howto.xml
and trying to work out why it sometimes used -I but couldn't work it out.

I'll have another go and then do the save command (something I was not doing before) and let you know how it goes :)

Cheers again,
cach0rr0
Bodhisattva

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Sat Oct 02, 2010 1:44 am

Jonathan_Casey wrote:
Thanks a lot ! :)

I was using -A and was reading:
http://www.gentoo.org/doc/en/home-router-howto.xml
and trying to work out why it sometimes used -I but couldn't work it out.

I'll have another go and then do the save command (something I was not doing before) and let you know how it goes :)

Cheers again,


This is the bit you need to focus on: http://www.gentoo.org/doc/en/home-router-howto.xml#doc_chap6

the port forwarding rather

you have no prerouting rules set up that I can see.

You'd probably want to do something like:

Code:

iptables -t nat -A PREROUTING -i ethN -p tcp --dport <portnum> -j DNAT --to 10.0.0.67:<portnum>
iptables -t nat -I PREROUTING -i ethN -p tcp --dport <otherport> -j DNAT --to 10.0.0.67:<otherport>


where ethN is the network interface on your router that receives traffic from the WAN (internet)

So for SSH and HTTP, as an example, where my WAN interface is eth0

Code:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to 10.0.0.67:22
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.67:80


Fire off those commands, but before you save the rules, test! If they don't work as you like, simply issuing /etc/init.d/iptables restart will return the rules to the state they were at when someone last issued an /etc/init.d/iptables save

If the rules DO work, then you yourself can do the above 'save' command I'm too lazy to retype even though typing that requires more keystrokes. heh.
Jonathan_Casey
n00b

Joined: 02 Oct 2010
Posts: 13

PostPosted: Sat Oct 02, 2010 1:59 am    Post subject: still no success... :(

Not had much success unfortunately :(

I'm a little afraid of typing too many commands in case I'm slowly messing up all my brother's settings... Am I right in thinking when I do "/etc/init.d/iptables save" it's permanently saving the changes (so they'll persist after a reboot?).

So far I've tried (since I started messing with this):

Code:

 iptables -t nat -A PREROUTING -p tcp --dport 6112 -i vlan4 -j DNAT --to 10.0.0.67
 iptables -t nat -A PREROUTING -p tcp --dport 4000 -i vlan4 -j DNAT --to 10.0.0.67
 /etc/init.d/iptables save
 iptables -t nat -I PREROUTING -p tcp --dport 4000 -i vlan4 -j DNAT --to 10.0.0.67
 /etc/init.d/iptables save
 iptables -t nat -I PREROUTING 1 -p tcp --dport 4000 -i vlan4 -j DNAT --to 10.0.0.67
 /etc/init.d/iptables save


I'm using this website to see if the port is still closed:
http://www.whatsmyip.org/ports/games/

and also testing it with the game which consistently says it can't connect.

my own machine is XP with no firewall running.


out of sheer interest, I had a look at the rules-save file and found the changes I had made saved in there:

(I don't know if it's a bad idea to post this so let me know if it is and I'll remove it...)

Code:

brains init.d # cat /var/lib/iptables/rules-save
# Generated by iptables-save v1.4.9.1 on Sat Oct  2 02:48:58 2010
*mangle
:PREROUTING ACCEPT [1326540644:1277701438976]
:INPUT ACCEPT [851519904:933537431845]
:FORWARD ACCEPT [469320801:343830336002]
:OUTPUT ACCEPT [1256668731:998956217201]
:POSTROUTING ACCEPT [1726536677:1342940125773]
[1042935:66570483] -A PREROUTING -p udp -m udp --dport 53 -j TOS --set-tos 0x10/0xff
[5573577:4831724381] -A PREROUTING -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10/0xff
[135898627:181312720731] -A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos 0x08/0xff
[2507328:124103902] -A PREROUTING -p tcp -m tcp --dport 4899 -j TOS --set-tos 0x10/0xff
[7019780:4723928121] -A PREROUTING -p tcp -m tcp --sport 4899 -j TOS --set-tos 0x10/0xff
[0:0] -A PREROUTING -p tcp -m tcp --sport 6699 -j TOS --set-tos 0x08/0xff
[0:0] -A PREROUTING -p tcp -m tcp --dport 6699 -j TOS --set-tos 0x08/0xff
[432:46616] -A PREROUTING -p udp -m udp --sport 6257 -j TOS --set-tos 0x08/0xff
[12:1885] -A PREROUTING -p udp -m udp --dport 6257 -j TOS --set-tos 0x08/0xff
[1042935:66570483] -A PREROUTING -p udp -m udp --dport 53 -j TOS --set-tos 0x10/0xff
[5573577:4831724381] -A PREROUTING -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10/0xff
[135898627:181312720731] -A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos 0x08/0xff
[2507328:124103902] -A PREROUTING -p tcp -m tcp --dport 4899 -j TOS --set-tos 0x10/0xff
[7019780:4723928121] -A PREROUTING -p tcp -m tcp --sport 4899 -j TOS --set-tos 0x10/0xff
[0:0] -A PREROUTING -p tcp -m tcp --sport 6699 -j TOS --set-tos 0x08/0xff
[0:0] -A PREROUTING -p tcp -m tcp --dport 6699 -j TOS --set-tos 0x08/0xff
[432:46616] -A PREROUTING -p udp -m udp --sport 6257 -j TOS --set-tos 0x08/0xff
[12:1885] -A PREROUTING -p udp -m udp --dport 6257 -j TOS --set-tos 0x08/0xff
[2825509:141953640] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Oct  2 02:48:58 2010
# Generated by iptables-save v1.4.9.1 on Sat Oct  2 02:48:58 2010
*nat
:PREROUTING ACCEPT [3:285]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -i vlan4 -p tcp -m tcp --dport 4000 -j DNAT --to-destination 10.0.0.67
[1:64] -A PREROUTING -i vlan4 -p tcp -m tcp --dport 4000 -j DNAT --to-destination 10.0.0.67
[121:5808] -A PREROUTING -s x.x.x.x/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination x.x.x.x:22
[13:780] -A PREROUTING -s x.x.x.x/24 -p tcp -m tcp --dport 22 -j ACCEPT
[228:13924] -A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport 60065 -j DNAT --to-destination 10.0.0.88:60065
[516:25840] -A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.0.0.88:4899
[12:616] -A PREROUTING -p tcp -m tcp --dport 48990 -j DNAT --to-destination 10.0.0.88:4899
[952:50948] -A PREROUTING ! -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j DNAT --to-destination x.x.x.x:2
[770:52520] -A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport 29 -j DNAT --to-destination x.x.x.x:22
[21:1024] -A PREROUTING -p tcp -m tcp --dport 60069 -j DNAT --to-destination 10.0.0.69:4899
[4:256] -A PREROUTING -i vlan4 -p tcp -m tcp --dport 6112 -j DNAT --to-destination 10.0.0.67
[2:128] -A PREROUTING -i vlan4 -p tcp -m tcp --dport 4000 -j DNAT --to-destination 10.0.0.67
[9911672:1602198947] -A POSTROUTING -o vlan4 -j MASQUERADE
[453414:26999532] -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Oct  2 02:48:58 2010
# Generated by iptables-save v1.4.9.1 on Sat Oct  2 02:48:58 2010
*filter
:INPUT ACCEPT [761647239:825741323885]
:FORWARD ACCEPT [443312352:319106134248]
:OUTPUT ACCEPT [1256668054:998956138617]
[8676:469947] -A INPUT -i vlan4 -p tcp -m tcp --dport 445 -j DROP
[0:0] -A INPUT -i vlan4 -p udp -m udp --dport 445 -j DROP
[52036:11668282] -A INPUT -i vlan4 -p udp -m udp --dport 135:139 -j DROP
[11890:702292] -A INPUT -i vlan4 -p tcp -m tcp --dport 135:139 -j DROP
[152709:21803017] -A INPUT -m state --state INVALID -j DROP
[963:51672] -A INPUT -d x.x.x.x/32 -p tcp -m tcp --dport 2 -j DROP
[89646401:107761413356] -A INPUT -i lo -j ACCEPT
[2825509:141963900] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[43351:21663115] -A FORWARD -m state --state INVALID -j DROP
[4:240] -A FORWARD -i vlan4 -p tcp -m tcp --dport 135:139 -j DROP
[0:0] -A FORWARD -i vlan4 -p udp -m udp --dport 135:139 -j DROP
[0:0] -A FORWARD -i vlan4 -p udp -m udp --dport 445 -j DROP
[4:200] -A FORWARD -i vlan4 -p tcp -m tcp --dport 445 -j DROP
COMMIT
# Completed on Sat Oct  2 02:48:58 2010


Am I doing something obviously wrong?

btw, here is my ifconfig:

Code:
brains init.d # ifconfig
eth0 Link encap:Ethernet HWaddr xxxxx
inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: xxx/64 Scope:Global
inet6 addr: xxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:148297989 errors:0 dropped:0 overruns:0 frame:0
TX packets:148992917 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000

eth0:1 Link encap:Ethernet HWaddr xxxxx
inet addr:10.0.0.250 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1543869 errors:0 dropped:0 overruns:0 frame:0
TX packets:1543869 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

sixxs Link encap:IPv6-in-IPv4
inet6 addr: xxxx/64 Scope:Global
inet6 addr: xxxx/128 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1280 Metric:1
RX packets:80607486 errors:0 dropped:0 overruns:0 frame:0
TX packets:54179464 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

vlan4 Link encap:Ethernet HWaddr xxxx
inet addr: <external IP address> Bcast:xxx.xxx.xxx.255 Mask:255.255.248.0
inet6 addr: xxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1496 Metric:1
RX packets:87031714 errors:0 dropped:0 overruns:0 frame:0
TX packets:60937372 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

btw, the gentoo server runs in a virtual machine on a windows xp machine (though I don't think this should affect much, it's all pretty seamless).


Last edited by Jonathan_Casey on Sun Oct 03, 2010 6:25 am; edited 1 time in total
Jonathan_Casey
n00b

Joined: 02 Oct 2010
Posts: 13

PostPosted: Sat Oct 02, 2010 2:00 am

Sorry, I just sent that last message before reading yours, I'll read yours now... :)
Jonathan_Casey
n00b

Joined: 02 Oct 2010
Posts: 13

PostPosted: Sat Oct 02, 2010 2:04 am

cach0rr0 wrote:


Fire off those commands, but before you save the rules, test! If they don't work as you like, simply issuing /etc/init.d/iptables restart will return the rules to the state they were at when someone last issued an /etc/init.d/iptables save

If the rules DO work, then you yourself can do the above 'save' command I'm too lazy to retype even though typing that requires more keystrokes. heh.


Ah, I didn't realise the changes would take effect before saving... doh.

Anything in my above post that helps understand what's wrong? :)
cach0rr0
Bodhisattva

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Sat Oct 02, 2010 2:05 am

FYI, if you mess up on a rule, use the -D switch to undo it

e.g.

Code:

iptables -t nat -A PREROUTING -p tcp --dport 6112 -i vlan4 -j DNAT --to 10.0.0.67


oh snap, we don't want that?

Code:

iptables -t nat -D PREROUTING -p tcp --dport 6112 -i vlan4 -j DNAT --to 10.0.0.67


to see what all you've typed:

Code:

history |grep iptables


I'll have to read through the rest of what you have after I get a few beers in me, I'm terrible at this sober. Hopefully you can figure 'er out or someone else will help between now and then
Jonathan_Casey
n00b

Joined: 02 Oct 2010
Posts: 13

PostPosted: Sat Oct 02, 2010 2:14 am

hehe, I was just thinking the same thing. Will have a few drinks once I've finished cooking my dinner :)
Hu
Moderator

Joined: 06 Mar 2007
Posts: 15995

PostPosted: Sat Oct 02, 2010 2:44 am

cach0rr0 wrote:
you have no prerouting rules set up that i can see.
That is because someone told him to use the inferior method of iptables --list, which does not show rules in non-default tables. ;) Fortunately, a later post shows the saved rules, which is much more useful.

OP: posting the rules file could be considered bad if you value keeping details of your network secret, specifically either your public IP address or your firewall rules. We need to see at least a basic version of it to help you, though. Could you describe your general network topology? Specifically, how is it that a Gentoo machine running as a guest under Windows XP is important to your network connectivity? As a related point, what are you doing running Gentoo under Windows XP instead of the other way around? What protocols and ports do you need forwarded to make the game work? You said the game claims it cannot connect. What part of the game fails? Are you able to enter chat, but not play games? Are you unable to enter chat at all?
Jonathan_Casey
n00b

Joined: 02 Oct 2010
Posts: 13

PostPosted: Sat Oct 02, 2010 3:01 am

Sorry, was just getting my dinner.

The game cannot connect at all to Battle.net, it fails almost instantly saying I should check my modem etc.
http://imagebin.ca/view/m6owgdG1.html

As for Gentoo on XP, it used to be the other way round, but I suggested we switched it round as the "Server" machine is the only pc in our house we have on all the time and it made sense to use that as our media center too. As Gentoo doesn't require much processing power, windows is my preferred choice for my home cinema and having the gentoo server as a VM allows us to have a 'backup' gentoo server ready on any other xp machine in the house with relative ease.

From what I gather, we have a modem which plugs via ethernet into our hub (nothing fancy, just a simple 16 port 1Gbit/s hub), which in turn connects to all our computers. The server is just like any other in the house except it has the virtual machine running with gentoo which (and this is where I get lost) magically claims the rights to the internet and appoints itself the ruler of it all and controls who/how all the other computers in our house can access the internet. I've asked my brother to explain how he made all that work but he's never really cared to. I can get some vague idea but not a very definitive one.

If the gentoo VM is shut down all our internet dies and unless the VM is started again (on any pc in the house) we will have no internet. I'm guessing my brother has set up the modem to only communicate with the virtual machine... no idea how it determines which one though... :/

note - I did once try running the VM on 2 machines just to see what would happen... nothing much really, the internet worked. Didn't get round to working out which vm was calling the shots though...

I need port 4000 and 6112, both with TCP to my desktop (10.0.0.67).

Did that answer all your Q's? :)

btw, my brother did at some point set up the VM so our xbox can also connect to xbox live... that still works but I couldn't seem to find anywhere in all those print-outs anything referring to that... :/
there should also be some other rules in there allowing the outside to VNC into a few of our machines etc.
Jonathan_Casey
n00b

Joined: 02 Oct 2010
Posts: 13

PostPosted: Sat Oct 02, 2010 4:37 am

Ok, I thought of trying a different realm to Europe and the others work to the point where I can at least connect to the chat. I see another person on there and it says there are 100,000 people online but if I try to connect to a game or host one myself it says it failed to connect. I tried talking in the chat but it says "no one can here you."...

Anyway, back to the problem at hand, my feeling is the forwarding still isn't working (I gather the chat doesn't require a server port). The port checking website still says my port 4000 is closed.
Jonathan_Casey
n00b

Joined: 02 Oct 2010
Posts: 13

PostPosted: Sat Oct 02, 2010 6:18 pm

ITT: OP who still hasn't got his port open :(

+5 internets to anyone who can help :)
Hu
Moderator

Joined: 06 Mar 2007
Posts: 15995

PostPosted: Sat Oct 02, 2010 6:43 pm

Jonathan_Casey wrote:
I need port 4000 and 6112, both with TCP to my desktop (10.0.0.67).
It appears that you have that covered already:
Code:
[0:0] -A PREROUTING -i vlan4 -p tcp -m tcp --dport 4000 -j DNAT --to-destination 10.0.0.67
[1:64] -A PREROUTING -i vlan4 -p tcp -m tcp --dport 4000 -j DNAT --to-destination 10.0.0.67
[4:256] -A PREROUTING -i vlan4 -p tcp -m tcp --dport 6112 -j DNAT --to-destination 10.0.0.67
[2:128] -A PREROUTING -i vlan4 -p tcp -m tcp --dport 4000 -j DNAT --to-destination 10.0.0.67
:FORWARD ACCEPT [443312352:319106134248]
[4:240] -A FORWARD -i vlan4 -p tcp -m tcp --dport 135:139 -j DROP
[0:0] -A FORWARD -i vlan4 -p udp -m udp --dport 135:139 -j DROP
[0:0] -A FORWARD -i vlan4 -p udp -m udp --dport 445 -j DROP
[4:200] -A FORWARD -i vlan4 -p tcp -m tcp --dport 445 -j DROP

Overall, I think your firewall could use a fairly significant overhaul for security. It looks like it was written without a default-deny policy in mind.
Jonathan_Casey wrote:
there should also be some other rules in there allowing the outside to VNC into a few of our machines etc.
I do not see a rule that is obviously for that purpose, which is good. VNC is not a secure protocol, so allowing it to run directly over the Internet is a bad idea.

Jonathan_Casey wrote:
Ok, i thought of trying a different realm to Europe and the others work to the point where I can atleast connect to the chat. I see another person on there and it says there are 100,000 people online but if i try to connect to a game or host one my self it says it failed to connect. I tried talking in the chat but it says "no one can here you."...
Good. That means the chat component works fine, at least for that server.

I see nothing obviously wrong, so my next step would be to collect a tcpdump on both interfaces to confirm that you receive the incoming connection and that it is not forwarded to your client machine. At this point, you have not specified whether the Windows Firewall is configured properly. :)
Jonathan_Casey
n00b

Joined: 02 Oct 2010
Posts: 13

PostPosted: Sat Oct 02, 2010 7:01 pm

My desktop has no firewall at all, I disabled the windows firewall etc.

Sorry, it's not VNC we use, it's a program called Remote Administrator ("Radmin") which we need to be able to control our internal machines from the internet (i.e. my brother in Sweden).
Code:
[516:25840] -A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.0.0.88:4899

that above line is for the "Radmin" server on the 10.0.0.88 XP machine.

As for the default-deny policy I'll check with my brother when I finally get to speak to him, I'm surprised, he's pretty security conscious, I'd have thought he'd have done that...

How would I do the tcpdump? and would I do it on the host XP server, the guest Gentoo VM or my XP desktop? I didn't quite understand why you said I wanted to make sure it's not forwarded to my client machine? by client machine I figure you mean my desktop (10.0.0.67) so why would I not want the connections forwarded to it?... :/


Last edited by Jonathan_Casey on Sun Oct 03, 2010 6:22 am; edited 1 time in total
chiefbag
Guru

Joined: 01 Oct 2010
Posts: 542
Location: The Kingdom

PostPosted: Sat Oct 02, 2010 7:26 pm

This looks over complicated in general.
You really should just drop all on your input.
Then allow only ports open on your input that are necessary and obviously if you're forwarding them then they should be locked down to dnat to a specific port depending on the service.
I would also recommend adding a related/established rule which will allow your connections back in if you have instigated the connection from internally.
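The checks that Hu's and chiefbag's replies make by eye (is the port DNATed, is the same rule saved twice, does a filter FORWARD rule drop the DNATed traffic, do INPUT and FORWARD default to ACCEPT) can be run over the rules-save format itself, which is the "cryptic" file cach0rr0 mentions. The following is an added example for this thread, not the OP's file, the brother's rules or any iptables tool; the sample rules-save text is constructed to resemble the one posted above, and the function names are my own:

```python
"""Parse iptables-save output (the rules-save file) and run the checks made in
this thread: is a port DNATed, is a rule saved twice, would a filter FORWARD
DROP swallow the DNATed traffic, and do INPUT/FORWARD default to ACCEPT.
Added example for this thread; not the poster's file nor an iptables tool.
SAMPLE_RULES_SAVE is a constructed excerpt modelled on the rules posted above.
"""
import re
from collections import Counter

SAMPLE_RULES_SAVE = """\
# Generated by iptables-save (constructed sample, counters as saved with -c)
*nat
:PREROUTING ACCEPT [3:285]
[0:0] -A PREROUTING -i vlan4 -p tcp -m tcp --dport 4000 -j DNAT --to-destination 10.0.0.67
[1:64] -A PREROUTING -i vlan4 -p tcp -m tcp --dport 4000 -j DNAT --to-destination 10.0.0.67
[4:256] -A PREROUTING -i vlan4 -p tcp -m tcp --dport 6112 -j DNAT --to-destination 10.0.0.67
[9911672:1602198947] -A POSTROUTING -o vlan4 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [761647239:825741323885]
:FORWARD ACCEPT [443312352:319106134248]
:OUTPUT ACCEPT [1256668054:998956138617]
[43351:21663115] -A FORWARD -m state --state INVALID -j DROP
[4:240] -A FORWARD -i vlan4 -p tcp -m tcp --dport 135:139 -j DROP
[4:200] -A FORWARD -i vlan4 -p tcp -m tcp --dport 445 -j DROP
COMMIT
"""
COUNTER_RE = re.compile(r"^\[(\d+):(\d+)\]\s+(.*)$")   # leading [packets:bytes]

def _parse_opts(tokens):
    """'-i vlan4 -p tcp ... -j DNAT' -> {'-i': 'vlan4', ...}; bare flags map to True."""
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok.startswith("-") and nxt is not None and not nxt.startswith("-"):
            opts[tok], i = nxt, i + 2
        else:
            opts[tok], i = True, i + 1
    return opts

def parse_rules_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule dicts]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                        # *nat, *filter, ...
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):                      # :CHAIN POLICY [p:b]
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
        else:
            packets = nbytes = 0
            m = COUNTER_RE.match(line)
            if m:                                       # counters are optional
                packets, nbytes, line = int(m.group(1)), int(m.group(2)), m.group(3)
            tokens = line.split()
            if len(tokens) >= 2 and tokens[0] == "-A":
                tables[table]["rules"].append({"table": table, "chain": tokens[1],
                    "packets": packets, "bytes": nbytes, "spec": " ".join(tokens[2:]),
                    "opts": _parse_opts(tokens[2:])})
    return tables

def find_dnat_rules(tables, dport, proto="tcp"):
    """nat PREROUTING rules that DNAT the given destination port."""
    return [r for r in tables.get("nat", {}).get("rules", [])
            if r["chain"] == "PREROUTING" and r["opts"].get("-j") == "DNAT"
            and r["opts"].get("-p") == proto and r["opts"].get("--dport") == str(dport)]

def duplicate_rules(tables):
    """(table, chain, spec, count) for rule lines saved more than once."""
    counts = Counter((r["table"], r["chain"], r["spec"])
                     for t in tables.values() for r in t["rules"])
    return [(t, c, s, n) for (t, c, s), n in counts.items() if n > 1]

def _port_in(port_spec, port):
    lo, _, hi = port_spec.partition(":")                # "445" or "135:139"
    return int(lo) <= port <= int(hi or lo)

def forward_drops_port(tables, iface, proto, port):
    """True if an unconditional filter FORWARD DROP would catch the DNATed traffic."""
    for r in tables.get("filter", {}).get("rules", []):
        o = r["opts"]
        if r["chain"] != "FORWARD" or o.get("-j") != "DROP" or "--state" in o:
            continue                                    # stateful drops are not port blocks
        if o.get("-i") not in (None, iface) or o.get("-p") not in (None, proto):
            continue
        if o.get("--dport") is None or _port_in(o["--dport"], port):
            return True
    return False

def chains_without_default_deny(tables):
    """filter INPUT/FORWARD chains whose policy is ACCEPT (no default-deny)."""
    policies = tables.get("filter", {}).get("policies", {})
    return [("filter", ch) for ch in ("INPUT", "FORWARD") if policies.get(ch) == "ACCEPT"]

if __name__ == "__main__":
    t = parse_rules_save(SAMPLE_RULES_SAVE)
    print(duplicate_rules(t), chains_without_default_deny(t),
          forward_drops_port(t, "vlan4", "tcp", 4000))
```

Run it against a real /var/lib/iptables/rules-save by passing the file contents to parse_rules_save. On the sample it reports the 4000 rule saved twice (harmless to packets, but it hides which copy is doing the work), no FORWARD drop for 4000 or 6112, and ACCEPT policies on INPUT and FORWARD, which is the default-deny point Hu and chiefbag raise.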
Hu
Moderator

Joined: 06 Mar 2007
Posts: 15995

PostPosted: Sat Oct 02, 2010 10:39 pm

Jonathan_Casey wrote:
Sorry, its not VNC we use, its a program called Remote Administrator ("Radmin") which we need to be able to control our internal machines from the internet (i.e. my brother in Sweden).
I am not familiar with that program. On principle, I would tunnel such things over ssh unless I knew they had their own encryption.
Jonathan_Casey wrote:
how would I do the tcpdump? and would I do it on the host XP server, the guest Gentoo VM or my XP desktop? I didn't quite understand why you said I wanted to make sure its not forwarded to my client machine? by client machine I figure you mean my desktop (10.0.0.67) so why would I not want the connections forwarded to it?... :/
Run tcpdump on the Gentoo home router. Run two tcpdump instances, one for the external (WAN) interface and one for the internal (LAN) interface. A starting invocation would be tcpdump -i interface -n -p host remote-machine. I suggest restricting the capture based on the expected source address of the remote machine, so that you can capture all protocols, but avoid being spammed out by any normal network activity from other users on the local network. You want to ensure it is not forwarded, because if tcpdump shows us that the traffic is forwarded, then your Gentoo machine is behaving correctly and your problem is somewhere else in the network, where we may not be able to help you. If the Gentoo machine is the problem, we have a better chance of helping you. Yes, client machine refers to the system where you are running the game.
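Hu's two-capture diagnostic, worked through offline as an added example (not code from the thread or from tcpdump): it reads one capture from the WAN interface and one from the LAN interface in the one-line-per-packet format that `tcpdump -n` prints, follows each incoming SYN, and reports at which hop the connection is lost. The capture text, the addresses 203.0.113.5 and 198.51.100.10, the client ports and the function names are constructed for the demonstration:

```python
"""Read two tcpdump captures (WAN and LAN side of the router) and decide where a
forwarded connection gets lost, following the two-capture diagnostic above.

Added example for this thread, not code from the thread or from tcpdump. The
captures below are constructed in the text format of `tcpdump -n` (one line per
packet); addresses, ports and timestamps are made up for the demonstration.
"""
import re

# TCP line as printed by tcpdump -n: "ts IP src.sport > dst.dport: Flags [..], ..."
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]")

WAN_CAPTURE = """\
19:02:11.100001 IP 203.0.113.5.51234 > 198.51.100.10.4000: Flags [S], seq 1, win 64240, length 0
19:02:11.100700 IP 198.51.100.10.4000 > 203.0.113.5.51234: Flags [S.], seq 9, ack 2, win 65535, length 0
19:02:12.200001 IP 203.0.113.5.51235 > 198.51.100.10.6112: Flags [S], seq 1, win 64240, length 0
19:02:13.300001 IP 203.0.113.5.51236 > 198.51.100.10.4899: Flags [S], seq 1, win 64240, length 0
"""
LAN_CAPTURE = """\
19:02:11.100050 IP 203.0.113.5.51234 > 10.0.0.67.4000: Flags [S], seq 1, win 64240, length 0
19:02:11.100600 IP 10.0.0.67.4000 > 203.0.113.5.51234: Flags [S.], seq 9, ack 2, win 65535, length 0
19:02:13.300050 IP 203.0.113.5.51236 > 10.0.0.88.4899: Flags [S], seq 1, win 64240, length 0
19:02:13.300400 IP 10.0.0.88.4899 > 203.0.113.5.51236: Flags [R.], seq 0, ack 2, win 0, length 0
"""

def parse_tcpdump(text):
    """Return a dict per TCP packet line; non-matching lines are ignored."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            pkts.append(p)
    return pkts

def forwarding_status(wan_text, lan_text, remote, client, port):
    """Classify one forwarded port by following the SYN from WAN to LAN and back.

    not-received-on-wan    the SYN never reached the router: look upstream
    not-forwarded          SYN on WAN, not on LAN: the router's nat/filter rules
    forwarded-but-refused  client answered RST: nothing listening / host firewall
    forwarded-no-reply     client silent: host firewall dropping, or wrong host
    forwarded-and-answered client sent SYN-ACK: the router is doing its job
    """
    wan, lan = parse_tcpdump(wan_text), parse_tcpdump(lan_text)
    syn_in = [p for p in wan if p["src"] == remote and p["dport"] == port and p["flags"] == "S"]
    if not syn_in:
        return "not-received-on-wan"
    sport = syn_in[0]["sport"]             # tie the LAN packets to this connection
    fwd = [p for p in lan if p["src"] == remote and p["sport"] == sport
           and p["dst"] == client and p["dport"] == port and p["flags"] == "S"]
    if not fwd:
        return "not-forwarded"
    replies = [p for p in lan if p["src"] == client and p["sport"] == port
               and p["dst"] == remote and p["dport"] == sport]
    if any(p["flags"] == "S." for p in replies):
        return "forwarded-and-answered"
    if any(p["flags"].startswith("R") for p in replies):
        return "forwarded-but-refused"
    return "forwarded-no-reply"

def report(wan_text, lan_text, remote, clients):
    """clients: {port: LAN host the port should reach}; returns {port: status}."""
    return {port: forwarding_status(wan_text, lan_text, remote, host, port)
            for port, host in clients.items()}

if __name__ == "__main__":
    for port, status in report(WAN_CAPTURE, LAN_CAPTURE, "203.0.113.5",
                               {4000: "10.0.0.67", 6112: "10.0.0.67", 4899: "10.0.0.88"}).items():
        print(port, status)
```

On the constructed captures, 4000 is forwarded and answered (router fine), 6112 reaches the WAN side but never appears on the LAN side (a router rule problem), and 4899 is forwarded but the host replies with RST, which is what a port-check site reports as "closed" when nothing is listening.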
Jonathan_Casey
n00b

Joined: 02 Oct 2010
Posts: 13

PostPosted: Sun Oct 03, 2010 1:35 am

Finally got it to work! :)

I decided to start from scratch. I removed all the port forwarding rules, looked at the rules my brother had set up for the Radmin program (yes, it does use encryption btw) and added rules that looked like his except for different ports for Radmin on my own machine, then I installed a radmin viewer on a machine at my old university and was able to connect, so then changed the ports over to the ones for Diablo 2 and it works!! :) whoop, taken long enough haha. I'm so happy I feel like I actually understand the iptables a little bit now! yeeeeey!

an interesting point I noticed, the port checking website I was using:
http://www.whatsmyip.org/ports/games/
says the port is closed even if the iptables are forwarding it. You have to have a program listening on that port on the client machine for it to see it as open... I guess that's obvious to you guys, I didn't realise that however.

Here are the final commands I used:

Code:

brains ~ # iptables -t nat -A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport 4000 -j DNAT --to 10.0.0.67:4000
brains ~ # iptables -t nat -A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport 6112 -j DNAT --to 10.0.0.67:6112

(note I added our external IP with "-d" instead of specifying the interface device using the "-i vlan4") - I'm not sure why this works and the other didn't, but it's what my brother did anyway... Possibly something to do with how he's set up our network.

I'm wondering if it would be a bad idea to remove all the print outs I posted on this thread as I don't know if they will be of any help to someone else with a similar problem... but I would feel a little happier than leaving all this stuff publicly available, I'm not entirely sure what half of it means so have no idea if it would be of much use to anyone wanting to mess with our system... :/

Anyway, thank you so much everyone, I wouldn't have been able to do it without you all!! :)

+5 Internets to everyone! :)


Last edited by Jonathan_Casey on Sun Oct 03, 2010 6:22 am; edited 1 time in total
cach0rr0
Bodhisattva

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Sun Oct 03, 2010 4:44 am

just replace your IP with x.x.x.x, nothing else identifiable
Jonathan_Casey
n00b

Joined: 02 Oct 2010
Posts: 13

PostPosted: Sun Oct 03, 2010 6:21 am

lol, my IP is everywhere... ah well :)