[ale] Firewall+Game+DNAT= ???
Robert L. Harris
Robert.L.Harris at rdlg.net
Thu Aug 28 19:46:48 EDT 2003
I'm trying to play Allegiance (looks interesting at http://www.alleg.net/),
which appears to require the following rule:
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --destination-port 2300:2400 -j DNAT --to-destination 192.168.0.3
I've put this in my firewall and I'm still getting this:
IPTables v4 Dropped: IN=eth0 OUT=eth1 SRC=67.11.229.37 DST=192.168.0.3
LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=86 DF PROTO=TCP SPT=1678 DPT=2300
WINDOW=16384 RES=0x00 SYN URGP=0
The relevant portions of my firewall look like this:
--------------------------------------------------------------------------
#! /bin/bash
#
IPTABLES=/sbin/iptables
IPADDR=24.241.190.29
IFACE1=eth0
#
# Let's flush 'em all: the filter table, the nat table, and any user-defined
# chains left over from a previous run (otherwise the -N lines below fail on
# a re-run with "Chain already exists")
#
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
#
# Turn on forwarding
#
echo 1 > /proc/sys/net/ipv4/ip_forward
## Make sure NEW tcp connections are SYN packets
$IPTABLES -A INPUT -i $IFACE1 -p tcp ! --syn -m state --state NEW -j DROP
# Refuse spoofed packets pretending to be from your IP address.
$IPTABLES -A INPUT -i $IFACE1 -s $IPADDR -j DROP
# first chain is for allowing established and related connections
$IPTABLES -N first
$IPTABLES -A first -m state --state ESTABLISHED,RELATED -j ACCEPT
# this is a rule to let all my local traffic through
# (NEW connections arriving on any interface other than the outside one)
$IPTABLES -N local
$IPTABLES -A local -m state --state NEW ! -i $IFACE1 -j ACCEPT
# I'm using logging and reject with my cleanup rule, these are both
# optional modules
$IPTABLES -N cleanup
$IPTABLES -A cleanup -j LOG --log-level debug --log-prefix "IPTables v4 Dropped: "
$IPTABLES -A cleanup -j DROP
#
# Let's initialize the chain
#
$IPTABLES -A INPUT -j first
#
# Let's allow some good stuff
#
################
# game ports: accept on INPUT, and rewrite the destination to the game box
$IPTABLES -A INPUT -i $IFACE1 -p tcp --destination-port 2300:2400 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $IFACE1 -p tcp --destination-port 2300:2400 -j DNAT --to-destination 192.168.0.3
#
# Finish the rules off
#
$IPTABLES -A INPUT -j local
$IPTABLES -A INPUT -j cleanup
$IPTABLES -P INPUT DROP
# FORWARD chain only allows local traffic
$IPTABLES -A FORWARD -j first
$IPTABLES -A FORWARD -j local
$IPTABLES -A FORWARD -j cleanup
$IPTABLES -P FORWARD DROP
# This is my nat rule for masquerading. notice the new table -t nat
$IPTABLES -t nat -A POSTROUTING -o $IFACE1 -j MASQUERADE
--------------------------------------------------------------------------
Anyone have any thoughts? I'd like to try this game out; it looks
really cool.
:wq!
---------------------------------------------------------------------------
Robert L. Harris | GPG Key ID: E344DA3B
@ x-hkp://pgp.mit.edu
DISCLAIMER:
These are MY OPINIONS ALONE. I speak for no-one else.
Life is not a destination, it's a journey.
Microsoft produces 15 car pileups on the highway.
Don't stop traffic to stand and gawk at the tragedy.
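A reading aid for the log line quoted above, added here as an example and not part of the original post or the poster's script. In a netfilter LOG entry, IN= names the interface a packet arrived on and OUT= the interface it is about to leave on; when both are filled in, the packet was being routed through the box and so was traversing the FORWARD chain, not INPUT. The script below parses such entries, infers the chain from IN=/OUT=, and reports whether an ACCEPT rule for that protocol and port exists in the chain that dropped the packet or only in some other chain. The first sample line is the one from the post (re-joined onto one line); the other two lines and the ACCEPT_RULES table (modelling where the post's script opens ports 2300:2400) are constructed for the example.

```python
import re

# Constructed sample input: the LOG line quoted in the post, re-joined onto one
# line, plus two constructed entries that exercise the INPUT and OUTPUT cases
# (198.51.100.0/24 is documentation address space).
SAMPLE_LOG = [
    "IPTables v4 Dropped: IN=eth0 OUT=eth1 SRC=67.11.229.37 DST=192.168.0.3 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=86 DF PROTO=TCP SPT=1678 DPT=2300 "
    "WINDOW=16384 RES=0x00 SYN URGP=0",
    "IPTables v4 Dropped: IN=eth0 OUT= SRC=198.51.100.7 DST=24.241.190.29 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=40000 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "IPTables v4 Dropped: IN= OUT=eth0 SRC=24.241.190.29 DST=198.51.100.7 "
    "LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=UDP SPT=5353 DPT=5353",
]

# Where the post's script places its ACCEPT rules for the game ports:
# (chain, protocol, first port, last port). Constructed to model that script.
ACCEPT_RULES = [
    ("INPUT", "TCP", 2300, 2400),
]

_INT_FIELDS = ("SPT", "DPT", "LEN", "TTL", "ID")


def parse_log_line(line):
    """Turn one netfilter LOG entry into a dict of its fields.

    KEY=VALUE tokens become entries (an empty value such as OUT= stays "").
    Bare upper-case tokens (DF, SYN, ACK, ...) are flags and become True.
    The free-text --log-prefix before the first IN= is kept under "prefix".
    """
    match = re.search(r"\bIN=", line)
    if match is None:
        raise ValueError("not a netfilter LOG entry: %r" % line)
    fields = {"prefix": line[:match.start()].rstrip()}
    for token in line[match.start():].split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
        elif key.isupper():
            fields[key] = True
    for key in _INT_FIELDS:
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def which_chain(fields):
    """Infer the filter chain the entry was logged from.

    IN= only -> INPUT (delivered locally); OUT= only -> OUTPUT (locally
    generated); both -> FORWARD (routed through the box, e.g. after DNAT).
    """
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    if has_in:
        return "INPUT"
    if has_out:
        return "OUTPUT"
    return "UNKNOWN"


def port_matches(fields, rule):
    """True if the packet's protocol and destination port fall inside the rule."""
    _chain, proto, low, high = rule
    dport = fields.get("DPT")
    return fields.get("PROTO") == proto and dport is not None and low <= dport <= high


def diagnose(line, rules=ACCEPT_RULES):
    """Summarise a dropped packet and check the ACCEPT rules against it.

    'accept_rule_in_this_chain' is True when a matching ACCEPT rule lives in
    the chain that dropped the packet (so rule order is the next suspect);
    'accept_rule_in_other_chains' lists chains that do accept this port.
    """
    fields = parse_log_line(line)
    chain = which_chain(fields)
    hits = [r for r in rules if port_matches(fields, r)]
    return {
        "chain": chain,
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": fields.get("DPT"),
        "syn": fields.get("SYN", False),
        "accept_rule_in_this_chain": any(r[0] == chain for r in hits),
        "accept_rule_in_other_chains": sorted({r[0] for r in hits if r[0] != chain}),
    }


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        d = diagnose(entry)
        print("%-8s %s/%s %s -> %s: accept rule in this chain: %s, in other chains: %s"
              % (d["chain"], d["proto"], d["dport"], d["src"], d["dst"],
                 d["accept_rule_in_this_chain"],
                 ", ".join(d["accept_rule_in_other_chains"]) or "none"))
```

Run against the quoted line, the report says the drop happened in FORWARD with no matching ACCEPT rule there, while one exists in INPUT. Passing a rule table that opens the same range in FORWARD instead flips the verdict, which is the check a practitioner wants before touching the rule set.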