> CS> It doesn't look like your modification to ipfilter.conf 'took' (or at
> least it's not reflected in the rules above):
> DG: I was toggling between MASQ and ACCEPT in the filter line and left it at
> MASQ when the ACCEPT command didn't work. I needed to get the servers back
> online in some fashion, so I reversed the previous change. The exact line I
> used was:
> $IPCH -A forward -j ACCEPT -p udp -s $DMZ_NET -d 0/0 -i $EXTERN_IF
<snip>
> CS> - You have 22 Denied packets in the forward chain...you might want to
> log these and see what they are...my guess is if you add proper rules to
> DMZ_OPEN_DEST so these packets are accepted instead of denied (and change
> the DMZ masq to allow), your game server will begin working.
> DG: Can you please explain the process to "log" these packets? 'member? I am
> noob. :)
> By "proper rules" do you mean my current ones are incorrect? They are the
> only service ports that the HL server is known to use, and they do the job
> when the MASQ function is operating. The problem still exists that
> client-initiated UDP traffic to port 27015 goes off into the ether, from the
> client user's perspective, and it does not appear that the change from MASQ
> to ACCEPT alone is correcting that. Are there any specific changes to the
> DMZ_OPEN_DEST rules you would recommend? I have summarized them below.
Sorry...
Here's what I think is happening:
With UDP traffic masqueraded to the outside world, your game server starts
up, but the clients get confused due to the masquerading (clients send
packets to one IP, and get replies from another).
When you switch from masquerading (MASQ) to normal routing (ACCEPT) for
outbound UDP packets (the rule listed above), you also switch from the
security rules for the LRP box (defaults to accepting all high-port UDP
traffic) to the UDP rules created for the DMZ by DMZ_OPEN_DEST. This breaks
some ports required to get your server up & running.
What to do now:
If I'm correct, what you need to do is go back to the ACCEPT rule for
outbound UDP packets and enable all required inbound UDP traffic headed to
your game server machine. This is where the denied packets come in...they
are likely UDP packets that are not properly enabled in DMZ_OPEN_DEST, so
seeing what they are will help create the proper entries. To log packets
that make it to the end of the forward rule-chain, find the following
section of code in /etc/ipfilter.conf (it will be below the outbound UDP
rule you've been playing with):
<ipfilter.conf snippet>
$IPCH -A forward -j DENY -p all -s 0/0 -d 0/0
#
# EXTERNAL INTERFACE
#
</ipfilter.conf>
Tack a -l (dash-ell) on to the end of the rule to log the denied packets,
like so:
$IPCH -A forward -j DENY -p all -s 0/0 -d 0/0 -l
It's probably a good idea to keep this rule in place...since the forward
rule-chain controls access to your DMZ machines, this will let you see if
someone is trying to port-scan or otherwise improperly access your systems.
Once you've got some denied packets in your logs (/var/log/messages), you
can use the information to build more DMZ_OPEN_DEST entries, as required.
While the above technique will help you get exactly the right rules in
place, if your game server is reasonably secured (you're not running lots of
services you don't need), you may just want to allow all inbound UDP traffic
to the machine. This will at the very least get you up and running while
you try to narrow down the rules actually required. To do this, add the
following to DMZ_OPEN_DEST:
udp_game-server-IP_1024:
Which will allow all high-port UDP traffic to your game server. If this
still doesn't work, you can allow ALL UDP traffic (including low ports) with
the following:
udp_game-server-IP_:
Once you've got the system working, you can try adding additional UDP ports
to DMZ_OPEN_DEST, and remove the large UDP port-range entered above. If
everything still works, you got all the ports you need specifically entered
in DMZ_OPEN_DEST. If it breaks, you're still missing something...time to
check the logs for denied packets & make some more entries.
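Once the -l flag is in place, the denied-packet lines can be tallied rather than read one by one. The script below is an added example, not part of this post or of the LRP scripts: it counts UDP packets denied in the forward chain for one DMZ host and prints candidate DMZ_OPEN_DEST entries in the proto_IP_port form used above. It assumes the ipchains "Packet log:" line layout shown in the constructed sample (chain, target, interface, PROTO=n, src:port, dst:port), a game server at 192.0.2.10, and the helper names denied_udp_to and dmz_open_dest_entries.

```sh
#!/bin/sh
# Added example (not from the original post). Constructed sample of the
# ipchains "Packet log:" lines that -l on the final forward DENY rule writes
# to /var/log/messages. Layout assumed: chain target iface PROTO=n src:sport
# dst:dport ... (PROTO=17 is UDP, PROTO=6 is TCP).
SAMPLE_LOG='Jan  1 12:00:01 fw kernel: Packet log: forward DENY eth0 PROTO=17 198.51.100.7:27005 192.0.2.10:27015 L=48 S=0x00 I=1 F=0x0000 T=64 (#10)
Jan  1 12:00:02 fw kernel: Packet log: forward DENY eth0 PROTO=17 198.51.100.7:27005 192.0.2.10:27015 L=48 S=0x00 I=2 F=0x0000 T=64 (#10)
Jan  1 12:00:03 fw kernel: Packet log: forward DENY eth0 PROTO=17 203.0.113.9:27005 192.0.2.10:27020 L=48 S=0x00 I=3 F=0x0000 T=64 (#10)
Jan  1 12:00:04 fw kernel: Packet log: forward DENY eth0 PROTO=6 203.0.113.9:4444 192.0.2.10:23 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#10)
Jan  1 12:00:05 fw kernel: Packet log: forward DENY eth0 PROTO=17 198.51.100.7:27005 192.0.2.11:27015 L=48 S=0x00 I=5 F=0x0000 T=64 (#10)'

# denied_udp_to HOST: read log lines on stdin and print "port count" for UDP
# packets denied in the forward chain with HOST as destination, busiest first.
# TCP hits (like the telnet probe in the sample) and other hosts are left out.
denied_udp_to() {
  awk -v host="$1" '
    {
      for (i = 1; i < NF; i++) {
        if ($i == "Packet" && $(i + 1) == "log:") break
      }
      if (i >= NF) next                      # not an ipchains log line
      chain = $(i + 2); target = $(i + 3); proto = $(i + 5); dst = $(i + 7)
      if (chain != "forward" || target != "DENY" || proto != "PROTO=17") next
      split(dst, d, ":")                     # d[1] = address, d[2] = port
      if (d[1] == host) count[d[2]]++
    }
    END { for (p in count) print p, count[p] }
  ' | sort -k2,2nr -k1,1n
}

# dmz_open_dest_entries HOST: turn the tally into one DMZ_OPEN_DEST entry per
# port, in the udp_IP_port form used in the post (assumed, not checked against
# the LRP scripts). Review each one before adding it: a port that shows up
# once from a single source is more likely a scan than a game port.
dmz_open_dest_entries() {
  denied_udp_to "$1" | awk -v host="$1" '{ print "udp_" host "_" $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | denied_udp_to 192.0.2.10
printf '%s\n' "$SAMPLE_LOG" | dmz_open_dest_entries 192.0.2.10
```

On a real box, replace the sample with `grep 'Packet log:' /var/log/messages | denied_udp_to <server-ip>`.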
Good luck!
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user