I run CS and DOD on a machine behind my NAT'd firewall.
This is a working example from my system; it is started from an "up"
line in /etc/network/interfaces. It's no different from routing for a
web server (except for the UDP).
You should change the IP addresses as appropriate.
Now remember, you may not realize it's working when it actually is. I
usually send a "heartbeat" command from the server to make sure, then
check it with a Windows client with all the filters turned off, except
the map that your server is currently running.
spanky:~# cat /etc/network/nat.sh
#!/bin/sh
#############################################################
#        NETWORK ADDRESS TRANSLATION / MASQUERADING         #
#############################################################
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat --flush
# everything leaving on the external NIC gets the gateway's public address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
GATEWAY_EXT=216.138.246.90
GATEWAY_INT=192.168.0.1
WEB_SERVER=192.168.0.2
HLDS_SERVER=192.168.0.3
# route internal or external requests to port 80 (HTTP) on the gateway
# to the internal web server
iptables -t nat -A PREROUTING -d $GATEWAY_EXT -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER
iptables -t nat -A PREROUTING -d $GATEWAY_INT -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER
# route internal or external requests to port 443 (HTTPS) on the
# gateway to the internal web server
iptables -t nat -A PREROUTING -d $GATEWAY_EXT -p tcp --dport 443 -j DNAT --to-destination $WEB_SERVER
iptables -t nat -A PREROUTING -d $GATEWAY_INT -p tcp --dport 443 -j DNAT --to-destination $WEB_SERVER
# If you are doing port forwarding back onto the same network, you need
# to make sure that both future packets and reply packets pass through
# the NAT box (so they can be altered).
# The classic case is that internal staff try to access your `public'
# web server, which is actually DNAT'ed from the public address
# to an internal machine.
# Have the NAT box also map the source IP address to
# its own for these connections, fooling the server into replying
# through it.
iptables -t nat -A POSTROUTING -d $WEB_SERVER -s 192.168.0.0/24 -p tcp --dport 80 -j SNAT --to-source $GATEWAY_INT
iptables -t nat -A POSTROUTING -d $WEB_SERVER -s 192.168.0.0/24 -p tcp --dport 443 -j SNAT --to-source $GATEWAY_INT
# let Internet (and LAN) clients reach the Half-Life server on UDP 27015;
# its own outbound traffic already leaves via the MASQUERADE rule above
iptables -t nat -A PREROUTING -d $GATEWAY_EXT -p udp --dport 27015 -j DNAT --to-destination $HLDS_SERVER
iptables -t nat -A PREROUTING -d $GATEWAY_INT -p udp --dport 27015 -j DNAT --to-destination $HLDS_SERVER
# same hairpin trick for LAN players connecting to the gateway address
iptables -t nat -A POSTROUTING -d $HLDS_SERVER -s 192.168.0.0/24 -p udp --dport 27015 -j SNAT --to-source $GATEWAY_INT
Cheers,
Jason
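Jason's nat.sh touches only the nat table, so on a box whose filter table has a DROP policy the forwards will still be blocked: DNAT in PREROUTING only rewrites the destination, and the translated packet is then filtered in FORWARD against the internal address. The script below is an added example for this thread, not Jason's or Are's own rules. It reuses Jason's addresses, adds the stateful filter rules that make the DNATs usable under a default-deny FORWARD policy, and keeps the hairpin SNAT for LAN clients. The interface names (eth0 external, eth1 internal) and the IPT/SYSCTL dry-run wrappers are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original posts): port-forwards for the web
# server and the HLDS box with matching filter-table rules. Addresses are
# Jason's; interface names and the dry-run wrappers are assumptions.
# Run as root to apply; as a normal user it prints the rules instead.
if [ "$(id -u)" -eq 0 ]; then
    IPT=${IPT:-iptables};        SYSCTL=${SYSCTL:-sysctl}
else
    IPT=${IPT:-"echo iptables"}; SYSCTL=${SYSCTL:-"echo sysctl"}
fi

EXT_IF=eth0                      # assumption: NIC facing the Internet
INT_IF=eth1                      # assumption: NIC facing the LAN
GATEWAY_EXT=216.138.246.90
GATEWAY_INT=192.168.0.1
LAN=192.168.0.0/24
WEB_SERVER=192.168.0.2
HLDS_SERVER=192.168.0.3

# forward_service PROTO PORT INTERNAL_HOST
#   DNAT on both gateway addresses, hairpin SNAT for LAN clients, and the
#   FORWARD ACCEPT a DROP-policy filter table needs for the translated flow.
forward_service() {
    proto=$1; port=$2; host=$3
    for gw in "$GATEWAY_EXT" "$GATEWAY_INT"; do
        $IPT -t nat -A PREROUTING -d "$gw" -p "$proto" --dport "$port" \
             -j DNAT --to-destination "$host"
    done
    # hairpin: LAN clients using the gateway address get replies via the gateway
    $IPT -t nat -A POSTROUTING -s "$LAN" -d "$host" -p "$proto" --dport "$port" \
         -j SNAT --to-source "$GATEWAY_INT"
    # filter: the new flow to the internal host; conntrack passes the replies
    $IPT -A FORWARD -d "$host" -p "$proto" --dport "$port" \
         -m conntrack --ctstate NEW -j ACCEPT
}

apply_rules() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

    # stateful baseline: replies and related traffic pass, nothing else yet
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -s "$LAN" -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # the LAN may initiate anything outbound, masqueraded behind the public address
    $IPT -A FORWARD -i "$INT_IF" -s "$LAN" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

    forward_service tcp 80    "$WEB_SERVER"
    forward_service tcp 443   "$WEB_SERVER"
    forward_service udp 27015 "$HLDS_SERVER"   # HLDS game and query port
}

apply_rules
```

After applying, `iptables -t nat -vnL PREROUTING` shows per-rule packet counters; a connection attempt from outside that leaves the UDP 27015 DNAT counter at zero never reached the gateway, while a rising DNAT counter with no game traffic points at the FORWARD chain or the server itself.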
On Thu, 2002-05-30 at 08:11, Are Westby wrote:
Setting:
Got a CS-server on my LAN that I would like people on the outside to connect
to. I also have an iptables firewall on a DSL connection. The firewall has
two NICs, one for the LAN (192.168.1.x) and the other connects to the DSL
router, which receives an official IP address by means of DHCP.
I've run numerous searches through Google, but most examples just don't
work. [1] The cs-server gets authed with WON and all looks fine, but no one
can connect to my server.
I mean, there's gotta be someone out there who's done this.
Can anyone help, preferably by posting a ruleset that has been proven to
work properly in this scenario?
[1] The following example, taken from a private website, actually gets my
server WON authed, but still no connect from the outside:
IPADDR="my.external.ip.address"
INTERNAL_INTERFACE="eth0"
EXTERNAL_INTERFACE="eth1"
LOCAL_IP="firewall.lan.ip.address"
LOCALNET="localnet/24"
LOCAL_HL="cs-server.lan.ip.address"
HL_SERVERS="63.251.143.218 216.52.220.16 63.251.143.213"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:"
# accept TCP from the WON auth servers (source ports 6003/7002) to the
# firewall itself and, forwarded, to the LAN
for ADDRESS in $HL_SERVERS
do
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -s $ADDRESS --sport 6003 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -s $ADDRESS --sport 7002 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INTERFACE -p tcp -s $ADDRESS --sport 6003 -d $LOCALNET --dport $UNPRIVPORTS -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INTERFACE -p tcp -s $ADDRESS --sport 7002 -d $LOCALNET --dport $UNPRIVPORTS -j ACCEPT
done
# accept game traffic on UDP 27015 from anywhere, to the firewall and to the LAN
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp -d $IPADDR --dport 27015 -s 0/0 --sport $UNPRIVPORTS -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INTERFACE -p udp -d $LOCALNET --dport 27015 -s 0/0 --sport $UNPRIVPORTS -j ACCEPT
# redirect incoming UDP 27015 to the CS server
iptables -t nat -A PREROUTING -p udp --dport 27015 -j DNAT --to $LOCAL_HL
Rgds,
Are Westby