[lug] More iptables...

Mr Viggy LittleViggy at alum.manhattan.edu
Thu Dec 26 19:50:44 MST 2002


Okay, I've looked, and I've played, and this Linux iptables firewall 
thing is just too good!  I need help!!!

Basically, I'm now trying to punch holes in my firewall to play (GULP!) 
DirectX games on the Internet.  I've tried the following:

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 47624 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 2300:2400 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 2300:2400 -j ACCEPT

and...

iptables -t nat -A PREROUTING -p tcp --dport 47624 -j DNAT \
    --to-destination 172.16.2.101
iptables -t nat -A PREROUTING -p tcp --dport 2300:2400 -j DNAT \
    --to-destination 172.16.2.101
iptables -t nat -A PREROUTING -p udp --dport 2300:2400 -j DNAT \
    --to-destination 172.16.2.101

where eth0 is the "external" interface (it goes to my Cisco 678, which 
has everything routed to the Linux box), and eth1 is my internal LAN 
interface.

But, this doesn't let me play my DirectX enabled games on the Internet. 
I cannot connect to any games.

For giggles, I tried the same rules, but removed the --dport, and 
changed '-p tcp/udp' to '-p icmp'.  Then I pinged my external IP addy, 
and it worked (I got ping responses).  Before modifying the rules, I 
would get NO ping responses, so the packets are being DNAT'd to my computer.

So then, I removed the above rules, and added:

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT \
    --to-destination 172.16.2.101
iptables -t nat -A PREROUTING -p udp --dport 21 -j DNAT \
    --to-destination 172.16.2.101

Then I tried ftp'ing to my external IP address.  However, I get a 
"Connection timed out" error (before adding the rules, I got a 
"Connection refused" error).  Watching packets, I see the FTP connection 
packets going out, but nothing coming back on my LAN.  When I put 
chains in for logging (in iptables), I can see the packets being 
forwarded, but again, they never appear on my LAN.

Am I missing a few rules here?  I have some universal rules in the 
iptables chains that basically allow all packets to leave.

Viggy
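The following is an added example, not the poster's rules or a reply from the list: a complete port-forwarding set for one LAN host behind a two-interface iptables box, written as a dry-run script so the rules can be read before they are installed. It keeps the post's DirectPlay ports (TCP 47624, TCP/UDP 2300:2400), target host 172.16.2.101 and interfaces eth0/eth1; the public address 203.0.113.10 and the LAN prefix 172.16.2.0/24 are assumptions. Beyond the three DNAT rules in the post it adds the pieces a DNAT setup needs to pass traffic both ways: `-i eth0` on the PREROUTING rules, a FORWARD rule for the DNAT'd packets that matches the rewritten destination, the ESTABLISHED,RELATED return-path rule, and a hairpin set so that a test from inside the LAN against the public address is also forwarded.

```shell
#!/bin/sh
# Added example, not the original poster's rules: a full port-forwarding
# set for one LAN host. Interface names, LAN prefix and public address are
# assumptions; the ports are the DirectPlay ports from the post.
EXT_IF=${EXT_IF:-eth0}                  # toward the Cisco 678
INT_IF=${INT_IF:-eth1}                  # LAN side
EXT_IP=${EXT_IP:-203.0.113.10}          # assumed public address on EXT_IF
LAN_NET=${LAN_NET:-172.16.2.0/24}       # assumed LAN prefix
GAME_HOST=${GAME_HOST:-172.16.2.101}
# IPT defaults to a dry run that prints each rule; set IPT=iptables (as
# root) to install them.
IPT=${IPT:-"echo iptables"}

# forward_port PROTO PORTS: DNAT PORTS ("47624" or "2300:2400") arriving on
# the external interface to GAME_HOST and let the first packet through
# FORWARD. FORWARD runs after nat/PREROUTING, so it must match the
# rewritten destination (GAME_HOST), not the public address.
forward_port() {
    proto=$1 ports=$2
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p "$proto" --dport "$ports" \
        -j DNAT --to-destination "$GAME_HOST"
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p "$proto" -d "$GAME_HOST" \
        --dport "$ports" -m state --state NEW -j ACCEPT
}

# hairpin_port PROTO PORTS: the same forward for a LAN client that connects
# to the public address (the usual way to test from inside). The extra
# POSTROUTING masquerade makes GAME_HOST answer via the firewall instead of
# straight back to the client, which would otherwise see a reply from an
# address it never talked to and drop it.
hairpin_port() {
    proto=$1 ports=$2
    $IPT -t nat -A PREROUTING -i "$INT_IF" -d "$EXT_IP" -p "$proto" \
        --dport "$ports" -j DNAT --to-destination "$GAME_HOST"
    $IPT -t nat -A POSTROUTING -o "$INT_IF" -s "$LAN_NET" -d "$GAME_HOST" \
        -p "$proto" --dport "$ports" -j MASQUERADE
}

fw_rules() {
    # Reply packets from GAME_HOST back to the client. Without this the
    # request is forwarded in but the answer is never forwarded out.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Ordinary outbound traffic from the LAN, masqueraded as EXT_IP.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    # DirectPlay ports from the post: external forward plus hairpin.
    for spec in tcp:47624 tcp:2300:2400 udp:2300:2400; do
        forward_port "${spec%%:*}" "${spec#*:}"
        hairpin_port "${spec%%:*}" "${spec#*:}"
    done
    # Hairpinned packets enter and leave on INT_IF; the eth1->eth0 rule
    # above does not cover them.
    $IPT -A FORWARD -i "$INT_IF" -o "$INT_IF" -d "$GAME_HOST" -j ACCEPT
    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward   # route between interfaces
    fi
}

fw_rules
```

Run as `sh fw.sh` to print the rule set, or `IPT=iptables sh fw.sh` as root to apply it to an otherwise empty ruleset. For the FTP test in the post, note that FTP is TCP only (the udp/21 rules match nothing) and that the data connection of an active-mode transfer needs the FTP connection-tracking and NAT helpers loaded (ip_conntrack_ftp and ip_nat_ftp on the 2.4 kernels of the time, nf_conntrack_ftp and nf_nat_ftp on later ones) so that the RELATED match above lets it through.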



