If you are doing NAT then you have to disable RSA; I haven't looked into that...

iptables rules are below, you should be able to grab ports from them.

	My servers fail to contact the metaservers


The server must be able to do DNS (UDP and TCP 53), auth (TCP 113) and
whatever game ports you run on. Note my forwarding rules actually allow
all ports over 1024 in an attempt to get the metaserver working (possibly
incoming UDP connections on 1024+ needed for portswap?). These rules were
under construction when I decided: good enough.

Dave

$IPTABLES -N verify_netrekout_for
$IPTABLES -N verify_netrekin_for

# Allow serving of game server ports to world

$IPTABLES -A verify_netrekout_for -p TCP --sport 113 -j tcp_verify
$IPTABLES -A verify_netrekout_for -p TCP --sport 2592 -j tcp_verify
$IPTABLES -A verify_netrekout_for -p UDP --sport 2592 -j ACCEPT
$IPTABLES -A verify_netrekout_for -p TCP --sport 2593 -j tcp_verify
$IPTABLES -A verify_netrekout_for -p UDP --sport 2593 -j ACCEPT
$IPTABLES -A verify_netrekout_for -p TCP --sport 4566 -j tcp_verify
$IPTABLES -A verify_netrekout_for -p UDP --sport 4566 -j ACCEPT
$IPTABLES -A verify_netrekout_for -p TCP --sport 4577 -j tcp_verify
$IPTABLES -A verify_netrekout_for -p UDP --sport 4577 -j ACCEPT
$IPTABLES -A verify_netrekout_for -p TCP --sport 4000 -j tcp_verify
$IPTABLES -A verify_netrekout_for -p UDP --sport 4000 -j ACCEPT
$IPTABLES -A verify_netrekout_for -p TCP --sport 5000 -j tcp_verify
$IPTABLES -A verify_netrekout_for -p UDP --sport 5000 -j ACCEPT

# Metaserver and client verification

$IPTABLES -A verify_netrekout_for -p TCP --dport 1024: -j tcp_verify
$IPTABLES -A verify_netrekout_for -p UDP --dport 1024: -j ACCEPT


# Allow serving of game server ports to world

$IPTABLES -A verify_netrekin_for -p TCP --dport 113 -j tcp_verify
$IPTABLES -A verify_netrekin_for -p TCP --dport 2592 -j tcp_verify
$IPTABLES -A verify_netrekin_for -p UDP --dport 2592 -j ACCEPT
$IPTABLES -A verify_netrekin_for -p TCP --dport 2593 -j tcp_verify
$IPTABLES -A verify_netrekin_for -p UDP --dport 2593 -j ACCEPT
$IPTABLES -A verify_netrekin_for -p TCP --dport 4566 -j tcp_verify
$IPTABLES -A verify_netrekin_for -p UDP --dport 4566 -j ACCEPT
$IPTABLES -A verify_netrekin_for -p TCP --dport 4577 -j tcp_verify
$IPTABLES -A verify_netrekin_for -p UDP --dport 4577 -j ACCEPT
$IPTABLES -A verify_netrekin_for -p TCP --dport 4000 -j tcp_verify
$IPTABLES -A verify_netrekin_for -p UDP --dport 4000 -j ACCEPT
$IPTABLES -A verify_netrekin_for -p TCP --dport 5000 -j tcp_verify
$IPTABLES -A verify_netrekin_for -p UDP --dport 5000 -j ACCEPT
$IPTABLES -A verify_netrekin_for -p UDP --dport 1024: -j ACCEPT

# Metaserver

$IPTABLES -A verify_netrekin_for -p TCP --sport 3521 -j tcp_verify
$IPTABLES -A verify_netrekin_for -p UDP --sport 3521 -j ACCEPT
$IPTABLES -A verify_netrekin_for -p TCP --sport 3530 -j tcp_verify
$IPTABLES -A verify_netrekin_for -p UDP --sport 3530 -j ACCEPT


_______________________________________________
vanilla-devel mailing list
vanilla-devel at us.netrek.org
https://mailman.real-time.com/mailman/listinfo/vanilla-devel
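
An added example, not part of the original post: a small audit that reads rules in the form posted above and lists every single-port rule already covered by an open-ended range such as `1024:` in the same chain, with the same protocol, match field and target. The function names and the sample subset of rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: find single-port rules made redundant by a port range
# ("1024:") in the same chain with the same protocol, match field
# (--sport/--dport) and target.

# Constructed sample: a subset of the rules from the post above.
sample_rules() {
cat <<'EOF'
$IPTABLES -A verify_netrekin_for -p TCP --dport 113 -j tcp_verify
$IPTABLES -A verify_netrekin_for -p TCP --dport 2592 -j tcp_verify
$IPTABLES -A verify_netrekin_for -p UDP --dport 2592 -j ACCEPT
$IPTABLES -A verify_netrekin_for -p UDP --dport 4000 -j ACCEPT
$IPTABLES -A verify_netrekin_for -p UDP --dport 1024: -j ACCEPT
$IPTABLES -A verify_netrekin_for -p UDP --sport 3521 -j ACCEPT
$IPTABLES -A verify_netrekout_for -p UDP --sport 2592 -j ACCEPT
$IPTABLES -A verify_netrekout_for -p UDP --dport 1024: -j ACCEPT
EOF
}

# Reads rule lines on stdin; prints "chain proto field port" for each
# single-port rule covered by a "low:", ":high" or "low:high" range rule.
redundant_rules() {
awk '
$2 == "-A" && $4 == "-p" && ($6 == "--sport" || $6 == "--dport") && $8 == "-j" {
    key = $3 " " $5 " " $6 " " $9      # chain, proto, field, target
    if (index($7, ":")) {              # range rule, e.g. 1024: or 1024:2000
        split($7, r, ":")
        n = ++nr[key]
        lo[key, n] = (r[1] == "" ? 0 : r[1] + 0)
        hi[key, n] = (r[2] == "" ? 65535 : r[2] + 0)
    } else {                           # single-port rule
        s++; skey[s] = key; sport[s] = $7 + 0
        sout[s] = $3 " " $5 " " $6 " " $7
    }
}
END {
    for (i = 1; i <= s; i++) {
        k = skey[i]
        for (j = 1; j <= nr[k]; j++)
            if (sport[i] >= lo[k, j] && sport[i] <= hi[k, j]) { print sout[i]; break }
    }
}'
}

sample_rules | redundant_rules
```

On the sample it reports only the UDP `--dport` rules in `verify_netrekin_for`: the `--sport` rules in `verify_netrekout_for` are not covered, because the range there matches on destination port.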