[lug] More iptables...

Mr Viggy LittleViggy at alum.manhattan.edu
Thu Dec 26 19:50:44 MST 2002

Okay, I've looked, and I've played, and this Linux iptables firewall 
thing is just too good!  I need help!!!

Basically, I'm now trying to punch holes in my firewall to play (GULP!) 
Direct X games on the Internet.  I've tried the following:

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 47624 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 2300:2400 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 2300:2400 -j ACCEPT


iptables -t nat -A PREROUTING -p tcp --dport 47624 -j DNAT 
iptables -t nat -A PREROUTING -p tcp --dport 2300:2400 -j DNAT 
iptables -t nat -A PREROUTING -p udp --dport 2300:2400 -j DNAT 

where eth0 is the "external" interface (it goes to my Cisco 678, which 
has everything routed to the Linux box), and eth1 is my internal LAN 

But, this doesn't let me play my DirectX enabled games on the Internet. 
I cannot connect to any games.

For giggles, I tried the same rules, but removed the --dport, and 
changed '-p tcp/udp' to '-p icmp'.  Then I pinged my external IP addy, 
and it worked (I got ping responses).  Before modifying the rules, I 
would get NO ping responses, so the packets are being DNAT'd to my computer.

So then, I removed the above rules, and added:

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-destination
iptables -t nat -A PREROUTING -p udp --dport 21 -j DNAT --to-destination

Then I tried ftp'ing to my external IP address.  However, I get a 
"Connection timed out" error (before adding the rules, I got a 
"Connection refused" error).  Watching packets, I see the FTP connection 
packets going out, but nothing coming back on my LAN.  When I put 
chains in for logging (in iptables), I can see the packets being 
forwarded, but again, they never appear on my LAN.

Am I missing a few rules here?  I have some universal rules in the 
iptables chains that basically allow all packets to leave.
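For comparison, here is an added example (not from the post or the LUG list) that emits the three rules a single DNAT port forward needs: the PREROUTING DNAT with its target address, a FORWARD rule for the inbound half, and a FORWARD rule for the replies. The interface names and DirectPlay ports are taken from the post; the LAN host address is an assumption, and the script only echoes the rules unless IPT is set to the real iptables.

```sh
#!/bin/sh
# Added example, not from the original post: one function that emits the
# three rules a DNAT port forward needs. Interface names and ports follow
# the post; the LAN host is an assumption; IPT defaults to a dry run.
set -e

EXT_IF="${EXT_IF:-eth0}"             # external interface (toward the DSL router)
INT_IF="${INT_IF:-eth1}"             # internal LAN interface
LAN_HOST="${LAN_HOST:-192.168.1.10}" # assumed address of the gaming PC
IPT="${IPT:-echo iptables}"          # set IPT=iptables to really apply rules

# forward_port PROTO PORTSPEC LAN_HOST
# PORTSPEC is a single port (47624) or a range (2300:2400).
forward_port() {
    proto="$1"; ports="$2"; host="$3"
    # 1. nat/PREROUTING: rewrite the destination of inbound packets on the
    #    external interface. The DNAT target needs --to-destination, otherwise
    #    iptables has no address to rewrite to.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p "$proto" --dport "$ports" \
        -j DNAT --to-destination "$host"
    # 2. filter/FORWARD for the inbound half. FORWARD sees the packet after
    #    DNAT, so matching on -d must use the LAN address, not the public one.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p "$proto" -d "$host" \
        --dport "$ports" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # 3. filter/FORWARD for the replies (LAN -> Internet). Needed unless a
    #    general rule already accepts outbound traffic from the LAN.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p "$proto" -s "$host" \
        --sport "$ports" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Render the rules for one forward without touching the kernel, whatever
# IPT is set to (handy for reviewing a ruleset before applying it).
render_rules() { ( IPT="echo iptables"; forward_port "$@" ); }

# Routing between eth0 and eth1 also needs IP forwarding switched on:
#   echo 1 > /proc/sys/net/ipv4/ip_forward
# The DirectPlay ports from the post:
forward_port tcp 47624 "$LAN_HOST"
forward_port tcp 2300:2400 "$LAN_HOST"
forward_port udp 2300:2400 "$LAN_HOST"
```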
