newb needs help with port forwarding and securing the system


This topic contains 7 replies, has 0 voices, and was last updated by  mulea 9 years ago.

    #42381

    mulea
    Member

    Good evening,

    I’ve got ZeroShell up and running pretty well with only two small problems.

    The issues:

    1. The options to disable the administration console access outside my LAN don’t seem to work. I’ve tried setup->https Allow access only from 10.0.0.0/24 on ETH0 ( my LAN subnet and the interface it’s on ). I can still pull up the admin console from the external ETH1 address.

    2. We’d like to host a network game. We need to allow some ports through to a specific machine which is NAT’ed. I tried setting it up as a virtual server:
    Interface / IP Address Protocol Local Port Real Servers
    ETH01 / ANY TCP 47624,2300-2400 10.0.0.4:47624,2300-2400
    ETH01 / ANY UDP 2300-2400 10.0.0.4:2300-2400

    I also tried adding firewall rules to both input and forward chains. Didn’t work either.

    My setup:

    WAN = ETH01 = cable modem with DHCP
    LAN = ETH00 = static IP addresses

    NAT is enabled. Captive portal is not.

    Any suggestions?

    #50244

    ppalias
    Member

    Hello there!
    Post here the output of commands

    iptables -L -v
    iptables -t nat -L -v
    ifconfig
    #50245

    mulea
    Member

    root@cerebrus root> iptables -L -v
    Chain INPUT (policy DROP 3522 packets, 873K bytes)
    pkts bytes target prot opt in out source destination
    9871 1775K SYS_INPUT all -- any any anywhere anywhere
    6 615 SYS_HTTPS tcp -- any any anywhere anywhere tcp dpt:http
    1222 126K SYS_HTTPS tcp -- any any anywhere anywhere tcp dpt:https
    89 8404 SYS_SSH tcp -- any any anywhere anywhere tcp dpt:ssh
    2533 297K ACCEPT all -- ETH00 any anywhere anywhere
    1 96 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:directplaysrvr
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:directplaysrvr
    0 0 ACCEPT udp -- any any anywhere anywhere udp dpts:cvmmon:opequus-server
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpts:cvmmon:opequus-server

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    112K 74M ACCEPT all -- any any anywhere anywhere
    0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpts:cvmmon:opequus-server
    0 0 ACCEPT udp -- any any anywhere anywhere udp dpts:cvmmon:opequus-server
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:directplaysrvr
    0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:directplaysrvr

    Chain OUTPUT (policy ACCEPT 43341 packets, 12M bytes)
    pkts bytes target prot opt in out source destination
    48874 13M SYS_OUTPUT all -- any any anywhere anywhere

    Chain SYS_HTTPS (2 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    5930 436K ACCEPT all -- ETH00 any 10.0.0.0/24 anywhere
    4 196 DROP all -- any any anywhere anywhere

    Chain SYS_INPUT (1 references)
    pkts bytes target prot opt in out source destination
    522 43667 ACCEPT all -- lo any anywhere anywhere
    3494 670K ACCEPT udp -- any any anywhere anywhere udp spt:domain state ESTABLISHED
    255 293K ACCEPT tcp -- any any anywhere anywhere tcp spt:http state ESTABLISHED
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:8245 state ESTABLISHED
    1103 83828 ACCEPT udp -- any any anywhere anywhere udp spt:ntp state ESTABLISHED
    48276 6239K RETURN all -- any any anywhere anywhere

    Chain SYS_OUTPUT (1 references)
    pkts bytes target prot opt in out source destination
    522 43667 ACCEPT all -- any lo anywhere anywhere
    3574 268K ACCEPT udp -- any any anywhere anywhere udp dpt:domain
    329 18396 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:8245
    1108 84208 ACCEPT udp -- any any anywhere anywhere udp dpt:ntp
    43341 12M RETURN all -- any any anywhere anywhere

    Chain SYS_SSH (1 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    89 8404 ACCEPT all -- any any 10.0.0.0/24 anywhere
    0 0 DROP all -- any any anywhere anywhere
    root@cerebrus root> iptables -t nat -L -v
    Chain PREROUTING (policy ACCEPT 12317 packets, 1783K bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT tcp -- ETH01 any anywhere anywhere tcp dpt:directplaysrvr to:10.0.0.4:47624
    0 0 DNAT tcp -- ETH01 any anywhere anywhere tcp dpts:cvmmon:opequus-server to:10.0.0.4:2300-2400
    0 0 DNAT udp -- ETH01 any anywhere anywhere udp dpts:cvmmon:opequus-server to:10.0.0.4:2300-2400
    0 0 DNAT tcp -- ETH01 any anywhere anywhere tcp dpt:47623 to:10.0.0.8:47623
    0 0 DNAT udp -- ETH01 any anywhere anywhere udp dpt:47623 to:10.0.0.8:47623

    Chain POSTROUTING (policy ACCEPT 2339 packets, 297K bytes)
    pkts bytes target prot opt in out source destination
    13978 1209K SNATVS all -- any any anywhere anywhere
    11632 912K MASQUERADE all -- any ETH01 anywhere anywhere

    Chain OUTPUT (policy ACCEPT 9059 packets, 924K bytes)
    pkts bytes target prot opt in out source destination

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination
    root@cerebrus root> ifconfig
    ETH00 Link encap:Ethernet HWaddr 00:80:5F:EA:00:E4
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:196135 errors:0 dropped:0 overruns:0 frame:0
    TX packets:296438 errors:2 dropped:0 overruns:0 carrier:2
    collisions:0 txqueuelen:1000
    RX bytes:21953930 (20.9 Mb) TX bytes:355346788 (338.8 Mb)
    Interrupt:11 Base address:0xec00

    ETH00:00 Link encap:Ethernet HWaddr 00:80:5F:EA:00:E4
    inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    Interrupt:11 Base address:0xec00

    ETH01 Link encap:Ethernet HWaddr 00:50:DA:18:47:83
    inet addr:74.87.224.117 Bcast:255.255.255.255 Mask:255.255.255.128
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:1977774 errors:0 dropped:0 overruns:0 frame:0
    TX packets:172505 errors:0 dropped:0 overruns:0 carrier:0
    collisions:3346 txqueuelen:1000
    RX bytes:449325861 (428.5 Mb) TX bytes:19855771 (18.9 Mb)
    Interrupt:10 Base address:0xe000

    VPN99 Link encap:Ethernet HWaddr 00:FF:53:B6:85:19
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    VPN99:00 Link encap:Ethernet HWaddr 00:FF:53:B6:85:19
    inet addr:192.168.250.254 Bcast:192.168.250.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    dummy1 Link encap:Ethernet HWaddr E2:5A:84:C0:CB:FB
    inet addr:192.168.142.142 Bcast:192.168.142.255 Mask:255.255.255.255
    UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:573 errors:0 dropped:0 overruns:0 frame:0
    TX packets:573 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:46985 (45.8 Kb) TX bytes:46985 (45.8 Kb)

    root@cerebrus root>

    #50246

    ppalias
    Member

    1) Try to remove the network interface from the form, just use the network subnet. Be careful not to remove everything, which would lock you out.
    2) The rules are ok, but there seem to be no hits at all, which means that no packets have arrived.
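The diagnosis above rests on reading the packet counters: every DNAT rule bound to ETH01 shows 0 hits, so traffic never matched them. The following small checker, added here as an illustration and not part of the thread or of ZeroShell, parses `iptables -L -v` style output and lists rules whose counters are still zero, together with the interface they are bound to. The sample text is constructed from the counters posted above.

```python
import re

# Constructed sample: two PREROUTING DNAT entries bound to ETH01 (never hit)
# and two POSTROUTING entries that do carry traffic.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 12317 packets, 1783K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- ETH01 any anywhere anywhere tcp dpt:directplaysrvr to:10.0.0.4:47624
0 0 DNAT udp -- ETH01 any anywhere anywhere udp dpts:cvmmon:opequus-server to:10.0.0.4:2300-2400

Chain POSTROUTING (policy ACCEPT 2339 packets, 297K bytes)
pkts bytes target prot opt in out source destination
13978 1209K SNATVS all -- any any anywhere anywhere
11632 912K MASQUERADE all -- any ETH01 anywhere anywhere
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000000, "G": 1000000000}

def _count(token):
    """Turn an iptables counter such as '112K' into an integer."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    return int(m.group(1)) * _SUFFIX[m.group(2)] if m else None

def parse_rules(text):
    """Return one dict per rule line: chain, pkts, target, proto, in, out, match."""
    chain, rules = None, []
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        parts = line.split()
        if chain is None or len(parts) < 7 or _count(parts[0]) is None:
            continue  # blank line or the 'pkts bytes target ...' header
        rules.append({"chain": chain, "pkts": _count(parts[0]), "target": parts[2],
                      "proto": parts[3], "in": parts[5], "out": parts[6],
                      "match": " ".join(parts[7:])})
    return rules

def unhit_rules(text, target=None):
    """Rules whose packet counter is still zero, optionally filtered by target."""
    return [r for r in parse_rules(text)
            if r["pkts"] == 0 and (target is None or r["target"] == target)]

if __name__ == "__main__":
    for r in unhit_rules(SAMPLE, "DNAT"):
        print(f"{r['chain']}: {r['target']} {r['proto']} in={r['in']} never matched: {r['match']}")
```

Run it against the live output (`iptables -t nat -L -v`) after generating some test traffic; a rule that stays at zero while the chain's policy counter climbs is not matching for the reason ppalias describes.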

    #50247

    mulea
    Member

    @ppalias wrote:

    1) Try to remove the network interface from the form, just use the network subnet.

    I’m sorry, I don’t understand. Which form?

    Thank you for the help

    #50248

    mulea
    Member

    Putting in the virtual server entries without the interface solved the issue.
    Thanks for the help!

    #50249

    mulea
    Member

    There’s only one small problem.

    The game seems to want a unique ip address for every player. Can I cause it to route my packets through the NAT, but also to the game system as if from another IP address? Perhaps some tricks with a virtual adapter?

    #50250

    ppalias
    Member

    If you are behind NAT I can only see one solution for your server rejecting connections from the same IP. Create a VPN server and each client connects to you and is assigned a unique IP from a dedicated VPN subnet. So each client will connect to the server through the VPN.

    #50251

    mulea
    Member

    Thanks for the idea.
