newb needs help with port forwarding and securing the system

[mulea]

Good evening,

I’ve got zeroshell up and running pretty well with only two small problems.

The issues:

1. The options to disable the administration console access outside my LAN don’t seem to work. I’ve tried setup->https Allow access only from 10.0.0.0/24 on ETH0 ( my LAN subnet and the interface it’s on ). I can still pull up the admin console from the external ETH1 address.

2. We’d like to host a network game. We need to allow some ports through to a specific machine which is NAT’ed. I tried setting it up as a virtual server:
Interface / IP Address Protocol Local Port Real Servers
ETH01 / ANY TCP 47624,2300-2400 10.0.0.4:47624,2300-2400
ETH01 / ANY UDP 2300-2400 10.0.0.4:2300-2400

I also tried adding firewall rules to both input and forward chains. Didn’t work either.

My setup:

wan = ETH01 = cable modem with dhcp
Lan = EHT00 = static IP addresses

NAT is enabled. Captive portal is not.

Any suggestions?

[ppalias]

Hello there!
Post here the output of commands

iptables -L -v

iptables -t nat -L -v

ifconfig

[mulea]

root@cerebrus root> iptables -L -v
Chain INPUT (policy DROP 3522 packets, 873K bytes)
pkts bytes target prot opt in out source destination
9871 1775K SYS_INPUT all — any any anywhere anywhere
6 615 SYS_HTTPS tcp — any any anywhere anywhere tcp dpt:http
1222 126K SYS_HTTPS tcp — any any anywhere anywhere tcp dpt:https
89 8404 SYS_SSH tcp — any any anywhere anywhere tcp dpt:ssh
2533 297K ACCEPT all — ETH00 any anywhere anywhere
1 96 ACCEPT all — any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT udp — any any anywhere anywhere udp dpt:directplaysrvr
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:directplaysrvr
0 0 ACCEPT udp — any any anywhere anywhere udp dpts:cvmmon:opequus-server
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpts:cvmmon:opequus-server

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
112K 74M ACCEPT all — any any anywhere anywhere
0 0 ACCEPT all — any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpts:cvmmon:opequus-server
0 0 ACCEPT udp — any any anywhere anywhere udp dpts:cvmmon:opequus-server
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:directplaysrvr
0 0 ACCEPT udp — any any anywhere anywhere udp dpt:directplaysrvr

Chain OUTPUT (policy ACCEPT 43341 packets, 12M bytes)
pkts bytes target prot opt in out source destination
48874 13M SYS_OUTPUT all — any any anywhere anywhere

Chain SYS_HTTPS (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all — lo any anywhere anywhere
5930 436K ACCEPT all — ETH00 any 10.0.0.0/24 anywhere
4 196 DROP all — any any anywhere anywhere

Chain SYS_INPUT (1 references)
pkts bytes target prot opt in out source destination
522 43667 ACCEPT all — lo any anywhere anywhere
3494 670K ACCEPT udp — any any anywhere anywhere udp spt:domain state ESTABLISHED
255 293K ACCEPT tcp — any any anywhere anywhere tcp spt:http state ESTABLISHED
0 0 ACCEPT tcp — any any anywhere anywhere tcp spt:8245 state ESTABLISHED
1103 83828 ACCEPT udp — any any anywhere anywhere udp spt:ntp state ESTABLISHED
48276 6239K RETURN all — any any anywhere anywhere

Chain SYS_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
522 43667 ACCEPT all — any lo anywhere anywhere
3574 268K ACCEPT udp — any any anywhere anywhere udp dpt:domain
329 18396 ACCEPT tcp — any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:8245
1108 84208 ACCEPT udp — any any anywhere anywhere udp dpt:ntp
43341 12M RETURN all — any any anywhere anywhere

Chain SYS_SSH (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all — lo any anywhere anywhere
89 8404 ACCEPT all — any any 10.0.0.0/24 anywhere
0 0 DROP all — any any anywhere anywhere
root@cerebrus root> iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 12317 packets, 1783K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp — ETH01 any anywhere anywhere tcp dpt:directplaysrvr to:10.0.0.4:47624
0 0 DNAT tcp — ETH01 any anywhere anywhere tcp dpts:cvmmon:opequus-server to:10.0.0.4:2300-2400
0 0 DNAT udp — ETH01 any anywhere anywhere udp dpts:cvmmon:opequus-server to:10.0.0.4:2300-2400
0 0 DNAT tcp — ETH01 any anywhere anywhere tcp dpt:47623 to:10.0.0.8:47623
0 0 DNAT udp — ETH01 any anywhere anywhere udp dpt:47623 to:10.0.0.8:47623

Chain POSTROUTING (policy ACCEPT 2339 packets, 297K bytes)
pkts bytes target prot opt in out source destination
13978 1209K SNATVS all — any any anywhere anywhere
11632 912K MASQUERADE all — any ETH01 anywhere anywhere

Chain OUTPUT (policy ACCEPT 9059 packets, 924K bytes)
pkts bytes target prot opt in out source destination

Chain SNATVS (1 references)
pkts bytes target prot opt in out source destination
root@cerebrus root> ifconfig
ETH00 Link encap:Ethernet HWaddr 00:80:5F:EA:00:E4
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:196135 errors:0 dropped:0 overruns:0 frame:0
TX packets:296438 errors:2 dropped:0 overruns:0 carrier:2
collisions:0 txqueuelen:1000
RX bytes:21953930 (20.9 Mb) TX bytes:355346788 (338.8 Mb)
Interrupt:11 Base address:0xec00

ETH00:00 Link encap:Ethernet HWaddr 00:80:5F:EA:00:E4
inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0xec00

ETH01 Link encap:Ethernet HWaddr 00:50:DA:18:47:83
inet addr:74.87.224.117 Bcast:255.255.255.255 Mask:255.255.255.128
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1977774 errors:0 dropped:0 overruns:0 frame:0
TX packets:172505 errors:0 dropped:0 overruns:0 carrier:0
collisions:3346 txqueuelen:1000
RX bytes:449325861 (428.5 Mb) TX bytes:19855771 (18.9 Mb)
Interrupt:10 Base address:0xe000

VPN99 Link encap:Ethernet HWaddr 00:FF:53:B6:85:19
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

VPN99:00 Link encap:Ethernet HWaddr 00:FF:53:B6:85:19
inet addr:192.168.250.254 Bcast:192.168.250.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

dummy1 Link encap:Ethernet HWaddr E2:5A:84:C0:CB:FB
inet addr:192.168.142.142 Bcast:192.168.142.255 Mask:255.255.255.255
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:573 errors:0 dropped:0 overruns:0 frame:0
TX packets:573 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:46985 (45.8 Kb) TX bytes:46985 (45.8 Kb)

root@cerebrus root>

[ppalias]

1) Try to remove the network interface from the form, just use the network subnet. Be careful not to remove everything, which would lock you out.
2) The rules are ok, but there seem to be no hits at all, which means that no packets have arrived.

[mulea]

@ppalias wrote:

1) Try to remove the network interface from the form, just use the network subnet..

I’m sorry, I don’t understand. Which form?

Thank you for the help

[mulea]

Putting in the virtual server entries without the interface solved the issue.
Thanks for the help!

[mulea]

There’s only one small problem.

The game seems to want a unique ip address for every player. Can I cause it to route my packets through the NAT, but also to the game system as if from another IP address? Perhaps some tricks with a virtual adapter?

[ppalias]

If you are behind nat I can only see one solution for your server rejecting connections from the same IP. Create a vpn server and each client connects to you and is assigned a unique IP from a dedicate VPN subnet. So each client will connect on the server through the VPN.

[mulea]

Thanks for the idea.

[Author]

Posts