Re: iptables with Quake?
01-29-2004
Jim

"Mike Ruskai" <spamten.knilhtrae@begonedynnaht.net> wrote in message news:<gunaalqrneguyvaxarg.hs4nfe0.pminews@news.east.earthlink.net>...
<Bobbit>
> With iptables, however, connections to Quake servers do not work. The
> initial connection succeeds, but no further traffic is received from the
> server.


I know nothing about Quake protocols but I'm not about to let that
stop me from replying. It sounds like this is using a connection
methodology similar to FTP, i.e. initiate a control session on one
port and then spawn data connections on another.

Make sure you have the ip_conntrack module loaded: as root 'modprobe
ip_conntrack'

I assume you have a rule similar to the following already as you don't
know what ports Quake is using but you're still getting an initial
connection to the server:

iptables -t filter -A FORWARD -i ethx -o ethy -j ACCEPT

Where ethx is your private network and ethy is the public interface.
This allows you to connect to any host on the internet on any port.

You could try complementing that with the Hail Mary of forward rules:
iptables -t filter -I FORWARD -i ethy -o ethx -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -I FORWARD -i ethy -o ethx -m state --state RELATED -j ACCEPT

(Note the use of -I instead of -A above; this inserts the rules at the
head of the chain, making them the very first ones in the filter
FORWARD chain to evaluate a packet inbound to your private network
from the internet. Do consider the implications of that before using
them.)

If you add those two lines anywhere in your iptables script you'll
probably find that everything works fine (as you mentioned that some
people are reporting no problems). However, you'll also be opening up
some big holes.

If adding these rules does work, you should then add a logging rule
right before them specifying the destination address as the internal
IP address of your machine and capture packets for 20 minutes or so.
Then go through the logs and see what ports are being used. If you're
lucky it'll only be a few ports and you can add rules for each of them
in the FORWARD table specifying the established and related states.

<Bobbit>
> So how does one get Quake (and similar protocols - Quake 3, Wolf ET, etc.)
> working properly with iptables?


Dump packets from a functioning Quake connection, figure out how the
protocol works by looking at the captured packets, write iptables
rules to support the protocol.

Good Luck,

Jim
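An added example, not part of the post above: one way to do the "go through the logs and see what ports are being used" step, by parsing iptables LOG lines and emitting one narrow ESTABLISHED,RELATED rule per observed remote port. The log prefix, the internal address 192.168.1.20, the sample lines and the function names are assumptions made for illustration; ethx/ethy are the post's own placeholders.

```python
import re
from collections import Counter

# Constructed sample: kernel log lines as written by an iptables LOG target.
# Assumes a rule like this was inserted ahead of the two state rules:
#   iptables -t filter -I FORWARD -i ethy -o ethx -d 192.168.1.20 -j LOG --log-prefix "QUAKE-IN: "
# The prefix, addresses and ports are made up for illustration.
SAMPLE_LOG = """\
Jan 29 20:14:03 gw kernel: QUAKE-IN: IN=eth1 OUT=eth0 SRC=203.0.113.10 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=27960 DPT=32771 LEN=40
Jan 29 20:14:04 gw kernel: QUAKE-IN: IN=eth1 OUT=eth0 SRC=203.0.113.10 DST=192.168.1.20 LEN=92 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=27960 DPT=32771 LEN=72
Jan 29 20:14:09 gw kernel: QUAKE-IN: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.168.1.20 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=4411 DF PROTO=TCP SPT=80 DPT=40112 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jan 29 20:14:11 gw kernel: QUAKE-IN: IN=eth1 OUT=eth0 SRC=203.0.113.10 DST=192.168.1.20 LEN=88 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.20 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=32771 DPT=27950 LEN=40 ]
Jan 29 20:14:12 gw kernel: OTHER: IN=eth1 OUT=eth0 SRC=203.0.113.99 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=UDP SPT=5000 DPT=5000 LEN=40
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line, prefix="QUAKE-IN: "):
    """Return the KEY=value fields of one LOG line, or None if it has no ports or is not ours."""
    _, found, rest = line.partition(prefix)
    if not found:
        return None
    # ICMP errors quote the offending packet in [...]; drop it so the inner
    # SPT/DPT are not mistaken for the outer packet's ports.
    fields = dict(FIELD.findall(rest.split("[", 1)[0]))
    return fields if "SPT" in fields else None

def summarize(log_text, internal_ip):
    """Count logged packets per (protocol, remote source port) sent to internal_ip."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f.get("DST") == internal_ip:
            counts[(f["PROTO"].lower(), int(f["SPT"]))] += 1
    return counts

def suggest_rules(counts, wan="ethy", lan="ethx"):
    """Build one per-port rule for each observed (protocol, remote port) pair."""
    return [
        f"iptables -t filter -A FORWARD -i {wan} -o {lan} -p {proto} --sport {port} "
        "-m state --state ESTABLISHED,RELATED -j ACCEPT"
        for (proto, port), _ in sorted(counts.items())
    ]

if __name__ == "__main__":
    for rule in suggest_rules(summarize(SAMPLE_LOG, "192.168.1.20")):
        print(rule)
```

The generated rules are candidates to review against the capture, not to apply blindly; the counts show which ports carried the game traffic and which were unrelated.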