Subject: iptables with Quake?
Date: Tue, 27 Jan 2004 03:36:47 GMT

For quite some time now, I've been using a 2.2.20 box for Internet connection sharing. The drive in that machine is dying, so I added a couple new drives and installed Slack 9.0 from scratch.

With 2.2.x and ipchains, connecting to Quake servers (the original Quake 1) was not a problem. I plan on using either 2.4 or 2.6 as the kernel version, which means iptables.

With iptables, however, connections to Quake servers do not work. The initial connection succeeds, but no further traffic is received from the server.

I've searched Google quite a bit for answers, but all I've seen are messages asking how to get it working, and messages saying it works fine with no special modifications (which isn't true).

So how does one get Quake (and similar protocols - Quake 3, Wolf ET, etc.) working properly with iptables?

--
- Mike

Remove 'spambegone.net' and reverse to send e-mail.

Subject: Re: iptables with Quake?
Date: Fri, 30 Jan 2004 19:22:55 GMT

On 28 Jan 2004 18:51:52 -0800, Jim wrote:

>"Mike Ruskai" <spamten.knilhtrae@begonedynnaht.net> wrote in message news:<gunaalqrneguyvaxarg.hs4nfe0.pminews@news.east.earthlink.net>...
><Bobbit>
>> With iptables, however, connections to Quake servers do not work. The
>> initial connection succeeds, but no further traffic is received from the
>> server.
>
>I know nothing about Quake protocols but I'm not about to let that
>stop me from replying. It sounds like this is using a connection
>methodology similar to ftp, i.e. initiate a control session on one
>port and then spawn data connections on another.

[snip]

Quake uses UDP. As it turns out, some versions of it do work, and some don't. The one I was testing with does not, but the one I mostly use does, so it's no longer a problem.

--
- Mike

Remove 'spambegone.net' and reverse to send e-mail.

"Mike Ruskai" <spamten.knilhtrae@begonedynnaht.net> wrote in message news:<gunaalqrneguyvaxarg.hs4nfe0.pminews@news.east.earthlink.net>...
<Bobbit>
> With iptables, however, connections to Quake servers do not work. The
> initial connection succeeds, but no further traffic is received from the
> server.

I know nothing about Quake protocols but I'm not about to let that stop me from replying. It sounds like this is using a connection methodology similar to ftp, i.e. initiate a control session on one port and then spawn data connections on another.

Make sure you have the ip_conntrack module loaded: as root 'modprobe ip_conntrack'

I assume you have a rule similar to the following already as you don't know what ports Quake is using but you're still getting an initial connection to the server:

    iptables -t filter -A FORWARD -i ethx -o ethy -j ACCEPT

Where ethx is your private network and ethy is the public interface, this allows you to connect to any host on the internet on any port.

You could try complementing that with the Hail Mary of forward rules:

    iptables -t filter -I FORWARD -i ethy -o ethx -m state --state ESTABLISHED -j ACCEPT
    iptables -t filter -I FORWARD -i ethy -o ethx -m state --state RELATED -j ACCEPT

(Note the use of -I instead of -A above, this inserts the rules at the head of the chain making them the very first ones in the filter FORWARD chain to evaluate a packet inbound to your private network from the internet. Do consider the implications of that before using them.)

If you add those two lines anywhere in your iptables script you'll probably find that everything works fine (as you mentioned that some people are reporting no problems). However, you'll also be opening up some big holes.

If adding these rules does work, you should then add a logging rule right before them specifying the destination address as the internal ip address of your machine and capture packets for 20 minutes or so. Then go through the logs and see what ports are being used. If you're lucky it'll only be a few ports and you can add rules for each of them in the FORWARD table specifying the established and related states.

<Bobbit>
> So how does one get Quake (and similar protocols - Quake 3, Wolf ET, etc.)
> working properly with iptables?

Dump packets from a functioning quake connection, figure out how the protocol works by looking at the captured packets, write iptables rules to support the protocol.

Good Luck,

Jim

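The last step in the post above, going through the logged packets to see which ports are in use, can be scripted. This is an added example, not part of the thread: the log prefix "QUAKE-IN: ", the internal address 192.168.1.10 and the sample log lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: tally packets recorded by an iptables LOG rule so the ports
# the remote server actually sends from can be read off the kernel log.
#
# Assumed LOG rule (prefix and 192.168.1.10 are hypothetical; ethy/ethx as in
# the post), inserted after the two accept rules so it sits ahead of them:
#   iptables -t filter -I FORWARD -i ethy -o ethx -d 192.168.1.10 \
#       -j LOG --log-prefix "QUAKE-IN: "

# Reads kernel log lines on stdin and prints "count proto src-port dst-port",
# busiest flow first. Lines without the prefix are ignored.
summarize_ports() {
    grep 'QUAKE-IN: ' | awk '
    {
        proto = ""; spt = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/)    proto = substr($i, 7)
            else if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        # Protocols without ports (ICMP and similar) are skipped.
        if (proto != "" && spt != "" && dpt != "")
            count[proto " " spt " " dpt]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines (not a real capture).
sample_log() {
    cat <<'EOF'
Jan 27 03:40:01 gw kernel: QUAKE-IN: IN=ethy OUT=ethx SRC=203.0.113.5 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=26000 DPT=1028 LEN=20
Jan 27 03:40:01 gw kernel: QUAKE-IN: IN=ethy OUT=ethx SRC=203.0.113.5 DST=192.168.1.10 LEN=92 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=1077 DPT=1028 LEN=72
Jan 27 03:40:02 gw kernel: ethy: link status ok
Jan 27 03:40:02 gw kernel: QUAKE-IN: IN=ethy OUT=ethx SRC=203.0.113.5 DST=192.168.1.10 LEN=96 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=1077 DPT=1028 LEN=76
Jan 27 03:40:02 gw kernel: QUAKE-IN: IN=ethy OUT=ethx SRC=203.0.113.5 DST=192.168.1.10 LEN=88 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=1077 DPT=1028 LEN=68
Jan 27 03:40:05 gw kernel: QUAKE-IN: IN=ethy OUT=ethx SRC=198.51.100.7 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=4211 DF PROTO=TCP SPT=80 DPT=3345 WINDOW=5840 RES=0x00 ACK URGP=0
EOF
}

sample_log | summarize_ports
```

On a live gateway, feed it the kernel log instead of the sample, for example `dmesg | summarize_ports`.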
Jim wrote:
> "Mike Ruskai" <spamten.knilhtrae@begonedynnaht.net> wrote in message news:<gunaalqrneguyvaxarg.hs4nfe0.pminews@news.east.earthlink.net>...
> <Bobbit>
>
>>With iptables, however, connections to Quake servers do not work. The
>>initial connection succeeds, but no further traffic is received from the
>>server.
>
> I know nothing about Quake protocols but I'm not about to let that
> stop me from replying. It sounds like this is using a connection
> methodology similar to ftp, i.e. initiate a control session on one
> port and then spawn data connections on another.
>
> Make sure you have the ip_conntrack module loaded: as root 'modprobe
> ip_conntrack'
>
> I assume you have a rule similar to the following already as you don't
> know what ports Quake is using but you're still getting an initial
> connection to the server:
>
> iptables -t filter -A FORWARD -i ethx -o ethy -j ACCEPT
>
> Where ethx is your private network and ethy is the public interface,
> this allows you to connect to any host on the internet on any port.
>
> You could try complementing that with the Hail Mary of forward rules:
> iptables -t filter -I FORWARD -i ethy -o ethx -m state --state ESTABLISHED -j ACCEPT
> iptables -t filter -I FORWARD -i ethy -o ethx -m state --state RELATED -j ACCEPT
>
> (Note the use of -I instead of -A above, this inserts the rules at the
> head of the chain making them the very first ones in the filter
> FORWARD chain to evaluate a packet inbound to your private network
> from the internet. Do consider the implications of that before using
> them.)
>
> If you add those two lines anywhere in your iptables script you'll
> probably find that everything works fine (as you mentioned that some
> people are reporting no problems). However, you'll also be opening up
> some big holes.
>
> If adding these rules does work, you should then add a logging rule
> right before them specifying the destination address as the internal
> ip address of your machine and capture packets for 20 minutes or so.
> Then go through the logs and see what ports are being used. If you're
> lucky it'll only be a few ports and you can add rules for each of them
> in the FORWARD table specifying the established and related states.
>
> <Bobbit>
>
>>So how does one get Quake (and similar protocols - Quake 3, Wolf ET, etc.)
>>working properly with iptables?
>
> Dump packets from a functioning quake connection, figure out how the
> protocol works by looking at the captured packets, write iptables
> rules to support the protocol.
>
> Good Luck,
>
> Jim

What are your iptables rules? Try:

    iptables -v -L

and:

    iptables -t nat -v -L

What kind of network are you running? i.e. do you need MASQ for a NAT'ed box running thru a gateway?

My system works well for quake 3 and UT so here is some info that might help until we see your rules and network configuration.

First: Quake is probably using UDP not TCP.

Second: Make sure you have MASQ on the POSTROUTING chain. Check with:

    iptables -t nat -v -L