Hi,

As a follow-up on this old thread I'd like to report success in setting
up my own server (nl.netrek.org). Unfortunately I could not use a nifty
iptables firewall, but was limited to the DSL-built-in NAT firewall. Very
limited indeed. The main problem was that I could not open entire port
ranges to the world. Only single port rules. As a result hardly anyone
was able to get UDP working in the game ;-)

I imagine there will potentially be more people with this issue so I
fixed this by patching the file ntserv/socket.c

   ehb > diff socket.c socket.c_original
   2301,2302c2300
   <     /* Use static range of UDP portnumbers. Easier for opening up firewalls */
   <     addr.sin_port = 3333 + me->p_no;
   ---
   >     addr.sin_port = 0;
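Review bot: the new line `addr.sin_port = 3333 + me->p_no;` stores a host-order integer in a field that bind() reads in network byte order, so on a little-endian (x86) host the socket is bound to the byte-swapped port (3333 = 0x0D05 becomes 0x050D = 1293), not to 3333..3348, and the single-port firewall rules opened for that range would never match. The original `addr.sin_port = 0;` worked either way only because 0 is identical in both byte orders. Suggested change: `addr.sin_port = htons(3333 + me->p_no);`. Since a fixed port, unlike a kernel-chosen ephemeral one, can already be occupied (for example by a stale ntserv process), also make sure a failing bind() after this assignment is logged rather than silently falling through to the TCP-only path.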

It will now use local port numbers 3333..3348 for players, rather than
the random numbers before. What I now have opened for initial INCOMING
traffic in my firewall is this:

   2591   TCP   Player list (can be used by metaserver)
   2592   TCP   Player game port
   2593   TCP   Observer game port
   4566   TCP   Home player INL port (nothing listening now)
   4577   TCP   Away player INL port (nothing listening now)
   4000   TCP   Home observer INL port (nothing listening now)
   5000   TCP   Away observer INL port (nothing listening now)
   3333   UDP   Netrek Player 0
   ..
   3348   UDP   Netrek Player 15
   (observers should be able to live on TCP only. tired of typing)

When typing this I just realized that running both INL and pickup will get
me into problems using this scheme... Ahh well. Fixing that later ;-)

Also I have not yet looked into the RSA stuff.


The ideal solution I would like to have implemented is every client using
one and the same UDP port, namely 2592. That port number is now nicely
reserved for netrek. Clients should send PDUs with an additional 4-byte,
server-assigned ID which the server uses to distribute stuff among daemonII
processes. Relying on source IP address won't be sufficient in all cases.

I know it will be hard and there will probably be pitfalls, but I'm bored
and like to try. So I ask you vanilla veterans: is there any reason I
should not do this?

Greetx, Erik
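To make both schemes concrete, here is an added example (not code from ntserv or the netrek project, and not the patch above) written against the plain POSIX sockets API. It shows the static port computation from the socket.c patch with the htons() conversion that sin_port needs, reads the port back with getsockname() so it can be checked against the firewall rule, and sketches the proposed single-port design: each datagram carries a 4-byte server-assigned session ID in network byte order and is mapped to a player slot by that ID alone, never by source address. The session table, the PDU layout and the sample ID 0xC0FFEE01 are assumptions of this example; a real server would draw IDs from a CSPRNG, since a guessable ID lets another host inject traffic for that player.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define BASE_UDP_PORT   3333  /* static range from the socket.c patch: 3333 + p_no */
#define SHARED_UDP_PORT 2592  /* single port proposed for every client */
#define MAX_PLAYERS     16    /* matches the 16 ports opened, 3333..3348 */
#define ID_LEN          4     /* server-assigned session ID prefixed to each PDU */

/* Session table (assumed layout): slot p_no holds that player's ID, 0 means free. */
static uint32_t session_id[MAX_PLAYERS];

/* Port a player slot gets under the static-range scheme; 0 if p_no is out of range. */
uint16_t static_udp_port(int p_no) {
    if (p_no < 0 || p_no >= MAX_PLAYERS) return 0;
    return (uint16_t)(BASE_UDP_PORT + p_no);
}

/* Bind a UDP socket to ip:port and return the fd, or -1. sin_port is filled with
   htons(): a host-order integer stored there binds the byte-swapped port on
   little-endian hosts, so the firewall rule for 3333 would never match. */
int bind_udp(const char *ip, uint16_t port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &addr.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the kernel actually bound fd to, in host order (0 on error). Check this
   against the firewall rule instead of trusting the assignment. */
uint16_t bound_port(int fd) {
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;
    if (getsockname(fd, (struct sockaddr *)&addr, &len) < 0) return 0;
    return ntohs(addr.sin_port);
}

/* Record the session ID for slot p_no; -1 on a bad slot or the reserved ID 0.
   The demo passes a constructed constant; a real server must use a CSPRNG. */
int assign_session(int p_no, uint32_t id) {
    if (p_no < 0 || p_no >= MAX_PLAYERS || id == 0) return -1;
    session_id[p_no] = id;
    return 0;
}

/* Client side: prefix the payload with the ID in network byte order.
   Returns bytes written, or 0 if the buffer is too small. */
size_t build_pdu(unsigned char *out, size_t cap, uint32_t id,
                 const unsigned char *payload, size_t plen) {
    if (cap < ID_LEN + plen) return 0;
    uint32_t wire = htonl(id);
    memcpy(out, &wire, ID_LEN);
    memcpy(out + ID_LEN, payload, plen);
    return ID_LEN + plen;
}

/* Server side: map a datagram to a player slot by its ID alone. The source
   address is deliberately not consulted: behind NAT it may be shared or change.
   Returns the slot, or -1 for a short datagram or an unknown/zero ID. */
int demux_slot(const unsigned char *pdu, size_t len) {
    if (len < ID_LEN) return -1;
    uint32_t id;
    memcpy(&id, pdu, ID_LEN);
    id = ntohl(id);
    if (id == 0) return -1;
    for (int i = 0; i < MAX_PLAYERS; i++)
        if (session_id[i] == id) return i;
    return -1;
}

/* Encode a PDU for id and demux it again: an end-to-end check of the framing. */
int pdu_roundtrip(uint32_t id) {
    unsigned char pdu[ID_LEN + 8];
    size_t n = build_pdu(pdu, sizeof pdu, id, (const unsigned char *)"ping", 4);
    return n ? demux_slot(pdu, n) : -1;
}

int main(void) {
    /* Stand-alone demo over loopback on a kernel-chosen port (0) so it cannot
       collide with a live server; a real server would pass SHARED_UDP_PORT. */
    int srv = bind_udp("127.0.0.1", 0), cli = bind_udp("127.0.0.1", 0);
    if (srv < 0 || cli < 0) { perror("bind"); return 1; }
    assign_session(7, 0xC0FFEE01u);                        /* constructed sample ID */
    unsigned char pdu[64], buf[64];
    size_t n = build_pdu(pdu, sizeof pdu, 0xC0FFEE01u, (const unsigned char *)"hi", 2);
    struct sockaddr_in to = { .sin_family = AF_INET, .sin_port = htons(bound_port(srv)) };
    inet_pton(AF_INET, "127.0.0.1", &to.sin_addr);
    sendto(cli, pdu, n, 0, (struct sockaddr *)&to, sizeof to);
    ssize_t got = recvfrom(srv, buf, sizeof buf, 0, NULL, NULL);
    printf("server on UDP %u, %zd-byte datagram -> player slot %d\n",
           bound_port(srv), got, got < 0 ? -1 : demux_slot(buf, (size_t)got));
    close(cli);
    close(srv);
    return 0;
}
```

Under the static-range scheme only the first two functions matter, and the byte-order point is the whole story: the firewall rule is written in host order while bind() reads network order. Under the single-port scheme the firewall only needs one UDP rule, and the security weight moves onto the session ID, which is why it must be unguessable and why an unknown ID is dropped rather than mapped to the nearest slot.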



David Watson wrote:
> 
>     If you are doing NAT then you have to disable RSA, I haven't looked 
> into that...
> 
> iptables rules are below, you should be able to grab ports from them.
> 
>     My servers fail to contact the metaservers
> 
> 
> the server must be able to do dns (udp and tcp 53), auth (tcp 113) and 
> whatever game ports that you run on. Note my forwarding rules actually 
> allow all ports over 1024 in an attempt to get metaserver working 
> (possibly incoming udp connections 1024+ needed for portswap?). These 
> rules were under construction when I decided - good enough
> 
> Dave
> 
> $IPTABLES -N verify_netrekout_for
> $IPTABLES -N verify_netrekin_for
> 
> # Allow serving of game server ports to world
> 
> $IPTABLES -A verify_netrekout_for -p TCP --sport 113 -j tcp_verify
> $IPTABLES -A verify_netrekout_for -p TCP --sport 2592 -j tcp_verify
> $IPTABLES -A verify_netrekout_for -p UDP --sport 2592 -j ACCEPT
> $IPTABLES -A verify_netrekout_for -p TCP --sport 2593 -j tcp_verify
> $IPTABLES -A verify_netrekout_for -p UDP --sport 2593 -j ACCEPT
> $IPTABLES -A verify_netrekout_for -p TCP --sport 4566 -j tcp_verify
> $IPTABLES -A verify_netrekout_for -p UDP --sport 4566 -j ACCEPT
> $IPTABLES -A verify_netrekout_for -p TCP --sport 4577 -j tcp_verify
> $IPTABLES -A verify_netrekout_for -p UDP --sport 4577 -j ACCEPT
> $IPTABLES -A verify_netrekout_for -p TCP --sport 4000 -j tcp_verify
> $IPTABLES -A verify_netrekout_for -p UDP --sport 4000 -j ACCEPT
> $IPTABLES -A verify_netrekout_for -p TCP --sport 5000 -j tcp_verify
> $IPTABLES -A verify_netrekout_for -p UDP --sport 5000 -j ACCEPT
> 
> # Metaserver and client verification
> 
> $IPTABLES -A verify_netrekout_for -p TCP --dport 1024: -j tcp_verify
> $IPTABLES -A verify_netrekout_for -p UDP --dport 1024: -j ACCEPT
> 
> 
> # Allow serving of game server ports to world
> 
> $IPTABLES -A verify_netrekin_for -p TCP --dport 113 -j tcp_verify
> $IPTABLES -A verify_netrekin_for -p TCP --dport 2592 -j tcp_verify
> $IPTABLES -A verify_netrekin_for -p UDP --dport 2592 -j ACCEPT
> $IPTABLES -A verify_netrekin_for -p TCP --dport 2593 -j tcp_verify
> $IPTABLES -A verify_netrekin_for -p UDP --dport 2593 -j ACCEPT
> $IPTABLES -A verify_netrekin_for -p TCP --dport 4566 -j tcp_verify
> $IPTABLES -A verify_netrekin_for -p UDP --dport 4566 -j ACCEPT
> $IPTABLES -A verify_netrekin_for -p TCP --dport 4577 -j tcp_verify
> $IPTABLES -A verify_netrekin_for -p UDP --dport 4577 -j ACCEPT
> $IPTABLES -A verify_netrekin_for -p TCP --dport 4000 -j tcp_verify
> $IPTABLES -A verify_netrekin_for -p UDP --dport 4000 -j ACCEPT
> $IPTABLES -A verify_netrekin_for -p TCP --dport 5000 -j tcp_verify
> $IPTABLES -A verify_netrekin_for -p UDP --dport 5000 -j ACCEPT
> $IPTABLES -A verify_netrekin_for -p UDP --dport 1024: -j ACCEPT
> 
> # Metaserver
> 
> $IPTABLES -A verify_netrekin_for -p TCP --sport 3521 -j tcp_verify
> $IPTABLES -A verify_netrekin_for -p UDP --sport 3521 -j ACCEPT
> $IPTABLES -A verify_netrekin_for -p TCP --sport 3530 -j tcp_verify
> $IPTABLES -A verify_netrekin_for -p UDP --sport 3530 -j ACCEPT
> 
> 
> _______________________________________________
> vanilla-devel mailing list
> vanilla-devel at us.netrek.org
> https://mailman.real-time.com/mailman/listinfo/vanilla-devel
> 
