iptables rules

9 replies to this topic

#1 pinprick (Neowinian)

  • Joined: 10-October 06
  • Location: localhost

Posted 22 July 2012 - 12:17

I want to create a game server in Debian Linux and control it through an ssh session. I run my current server on Windows 7 and it sometimes stops responding and eats up too much RAM, so I decided to opt for something stable and way more secure. One other problem that I found is that with Windows 7 I cannot set up different mount points for /var or /var/log; this is a problem because bots may enter the server, spam, fill the disk and crash the system. (I only have one disk :D so symbolic links have no use here.)

I have some set of rules in Comodo firewall that work pretty well for my game server and ssh, but I have no clue about how to adapt them to iptables.

Game server
Allow udp in: source address any; destination address any; source address any; destination port 27015
The following rules are needed for authentication, anti-cheat and updates. I analysed the packets and set up these rules.
Allow udp out: source address any; destination address any; source address 26900; destination port any
Allow tcp out: source address any; destination address any; source address any; destination port 27030-27039
Allow udp in: source address any; destination address any; source address any; destination port 26900
Allow tcp out: source address any; destination address any; source address any; destination port 80

ssh server
For the ssh I need to accept incoming tcp connections to port 22 and outgoing tcp connections from port 22, right?

If none of those rules are triggered I want to have the packets dropped. For instance, if the incoming packet is a response to a certain request from my computer it should be accepted.

I would also like to run my game server as a daemon, set the game server with high priority so that its (CPU) requests have precedence (just like a priority queue), and maybe chroot/sandbox it so that if the application, which has privileges, gets compromised, hackers cannot inject code and damage the system. Is there anything else that I should consider?

I do this on Windows 7 with Comodo, which comes with a sandbox and packet filtering, and the task manager. So the command-line environment is a bit hard for me.

Thanks.
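
As an added example (not part of the thread, and not Comodo's or Valve's configuration), here is the rule list from the post above translated into iptables-restore syntax with a default-DROP policy, which is what "if none of those rules are triggered I want to have the packets dropped" means in iptables terms. The "source address 26900" entry is read as a source port, as the poster confirms later in the thread. Return traffic ("if the incoming packet is a response to a certain request from my computer it should be accepted") is handled by a single conntrack rule per direction rather than per-service reply rules. Two lines are assumptions that are not in the original list and are marked as such: outbound DNS, which the server needs once OUTPUT defaults to DROP, and rate-limited logging of drops so a flood cannot fill the disk. The script name fw.sh is hypothetical.

```shell
#!/bin/sh
# Added example: the Comodo rule list from post #1 as an iptables-restore
# ruleset with default DROP and conntrack state. Not from the original thread.
# Lines marked ASSUMPTION are additions, not rules the poster listed.

gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback must always be allowed or local services break.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# The "state table": replies to anything already allowed in either direction
# are accepted here, so no per-service return rules are needed. This is what
# lets an ssh client's random source port come back in without its own rule.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Game clients (Comodo: "Allow udp in ... destination port 27015").
-A INPUT -p udp --dport 27015 -j ACCEPT
# 26900 traffic (Comodo: udp in to 26900, udp out from source port 26900).
-A INPUT -p udp --dport 26900 -j ACCEPT
-A OUTPUT -p udp --sport 26900 -j ACCEPT
# Authentication / anti-cheat / updates (Comodo: tcp out to 27030-27039 and 80).
-A OUTPUT -p tcp --dport 27030:27039 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# ssh in. Only the inbound side needs a rule; the reply path is covered by the
# ESTABLISHED rule above, whatever source port the client picked.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# ASSUMPTION: not in the original list. With OUTPUT defaulting to DROP the
# server cannot resolve any hostname unless DNS is allowed out.
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# ASSUMPTION: not in the original list. Log what is dropped, rate-limited so a
# flood cannot fill the disk (the log-filling concern raised in the post).
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables INPUT drop: "
COMMIT
EOF
}

# Usage:  sh fw.sh --show    print the ruleset
#         sh fw.sh --apply   load it atomically (needs root)
case "${1:-}" in
    --show)  gen_rules ;;
    --apply) gen_rules | iptables-restore ;;
esac
```

iptables-restore replaces the whole filter table in one step, so a typo does not leave the box half-configured the way a sequence of `iptables -A` commands can. On Debian the ruleset is lost at reboot unless it is saved (for example via the iptables-persistent package). Note that if the box turns out to sit behind a NAT router, as the rest of the thread establishes, the INPUT rules above only matter for traffic the router forwards or for hosts on the same LAN.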


#2 +BudMan (Neowinian Senior)

  • Tech Issues Solved: 84
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 22 July 2012 - 13:03

What is this supposed to mean?

source address 26900;

Is that supposed to be the source port? Very strange to see source port rules. Most applications don't use a fixed source port. The only things I can think of that sometimes do are active FTP, where the server uses source port 20, and DNS, which can sometimes be set up to use 53 as source as well as destination.

Other than that, the rules are pretty straightforward. As to your game server - is this server directly exposed to the public net? Are you not behind a NAT router? You would set up those rules at the router then, not in the firewall on the host.

As to ssh, yes, 22 is the standard port - it does not have to be that port, you can use whatever port you want. As to outbound - that would be the source port of whoever connected, and that is going to be random.

The outbound connections would be handled by the state table; if you allow inbound 22, then it would automatically allow the return connection.

There are quite a few iptables frontends to choose from; you don't have to do it from the command line if you're lacking in that skill set. I would probably suggest shorewall as a get-started one - here is info: http://wiki.debian.org/HowTo/shorewall

You could also go with webmin, which makes for a nice GUI to control your linux box from, and has firewall control features: http://www.webmin.com/

I am confused about your mount points comment for Windows 7?? You can mount disks to whatever folder you want, so yes, it would be quite possible to have a disk/partition mounted as the var folder.

Again -- how is this game server connected to the internet? It has a public IP? Or is its ip 10.x.x.x, 192.168.x.x, 172.16-31.x.x ?

#3 OP pinprick


Posted 22 July 2012 - 14:14

It has a public IP. Yes, it's supposed to be the source port (is there a way to change it? xD I can't edit it now). It is a Half-Life dedicated server; I don't really know why they need all those connections. Maybe it's to validate a server as a valid Steam server (because there exist cracked versions of it), VAC anti-cheat updates, master server updates to show my IP in the internet server list in the game, and server updates on port 80. I used whois on several IP addresses that the firewall logged and they were from Valve, so it must be needed. I don't really know why this is needed:
Allow udp in: source address any;  destination address any; source port any; destination port 26900
I did whois on the IP that requested that connection and it was a Valve-registered one, so I added it to the firewall.

I don't really know why they fixed the 26900 port. I remember it had something to do with VAC - connection to Steam servers. I say this because whenever I removed that rule it printed out that it could not connect to Steam servers.

"The outbound connections would be handled by the state table; if you allow inbound 22, then it would automatically allow the return connection."

Didn't understand this part. I know there are many tables in iptables, like filter, mangle, nat, raw. All those tables are read when a packet is received to determine its fate. Is there a tutorial online or a book I can buy so that I can learn that stuff? Didn't find anything good on Google.

Is there a way to sandbox hlds? Thanks, BudMan, you're always very helpful. I already have the 26900, 22 and 27015 ports opened on my router.

By the way, is there a way to add filtering rules to a specific application rather than to the whole system (global rules vs application rules), and is it possible for the game server to have precedence over other software in regards to the CPU priority queue? In Windows there is a thing called priority.

#4 OP pinprick


Posted 22 July 2012 - 14:21

Ah, I think I know why they have this rule:

Allow udp in: source address any;  destination address any; source port any; destination port 26900

There is something called rcon, which is basically something like ssh that enables admins to mess with the Half-Life dedicated server commands remotely, like change map, etc.

My point about Windows 7 was that, as far as I know, there is not something like var which can be mounted on a separate partition where all variable data is stored (files are scattered all over the system); if a bot attacked my server and created many logs, the disk would get full and consequently crash the OS. I think it would be stupid to create symbolic links for every server software in Windows (hlds, ssh, etc.) and store the logs in another partition. (Lots of work.)

#5 +BudMan


Posted 22 July 2012 - 14:44

"I already have the 26900, 22 and 27015 ports opened on my router."

So you're forwarding ports on your router, so I have to ask how this box is on a public IP? "It has a public IP" <--- do you mean your router has a public IP and you forward traffic to this game server?

If you're having to forward/allow ports on the router, I have to assume it's NATting, so your box would not actually have a public IP?

So this server you're running has NO private IP address?

If your game server is behind a NAT router, then you have little need of setting up firewall rules on the box itself. Unless it's connected to some hostile local network?

Please lay out how you have this server you're running connected to the network/internet.

So for example - here is my ubuntu server, that I ssh to all the time from the public internet; as you can see it has no public IPv4 address on it..

budman@ubuntu:~$ ifconfig
eth0	  Link encap:Ethernet  HWaddr 00:0c:29:97:69:07
		  inet addr:192.168.1.7  Bcast:192.168.1.255  Mask:255.255.255.0
		  inet6 addr: fe80::20c:29ff:fe97:6907/64 Scope:Link
		  inet6 addr: 2001:470:snipped:snipped::777/64 Scope:Global
		  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
		  RX packets:59076 errors:0 dropped:70 overruns:0 frame:0
		  TX packets:10007 errors:0 dropped:0 overruns:0 carrier:0
		  collisions:0 txqueuelen:1000
		  RX bytes:71881060 (71.8 MB)  TX bytes:956773 (956.7 KB)


Could you please post the output of your ifconfig

As you can see I am not doing anything special with its host firewall. I can access its http server, etc. from my local LAN but not from the internet. I run inbound traffic (INPUT) through the sshguard chain, is all; this will block bruteforce attacks on my ssh server to keep my logs cleaner to look at. They're never going to get past the public key auth only. But they do fill up the logs if you don't block them after a few hits.

iptables -L
Chain INPUT (policy ACCEPT)
target	 prot opt source			   destination
sshguard   all  --  anywhere			 anywhere

Chain FORWARD (policy ACCEPT)
target	 prot opt source			   destination

Chain OUTPUT (policy ACCEPT)
target	 prot opt source			   destination

Chain sshguard (1 references)
target	 prot opt source			   destination


These are all the ports that are open/listening on the box, but only ssh is open from the public internet.

Starting Nmap 6.01 ( http://nmap.org ) at 2012-07-22 09:50 Central Daylight Time
Nmap scan report for ubuntu.local.lan (192.168.1.7)
Host is up (0.00063s latency).
Not shown: 95 closed ports

PORT	  STATE SERVICE
22/tcp	open  ssh
53/tcp	open  domain
80/tcp	open  http
443/tcp   open  https
10000/tcp open  snet-sensor-mgmt

MAC Address: 00:0C:29:97:69:07 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds


#6 OP pinprick


Posted 22 July 2012 - 15:01

Yeah, that's exactly it: "router has a public IP and you forward traffic to this game server". My NAT router is forwarding the "server stuff" to my server box, which has a local/LAN IP. The mask is 255.255.255.0, the router's IP address is 192.168.1.1. The box has the following local IP: 192.168.1.70. I edited the two last posts while you were writing yours, can you please have a look at them? Sorry.

#7 +BudMan


Posted 22 July 2012 - 15:10

So you're behind a NAT, so are there machines on your local network that are hostile?? If not, then you don't need any specific firewall rules on your game server. The rules for inbound are created on your router.

"Didn't understand this part."

So you don't understand what a state is? Yeah, I would highly suggest you turn off the firewall on your game server; you clearly have no need of it! Just forward the ports you need to run your game server on your router and you will be fine.

#8 OP pinprick


Posted 22 July 2012 - 15:18

Like a state machine but applied to the tables that iptables uses? Never mind, I have much to read; I'll do just what you said. Thanks.

#9 +BudMan


Posted 22 July 2012 - 16:04

As in the state of the TCP connection. You don't know what a stateful firewall is? These have been the norm since the early 90s.

Here is the thing: if you do not understand how to use a firewall, it's only going to cause you grief - it's highly unlikely it will actually be configured in such a way that it does anything more than what your NAT router is already doing for you.

If you have no trust issues with the machines on your local network, and this machine does not leave this trusted local network, you have little need of a host firewall. Be it a Windows machine, Linux, BSD, OS X, no matter what the OS is.

Your NAT router currently blocks all unsolicited traffic to any box on your network, your game server included. If you need to access specific ports from the public net without that connection being an answer to something you requested, for example me creating a session to your ssh server, this would be unsolicited traffic, and unless you forward that on your router to your ssh server, I would never get to any machine on your network.

I would suggest if you want to run a game server, then read what ports you need to open up on your firewall on their website and set those up in your router. Turn off the local firewall on the game server, or set it to any any and set up sshguard if you're going to be running an ssh server on it. If you're going to run an ssh server on the public net, I would HIGHLY suggest you turn off password auth and only allow public key! And depending on where you need access from, you might want to change the port to remove hits so your logs stay cleaner. An ssh server on the public net is like a bug light on your front porch - you're going to see traffic!

Jul 21 18:35:39 ubuntu sshguard[1117]: Blocking 37.123.96.242:4 for >630secs: 40 danger in 4 attacks over 4 seconds (all: 40d in 1 abuses over 4s).
Jul 22 03:12:55 ubuntu sshguard[1117]: Blocking 59.175.218.166:4 for >630secs: 40 danger in 4 attacks over 3 seconds (all: 40d in 1 abuses over 3s).
Jul 22 06:49:47 ubuntu sshguard[1117]: Blocking 201.17.51.69:4 for >630secs: 40 danger in 4 attacks over 158 seconds (all: 40d in 1 abuses over 158s)
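
As an added example (not from the thread), here is a small check for the sshd hardening the post above calls for: password authentication off, public key only, and a note if the port was left at 22. It reads an sshd_config file offline with OpenSSH's own rules for that file: keywords are case-insensitive, the first value given for a keyword wins, and anything after a `Match` line is conditional and not part of the global section. One caveat a practitioner would want is included: `PasswordAuthentication no` alone is not "public key only", because PAM keyboard-interactive still prompts for a password unless `ChallengeResponseAuthentication` is also off. The function names and the sample config files in the usage note are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit an sshd_config for
# public-key-only authentication. Assumes OpenSSH config semantics
# (case-insensitive keywords, first value wins, Match blocks are conditional).

# sshd_effective FILE KEYWORD DEFAULT
# Print the effective global value of KEYWORD in FILE, or DEFAULT if unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { exit }                # global section ends here
        tolower($1) == key { print $2; found = 1; exit } # first occurrence wins
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE
# Returns 0 if the file only allows public-key authentication, 1 otherwise.
audit_sshd_config() {
    f=$1 rc=0
    pa=$(sshd_effective "$f" PasswordAuthentication yes)
    cr=$(sshd_effective "$f" ChallengeResponseAuthentication yes)
    pk=$(sshd_effective "$f" PubkeyAuthentication yes)
    port=$(sshd_effective "$f" Port 22)

    [ "$pa" = no ] || { echo "FAIL: PasswordAuthentication=$pa (want no)"; rc=1; }
    # Caveat: with challenge-response left on, PAM keyboard-interactive still
    # asks for a password even when PasswordAuthentication is off.
    [ "$cr" = no ] || { echo "FAIL: ChallengeResponseAuthentication=$cr (want no)"; rc=1; }
    [ "$pk" = yes ] || { echo "FAIL: PubkeyAuthentication=$pk (want yes)"; rc=1; }
    [ "$port" = 22 ] && echo "NOTE: Port=22; moving it only thins log noise, it is not a security control"
    [ "$rc" -eq 0 ] && echo "OK: $f allows public-key authentication only"
    return "$rc"
}
```

Usage: `audit_sshd_config /etc/ssh/sshd_config`. On a live box, `sshd -T` dumps the effective configuration after all parsing and is the authoritative check; this function is for reading a file you do not have sshd running against, for example a config staged in a repository. A weak file such as one containing only `#PasswordAuthentication no` (commented out, so the default `yes` applies) fails; a file with `PasswordAuthentication no` and `ChallengeResponseAuthentication no` in its global section passes even if a later `Match User deploy` block re-enables passwords for one account.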


#10 OP pinprick


Posted 22 July 2012 - 16:19

Thanks a lot for that info I'll check for more information on firewalls when I have time. One more thing to add to the to-do list. Thanks a lot, once again.


