SRCDS Steam group


Issues With Using IP Tables For Port Redirection
#1
I am the system administrator of my clan's server, and I am having issues getting port redirection to work properly. The main issue is the fact that our hosting provider was initially blocking port 27015 for some unknown reason, and so that port was unavailable for SRCDS to receive packets on. To counteract this I configured our servers (we have 4 in all) to run on port 27016. This works fine except for certain clan members who go to universities where they have 27016 blocked. After a few weeks of pestering I was able to get our service provider to open up port 27015, but only to UDP connections. Because of this, if a server is hosted on port 27015 we are unable to issue RCON commands, and we are forced to use SourceMod calls to execute configs and make changes to the server. The other issue is that we have a relatively large existing client base, and we do not want to force all of them to change their bookmarks to reflect our port changes. After discussing the matter with another administrator I decided it would be best to leave all of our servers on the existing port, 27016, and just try to redirect packets to that port from any users that need to connect on port 27015.

To do this I recompiled our kernel (we are running CentOS 5.1, with an optimized version of kernel 2.6.24 loaded) with the inclusions for NAT and netfilter. I have set our iptables to accept all incoming traffic for the required ports and I have added the following NAT routing commands to the iptables config file for all 4 of our servers.

# TFS1 UDP (rule belongs in the *nat table of the iptables config; XXX.XXX.XXX.XXX is the server's public address)
-A PREROUTING -p udp -m udp -d XXX.XXX.XXX.XXX --dport 27015 -j DNAT --to-destination XXX.XXX.XXX.XXX:27016

I also have tried using redirects, but this seemed to get the best results for what I wanted. Using HLSW I can see the server on port 27015, but it is not visible to the in game server browser. When trying to manually connect to the server the connection stalls out, and does not get beyond the connecting to server dialog.

I have a serviceable knowledge of Linux/iptables, but I am in no way any sort of expert. Given what I know, I am guessing that the client is initially able to contact the server on port 27016, but the server is blind to the client's connection port, and so it is sending all of its responses back to port 27015. When the client fails to get a response on the expected port, it just times out.

I am hoping that someone here will be able to help me fix this issue, or at least give me a nudge in the right direction for a possible fix. I thank you all in advance for reading through my incredibly lengthy post, and for any advice you may be able to provide. (I do not think that this is a repost of any sort of earlier topic, I did a couple of topic searches, and nothing really seemed to match my criteria.)
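One thing worth checking with a PREROUTING DNAT rule like the one above is the ordering of the tables: the nat table rewrites the destination port before the filter table's INPUT chain sees the packet, so INPUT must accept the translated port (27016), not only the advertised one (27015). The following script is an added example, not part of the original post or of SRCDS; it parses an iptables-save style dump (the dump below is constructed, with documentation addresses and a deliberately mismatched second server) and reports DNAT rules whose translated port is never accepted by INPUT. It handles IPv4 rules with --dport, --dports (multiport) and port ranges only.

```python
"""Flag PREROUTING DNAT rules whose translated port the filter INPUT chain never accepts.

Added example: parses iptables-save output offline; the dump below is constructed.
"""
import shlex

# Constructed dump: the first server is forwarded correctly (INPUT accepts 27016),
# the second is forwarded to 27026 but INPUT only accepts 27025.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# TFS1 UDP
-A PREROUTING -p udp -m udp -d 192.0.2.10 --dport 27015 -j DNAT --to-destination 192.0.2.10:27016
# TFS2 UDP
-A PREROUTING -p udp -m udp -d 192.0.2.10 --dport 27025 -j DNAT --to-destination 192.0.2.10:27026
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 27015 -j ACCEPT
-A INPUT -p udp -m udp --dport 27016 -j ACCEPT
-A INPUT -p udp -m udp --dport 27025 -j ACCEPT
COMMIT
"""


def parse_tables(dump):
    """Split an iptables-save dump into {table_name: [rule_line, ...]}."""
    tables, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # "*nat" opens a table
            current = line[1:]
            tables[current] = []
        elif line == "COMMIT":              # closes the current table
            current = None
        elif line.startswith("-A") and current is not None:
            tables[current].append(line)
    return tables


def _port_set(spec):
    """Expand '27015', '27015:27020' or '27015,27016' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def _options(rule):
    """Tokenise one rule into {option: value}; flags without a value map to True."""
    tokens, opts, i = shlex.split(rule), {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tok] = tokens[i + 1]
                i += 2
                continue
            opts[tok] = True
        i += 1
    return opts


def dnat_rules(nat_rules):
    """Return (proto, original_port, translated_port) for each PREROUTING DNAT rule."""
    out = []
    for rule in nat_rules:
        o = _options(rule)
        if o.get("-A") != "PREROUTING" or o.get("-j") != "DNAT":
            continue
        dport = int(o["--dport"])
        dest = o.get("--to-destination", "")
        # "host:port" rewrites the port; a bare "host" keeps the original port
        translated = int(dest.rsplit(":", 1)[1]) if ":" in dest else dport
        out.append((o.get("-p", "all"), dport, translated))
    return out


def accepted_ports(filter_rules, chain="INPUT"):
    """Return {proto: set(ports)} that the given filter chain accepts by destination port."""
    accepted = {}
    for rule in filter_rules:
        o = _options(rule)
        if o.get("-A") != chain or o.get("-j") != "ACCEPT":
            continue
        spec = o.get("--dport") or o.get("--dports")
        if not spec:                        # e.g. the ESTABLISHED,RELATED rule
            continue
        accepted.setdefault(o.get("-p", "all"), set()).update(_port_set(spec))
    return accepted


def find_unreachable_dnat(dump):
    """DNAT rules whose post-translation port INPUT never accepts (the packets get dropped)."""
    tables = parse_tables(dump)
    accepted = accepted_ports(tables.get("filter", []))
    problems = []
    for proto, dport, translated in dnat_rules(tables.get("nat", [])):
        allowed = accepted.get(proto, set()) | accepted.get("all", set())
        if translated not in allowed:
            problems.append((proto, dport, translated))
    return problems


if __name__ == "__main__":
    for proto, dport, translated in find_unreachable_dnat(SAMPLE_DUMP):
        print(f"{proto}/{dport} is DNATed to {translated}, but INPUT never accepts {proto}/{translated}")
```

Run it against a real dump with `iptables-save | python3 check_dnat.py` after replacing SAMPLE_DUMP with `sys.stdin.read()`; an empty result means every redirected port is also permitted where the filter table sees it.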

