iptables problem
#1
Hello,

As I wrote in the title, I have an iptables configuration problem on my server.

I'm using Slackware + iptables

When I open all tables in iptables:
Code:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
I have no problem.

When I put:
Code:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

and
Code:
iptables -A OUTPUT -p udp --sport 1200 -j ACCEPT
iptables -A INPUT -p udp --dport 1200 -j ACCEPT
iptables -A OUTPUT -p udp --sport 27000:27020 -j ACCEPT
iptables -A INPUT -p udp --dport 27000:27020 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 27015 -j ACCEPT
iptables -A INPUT -p tcp --dport 27015 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 27030:27039 -j ACCEPT
iptables -A INPUT -p tcp --dport 27030:27039 -j ACCEPT
It doesn't work.

So what is the correct configuration?

Thanks!
#2
Slackware! Great!!

Try it simpler. Set the policy for all incoming connections to DROP. Then allow forwarding and output, because they're not going to do any harm to you. Then allow incoming connections to ports 27000 - 27039.

Code:
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -A INPUT -p udp --dport 27000:27039 -j ACCEPT
iptables -A INPUT -p tcp --dport 27000:27039 -j ACCEPT

Then one de facto rule for iptables is the following. This accepts all connections initiated by you.
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Try these, and if it still doesn't work, post more information about what kind of error message you get, how you test it, etc.
#3
Hello CSS

Thanks for your IPTABLES rules, it works.

But the Source server is only a little fun part of the Slackware server (IPTABLES, proxy etc.) I'm trying to create (hard to learn), and I would like to have a very very secure server. So I want all OUTPUT and FORWARD set to DROP, to have full control over my LAN users.

If we are sure of the ports used by srcds, I think we can create very secure rules in IPTABLES.

Do you use Slackware for your servers, CSS?

Thanks

(sorry for my english, I'm french)
#4
I've been using Slackware for many years. It's the best choice for proxy etc. stuff, just as you said. You can be sure there aren't any weird startup scripts or "intelligent" auto-detection systems changing your configs between reboots. It's so easy to install and practically just a bunch of files put together. There are no package dependencies or "intelligent" package managers telling you that the software you want to install conflicts with something else. It's such a good system that you can use different library versions without breaking the package manager system - obviously because the packages are practically just a bunch of files. It's so ingenious.

Unfortunately I'm not using Slackware for the CSS server. It's partly because the CSS server is a quite simple system, and partly because Slackware probably isn't as easy to set up from a remote connection as Debian is from a clean install. With Debian it's easy to just write "apt-get install foo" and you get a somewhat new version of foo. If I were to install a real secure and "static" system, I would definitely go for Slackware. Even with my CSS server with web server and mysql I've a couple of times been puzzled why mysql loses its connection - and it's because some weird script somewhere on Debian apparently deletes old "stale" files from /tmp/ every six months or so - removing the critical /tmp/mysqld.sock in the process.


Here are a couple of good tips for resolving network problems. These are things I've found useful over time.

Print all network data except SSH:
Code:
tcpdump -n 'port not ssh'
When you're debugging protocols (or just sniffing passwords), you can boost it with a HEX+ASCII dump of the packets:
Code:
tcpdump -n -s 0 -XX 'port not ssh'
In this case you might be interested only in UDP traffic to port 27015:
Code:
tcpdump -n 'udp and port 27015'
...or maybe you're interested only in what your server is sending:
Code:
tcpdump -n 'udp and port 27015 and src my-own-server-ip'
Sometimes the server sends data internally to itself, so make sure you sniff interface "lo" if that's the case:
Code:
tcpdump -i lo -n 'udp and port 27015 and src my-own-server-ip'


Here are a couple for iptables.

Maybe you want to just log some packet data to syslog and go through the data later (note, it's TCP traffic so it's RCON connections):
Code:
iptables -I INPUT -p tcp --dport 27015 -j LOG

Or maybe you want to create a real secure Slackware box like I've done, and use something like this:

Code:
TABLES=/usr/local/sbin/iptables

# log dropped connections chain
$TABLES -N LOGDROP
$TABLES -F LOGDROP
$TABLES -A LOGDROP -j LOG --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
$TABLES -A LOGDROP -j DROP

#... Other rules like BitTorrent (I've got around 15 of these)
$TABLES -A FORWARD -p tcp --dport 6881:6890      -j ACCEPT

# LAST ENTRY
# log+drop everything that doesn't match
$TABLES -A FORWARD -j LOGDROP

Now with this you've got a cool system where you allow only those connections that you specify. If there's ever a case where somebody tries to connect to a port which you haven't allowed, you get a log line in /var/log/syslog. Or you could add a line to /etc/syslog.conf to output the iptables rules to a separate /var/log/netfilter log file:
Code:
kern.notice                                                     /var/log/netfilter

If you've got physical access to the server, then this is a MUST HAVE for syslog.conf. Add this to syslog.conf, restart syslogd and then press ALT-F12 (or CTRL-ALT-F12 from X):
Code:
*.*;mark.none;kern.!=notice                                             /dev/tty12

Another MUST HAVE for all physical access (or maybe even remote) servers is the linux_logo banner utility. I've got this old logo, but I've modified the letters and dots away from the picture. I had it like that on my first Slackware. It's classic.

I hope you get it from here. PM me if you've got questions about Slackware. I don't think other forum users really know how to appreciate the simplicity of Slackware.

Here's a picture:
[Image: slacktuxvp8.jpg]
[Image: w300.png]
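Pulling the three answers together, here is a complete default-deny script added as an example; it is not from the thread's author or from any project. It keeps INPUT, OUTPUT and FORWARD at DROP as post #3 asked for, which is exactly where the rules in post #1 fall over: with OUTPUT DROP and only --sport rules, the box cannot resolve DNS, talk to itself over lo, or receive replies to anything it initiated, so everything looks dead. The ESTABLISHED,RELATED rule from post #2 goes first in every chain because iptables matches rules top to bottom, and the LOGDROP chain from post #4 is the last entry in each chain. Assumptions not on the page: iptables at /usr/sbin/iptables (post #4 used /usr/local/sbin), eth1 as the LAN-facing interface, SSH on port 22 for remote administration, and the log prefix "FW-DROP: ". Run it with --dry-run to print the rules instead of applying them, which is how to review the result before touching a remote box.

```shell
#!/bin/sh
# Added example, not code from the thread: default-deny firewall for a srcds host.
# Set IPTABLES=echo (or run with --dry-run) to print the rules instead of applying them.
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"   # path is an assumption (post #4 used /usr/local/sbin/iptables)

SRCDS_UDP="27000:27039"   # game traffic, the range posts #1/#2 allow
SRCDS_TCP="27015"         # RCON, the TCP port post #4 logs
SSH_PORT="22"             # assumption: remote admin needs this or you lock yourself out
LAN_IF="${LAN_IF:-eth1}"  # assumption: interface facing the LAN users of post #3

apply_firewall() {
    # Flush everything first so the script is safe to re-run
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    # Log-and-drop chain as in post #4; the prefix makes the lines easy to grep
    $IPTABLES -N LOGDROP
    $IPTABLES -A LOGDROP -j LOG --log-level 5 --log-prefix "FW-DROP: "
    $IPTABLES -A LOGDROP -j DROP

    # 1. Loopback: daemons talk to themselves over lo (post #4 sniffs it for that reason)
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # 2. Connection tracking first, in every chain, so replies to anything allowed
    #    below are accepted without one --sport rule per service
    $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT   -m state --state INVALID -j DROP

    # 3. Inbound: only NEW connections to the game server and SSH need rules now
    $IPTABLES -A INPUT -p udp --dport "$SRCDS_UDP" -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport "$SRCDS_TCP" -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT"  -m state --state NEW -j ACCEPT

    # 4. Outbound from the box itself. With OUTPUT DROP these must be explicit:
    #    DNS lookups, plus whatever the game server's own UDP sockets send out
    $IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
    $IPTABLES -A OUTPUT -p udp --sport "$SRCDS_UDP" -j ACCEPT

    # 5. LAN users (post #3): allow only DNS and web out, everything else is logged
    $IPTABLES -A FORWARD -i "$LAN_IF" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IF" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # 6. Last entry in each chain: log and drop whatever did not match above
    $IPTABLES -A INPUT   -j LOGDROP
    $IPTABLES -A OUTPUT  -j LOGDROP
    $IPTABLES -A FORWARD -j LOGDROP
}

# Print the rule set instead of applying it (subshell so IPTABLES is not changed globally)
dry_run() {
    ( IPTABLES=echo; apply_firewall )
}

case "${1:-}" in
    --apply)   apply_firewall ;;
    --dry-run) dry_run ;;
esac
```

Review the dry-run output before applying it on a remote machine, and if you do apply it over SSH, keep a second session open until you have confirmed the SSH rule works.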
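Post #4 sends the LOGDROP lines to /var/log/netfilter but does not show what to do with them. The script below is an added example, not from the thread, that summarises such a file with awk: dropped packets per source and destination port, and sources that probed more than a threshold of distinct ports, which is the simplest scan indicator you get from a default-deny log. The sample lines are constructed here; the field layout (IN= OUT= SRC= DST= PROTO= SPT= DPT=) is the format the kernel LOG target writes, and the addresses are documentation-range placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise netfilter LOG lines.
# SAMPLE_LOG is constructed; in real use pipe /var/log/netfilter into the functions.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 21:14:02 slack kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54321 PROTO=TCP SPT=41000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 21:14:05 slack kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54322 PROTO=TCP SPT=41001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 21:14:09 slack kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=1 DF PROTO=UDP SPT=27005 DPT=27016 LEN=40
Mar  3 21:14:11 slack kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54323 PROTO=TCP SPT=41002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
EOF
)

# Read log lines on stdin, print "count SRC PROTO DPT", most frequent first.
# Each KEY=VALUE token is split on "=", so the column positions do not matter.
summarise_drops() {
    awk '
    /kernel: .*PROTO=/ {
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src != "" && dpt != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Read log lines on stdin, print "SRC ports" for sources that hit at least
# $1 distinct destination ports (default 2): a crude port-scan indicator.
scanning_sources() {
    threshold="${1:-2}"
    awk -v t="$threshold" '
    /kernel: .*PROTO=/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END { for (s in ports) if (ports[s] >= t) print s, ports[s] }
    ' | sort
}

# Stand-alone demo on the constructed sample
if [ "${1:-}" = "--demo" ]; then
    echo "drops per source/port:"
    printf '%s\n' "$SAMPLE_LOG" | summarise_drops
    echo "sources touching 2+ ports:"
    printf '%s\n' "$SAMPLE_LOG" | scanning_sources 2
fi
```

On a real box, `summarise_drops < /var/log/netfilter` is enough; the prefix is not required by the parser, so it also works on a plain /var/log/syslog that has kern.notice lines mixed in.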
#5
Very very interesting.

I will see this tomorrow, it's night for me now.