iptables and hlsw
#1
Hi all,
I have a dedicated server secured by iptables and fail2ban.
All ports are closed and I only open the ports I need.
When I run my firewall script I can't log in to RCON, neither in-game nor with HLSW.

Is there a specific UDP or TCP port for RCON login?

These are my iptables rules.


#!/bin/sh

# Flush all current rules in the filter table
iptables -t filter -F

# Delete user-defined chains
iptables -t filter -X

# Deny everything inbound by default
iptables -t filter -P INPUT DROP
#iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT

# Do not break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

#####################################################--SSH--##################################################################


# SSH inbound (XXX = the SSH port, not shown in the post)
iptables -t filter -A INPUT -p tcp --dport XXX -j ACCEPT

# SSH outbound
iptables -t filter -A OUTPUT -p tcp --dport XXX -j ACCEPT

#####################################################--NTP--##################################################################

# NTP outbound
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

######################################################--HTTP--################################################################

# HTTP + HTTPS outbound
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

# HTTP + HTTPS inbound
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT


#######################################################--FTP--################################################################

# FTP outbound
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT

# FTP inbound (the conntrack helper modules are left commented out here)
#modprobe ip_conntrack_ftp
#modprobe ip_nat_ftp
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#######################################################--MAIL--################################################################
# Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

# Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

# Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

# Mail POP3S:995
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT

#######################################################--CSS--################################################################

# Chain that logs and drops 28-byte UDP packets
# (-m length matches the total IPv4 packet length: 20-byte IP header + 8-byte UDP header = empty datagram)
iptables -N REJECT_FLOOD28
iptables -A REJECT_FLOOD28 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 28:' --log-level info
iptables -A REJECT_FLOOD28 -j DROP

# Chain that logs and drops 46-byte UDP packets (18-byte payload)
iptables -N REJECT_FLOOD46
iptables -A REJECT_FLOOD46 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 46:' --log-level info
iptables -A REJECT_FLOOD46 -j DROP

# SRCDS.COM rules
#iptables -A INPUT -p udp --dport 27000:27039 -j ACCEPT
#iptables -A INPUT -p tcp --dport 27000:27039 -j ACCEPT
iptables -A INPUT -p udp --dport 27005 -j ACCEPT
iptables -A OUTPUT -p udp --dport 27005 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 6003 -j ACCEPT
iptables -A OUTPUT -p udp --dport 27011 -j ACCEPT
iptables -A INPUT -p tcp --sport 5273 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 5273 -j ACCEPT
iptables -A INPUT -p udp --dport 27012 -j ACCEPT
iptables -A OUTPUT -p udp --dport 27012 -j ACCEPT

# HLSW
iptables -A INPUT -p udp --dport 7130 -j ACCEPT
iptables -A OUTPUT -p udp --dport 7130 -j ACCEPT
iptables -A INPUT -p udp --dport 1200 -j ACCEPT
iptables -A OUTPUT -p udp --dport 1200 -j ACCEPT

# Drop UDP floods

# Server 1
# Server rules: send 28- and 46-byte packets for the game port to the flood chains, then accept the rest
iptables -A INPUT -i eth0 -p udp --dport 27015 -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport 27015 -m length --length 46 -j REJECT_FLOOD46
iptables -t filter -A INPUT -p udp --dport 27015 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 27015 -j ACCEPT
# TCP rules matching on source port 27015
iptables -t filter -A INPUT -p tcp --sport 27015 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 27015 -j ACCEPT
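The script above mixes `--dport` and `--sport` rules, and the difference matters for more than RCON: an INPUT ACCEPT that matches only on `--sport` lets any remote host pick that source port and reach every TCP port behind the DROP policy. The following static check is an added example for this thread, not the poster's script or any SRCDS tool; it reads rules in `iptables-save` syntax and flags source-port-only accepts, a game port that is open on only one transport (UDP carries game traffic and queries, TCP carries RCON), and RCON reachable from any source. The two rule sets inside it are constructed: one mirrors the INPUT rules posted above, the other is a corrected version with `203.0.113.10` standing in for the admin's own address.

```python
"""Static check of an iptables INPUT chain for a Source (SRCDS) game server.

Added example for this thread, not the poster's script or any SRCDS tool.
Reads rules in `iptables-save` syntax and reports:
  * ACCEPT rules matching only on --sport: the client picks its own source
    port, so such a rule admits arbitrary traffic to every port;
  * whether the game port is open on UDP (game + A2S queries) and on TCP
    (RCON), since "27015" alone does not say which transport;
  * TCP RCON accepted from any source instead of an allowlist (-s).
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

GAME_PORT = 27015


@dataclass
class Rule:
    chain: str
    proto: Optional[str] = None
    sport: Optional[str] = None
    dport: Optional[str] = None
    src: Optional[str] = None
    target: Optional[str] = None


def parse_rule(line: str) -> Optional[Rule]:
    """Keep only the options the audit needs; skip -m, -i, --state, etc."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = Rule(chain=toks[1])
    wanted = {"-p": "proto", "--sport": "sport", "--dport": "dport", "-s": "src", "-j": "target"}
    i = 2
    while i < len(toks):
        attr = wanted.get(toks[i])
        if attr and i + 1 < len(toks):
            setattr(rule, attr, toks[i + 1])
            i += 2
        else:
            i += 1
    return rule


def port_matches(spec: Optional[str], port: int) -> bool:
    """Handle single ports and iptables 'low:high' ranges."""
    if spec is None:
        return False
    low, _, high = spec.partition(":")
    return int(low) <= port <= int(high or low)


def audit(lines: List[str], game_port: int = GAME_PORT) -> List[str]:
    findings = []
    udp_open = tcp_open = tcp_any_source = False
    for rule in filter(None, map(parse_rule, lines)):
        if rule.chain != "INPUT" or rule.target != "ACCEPT":
            continue
        if rule.sport and not rule.dport:
            findings.append(f"sport-only accept (-p {rule.proto} --sport {rule.sport}): any peer "
                            f"can choose source port {rule.sport} and reach every {rule.proto} port")
        if port_matches(rule.dport, game_port):
            if rule.proto == "udp":
                udp_open = True
            elif rule.proto == "tcp":
                tcp_open = True
                tcp_any_source = tcp_any_source or rule.src is None
    if not udp_open:
        findings.append(f"udp/{game_port} not accepted: game clients and A2S queries are blocked")
    if not tcp_open:
        findings.append(f"tcp/{game_port} not accepted: RCON logins (TCP) are blocked")
    elif tcp_any_source:
        findings.append(f"tcp/{game_port} (RCON) accepted from any source; restrict with -s <ip>")
    return findings


# Constructed sample: the thread's INPUT rules, rewritten in iptables-save form.
POSTED_RULES = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 5273 -j ACCEPT
-A INPUT -p udp -m udp --dport 27005 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 27015 -m length --length 28 -j REJECT_FLOOD28
-A INPUT -p udp -m udp --dport 27015 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 27015 -j ACCEPT
""".strip().splitlines()

# Constructed corrected set: RCON only from allowlisted hosts (193.192.58.189 is
# fpsmeter.org as resolved later in the thread; 203.0.113.10 is a placeholder
# for the admin's own address).
FIXED_RULES = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 27015 -j ACCEPT
-A INPUT -s 193.192.58.189/32 -p tcp -m tcp --dport 27015 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 27015 -j ACCEPT
""".strip().splitlines()

if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        print(f"{name}: {audit(rules) or ['no findings']}")
```

Run against a live box with `iptables-save | python3 audit.py` style input after swapping the constructed lists for `sys.stdin`; on the posted rules it reports the two source-port-only accepts and the missing TCP rule for 27015, on the corrected set nothing.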
#2
Just open the game server port (usually 27015) for TCP as well.
http://www.fpsmeter.org
http://wiki.fragaholics.de/index.php/EN:Linux_Optimization_Guide (Linux Kernel HOWTO!)
Do not ask technical questions via PM!
#3
iptables -t filter -A INPUT -p tcp --sport 27015 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 27015 -j ACCEPT

I did that but it doesn't work.
With the last update, well, I need RCON for HLSW, so I disabled all firewall rules. I need to find the issue...
#4
I think you want --dport 27015.

Also, AFAIK RCON is only tcp.

But you'd want rules like:
# For RCON
iptables -A INPUT -p tcp --dport 27015 -j ACCEPT
# For Gameserver
iptables -A INPUT -p udp --dport 27015 -j ACCEPT

Lastly, why are you filtering your output connections? This is probably not necessary.
#5
Hi all,
My thread is old now, and everything works; I just added a rule to accept only my IP.

For fpsmeter I have the same problem: fpsmeter can't log in with RCON. I think it's my iptables rules that stop the query.
What port do the queries use?
#6
If you only want to open RCON for specific IPs you will have to add an additional rule just for the fpsmeter, allowing its IP to connect to TCP port 27015. The fpsmeter uses the same IP for the RCON queries as for the web stuff, so you can use the domain fpsmeter.org as the source address.
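The replies above hinge on one fact: port 27015 carries two different protocols, RCON as a TCP session and the server queries (the "query port" asked about earlier) as UDP datagrams, so a rule that opens only one transport leaves the other tool broken. The following is an added example for this thread, not code from the post, HLSW, fpsmeter or SRCDS: it frames and parses both protocols and drives them against a constructed in-memory stand-in for srcds, so the auth exchange (empty RESPONSE_VALUE, then AUTH_RESPONSE with id -1 on a bad password) and the A2S challenge round-trip run offline. The password, hostname, map and challenge bytes are made up; the stand-in's A2S reply stops after the game name, where real replies continue.

```python
"""RCON (TCP) and A2S query (UDP) framing for a Source engine server: one port
number, two transports. Added example for this thread, not code from the post,
HLSW, fpsmeter or SRCDS. Packet layouts follow the public Source RCON and A2S
descriptions; ToyServer is a constructed stand-in for srcds so the exchange runs
offline (its A2S 'I' reply stops after the game name; real ones carry more)."""
import hmac
import struct

SERVERDATA_RESPONSE_VALUE = 0   # RCON packet types
SERVERDATA_EXECCOMMAND = 2
SERVERDATA_AUTH_RESPONSE = 2    # same value as EXECCOMMAND; direction tells them apart
SERVERDATA_AUTH = 3
RCON_MAX_BODY = 4096
A2S_HEADER = b"\xff\xff\xff\xff"              # every A2S datagram starts with this
A2S_INFO_PAYLOAD = b"Source Engine Query\x00"

def rcon_encode(pkt_id: int, pkt_type: int, body: str) -> bytes:
    """size (int32 LE, not counting itself) | id | type | body NUL | NUL"""
    payload = struct.pack("<ii", pkt_id, pkt_type) + body.encode() + b"\x00\x00"
    return struct.pack("<i", len(payload)) + payload

def rcon_decode(buf: bytes):
    """Parse one packet off the front of a TCP stream buffer -> (id, type, body, rest).
    The size bounds stop a hostile peer from making the reader wait for, or
    allocate, an absurd amount of data."""
    if len(buf) < 4:
        raise ValueError("need 4 bytes for the size field")
    size = struct.unpack_from("<i", buf)[0]
    if not 10 <= size <= RCON_MAX_BODY + 10:
        raise ValueError(f"implausible packet size {size}")
    end = 4 + size
    if len(buf) < end:
        raise ValueError("incomplete packet, read more")
    if buf[end - 2:end] != b"\x00\x00":
        raise ValueError("missing NUL terminators")
    pkt_id, pkt_type = struct.unpack_from("<ii", buf, 4)
    return pkt_id, pkt_type, buf[12:end - 2].decode(errors="replace"), buf[end:]

def a2s_info_request(challenge: bytes = b"") -> bytes:
    return A2S_HEADER + b"T" + A2S_INFO_PAYLOAD + challenge

class ToyServer:
    """Constructed stand-in for srcds: one RCON session plus the A2S responder."""

    def __init__(self, rcon_password: str, hostname: str = "toy srcds"):
        self._pw = rcon_password.encode()
        self._host = hostname
        self._authed = False
        self._challenge = b"\x11\x22\x33\x44"   # fixed here; srcds randomises it

    def rcon(self, raw: bytes) -> bytes:
        pkt_id, pkt_type, body, _ = rcon_decode(raw)
        if pkt_type == SERVERDATA_AUTH:
            self._authed = hmac.compare_digest(body.encode(), self._pw)
            # srcds answers an empty RESPONSE_VALUE, then an AUTH_RESPONSE whose id
            # echoes the request on success and is -1 on a wrong password.
            return (rcon_encode(pkt_id, SERVERDATA_RESPONSE_VALUE, "")
                    + rcon_encode(pkt_id if self._authed else -1, SERVERDATA_AUTH_RESPONSE, ""))
        if pkt_type == SERVERDATA_EXECCOMMAND and self._authed:
            out = f"hostname: {self._host}\n" if body == "status" else f'Unknown command "{body}"\n'
            return rcon_encode(pkt_id, SERVERDATA_RESPONSE_VALUE, out)
        return b""   # command before auth: a real server closes the connection

    def a2s(self, datagram: bytes) -> bytes:
        if not datagram.startswith(A2S_HEADER + b"T" + A2S_INFO_PAYLOAD):
            return b""
        if datagram[25:29] != self._challenge:   # no or stale challenge: hand one out
            return A2S_HEADER + b"A" + self._challenge
        return (A2S_HEADER + b"I\x11" + self._host.encode()
                + b"\x00de_dust2\x00cstrike\x00Counter-Strike: Source\x00")

def rcon_login(server: ToyServer, password: str, pkt_id: int = 1) -> bool:
    reply = server.rcon(rcon_encode(pkt_id, SERVERDATA_AUTH, password))
    while reply:
        rid, rtype, _, reply = rcon_decode(reply)
        if rtype == SERVERDATA_AUTH_RESPONSE:
            return rid == pkt_id
    return False

def rcon_exec(server: ToyServer, command: str, pkt_id: int = 2) -> str:
    reply = server.rcon(rcon_encode(pkt_id, SERVERDATA_EXECCOMMAND, command))
    if not reply:
        raise PermissionError("not authenticated")
    return rcon_decode(reply)[2]

def a2s_info(server: ToyServer) -> dict:
    """A2S_INFO with the challenge round-trip current servers require: a request
    without a challenge gets an 'A' packet carrying 4 challenge bytes; the retry
    that echoes them gets the 'I' reply."""
    reply = server.a2s(a2s_info_request())
    if reply[4:5] == b"A":
        reply = server.a2s(a2s_info_request(reply[5:9]))
    if reply[4:5] != b"I":
        raise ValueError("unexpected A2S reply")
    name, game_map, folder, game, _ = reply[6:].split(b"\x00", 4)   # byte 5 is the protocol version
    return {"name": name.decode(), "map": game_map.decode(),
            "folder": folder.decode(), "game": game.decode()}
```

Against a real server, `rcon_encode`/`rcon_decode` wrap a `socket.SOCK_STREAM` connection to tcp/27015 and `a2s_info_request` goes out over `SOCK_DGRAM` to udp/27015; the firewall therefore needs both transports accepted on the game port, and only the TCP side is worth restricting to known source addresses, since the password travels in clear text inside the AUTH packet.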
#7
Non-authoritative answer:
Name: fpsmeter.org
Address: 193.192.58.189

I'll add this IP.
I'll give you the results.
It's OK, but I can only monitor 1 server.