Very Computer

Hi Everyone,
I am running redhat 7 with kernel 2.4.2 on my home network.  This
linux has 2 NICs is doing NAT for my Windows machines sitting
behind the linux box.  I would like to be able to play the StarCraft
game on my Microsoft Windows machine.  What do I need to
modify the rc.firewall script rule set for this to work?  I understand
that in kernel 2.2.x you have to run the loose UDP but I am running
kernel 2.4.2 now.  Please help....

Here is my rc.firewall script

#********************
#!/bin/bash
#
# This is a sample firewall for ip_tables, the tool for doing firewalling
# and masquerading under the 2.3.x/2.4.x series of kernels.
#
# Be warned, this is a very restrictive set of firewall rules (and they
# should be, for proper security). Anything that you do not _specifically_
# allow is logged and dropped into /dev/null, so if you're wondering why
# something isn't working, check /var/log/messages.
#
# This is about as close as you get to a 'secure' firewall. It's *,
# it's harsh, and it will make your machine nearly invisible to the rest
# of the internet world. Have fun.
#
# To run this script you must 'chmod 700 iptables-script' and then execute
# it. To stop it from running, run 'iptables -F'

#Point this to your copy of ip_tables.  This step must be done to ensure
#that iptables is loaded properly.
IPT="/sbin/iptables"

#Load the module.
modprobe ip_tables

#Enable IP Forwarding on the Linux box.  This step ensures that NAT will
#be handled properly.
$IPT -P FORWARD ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

#Flush old rules, delete the firewall chain if it exists
$IPT -F
$IPT -F -t nat
$IPT -X firewall

#Setup Masquerading. Change the IP to your internal network and uncomment
#this in order to enable it.
$IPT -A POSTROUTING -t nat -s 172.16.1.0/24  -j MASQUERADE

#Set up the firewall chain
$IPT -N firewall
$IPT -A firewall -j LOG --log-level info --log-prefix "Firewall:"
$IPT -A firewall -j DROP

#Accept ourselves
$IPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
#If you're using IP Masquerading, change this IP to whatever your internal
#IP addres is and uncomment it
#$IPT -A INPUT -s 172.16.1.0/24 -d 0/0 -j ACCEPT

#Accept DNS, 'cause it's warm and friendly
$IPT -A INPUT -p udp --source-port 53 -j ACCEPT
$IPT -A INPUT -p tcp --source-port 113 -j ACCEPT
$IPT -A INPUT -p tcp --destination-port 113 -j ACCEPT

#Allow ftp to send data back and forth.
$IPT -A INPUT -p tcp ! --syn --source-port 20 --destination-port 1024:65535 -j ACC
EPT

#These rules block two particular types of "malformed" packets. Nmap,
#a popular and powerful port scanner, uses these types of packets to get through
#ordinary packet filtering routers and some "non-stateful" firewalls.
# Block XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
# Block NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

#Accept SSH. Duh.
$IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT

#Send everything else ot the firewall.
$IPT -A INPUT -p icmp -j firewall
$IPT -A INPUT -p tcp --syn -j firewall
$IPT -A INPUT -p udp -j firewall
#*******************

Quote:> kernel 2.4.2 now.  Please help....

Quote:> $IPT -A INPUT -p udp -j firewall

Quote:> #Set up the firewall chain
> $IPT -N firewall
> $IPT -A firewall -j LOG --log-level info --log-prefix "Firewall:"
> $IPT -A firewall -j DROP

Here is an example:
--> cut <--
# Connection tracking: only allow connections from inside!
iptables -A INPUT -i $extint -m state --state NEW,INVALID \
        -j LOG --log-ip-options \
        --log-prefix "CONNECTION " --log-level warn \
        --match limit --limit 10/minute
# Log connections from outside...
iptables -A INPUT -i $extint -m state --state NEW,INVALID -j DROP
# And DROP them!

iptables -A INPUT -p udp -j udp_in
# Handle UDP.
--> cut <--

You got the idea. Rearrange the example to match your needs!

--
CU Dmitri Barski
--
email: dmitri at barski dot org