Greetings all, I'm having a slight configuration inflammation.

My situation is that I have two sites both behind shorewall 1.2.12 running an ipsec connection between them. We play various and sundry games over this connection and it works quite well. The quandary I am having is when we play LAN based games, all is well. When we play externally administrated games (Gamespy, Westwood online, Battlenet, etc.), what happens is that one of us creates the game and the other tries to attach to it via the game admin. The game gets the external addr from the admin and tries to connect that way. Now connections coming in through the front door are correctly routed to the game creator. But when I try to connect to this game, I'm also told to connect to his external IP, but because of the tunnel my connection does not go to his front door but rather directly to his fw box through the tunnel and is thus not routed correctly and I can't join. :-(

Now I have a workaround for this, which was to include a rule that took connections coming in off the gateway (ipsec tunnel) destined for the game ports and forwarded them to the creator's IP. That works fine too, if a little restrictive, but that's okay for the few times we actually go out that way. But when we switch back to LAN gaming, the workaround rule has broken LAN gaming if the game creator is at a different (local) IP than the one the rule is forwarding to, because the workaround rule is picking up ANY destination, not just the destination being the FW, and forwarding them.

The rule I have is as follows:

    ACCEPT gw:192.168.1.0/24 local:192.168.2.2 udp <portlist> - all

The directions say that "all" should only be used for port forwarding from external IPs, but I haven't found anything that works quite right without specifying all. What I would ideally like is a rule that says connections from the gateway for the game ports that END ON the firewall (i.e. on the external IP) should be forwarded to local:xxxx, but connections from the gateway (for the game ports) with a destination other than the firewall should be left alone and routed per normal.

I tried specifying $FW where "all" is, but that did not work (message from iptables 1.2.5 that host/network 'fw' was not found). I could perhaps hardcode my external IP instead of all, but I can't see that really improving the configuration situation.

I also thought about having parameterized rules so these rules could be easily turned off/on by a script. My thought was to use a parameter for the ACCEPT and have it either be ACCEPT or "#" to conditionally apply the rule or not, but a look-see at the code seemed to indicate that would not work, as the actual command itself does not seem to be parameterized, only the arguments -- 'course I'm not an expert at shell language so I could be misreading that.

If anyone has any ideas I'm all ears.. Thanks..

Steve
On Sat, 27 Apr 2002, Steve Estes wrote:

> Now I have a workaround...

Why don't you simply turn the tunnel off when you want to play one of these prolematic games?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Sun, 28 Apr 2002, Tom Eastep wrote:

> On Sat, 27 Apr 2002, Steve Estes wrote:
>
> > Now I have a workaround...
>
> Why don't you simply turn the tunnel off when you want to play one of
> these prolematic games?

Make that problematic --

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Because while the tunnel is used to play games, that is not *all* it is used for. Suffice to say that taking the tunnel up and down for games is not an option.

Steve

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Steve Estes" <estess@comcast.net>
Cc: <shorewall-users@shorewall.net>
Sent: Sunday, April 28, 2002 7:09 PM
Subject: Re: [Shorewall-users] redirecting pseudo-internal traffic

> > Why don't you simply turn the tunnel off when you want to play one of
> > these prolematic games?
>
> Make that problematic --
>
> -Tom
Benoit Bouchard
2002-Apr-29 06:15 UTC
[Shorewall-users] redirecting pseudo-internal traffic
REMOVE ME FROM YOUR MAILING LIST !

-----Original Message-----
From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Steve Estes
Sent: Sunday, April 28, 2002 9:42 PM
To: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] redirecting pseudo-internal traffic

> Because while the tunnel is used to play games, that is not *all* it is
> used for. Suffice to say that taking the tunnel up and down for games is
> not an option.
Steve Estes wrote:

> ...
> My situation is that I have two sites both behind shorewall 1.2.12
> running an ipsec connection between them. We play various and sundry
> games over this connection and it works quite well. The quandary I am
> having is when we play LAN based games, all is well. When we play
> externally administrated games (Gamespy, Westwood online, Battlenet,
> etc.), what happens is that one of us creates the game and the other
> tries to attach to it via the game admin. The game gets the external
> addr from the admin and tries to connect that way.
> [...]
> But when we switch back to LAN gaming, the workaround rule has broken
> LAN gaming if the game creator is at a different (local) IP than the
> one the rule is forwarding to, because the workaround rule is picking
> up ANY destination, not just the destination being the FW, and
> forwarding them.

I'm not sure if I'm understanding your configuration here properly, Steve, but it seems to me that the solution to these problems is not firewall rules, but a little creative routing.

Tell me if I've got this right:

* Your setup is:
  o an external game server, say 1.1.1.1
  o your IP, say 2.2.2.2 external and 10.1.1.1 internal
  o your peer's IP, say 3.3.3.3 external and 10.2.1.1 internal
  o your LAN clients, say 10.1.10.*
  o your peer's LAN clients, say 10.2.10.*
* Your situation is:
  o connections work between 10.1.10.* and 10.2.10.* fine
  o when you use the external game server, your connections between 10.1.10.* and 3.3.3.3 don't work without an extra rule

Have I understood this right?

Assuming it is right, I think what you need to do is add a host route from 10.1.1.1 to 3.3.3.3 via 10.2.1.1 when your IPsec link comes up. There may be dynamic routing daemons that will do this for you automatically - I'm not very familiar with them. Another option could be using some sort of bridging across your IPsec link - don't know much about that either. :-)

Another cause of your problem could be that the game in question is actually sending the local system's IP address in the contents of its packets. If that's the case, there's not much you can do without an application-level proxy.

Paul
http://paulgear.webhop.net
On Sat, 27 Apr 2002, Steve Estes wrote:

> Greetings all,
>
> Now I have a workaround for this which was to include a rule that took
> connections coming in off the gateway (ipsec tunnel) destined for the
> game ports and forwarded to the creator's IP. That works fine too if a
> little restrictive but that's okay for the few times we actually go out
> that way. But when we switch back to LAN gaming, the workaround rule has
> broken LAN gaming if the game creator is at a different (local) IP than
> the one the rule is forwarding to because the workaround rule is picking
> up ANY destination, not just the destination being the FW and forwarding
> them.
>
> The rule I have is as follows:
>
> ACCEPT gw:192.168.1.0/24 local:192.168.2.2 udp <portlist> - all

Why don't you just specify the external IP rather than "all" -- "all" means "I don't care what the destination IP is on the incoming packet, I want the packet forwarded to 192.168.2.2".

> The directions say that "all" should only be used for port forwarding
> from external IPs but I haven't found anything that works quite right
> without specifying all. What I would ideally like is a rule that says
> connections from the gateway for the game ports that END ON the firewall
> (i.e. on the external IP) should be forwarded to local:xxxx but
> connections from the gateway (for the game ports) with a destination
> other than the firewall should be left alone and routed per normal.

That is exactly what you will get if you replace "all" with the external IP.

> I tried specifying $FW where "all" is but that did not work (message
> from iptables 1.2.5 that host/network 'fw' was not found). I could
> perhaps hardcode my external IP instead of all but I can't see that
> really improving the configuration situation.

Did you try it?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
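The difference Tom describes between "all" and an explicit address in the ORIGINAL DEST column, modelled in Python as an added illustration for this thread (this is not Shorewall's code and does not run iptables; it mimics the match-and-rewrite decision a Shorewall 1.2 port-forwarding rule makes). The external address 203.0.113.10, the game ports 6112/27015, the peer host 192.168.1.20 and the second LAN game host 192.168.2.5 are assumptions chosen to fit Steve's rule; the tunnel network 192.168.1.0/24 and the forward target 192.168.2.2 come from his post.

```python
"""Model of a Shorewall 1.2 'rules' line with ORIGINAL DEST = "all" versus
an explicit external address. Added example, not Shorewall's own code.
Addresses and ports beyond those in Steve's rule are assumptions."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class ForwardRule:
    """One line of the form
    ACCEPT <zone>:<src net> <zone>:<target host> <proto> <ports> - <original dest>"""
    src_net: str         # SOURCE column, e.g. "192.168.1.0/24"
    target: str          # DEST column: host the packet is rewritten to
    proto: str
    ports: frozenset     # DEST PORT(S) column
    original_dest: str   # ORIGINAL DEST column: "all" or an address

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto or pkt.dport not in self.ports:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        # "all" ignores the packet's destination entirely; an explicit
        # ORIGINAL DEST only matches packets addressed to that host.
        if self.original_dest == "all":
            return True
        return ipaddress.ip_address(pkt.dst) == ipaddress.ip_address(self.original_dest)


def apply_dnat(rule: ForwardRule, pkt: Packet) -> Packet:
    """Return the packet as it would look after the forwarding rule ran."""
    if rule.matches(pkt):
        return Packet(pkt.src, rule.target, pkt.proto, pkt.dport)
    return pkt


GAME_PORTS = frozenset({6112, 27015})  # assumed game ports
EXTERNAL_IP = "203.0.113.10"           # assumed external address of Steve's firewall

# Steve's workaround, and the same rule with the external IP in place of "all".
RULE_ALL = ForwardRule("192.168.1.0/24", "192.168.2.2", "udp", GAME_PORTS, "all")
RULE_EXT = ForwardRule("192.168.1.0/24", "192.168.2.2", "udp", GAME_PORTS, EXTERNAL_IP)

# Constructed traffic arriving over the tunnel from a host on the peer's LAN:
# joining a game the matchmaking service advertised at the external IP, and
# joining a LAN game hosted on a different local machine, 192.168.2.5.
EXTERNAL_JOIN = Packet("192.168.1.20", EXTERNAL_IP, "udp", 6112)
LAN_JOIN = Packet("192.168.1.20", "192.168.2.5", "udp", 6112)


def outcomes(rule: ForwardRule) -> dict:
    """Destination each constructed packet ends up with under the rule."""
    return {
        "external_join": apply_dnat(rule, EXTERNAL_JOIN).dst,
        "lan_join": apply_dnat(rule, LAN_JOIN).dst,
    }


if __name__ == "__main__":
    for name, rule in (("all", RULE_ALL), (EXTERNAL_IP, RULE_EXT)):
        print(f"ORIGINAL DEST = {name}: {outcomes(rule)}")
```

With "all", both packets are rewritten to 192.168.2.2, which is exactly the breakage Steve saw when the LAN game was hosted elsewhere; with the external IP, only the packet addressed to the firewall is forwarded and the LAN join goes through untouched. Note that the model says nothing about Paul's other point: if the game embeds the host's own address in its payload, no amount of destination matching will help.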