Steve Sobka
2002-Jun-21 05:34 UTC
[Shorewall-users] Problems with running a MOH server from the loc network and UDP traffic
I don't really know how to ask this question, but I will do my best to explain the problem I am having and maybe someone knows of a good solution?

In my shorewall 'rules' file, I have a rule to allow traffic to one of the computers on our local lan that runs a Medal of Honor game server. It's very similar to running a Quake 3 Server. Now according to the specifications for the server program, I need to open UDP Ports 12000,12201,12202,12203,12210,12300. When I add rules as such in hopes of covering all the bases, even though I don't need all of these ports open:

# MOH Game Server
#
ACCEPT net loc tcp 12000:12300
ACCEPT net loc udp 12000:12300
#
ACCEPT loc net tcp 12000:12300
ACCEPT loc net udp 12000:12300
#
#
DNAT net loc:192.168.1.1 udp 12000:12300
DNAT net loc:192.168.1.1 tcp 12000:12300

This should allow even more ports (12000 thru 12300) than necessary and everything 'seems' to work ok, but there is a problem. The problem is that after about 4 to 6 people get on the server, everyone else who tries to connect is not really rejected, but kept in some kind of 'connecting....connecting...connecting...' loop. Their computers just sit there and never time out trying to connect, yet they never get into the game.

Now if there's only a few people in the game, you can connect just fine, but it seems to happen once more than 6 people join the server. There's plenty of bandwidth and slots available, and the server runs fine when moved outside the firewall, so I am kind of at a loss as to what's wrong.

What stats, output, etc, can I look at in my logs to help me diagnose this problem?

Here's a current snapshot of: shorewall show connections

You can see all of the connections, yet most don't make it to the server, they just sit there...
(Note, this is only a small sample)

udp 17 162 src=209.112.217.162 dst=64.81.34.152 sport=3401 dport=12300 src=192.168.1.1 dst=209.112.217.162 sport=12300 dport=3401 [ASSURED] use=1
udp 17 13 src=209.112.217.162 dst=64.81.34.152 sport=3402 dport=12300 src=192.168.1.1 dst=209.112.217.162 sport=12300 dport=3402 use=1
udp 17 166 src=209.112.217.162 dst=64.81.34.152 sport=3403 dport=12300 src=192.168.1.1 dst=209.112.217.162 sport=12300 dport=3403 [ASSURED] use=1
udp 17 16 src=209.112.217.162 dst=64.81.34.152 sport=3404 dport=12300 src=192.168.1.1 dst=209.112.217.162 sport=12300 dport=3404 use=1
udp 17 17 src=209.112.217.162 dst=64.81.34.152 sport=3405 dport=12300 src=192.168.1.1 dst=209.112.217.162 sport=12300 dport=3405 use=1
udp 17 169 src=209.112.217.162 dst=64.81.34.152 sport=3406 dport=12300 src=192.168.1.1 dst=209.112.217.162 sport=12300 dport=3406 [ASSURED] use=1
udp 17 20 src=209.112.217.162 dst=64.81.34.152 sport=3407 dport=12300 src=192.168.1.1 dst=209.112.217.162 sport=12300 dport=3407 use=1
udp 17 21 src=209.112.217.162 dst=64.81.34.152 sport=3408 dport=12300 src=192.168.1.1 dst=209.112.217.162 sport=12300 dport=3408 use=1
udp 17 22 src=209.112.217.162 dst=64.81.34.152 sport=3409 dport=12300 src=192.168.1.1 dst=209.112.217.162 sport=12300 dport=3409 use=1
udp 17 23 src=209.112.217.162 dst=64.81.34.152 sport=3410 dport=12300 src=192.168.1.1 dst=209.112.217.162 sport=12300 dport=3410 use=1
udp 17 24 src=209.112.217.162 dst=64.81.34.152 sport=3411 dport=12300 src=192.168.1.1 dst=209.112.217.162 sport=12300 dport=3411 use=1
udp 17 24 src=209.112.217.162 dst=64.81.34.152 sport=3412 dport=12300 src=192.168.1.1 dst=209.112.217.162 sport=12300 dport=3412 use=1
udp 17 25 src=209.112.217.162 dst=64.81.34.152 sport=3413 dport=12300 src=192.168.1.1 dst=209.112.217.162 sport=12300 dport=3413 use=1
udp 17 26 src=209.112.217.162 dst=64.81.34.152 sport=3414 dport=12300 src=192.168.1.1 dst=209.112.217.162 sport=12300 dport=3414 use=1
udp 17 26 src=209.112.217.162 dst=64.81.34.152 sport=3415 dport=12300 src=192.168.1.1 dst=209.112.217.162 sport=12300 dport=3415 use=1
udp 17 13 src=64.255.66.215 dst=64.81.34.152 sport=1058 dport=12300 src=192.168.1.1 dst=64.255.66.215 sport=12300 dport=1058 use=1
udp 17 24 src=68.13.173.229 dst=64.81.34.152 sport=4628 dport=12300 src=192.168.1.1 dst=68.13.173.229 sport=12300 dport=4628 [ASSURED] use=1
udp 17 27 src=209.112.217.162 dst=64.81.34.152 sport=3416 dport=12300 src=192.168.1.1 dst=209.112.217.162 sport=12300 dport=3416 use=1
udp 17 19 src=68.102.240.245 dst=64.81.34.152 sport=3848 dport=12300 src=192.168.1.1 dst=68.102.240.245 sport=12300 dport=3848 use=1
udp 17 116 src=203.218.154.121 dst=64.81.34.152 sport=1157 dport=12300 src=192.168.1.1 dst=203.218.154.121 sport=12300 dport=1157 [ASSURED] use=1
udp 17 16 src=207.148.161.102 dst=64.81.34.152 sport=1946 dport=12203 src=192.168.1.1 dst=207.148.161.102 sport=12203 dport=1946 use=1
udp 17 23 src=65.209.120.2 dst=64.81.34.152 sport=32782 dport=12300 src=192.168.1.1 dst=65.209.120.2 sport=12300 dport=32782 use=1
udp 17 0 src=24.162.138.15 dst=64.81.34.152 sport=2562 dport=12300 src=192.168.1.1 dst=24.162.138.15 sport=12300 dport=2562 use=1
udp 17 132 src=204.210.47.92 dst=64.81.34.152 sport=2248 dport=12300 src=192.168.1.1 dst=204.210.47.92 sport=12300 dport=2248 [ASSURED] use=1
udp 17 3 src=203.218.154.121 dst=64.81.34.152 sport=1197 dport=12300 src=192.168.1.1 dst=203.218.154.121 sport=12300 dport=1197 use=1
udp 17 9 src=62.238.108.254 dst=64.81.34.152 sport=1069 dport=12300 src=192.168.1.1 dst=62.238.108.254 sport=12300 dport=1069 use=1
udp 17 15 src=65.28.36.168 dst=64.81.34.152 sport=1160 dport=12300 src=192.168.1.1 dst=65.28.36.168 sport=12300 dport=1160 use=1
udp 17 16 src=68.13.173.229 dst=64.81.34.152 sport=4692 dport=12300 src=192.168.1.1 dst=68.13.173.229 sport=12300 dport=4692 use=1
udp 17 161 src=66.205.195.210 dst=64.81.34.152 sport=27243 dport=12203 src=192.168.1.1 dst=66.205.195.210 sport=12203 dport=27243 [ASSURED] use=1
udp 17 179 src=4.46.135.151 dst=64.81.34.152 sport=12203 dport=12203 src=192.168.1.1 dst=4.46.135.151 sport=12203 dport=12203 [ASSURED] use=1
udp 17 24 src=68.63.16.228 dst=64.81.34.152 sport=2913 dport=12300 src=192.168.1.1 dst=68.63.16.228 sport=12300 dport=2913 use=1
udp 17 51 src=203.218.93.233 dst=64.81.34.152 sport=1886 dport=12300 src=192.168.1.1 dst=203.218.93.233 sport=12300 dport=1886 [ASSURED] use=1
udp 17 21 src=68.41.161.74 dst=64.81.34.152 sport=1791 dport=12300 src=192.168.1.1 dst=68.41.161.74 sport=12300 dport=1791 use=1
udp 17 23 src=68.3.120.111 dst=64.81.34.152 sport=65243 dport=12300 src=192.168.1.1 dst=68.3.120.111 sport=12300 dport=65243 use=1
udp 17 26 src=24.65.128.231 dst=64.81.34.152 sport=23147 dport=12300 src=192.168.1.1 dst=24.65.128.231 sport=12300 dport=23147 use=1
udp 17 5 src=144.132.166.151 dst=64.81.34.152 sport=1214 dport=12300 src=192.168.1.1 dst=144.132.166.151 sport=12300 dport=1214 use=1
udp 17 8 src=65.92.186.194 dst=64.81.34.152 sport=2202 dport=12300 src=192.168.1.1 dst=65.92.186.194 sport=12300 dport=2202 use=1
udp 17 78 src=24.161.209.226 dst=64.81.34.152 sport=1916 dport=12300 src=192.168.1.1 dst=24.161.209.226 sport=12300 dport=1916 [ASSURED] use=1
udp 17 61 src=195.224.95.123 dst=64.81.34.152 sport=4840 dport=12300 src=192.168.1.1 dst=195.224.95.123 sport=12300 dport=4840 [ASSURED] use=1
udp 17 7 src=172.194.66.38 dst=64.81.34.152 sport=1088 dport=12300 src=192.168.1.

Thanks for any help.

Steve Sobka
hickbot@fuzzylinux.net
Tom Eastep
2002-Jun-21 13:33 UTC
[Shorewall-users] Problems with running a MOH server from the loc network and UDP traffic
On Thu, 20 Jun 2002, Steve Sobka wrote:

> When I add rules as such in hopes of covering all the bases, even though I
> don't need all of these ports open:
>
> # MOH Game Server
> #
> ACCEPT net loc tcp 12000:12300
> ACCEPT net loc udp 12000:12300
> #
> ACCEPT loc net tcp 12000:12300
> ACCEPT loc net udp 12000:12300
> #
> #
> DNAT net loc:192.168.1.1 udp 12000:12300
> DNAT net loc:192.168.1.1 tcp 12000:12300
>

The only two rules you need are the last two -- the first four are superfluous.

> game.
>
> Now if there's only a few people in the game, you can connect just fine, but
> it seems to happen once more than 6 people join the server.
> There's plenty of bandwidth and slots available, and the server runs fine
> when moved outside the firewall, so I am kind of at a loss as to what's
> wrong.
>
> What stats, output, etc, can I look at in my logs to help me diagnose this
> problem?

Are you seeing messages from the conntrack module indicating that the connection tracking table is full? If so, you can modify the third line of /etc/shorewall/modules:

loadmodule ip_conntrack hashsize=n

Where n is 1/8 of the number of entries that you want in the table.

You can see how many entries are in your table currently by:

cat /proc/sys/net/ipv4/ip_conntrack_max

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
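Added example, not part of the thread and not Shorewall's own code: a small Python script that parses the `shorewall show connections` / `/proc/net/ip_conntrack` line format Steve pasted, counts ASSURED and UNREPLIED entries, groups entries per source address and destination port (the pattern in his snapshot, one client holding a run of non-ASSURED entries with rising source ports all aimed at dport 12300, is the kind of thing worth spotting before the table fills), and applies the 1/8 ratio Tom gives to size the `ip_conntrack` hashsize. The sample lines are constructed in the same layout as the snapshot (addresses, ports and timeouts made up); the helper names and the `/proc/net/ip_conntrack` path are this example's assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of the `shorewall show connections` snapshot
# in the thread (2.4-kernel /proc/net/ip_conntrack format). Addresses, ports
# and timeouts are made up for the example; the last line is a TCP entry to
# show the extra state word those lines carry.
SAMPLE_CONNTRACK = """\
udp      17 162 src=198.51.100.7 dst=203.0.113.9 sport=3401 dport=12300 src=192.168.1.1 dst=198.51.100.7 sport=12300 dport=3401 [ASSURED] use=1
udp      17 13 src=198.51.100.7 dst=203.0.113.9 sport=3402 dport=12300 src=192.168.1.1 dst=198.51.100.7 sport=12300 dport=3402 use=1
udp      17 16 src=198.51.100.7 dst=203.0.113.9 sport=3403 dport=12300 src=192.168.1.1 dst=198.51.100.7 sport=12300 dport=3403 use=1
udp      17 20 src=198.51.100.7 dst=203.0.113.9 sport=3404 dport=12300 src=192.168.1.1 dst=198.51.100.7 sport=12300 dport=3404 use=1
udp      17 24 src=198.51.100.20 dst=203.0.113.9 sport=4628 dport=12300 src=192.168.1.1 dst=198.51.100.20 sport=12300 dport=4628 [ASSURED] use=1
udp      17 179 src=198.51.100.31 dst=203.0.113.9 sport=12203 dport=12203 src=192.168.1.1 dst=198.51.100.31 sport=12203 dport=12203 [ASSURED] use=1
udp      17 29 src=198.51.100.44 dst=203.0.113.9 sport=1088 dport=12300 [UNREPLIED] src=192.168.1.1 dst=198.51.100.44 sport=12300 dport=1088 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.50 dst=203.0.113.9 sport=2001 dport=22 src=203.0.113.9 dst=198.51.100.50 sport=22 dport=2001 [ASSURED] use=1
"""

FLAG_RE = re.compile(r"^\[(\w+)\]$")


def parse_conntrack(text):
    """Parse ip_conntrack-style lines into dicts holding the original-direction
    tuple, the reply-direction tuple, the timeout and any [FLAGS]."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4:
            continue  # blank or truncated line (the snapshot ends mid-entry)
        proto, timeout, rest = tokens[0], int(tokens[2]), tokens[3:]
        state = None
        if "=" not in rest[0] and not rest[0].startswith("["):
            state = rest.pop(0)  # TCP lines carry a state word (ESTABLISHED, ...)
        orig, reply, flags = {}, {}, set()
        for tok in rest:
            m = FLAG_RE.match(tok)
            if m:
                flags.add(m.group(1))
                continue
            key, _, value = tok.partition("=")
            if key == "use":
                continue
            # The first src/dst/sport/dport quartet is the original direction,
            # the second one is the expected reply direction.
            target = orig if key not in orig else reply
            target[key] = value
        entries.append({"proto": proto, "timeout": timeout, "state": state,
                        "orig": orig, "reply": reply, "flags": flags})
    return entries


def summarize(entries):
    """Totals plus per-source and per-(proto, dport) counts of the table."""
    return {
        "total": len(entries),
        "assured": sum("ASSURED" in e["flags"] for e in entries),
        "unreplied": sum("UNREPLIED" in e["flags"] for e in entries),
        "per_src": Counter(e["orig"]["src"] for e in entries),
        "per_dport": Counter((e["proto"], e["orig"]["dport"]) for e in entries),
    }


def pending_by_source(entries, threshold=3):
    """Sources holding at least `threshold` non-ASSURED entries to one port.
    In the thread's snapshot this is one client with sport 3401..3416, all to
    dport 12300: each retry creates a fresh entry that sits in the table until
    its timeout expires, so these are the entries to watch when the table fills."""
    pending = Counter()
    for e in entries:
        if "ASSURED" not in e["flags"]:
            pending[(e["orig"]["src"], e["orig"]["dport"])] += 1
    return {key: n for key, n in pending.items() if n >= threshold}


def conntrack_hashsize(max_entries):
    """hashsize for `loadmodule ip_conntrack hashsize=n`, using the 1/8 ratio
    Tom gives in the thread (n = wanted table size / 8)."""
    return max_entries // 8


def read_live_table(path="/proc/net/ip_conntrack"):
    """Read the live table on a 2.4-era host (assumed path; not used by the test)."""
    with open(path) as fh:
        return parse_conntrack(fh.read())


if __name__ == "__main__":
    entries = parse_conntrack(SAMPLE_CONNTRACK)
    s = summarize(entries)
    print(f"{s['total']} entries, {s['assured']} assured, {s['unreplied']} unreplied")
    for src, n in s["per_src"].most_common(3):
        print(f"  {src}: {n} entries")
    print("sources with pending retries:", pending_by_source(entries))
    print("hashsize for a 32768-entry table:", conntrack_hashsize(32768))
```

Run it against the live table with `read_live_table()` instead of the constructed sample; the `per_src` counter alone usually tells you whether a few clients are burning entries or the table is simply too small for the player count.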