
#1 2014-10-14 04:51:28

Amanda S
Member
Registered: 2013-09-21
Posts: 276

[SOLVED] Steam and iptables

I'm trying to get Steam to work with my iptables rules, but even though I allow all the traffic Steam needs, I can't log in to it.

The only "problem" with my iptables rules is the OUTPUT chain. If I leave it open, Steam works. If I close it and open the ports Steam says it needs, it doesn't.

My OUTPUT chain:

iptables -P OUTPUT DROP

# Allow replies and related traffic for connections conntrack already knows
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# HTTP, SMTP, DNS
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# Steam (ports from the support article linked below)
iptables -A OUTPUT -p udp -m udp --sport 27000:27015 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --sport 27015:27030 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 27014:27050 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 27015 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 3478 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 4379 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 4380 -j ACCEPT

# Log and drop packets conntrack considers invalid
iptables -N drop_invalid
iptables -A drop_invalid -j LOG --log-level info --log-prefix "drop_invalid -- DENY "
iptables -A drop_invalid -j DROP
iptables -A OUTPUT -m conntrack --ctstate INVALID -j drop_invalid

# New TCP connections must start with a bare SYN
iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK,PSH,URG SYN -m conntrack --ctstate NEW -j DROP

# Drop everything else, logged
iptables -N RULE_13
iptables -A OUTPUT -j RULE_13
iptables -A INPUT -j RULE_13
iptables -A FORWARD -j RULE_13
iptables -A RULE_13 -j LOG --log-level info --log-prefix "RULE 13 -- DENY "
iptables -A RULE_13 -j DROP

https://support.steampowered.com/kb_art … -GLVN-8711

Solved:
Should have used "--dport" instead of "--sport".

Edit 2:
Games won't open.

I opened all the ports required by Counter-Strike and yet it doesn't open.

1200
27000 through 27050

This is really making me tired. Plus it's 3:23 AM, sorry for the lack of effort and details.
Next thing tomorrow I'll investigate it further.

Last edited by Amanda S (2014-10-14 15:12:18)


If it ain't broke, you haven't tweaked it enough...
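An added example, not from the thread or from any of the posters: the mistake identified in the "Solved" note above is easy to lint for. For outbound connections to Steam's servers the local source port is normally ephemeral, so an OUTPUT rule that only matches `--sport 27015:27030` never sees the first packet of the connection; the ports in the support article are remote service ports and belong in `--dport`. The script below reads `iptables -A OUTPUT ...` lines from stdin, flags rules that carry `--sport` but no `--dport`, and prints the `--dport` rewrite for review. The sample rules are a constructed, abridged copy of the OUTPUT chain in post #1; the function names are mine.

```sh
#!/bin/sh
# Added example (not from the thread). Lint OUTPUT rules that match only on
# the local source port. On a client machine the source port of an outbound
# connection is ephemeral, so such a rule never matches the first packet.
# A --sport rule on OUTPUT is legitimate when you run a server (replies leave
# from your listening port), so treat this as a review aid, not an auto-fix.

# Print each "-A OUTPUT" rule that has --sport but no --dport (stdin -> stdout).
lint_output_sport() {
    grep -E -- '-A OUTPUT ' | grep -E -- '--sport ' | grep -v -E -- '--dport '
}

# Rewrite the flagged rules to --dport so they can be compared before applying.
suggest_dport() {
    lint_output_sport | sed 's/--sport /--dport /'
}

# Number of flagged rules, for use in scripts.
lint_count() {
    lint_output_sport | wc -l | tr -d ' '
}

# Constructed sample: the OUTPUT chain as posted in #1 (abridged).
sample_rules() {
    cat <<'EOF'
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --sport 27000:27015 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --sport 27015:27030 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 27014:27050 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 27015 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 3478 -j ACCEPT
EOF
}

# Usage: ./lint-output.sh demo, or: lint_output_sport < my-rules.sh
if [ "${1:-}" = "demo" ]; then
    echo "Rules that will not match outbound client traffic:"
    sample_rules | lint_output_sport
    echo "Suggested replacements:"
    sample_rules | suggest_dport
fi
```

Run it against the real rules file with `lint_output_sport < rules.sh`; three of the sample rules are flagged, and the rewrite of the UDP and TCP Steam ranges matches what the "Solved" note says was needed.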


#2 2014-10-14 09:36:59

TheSgtBilko
Member
Registered: 2013-08-13
Posts: 87

Re: [SOLVED] Steam and iptables

Is this a router?

With all these OUTPUT rules and OUTPUT defaulting to DROP, it seems like you're trying to protect the network from you rather than protecting you from the network.

You probably need some INPUT ACCEPT rule for RELATED,ESTABLISHED connections as well (but maybe you already have that).

Last edited by TheSgtBilko (2014-10-14 09:39:04)


#3 2014-10-14 10:29:20

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] Steam and iptables

If you LOG before the DROP/REJECT, then you can just debug it yourself.

E.g. logndrop.

Firewalls are usually to guard INPUT rather than OUTPUT - your setup is very weird.


#4 2014-10-14 15:11:49

Amanda S
Member
Registered: 2013-09-21
Posts: 276

Re: [SOLVED] Steam and iptables

TheSgtBilko wrote:

Is this a router?

I am behind a router, but it's my iptables rules that make Counter-Strike not start. If I leave the OUTPUT chain open, the game starts.

UPDATE:
Somehow everything works today after I shut down my PC last night. This is weird, since I always restart iptables every time I make a modification to it.

TheSgtBilko wrote:

With all these OUTPUT rules and OUTPUT default to DROP it seems like your trying to protect the network from you rather than protecting you from the network.

Why not have it both ways? ;-)
I don't think I or Linux are invincible; it might happen someday that we're affected by a new kind of threat that spreads if we let it loose.

TheSgtBilko wrote:

You probably need some INPUT ACCEPT rule for RELATED,ESTABLISHED connections as well (but maybe you already have that).

I do have them. Input wasn't the problem, only output.

brebs wrote:

If you LOG before the DROP/REJECT, then you can just debug it yourself.

E.g. logndrop.

Oh yeah, hadn't thought of that. Thanks.

brebs wrote:

Firewalls are usually to guard INPUT rather than OUTPUT - your setup is very weird.

It might be weird for some people, but I like keeping other people if there's a problem on my end.

--------------------------------------------------------------------------------------

I'm letting the mods close this thread, but if someone else faces this issue, here are my rules:

# Drop OUTPUT, except rules specified by us
iptables -P OUTPUT DROP

# Accept outbound established and related traffic
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# HTTP, mail, DNS and HTTPS accepted
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

# Steam: match the remote service port (--dport), not the local source port.
# 27000:27015 and 27015:27030 from the support article merged into one range.
iptables -A OUTPUT -p udp --dport 27000:27030 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 27014:27050 -j ACCEPT
iptables -A OUTPUT -p udp --dport 3478 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4379 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4380 -j ACCEPT

# You can choose to drop everything after this,
# but it's not a bad idea to drop invalid traffic and log it.

# Drop invalid
iptables -N drop_invalid
iptables -A OUTPUT -m conntrack --ctstate INVALID -j drop_invalid
iptables -A drop_invalid -j LOG --log-level info --log-prefix "drop_invalid -- DENY "
iptables -A drop_invalid -j DROP

# This shouldn't be necessary, but nevertheless a precaution:
# new TCP connections must start with a bare SYN
iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK,PSH,URG SYN -m conntrack --ctstate NEW -j DROP

# This ends my whole iptables rules.
# All traffic is now dropped and logged
iptables -N RULE_13
iptables -A OUTPUT -j RULE_13
iptables -A INPUT -j RULE_13
iptables -A FORWARD -j RULE_13
iptables -A RULE_13 -j LOG --log-level info --log-prefix "RULE 13 -- DENY "
iptables -A RULE_13 -j DROP

If it ain't broke, you haven't tweaked it enough...
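An added example, not from the thread or from any of the posters: brebs's advice in #3 (LOG before DROP) and the `RULE 13 -- DENY` chain at the end of the rules above together give you the data to stop guessing ports. The script below reads netfilter LOG lines from stdin (in practice `dmesg`, `journalctl -k` or /var/log/kern.log), keeps only outbound drops (`IN=` empty, `OUT=` set), aggregates them by protocol and destination port, and prints candidate ACCEPT rules. The log lines are constructed to look like LOG target output and use documentation addresses (192.0.2.0/24, 203.0.113.0/24, 198.51.100.0/24), not real Steam hosts; the function names are mine.

```sh
#!/bin/sh
# Added example (not from the thread). Turn "RULE 13 -- DENY" kernel log lines
# into the list of outbound destination ports that were dropped, so the
# missing --dport rules can be added deliberately instead of guessed.

# Constructed sample of kernel log lines as written by the RULE_13 LOG target.
# The last line is an inbound drop and must not show up in the outbound list.
sample_log() {
    cat <<'EOF'
[ 1234.001] RULE 13 -- DENY IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.40 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=42315 DPT=27017 LEN=32
[ 1234.002] RULE 13 -- DENY IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.40 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=42315 DPT=27017 LEN=32
[ 1234.003] RULE 13 -- DENY IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.180 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=50112 DPT=27036 WINDOW=29200 RES=0x00 SYN URGP=0
[ 1234.004] RULE 13 -- DENY IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=27015 DPT=1200 LEN=20
[ 1234.005] RULE 13 -- DENY IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=5 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
EOF
}

# Outbound drops only, aggregated as "PROTO DPT count", sorted by proto then port.
denied_out_dports() {
    grep 'RULE 13 -- DENY' | grep 'IN= OUT=' |
    sed -n 's/.*PROTO=\([A-Z]*\).*DPT=\([0-9]*\).*/\1 \2/p' |
    sort | uniq -c |
    awk '{ print $2, $3, $1 }' |
    sort -k1,1 -k2,2n
}

# Candidate ACCEPT rules for the dropped ports. Review them first: only open a
# port you actually expect the client to talk to, and insert the rule before
# the "-j RULE_13" jump, which the rules above append last.
suggest_rules() {
    denied_out_dports |
    awk '{ printf "iptables -A OUTPUT -p %s --dport %s -j ACCEPT\n", tolower($1), $2 }'
}

# Usage: dmesg | ./denied-ports.sh, or: ./denied-ports.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "Outbound drops (proto port count):"
    sample_log | denied_out_dports
    echo "Candidate rules:"
    sample_log | suggest_rules
elif [ ! -t 0 ]; then
    denied_out_dports
fi
```

Because the `-j RULE_13` jump is appended after every ACCEPT, a rule added later with `-A OUTPUT` would land after the jump and never be reached; add it with `-I OUTPUT` or regenerate the whole chain. The inbound line in the sample (SSH from the outside) is filtered out, since the INPUT side of the rules is a separate question.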



Powered by FluxBB