I'm trying to get Steam to work with my iptables rules, but even though I allow all the traffic Steam needs, I can't log in to it.
The only "problem" with my iptables rules is the OUTPUT chain. If I leave it open, Steam works. If I close it and open the ports Steam said are needed, it doesn't.
My OUTPUT chain:
iptables -P OUTPUT DROP
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --sport 27000:27015 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --sport 27015:27030 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 27014:27050 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 27015 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 3478 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 4379 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 4380 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 4380 -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate INVALID -j drop_invalid
iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK,PSH,URG SYN -m state --state NEW -j DROP
#drop everything else.
iptables -N RULE_13
iptables -A OUTPUT -j RULE_13
iptables -A INPUT -j RULE_13
iptables -A FORWARD -j RULE_13
iptables -A RULE_13 -j LOG --log-level info --log-prefix "RULE 13 -- DENY "
iptables -A RULE_13 -j DROP
https://support.steampowered.com/kb_art … -GLVN-8711
Solved:
Should have used "--dport" instead of "--sport".
Edit 2:
Games won't open.
I opened all ports required by Counter Strike and yet it doesn't open.
1200
27000 through 27050
This is really making me tired. Plus it's 3:23 AM, sorry for the lack of effort and details.
Next thing tomorrow I'll investigate it further.
Last edited by Amanda S (2014-10-14 15:12:18)
If it ain't broke, you haven't tweaked it enough...
Is this a router?
With all these OUTPUT rules and OUTPUT defaulting to DROP, it seems like you're trying to protect the network from you rather than protecting you from the network.
You probably need some INPUT ACCEPT rule for RELATED,ESTABLISHED connections as well (but maybe you already have that).
Last edited by TheSgtBilko (2014-10-14 09:39:04)
If you LOG before the DROP/REJECT, then you can just debug it yourself
E.g. logndrop.
Firewalls are usually used to guard INPUT rather than OUTPUT - your setup is very weird.
Is this a router?
I am behind a router but it's my iptables rules that make Counter Strike not start. If I let the OUTPUT chain open the game starts.
UPDATE:
Somehow everything works today after I shut down my PC last night. This is weird since I always restart iptables every time I make a modification to it.
With all these OUTPUT rules and OUTPUT defaulting to DROP, it seems like you're trying to protect the network from you rather than protecting you from the network.
Why not have it both ways? ;-)
I don't think I or Linux are invincible; it might happen someday that we're affected by a new kind of threat that spreads if we let it loose.
You probably need some INPUT ACCEPT rule for RELATED,ESTABLISHED connections as well (but maybe you already have that).
I do have them. Input wasn't the problem, only output.
If you LOG before the DROP/REJECT, then you can just debug it yourself
E.g. logndrop.
Oh yeah, I hadn't thought of that. Thanks.
Firewalls are usually used to guard INPUT rather than OUTPUT - your setup is very weird.
It might be weird for some people, but I like keeping other people if there's a problem on my end.
--------------------------------------------------------------------------------------
I'm letting the mods close this thread, but if someone also faces this issue here's my rules:
# Drop OUTPUT, except for the rules specified by us
iptables -P OUTPUT DROP
# Accept outbound established and related traffic
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# HTTP, mail, DNS and HTTPS accepted
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
# Steam (note: match on the remote --dport, not our local --sport)
iptables -A OUTPUT -p udp --dport 27000:27015 -j ACCEPT
iptables -A OUTPUT -p udp --dport 27015:27030 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 27014:27050 -j ACCEPT
iptables -A OUTPUT -p udp --dport 3478 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4379 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4380 -j ACCEPT
# End Steam
# You can choose to drop everything after this,
# but it's not a bad idea to drop invalid traffic and log it.
# Drop invalid (the chain must be created before it is referenced)
iptables -N drop_invalid
iptables -A OUTPUT -m conntrack --ctstate INVALID -j drop_invalid
iptables -A drop_invalid -j LOG --log-level info --log-prefix "drop_invalid -- DENY "
iptables -A drop_invalid -j DROP
# This shouldn't be necessary, but nevertheless a precaution:
# drop new TCP connections that don't start with a bare SYN
iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK,PSH,URG SYN -m state --state NEW -j DROP
# This ends my whole iptables rules.
# All remaining traffic is now logged and dropped
iptables -N RULE_13
iptables -A OUTPUT -j RULE_13
iptables -A INPUT -j RULE_13
iptables -A FORWARD -j RULE_13
iptables -A RULE_13 -j LOG --log-level info --log-prefix "RULE 13 -- DENY "
iptables -A RULE_13 -j DROP
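The advice earlier in the thread to LOG before you DROP only pays off if you actually read the kernel log afterwards. The script below is an added example (not code from the thread or from any of its posters) that parses netfilter LOG lines carrying the two prefixes used in the rule set above, "RULE 13 -- DENY " and "drop_invalid -- DENY ", works out which chain direction each drop came from (empty IN= with a set OUT= means a locally generated packet hit OUTPUT), and counts drops per protocol and destination port. From the OUTPUT drops that reached the final catch-all it prints candidate ACCEPT rules written with --dport, which is exactly the mistake the original poster made. The log lines are constructed for this example and use documentation addresses; the prefixes and the RULE_13/drop_invalid names are the ones from the rule set above, everything else (hostnames, interfaces, ports) is made up.

```python
import re
from collections import Counter

# Constructed sample of what `journalctl -k` / dmesg shows for the LOG target.
# Hosts, interfaces and addresses are made up; the prefixes match the rule set above.
SAMPLE_LOG = """\
Oct 14 03:20:11 arch kernel: [ 1234.567890] RULE 13 -- DENY IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=27015 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 14 03:20:12 arch kernel: [ 1235.001000] RULE 13 -- DENY IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=51235 DPT=27015 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 14 03:20:13 arch kernel: [ 1236.250000] RULE 13 -- DENY IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=12347 PROTO=UDP SPT=41000 DPT=27017 LEN=28
Oct 14 03:20:14 arch kernel: [ 1237.000000] drop_invalid -- DENY IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51234 DPT=27015 WINDOW=0 RES=0x00 RST URGP=0
Oct 14 03:20:15 arch kernel: [ 1238.000000] RULE 13 -- DENY IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=777 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 14 03:20:16 arch kernel: [ 1239.000000] audit: type=1130 unrelated line
"""

# A LOG line is: "<timestamp>] <prefix> IN=<if> OUT=<if> KEY=VALUE ..." with bare
# flags (DF, SYN, RST) mixed in between the KEY=VALUE pairs.
LOG_RE = re.compile(
    r"kernel: \[\s*\d+\.\d+\]\s+(?P<prefix>.*?)\s*IN=(?P<in>\S*)\s+OUT=(?P<out>\S*)\s*(?P<rest>.*)$"
)


def parse_log_line(line):
    """Return a dict for a netfilter LOG line, or None for anything else."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, value in re.findall(r"(\w+)=(\S*)", m.group("rest")):
        fields.setdefault(key, value)  # keep the first LEN= (IP header), not UDP's
    in_if, out_if = m.group("in"), m.group("out")
    if out_if and not in_if:
        direction = "OUTPUT"      # locally generated packet
    elif in_if and not out_if:
        direction = "INPUT"       # packet addressed to this host
    else:
        direction = "FORWARD"     # routed through this host
    return {
        "prefix": m.group("prefix").strip(),
        "direction": direction,
        "proto": fields.get("PROTO", "?"),
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
    }


def summarize_drops(log_text):
    """Count drops keyed by (log prefix, direction, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            counts[(rec["prefix"], rec["direction"], rec["proto"], rec["dpt"])] += 1
    return counts


def suggest_output_rules(counts, final_prefix="RULE 13 -- DENY"):
    """Candidate --dport ACCEPT rules for outbound traffic that fell through to the
    catch-all chain. Hits on the drop_invalid prefix are deliberately excluded: those
    packets failed conntrack, and no port rule would (or should) let them through."""
    rules = []
    for (prefix, direction, proto, dpt) in sorted(
        counts, key=lambda k: (k[2], k[3] if k[3] is not None else 0)
    ):
        if prefix != final_prefix or direction != "OUTPUT" or dpt is None:
            continue
        if proto not in ("TCP", "UDP"):
            continue
        rules.append(f"iptables -A OUTPUT -p {proto.lower()} --dport {dpt} -j ACCEPT")
    return rules


if __name__ == "__main__":
    summary = summarize_drops(SAMPLE_LOG)
    for (prefix, direction, proto, dpt), n in sorted(summary.items(), key=str):
        print(f"{n:4d}  {prefix:24s} {direction:8s} {proto:4s} dpt={dpt}")
    print("\nCandidate OUTPUT rules (review each destination before adding):")
    for rule in suggest_output_rules(summary):
        print("  " + rule)
```

On a live box you would feed it `journalctl -k` or `dmesg` output instead of SAMPLE_LOG. The direction is derived from IN=/OUT= rather than from the prefix because, as in the rule set above, the same RULE_13 chain is attached to INPUT, OUTPUT and FORWARD, so the prefix alone does not tell you which chain dropped the packet.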