Networking Forums


How does Linux NAT work ?

 
 
bad_knee
Guest
Posts: n/a

 
      09-15-2003, 04:25 PM
A friend asked me to replace his motorola router with
a linux box this weekend, which I did. He wants to
play online games from his internal LAN (c&c Generals)
as well, and I guess this is going to require some
studying.

Aren't these online games going to think he is actually
using the NAT box to play (IP in the packet), when he's
really playing on some internal LAN machine on some 192.x.x.x
IP address ?

Is this what pre-routing/post-routing is all about in
iptables ?


Thanks
bl8n8r
 
 
 
 
 
Jem Berkes
Guest
Posts: n/a

 
      09-15-2003, 04:48 PM
> Aren't these online games going to think he is actually
> using the NAT box to play (IP in the packet), when he's
> really playing on some internal LAN machine on some 192.x.x.x
> IP address ?


Yes, the game servers will see his only real IP address. But with network
address translation the linux kernel will make sure that all packets coming
from the games will reach his internal LAN machine.

There shouldn't be much of a problem with linux NAT and online gaming,
unless his machine is acting as a server.
 
 
bad_knee
Guest
Posts: n/a

 
      09-16-2003, 01:18 AM
Jem Berkes <(E-Mail Removed)> wrote in message

<snip>

> There shouldn't be much of a problem with linux NAT and online gaming,
> unless his machine is acting as a server.


Yeah he's going to be serving.
From what I understand (which isn't all that much) Linux keeps
track of outgoing natted packets so when replies come back, it
knows where to route them (on the internal lan).

Incoming ones are going to be problematic because the nat box
has no idea where it's supposed to route the incoming packet
to.

I think this is where pre/post routing rules come in, but
I'm not sure.

Thanks for the reply Jem.
 
 
Jem Berkes
Guest
Posts: n/a

 
      09-16-2003, 01:50 AM
>> There shouldn't be much of a problem with linux NAT and online gaming,
>> unless his machine is acting as a server.

>
> Yeah he's going to be serving.
> From what I understand (which isn't all that much) Linux keeps
> track of outgoing natted packets so when replies come back, it
> knows where to route them (on the internal lan).


Well you're right, serving doesn't work unless you set it explicitly. The
NAT machine has to know which packets (which destination port) to forward,
and must know where to forward them internally. You're also correct about
the replies coming back to the internal host, that's iptables using
stateful filtering.

Assuming you're using iptables, here is the solution. Assuming eth0 is your
external interface, eth1 is your internal interface, the server in question
uses UDP port 6666, and 192.168.0.10 is the LAN host.

# I think these have to be the first rules in FORWARD and PREROUTING
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 6666 -j ACCEPT
# This should be one line, of course
iptables -t nat -A PREROUTING -i eth0 -p udp -j DNAT \
--dport 6666 --to 192.168.0.10
 
 
James Knott
Guest
Posts: n/a

 
      09-16-2003, 10:52 AM
bad_knee wrote:

> From what I understand (which isn't all that much) Linux keeps
> track of outgoing natted packets so when replies come back, it
> knows where to route them (on the internal lan).
>
> Incoming ones are going to be problematic because the nat box
> has no idea where it's supposed to route the incoming packet
> to.
>


All NAT systems do pretty much the same. They not only keep track of the
connections, most will allow you to specify which computer behind the
firewall handles an incoming connection.

--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.
 
 
bad_knee
Guest
Posts: n/a

 
      09-16-2003, 12:10 PM
Jem Berkes <(E-Mail Removed)> wrote in message
<snip>

> Assuming you're using iptables, here is the solution. Assuming eth0 is your
> external interface, eth1 is your internal interface, the server in question
> uses UDP port 6666, and 192.168.0.10 is the LAN host.
>
> # I think these have to be the first rules in FORWARD and PREROUTING
> iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 6666 -j ACCEPT
> # This should be one line, of course
> iptables -t nat -A PREROUTING -i eth0 -p udp -j DNAT \
> --dport 6666 --to 192.168.0.10




Thanks again Jem. I will plug this in and give a try in a couple
days (going to be away from the box).

If both his machines behind the nat box are engaged in a gaming session,
can the same packets be routed to two different internal IPs behind the
nat box? The destination machines should just ignore them if they aren't
expecting them, right?

eg:
iptables -t nat -A PREROUTING -i eth0 -p udp -j DNAT ... --to 192.168.1.1
iptables -t nat -A PREROUTING -i eth0 -p udp -j DNAT ... --to 192.168.1.2
 
 
Andy Furniss
Guest
Posts: n/a

 
      09-18-2003, 09:38 AM
bad_knee wrote:

> Jem Berkes <(E-Mail Removed)> wrote in message
> <snip>
>
> > Assuming you're using iptables, here is the solution. Assuming eth0 is
> > your external interface, eth1 is your internal interface, the server in
> > question uses UDP port 6666, and 192.168.0.10 is the LAN host.
> >
> > # I think these have to be the first rules in FORWARD and PREROUTING
> > iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 6666 -j ACCEPT
> > # This should be one line, of course
> > iptables -t nat -A PREROUTING -i eth0 -p udp -j DNAT \
> > --dport 6666 --to 192.168.0.10

>
>
>
> Thanks again Jem. I will plug this in and give a try in a couple
> days (going to be away from the box).
>
> If both his machines behind the nat box are engaged in a gaming session,
> can the same packets be routed to two different internal IPs behind the
> nat box? The destination machines should just ignore them if they aren't
> expecting them, right?
>
> eg:
> iptables -t nat -A PREROUTING -i eth0 -p udp -j DNAT ... --to 192.168.1.1
> iptables -t nat -A PREROUTING -i eth0 -p udp -j DNAT ... --to 192.168.1.2


In the case of C&C generals - if it's like Tiberian sun, then you may get
away with doing nothing, because the game may be started through a central
server.

To run two games that need to accept incoming from strangers, you need to
set the games to use different ports and DNAT on the ports chosen.

Andy.

 
 
bad_knee
Guest
Posts: n/a

 
      09-20-2003, 10:57 AM
Andy Furniss <(E-Mail Removed)> wrote in message
> In the case of C&C generals - if it's like Tiberian sun, then you may get
> away with doing nothing, because the game may be started through a central
> server.
>
> To run two games that need to accept incoming from strangers, you need to
> set the games to use different ports and DNAT on the ports chosen.
>
> Andy.


Is there a way to view the PREROUTING rules?
(iptables -L -v -n is what I use to show IN,OUT and FORWARD)

C&C has a page on their site listing the
ports to open, and they also touch on the
FirewallOptionOverride which I think
is what you are talking about?

http://eatech.custhelp.com/cgi-bin/e...cGFnZT0x&p_li=

What it sounds like is that the two machines on
the 192.168.1.x internal lan will use (ummm..)
30000 for box1 and 30001 for box2 in the
FirewallOptionOverride.

The nat box then must do PREROUTING for:

incoming packet at nat box for port 30000 "preroutes" to 192.168.1.2
incoming packet at nat box for port 30001 "preroutes" to 192.168.1.3

It's not clear to me if the ports listed on the eatech site
are for outgoing or incoming packets, so I guess just to get it
working, I'll open them wide friggin open and forward everything
incoming on those ports to the machines behind the nat box just
to get things setup.

Thanks for the reply, Andy

PS: Anyone know of a GUI tool for iptables?
 
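Added example (not posted by anyone in this thread): a POSIX shell script that builds the DNAT and FORWARD rules Jem describes for a single server and extends them to the two-host layout bad_knee sketches above (port 30000 to 192.168.1.2, port 30001 to 192.168.1.3). It reuses Jem's assumptions of eth0 as the external and eth1 as the internal interface; the port numbers, the LAN addresses, the choice of the conntrack match and the `--apply`/`--show` flags are assumptions of this example. Two points it makes explicit that the thread only touches on: the FORWARD chain accepts only new connections to the exact host and port each DNAT rule maps to, and relies on connection tracking (the "stateful filtering" Jem mentions) for every reply packet; and because DNAT is a terminating target, the first PREROUTING rule matching a given port wins, so a second rule for the same port to a different host never fires. The script therefore refuses a forwarding table with duplicate ports. By default it only prints the commands (a dry run that needs no root), so the rule set can be reviewed before being installed; `--show` lists the installed nat PREROUTING chain, which is the question answered with `iptables -t nat -L` later in the thread.

```shell
#!/bin/sh
# Example script added to this thread, not from any poster.
# Generates (and optionally applies) DNAT port forwards for LAN game hosts.
# Interface names follow the thread's assumptions; override via environment.
EXT_IF="${EXT_IF:-eth0}"   # external (Internet-facing) interface
INT_IF="${INT_IF:-eth1}"   # internal LAN interface

# Constructed forwarding table: "proto port lan_host", one entry per line.
# Ports 30000/30001 are the per-machine FirewallOptionOverride values the
# thread proposes; addresses are example LAN hosts.
FORWARDS="udp 30000 192.168.1.2
udp 30001 192.168.1.3"

# Rules that do not depend on the forwarding table:
# default-deny forwarding, allow tracked replies, allow LAN->Internet,
# and masquerade outbound traffic behind the external address.
base_rules() {
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$INT_IF" "$EXT_IF"
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$EXT_IF"
}

# Rules for one forward entry. DNAT rewrites the destination of inbound
# packets in PREROUTING; FORWARD then sees the rewritten (LAN) destination,
# so the accept rule is pinned to that host and port and to NEW state only.
forward_rules() {
    proto=$1; port=$2; host=$3
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s\n' \
        "$EXT_IF" "$proto" "$port" "$host"
    printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$EXT_IF" "$INT_IF" "$proto" "$host" "$port"
}

# Full rule set as text, one command per line.
all_rules() {
    base_rules
    printf '%s\n' "$FORWARDS" | while read -r proto port host; do
        [ -n "$proto" ] && forward_rules "$proto" "$port" "$host"
    done
}

# A second DNAT rule for the same proto/port can never match (first match
# wins and DNAT terminates), so treat duplicate ports as a configuration error.
check_unique_ports() {
    dups=$(printf '%s\n' "$FORWARDS" | awk '{print $1 "/" $2}' | sort | uniq -d)
    [ -z "$dups" ]
}

# Command that lists what is actually installed in the nat PREROUTING chain.
show_rules_cmd() {
    printf 'iptables -t nat -L PREROUTING -v -n --line-numbers\n'
}

case "${1:-}" in
    --apply)
        check_unique_ports || { echo "duplicate proto/port in FORWARDS" >&2; exit 1; }
        all_rules | sh ;;            # needs root
    --show)
        show_rules_cmd | sh ;;       # needs root
    *)
        all_rules ;;                 # dry run: print the commands only
esac
```

Run it with no arguments to review the generated commands; `EXT_IF=ppp0 ./fwd.sh` swaps the external interface without editing the script. Adding a third host means adding one line to FORWARDS with a port no other entry uses.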
 
Jem Berkes
Guest
Posts: n/a

 
      09-20-2003, 05:08 PM
> Is there a way to view the PREROUTING rules?
> (iptables -L -v -n is what I use to show IN,OUT and FORWARD)


iptables -t nat -L

--
Jem Berkes
http://www.sysdesign.ca/
 
 
Andy Furniss
Guest
Posts: n/a

 
      09-21-2003, 09:52 AM
bad_knee wrote:

> Andy Furniss <(E-Mail Removed)> wrote in message
> > In the case of C&C generals - if it's like Tiberian sun, then you may
> > get away with doing nothing, because the game may be started through a
> > central server.
> >
> > To run two games that need to accept incoming from strangers, you need
> > to set the games to use different ports and DNAT on the ports chosen.
> >
> > Andy.

>
> Is there a way to view the PREROUTING rules?
> (iptables -L -v -n is what I use to show IN,OUT and FORWARD)
>
> C&C has a page on their site listing the
> ports to open, and they also touch on the
> FirewallOptionOverride which I think
> is what you are talking about?
>
>

http://eatech.custhelp.com/cgi-bin/e...cGFnZT0x&p_li=

That page says -

If your firewall does not allow outgoing packets to open ports to incoming
traffic....

My firewall does open on outgoing, so I still think in the case of C&C it
should work without doing anything.

Note - I am relying on the word of my kids that tib sun worked, when I
asked them to test it after I set up a gateway - they don't play it anymore.
Saying that, I can see why it should, because of the way you stay connected
to a central server, rather than just get a list of addresses from it,
which is how most other games do it.

Andy.


 