Opening ports for battle.net with iptables

Owner
      04-02-2010, 02:57 AM
How do I open ports for battle.net with iptables?
I searched the internet and can't find the answer.

I need to open these:

port 4000 TCP,UDP in and out
port 6113-6119 TCP,UDP in and out

Owner
      04-02-2010, 02:02 PM
On Fri, 02 Apr 2010 04:55:59 +0100, Mark Hobley wrote:

> Owner <(E-Mail Removed)> wrote:
>> How do I open port for battle.net with iptables. port 4000 TCP,UDP in
>> and out
>> port 6113-6119 TCP,UDP in and out


My fault, the correct ports needed are 6112-6119.


> Are you forwarding to the battlenet server, or does it run on the same
> machine as iptables?


Forwarding to the battle.net server.


> Basically, you need to either accept traffic for those ports on the
> input chain or forward the traffic to the destination server (via the
> forward chain).
>
> To accept traffic on the input chain:
>
> iptables -A INPUT -p tcp --dport 4000 -j ACCEPT
> iptables -A INPUT -p udp --dport 4000 -j ACCEPT
>
> (Do the same for ports 6113-6119)
>
> If you are blocking outbound traffic you need to also apply the rules to
> the output chain, or again forward to output (if you are forwarding).
>
> These rules must be above the blocking rules in the chain (ie, you must
> accept before you block).
>
> Mark.


Owner
      04-02-2010, 04:39 PM
On Fri, 02 Apr 2010 16:36:26 +0100, Mark Hobley wrote:

> Owner <(E-Mail Removed)> wrote:
>> forwarding to the battle.net server

>
> Right. My notes were for accepting as input. Because you are forwarding, you
> need to add rules to the forward chain.
>
> Remember that you will need to add rules for both incoming traffic and
> outgoing traffic.
>
> Mark.


OK, I figured these commands open the ports on the Linux box, but the problem is
now I can't connect to the battle.net server.

Is something wrong with these commands to open the port and play the game at battle.net?
How come this works with bittorrent but not with the battle.net server?

iptables -t nat -A PREROUTING -p tcp --dport 4000 -j DNAT --to-destination 10.1.1.52
iptables -t nat -A PREROUTING -p udp --dport 4000 -j DNAT --to-destination 10.1.1.52
iptables -A FORWARD -s 10.1.1.52 -p tcp --dport 4000 -j ACCEPT
iptables -A FORWARD -s 10.1.1.52 -p udp --dport 4000 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 6112:6119 -j DNAT --to-destination 10.1.1.52
iptables -t nat -A PREROUTING -p udp --dport 6112:6119 -j DNAT --to-destination 10.1.1.52
iptables -A FORWARD -s 10.1.1.52 -p tcp --dport 6112:6119 -j ACCEPT
iptables -A FORWARD -s 10.1.1.52 -p udp --dport 6112:6119 -j ACCEPT

BTW, the setup is

internet -- linuxbox (which I'm configuring) -- access point -- my laptop

Here's my current setting.
I opened port 59527 following a tutorial on the web.

# Generated by iptables-save v1.4.0 on Fri Apr 2 09:31:11 2010
*nat
:PREROUTING ACCEPT [392:56543]
:POSTROUTING ACCEPT [4:244]
:OUTPUT ACCEPT [4:244]
-A PREROUTING -p tcp -m tcp --dport 59527 -j DNAT --to-destination 10.1.1.52
-A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 2 09:31:11 2010
# Generated by iptables-save v1.4.0 on Fri Apr 2 09:31:11 2010
*filter
:INPUT ACCEPT [971:234521]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [408:58162]
-A FORWARD -s 10.1.1.0/24 -o eth0 -j ACCEPT
-A FORWARD -d 10.1.1.0/24 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

-A FORWARD -s 10.1.1.52/32 -p tcp -m tcp --dport 59527 -j ACCEPT
COMMIT
# Completed on Fri Apr 2 09:31:11 2010

and also the result from iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.1.1.0/24 anywhere
ACCEPT all -- anywhere 10.1.1.0/24 state RELATED,ESTABLISHED
ACCEPT tcp -- 10.1.1.52 anywhere tcp dpt:59527

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



Pascal Hambourg
      04-03-2010, 09:36 AM
Hello,

Owner wrote:
>
> iptables -t nat -A PREROUTING -p tcp --dport 4000 -j DNAT --to-destination 10.1.1.52
> iptables -t nat -A PREROUTING -p udp --dport 4000 -j DNAT --to-destination 10.1.1.52
> iptables -A FORWARD -s 10.1.1.52 -p tcp --dport 4000 -j ACCEPT
> iptables -A FORWARD -s 10.1.1.52 -p udp --dport 4000 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 6112:6119 -j DNAT --to-destination 10.1.1.52
> iptables -t nat -A PREROUTING -p udp --dport 6112:6119 -j DNAT --to-destination 10.1.1.52
> iptables -A FORWARD -s 10.1.1.52 -p tcp --dport 6112:6119 -j ACCEPT
> iptables -A FORWARD -s 10.1.1.52 -p udp --dport 6112:6119 -j ACCEPT


I don't know how Battle.net works, but I'd suggest replacing -s with -d
in the FORWARD rules in order to be consistent with the DNAT rules:
10.1.1.52 is the destination, not the source.

Andy Furniss
      04-03-2010, 10:11 AM
Owner wrote:

> ok i figured these commands open the ports on linux box but problem is
> now I can't connect to battle.net server
>
> is something wrong with these commands to open the port and play game at battle.net?
> How come this works with bittorrent but not with battle.net server?


Your problem is that you only need to DNAT packets that are coming in
from the internet, so you need to add -i eth0 to the nat rule.

It works for bittorrent by luck, as only connections from you to port
59527 will fail, and mostly that port won't be the one other peers are
listening on.

>
> iptables -t nat -A PREROUTING -p tcp --dport 4000 -j DNAT --to-destination 10.1.1.52
> iptables -t nat -A PREROUTING -p udp --dport 4000 -j DNAT --to-destination 10.1.1.52
> iptables -A FORWARD -s 10.1.1.52 -p tcp --dport 4000 -j ACCEPT
> iptables -A FORWARD -s 10.1.1.52 -p udp --dport 4000 -j ACCEPT


These should be -d 10.1.1.52, not -s, but looking at your listing I don't
see DROP anywhere, so if that's what you see normally then you are not
running a firewall anyway.

If you want to submit iptables outputs I prefer to see output from

iptables -L -vn
iptables -L -vnt nat
iptables -L -vnt mangle

If you are using --state RELATED,ESTABLISHED you don't need to do
anything for outbound traffic; it gets through automatically. You could
also consider adding --state NEW to the rules for the ports you allow
through the firewall in FORWARD.
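Putting Pascal's and Andy's corrections together (match -i on the WAN interface in the DNAT rule, use -d rather than -s for the LAN host in FORWARD, and restrict the FORWARD accept to --state NEW), here is an added example of a small POSIX sh script that generates the full rule set for the ports from the original question, TCP and UDP 4000 and 6112:6119. It is not code from any of the posters; it assumes eth0 is the internet-facing interface and 10.1.1.52 is the game host, as in the thread, and it prints the commands instead of applying them so they can be reviewed before running them as root.

```shell
#!/bin/sh
# Added example: generates the corrected DNAT + FORWARD rules for forwarding
# battle.net traffic (TCP/UDP 4000 and 6112:6119) from a Linux router to a
# LAN host. Assumed values: eth0 = internet-facing interface, 10.1.1.52 = game
# host (the thread's example values). Rules are printed, not applied; review
# them, then run `bnet_rules eth0 10.1.1.52 | sh` as root to apply.

# bnet_rules WAN_IF LAN_HOST
# Emits one iptables command per line.
#  - The DNAT rule matches -i WAN_IF so only packets arriving from the
#    internet are rewritten; without it, a LAN client's own outbound
#    connection to a remote server on these ports would be redirected too.
#  - The FORWARD rule matches -d LAN_HOST because after DNAT the game host
#    is the packet's destination, not its source.
#  - --state NEW limits the accept to new inbound connections; replies are
#    already covered by a RELATED,ESTABLISHED accept in FORWARD.
bnet_rules() {
    wan_if=$1
    lan_host=$2
    for spec in 4000 6112:6119; do
        for proto in tcp udp; do
            printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s\n' \
                "$wan_if" "$proto" "$spec" "$lan_host"
            printf 'iptables -A FORWARD -i %s -d %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
                "$wan_if" "$lan_host" "$proto" "$spec"
        done
    done
}

# count_rules WAN_IF LAN_HOST
# Number of generated commands: 2 port specs x 2 protocols x 2 rules = 8.
count_rules() {
    bnet_rules "$1" "$2" | wc -l | tr -d ' '
}

# Sanity check used before applying: returns 0 only if every nat rule is
# bound to the WAN interface and no rule names the LAN host as a source.
check_rules() {
    rules=$(bnet_rules "$1" "$2")
    nat_with_if=$(printf '%s\n' "$rules" | grep -c -- "-t nat -A PREROUTING -i $1 ")
    [ "$nat_with_if" = "4" ] || return 1
    if printf '%s\n' "$rules" | grep -q -- "-s $2"; then
        return 1
    fi
    return 0
}

# Stand-alone usage: print the rules for review.
bnet_rules eth0 10.1.1.52
```

On current kernels -m state --state is an alias for -m conntrack --ctstate; it is kept here because the thread's existing listing already uses it. The DNAT rules must come before any other PREROUTING rule that would steal the same ports, and the FORWARD accepts must precede any DROP rule in that chain, as Mark noted for INPUT.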

Owner
      04-03-2010, 02:49 PM
Fixed! With this input:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6112 -j DNAT --to-destination 10.1.1.52:6112

Thank you everybody!