- 11-11-2004 #1
- Just Joined!
- Join Date: Nov 2004
- Posts: 1
IPTables configs for College system, need assistance please!
Hi everyone! Sorry that my second post on these forums is to ask for help. I did use the "search" function first, but failed to find anything there that could help.

Background: I recently moved into College accommodation, and the firewall blocks most things. I asked the IT Officer to allow some IP addresses for a game I play, but he hasn't got round to it.
Specifics:
What is needed:

Patch Application:
A TCP connection is initiated from the player's PC (using ports numbered >1023) to patch.everquest.com, port 7000. There are multiple IP addresses for the patch.everquest.com clusters, and they may change as the network demands, so check often using a DNS lookup tool if you provide a specific firewall rule for patching.
EverQuest client:
UDP datagrams are sent to/from the player's PC (using ports numbered >1023) from/to the EverQuest servers (using ports numbered >1023). Additionally, ICMP Unreachables (ICMP type 3) are sent to/from the player's PC from/to the EverQuest servers.
The EverQuest server IP addresses are on the subnets:
64.37.148.*, 64.37.156.*, 195.33.133.*, 199.108.3.*, 199.108.4*, 199.108.5*, 199.108.9*, 199.108.15*
Please note that EverQuest opens a random UDP data port from the player's PC every time EverQuest is run. Thus, the need to have all ports >1023 available.

I first suggested:
Code:
iptables -A INPUT -i inside ip address -d 0/0 -j ACCEPT

but this would allow everyone in my subnet access to any outside computer, and even though we sign an agreement not to access things we're not supposed to, this was not an acceptable solution.

He gave me an example based on some rules he already had:
Code:
/sbin/iptables -t filter -A outbound-unpriv-external-udp -p udp -d 64.37.148.0/24 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A inbound-unpriv-external-udp -p udp -s 64.37.148.?? --sport 1024:65535 --dport 1024:65535 -j ACCEPT

from which I then deduced that for the above I would need:
Code:
/sbin/iptables -t filter -A outbound-unpriv-external-udp -p udp -d 64.37.148.0/24 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A inbound-unpriv-external-udp -p udp -s 64.37.148.0/24 --sport 1024:65535 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A outbound-unpriv-external-udp -p udp -d 64.37.156.0/24 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A inbound-unpriv-external-udp -p udp -s 64.37.156.0/24 --sport 1024:65535 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A outbound-unpriv-external-udp -p udp -d 195.33.133.0/24 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A inbound-unpriv-external-udp -p udp -s 194.33.133.0/24 --sport 1024:65535 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A outbound-unpriv-external-udp -p udp -d 199.108.3.0/24 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A inbound-unpriv-external-udp -p udp -s 199.108.3.0/24 --sport 1024:65535 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A outbound-unpriv-external-udp -p udp -d 199.108.0.0/16 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A inbound-unpriv-external-udp -p udp -s 199.108.0.0/16 --sport 1024:65535 --dport 1024:65535 -j ACCEPT

However, this doesn't seem to work.

Someone has suggested these alternatives, but I would be very grateful if people here would let me have any suggestions before I pass them on to the IT Officer again, since I suspect he'll get tired of me before long:
Code:
# Rules for the internet
# Rules for Everquest
# patch server
$IPTABLES -A FORWARD -p tcp -d 64.37.0.0/16 --dport 7000 -m state --state NEW,ESTABLISHED,RELATED -o $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 64.37.0.0/16 --sport 7000 -m state --state ESTABLISHED,RELATED -i $EXT_IF -j ACCEPT
# World-Server
# ACCEPT-Rules
$IPTABLES -A FORWARD -p udp -d 64.37.148.0/22 --dport 1023:65535 -m state --state NEW,ESTABLISHED,RELATED -o $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 64.37.148.0/22 --sport 1023:65535 -m state --state ESTABLISHED,RELATED -i $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 64.37.156.0/23 --dport 1023:65535 -m state --state NEW,ESTABLISHED,RELATED -o $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 64.37.156.0/23 --sport 1023:65535 -m state --state ESTABLISHED,RELATED -i $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 64.241.40.0/22 --dport 1023:65535 -m state --state NEW,ESTABLISHED,RELATED -o $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 64.241.40.0/22 --sport 1023:65535 -m state --state ESTABLISHED,RELATED -i $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 195.33.132.0/24 --dport 1023:65535 -m state --state NEW,ESTABLISHED,RELATED -o $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 195.33.132.0/24 --sport 1023:65535 -m state --state ESTABLISHED,RELATED -i $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 195.33.108.0/24 --dport 1023:65535 -m state --state NEW,ESTABLISHED,RELATED -o $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 195.33.108.0/24 --sport 1023:65535 -m state --state ESTABLISHED,RELATED -i $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 199.108.1.0/24 --sport 1023:65535 -m state --state ESTABLISHED,RELATED -i $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 199.108.1.0/24 --sport 1023:65535 -m state --state NEW,ESTABLISHED,RELATED -o $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 199.108.2.0/24 --sport 1023:65535 -m state --state ESTABLISHED,RELATED -i $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 199.108.2.0/24 --sport 1023:65535 -m state --state NEW,ESTABLISHED,RELATED -o $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 199.108.3.0/24 --sport 1023:65535 -m state --state ESTABLISHED,RELATED -i $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 199.108.3.0/24 --sport 1023:65535 -m state --state NEW,ESTABLISHED,RELATED -o $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 199.108.4.0/24 --sport 1023:65535 -m state --state ESTABLISHED,RELATED -i $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 199.108.4.0/24 --sport 1023:65535 -m state --state NEW,ESTABLISHED,RELATED -o $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 199.108.5.0/24 --sport 1023:65535 -m state --state ESTABLISHED,RELATED -i $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 199.108.5.0/24 --sport 1023:65535 -m state --state NEW,ESTABLISHED,RELATED -o $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 199.108.9.0/24 --sport 1023:65535 -m state --state ESTABLISHED,RELATED -i $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 199.108.9.0/24 --sport 1023:65535 -m state --state NEW,ESTABLISHED,RELATED -o $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 199.108.13.0/24 --sport 1023:65535 -m state --state ESTABLISHED,RELATED -i $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 199.108.13.0/24 --sport 1023:65535 -m state --state NEW,ESTABLISHED,RELATED -o $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 199.108.15.0/24 --sport 1023:65535 -m state --state ESTABLISHED,RELATED -i $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 199.108.15.0/24 --sport 1023:65535 -m state --state NEW,ESTABLISHED,RELATED -o $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 199.108.9.0/24 --sport 1023:65535 -m state --state ESTABLISHED,RELATED -i $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 199.108.9.0/24 --sport 1023:65535 -m state --state NEW,ESTABLISHED,RELATED -o $EXT_IF -j ACCEPT
# ICMP for EQ
$IPTABLES -A FORWARD -d 64.37.148.0/22 -o $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -s 64.37.148.0/22 -i $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -d 64.37.156.0/23 -o $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -s 64.37.148.0/22 -i $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -d 64.241.40.0/22 -o $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -s 64.241.40.0/22 -i $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -d 195.33.132.0/24 -o $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -s 195.33.132.0/24 -i $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -d 195.33.108.0/24 -o $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -s 195.33.108.0/24 -i $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -d 195.108.1.0/24 -o $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -s 195.108.1.0/24 -i $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -d 195.108.2.0/24 -o $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -s 195.108.2.0/24 -i $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -d 195.108.3.0/24 -o $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -s 195.108.3.0/24 -i $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -d 195.108.4.0/24 -o $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -s 195.108.4.0/24 -i $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -d 195.108.5.0/24 -o $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -s 195.108.5.0/24 -i $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -d 195.108.13.0/24 -o $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -s 195.108.13.0/24 -i $EXT_IF -p icmp --icmp-type 3 -j ACCEPT

In your (expert, certainly compared to me!) opinions, would these above things work? I'm a little worried since they look different to the way the IT Officer's example did... and my knowledge of Linux isn't good enough to tell if it's all the same.
Apologies for the dense questions, any feedback is greatly appreciated.
- Kristina
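Before handing rule sets like the ones above to an admin, it is worth checking mechanically that every outbound allow has a matching inbound rule for the replies and that the port match sits on the right side. The script below is an added example, not code from the thread: it parses iptables command lines and reports unmatched or oddly matched pairs. The sample rules are constructed from the post (including the inbound rule written with 194.33.133.0/24 where the outbound rule says 195.33.133.0/24, and a -d rule that matches --sport only); placeholder addresses such as 64.37.148.?? must be filled in before the check.

```python
import shlex
import ipaddress

# iptables options we care about and the field name each maps to
OPTS = {"-A": "chain", "-p": "proto", "-s": "src", "-d": "dst",
        "--sport": "sport", "--dport": "dport", "-i": "in", "-o": "out", "-j": "target"}

def parse_rule(line):
    """Extract chain, protocol, addresses and ports from one iptables command line."""
    toks = shlex.split(line)            # $IPTABLES / $EXT_IF stay literal, which is fine here
    rule, i = {"raw": line.strip()}, 0
    while i < len(toks):
        if toks[i] in OPTS and i + 1 < len(toks):
            rule[OPTS[toks[i]]] = toks[i + 1]
            i += 2
        else:
            i += 1
    for key in ("src", "dst"):          # normalise so 64.37.148.0/24 == 64.37.148.1/24
        if key in rule:
            rule[key] = ipaddress.ip_network(rule[key], strict=False)
    return rule

def check_pairs(lines):
    """Return findings: outbound rules with no reply rule, inbound rules with no
    outbound twin (usually a typo), and -d rules that match --sport instead of --dport."""
    rules = [parse_rule(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]
    outbound = [r for r in rules if "dst" in r and "src" not in r]   # towards the game servers
    inbound = [r for r in rules if "src" in r and "dst" not in r]    # replies coming back
    findings = []
    for o in outbound:
        if "sport" in o and "dport" not in o:
            findings.append(f"outbound rule to {o['dst']} matches --sport only; "
                            "the client's port is the source, so --dport was probably meant")
        if not any(i.get("proto") == o.get("proto") and i["src"] == o["dst"] for i in inbound):
            findings.append(f"no inbound rule for replies from {o['dst']} ({o.get('proto')})")
    for i in inbound:
        if not any(o.get("proto") == i.get("proto") and o["dst"] == i["src"] for o in outbound):
            findings.append(f"inbound rule from {i['src']} has no outbound counterpart (typo?)")
    return findings

# Constructed sample taken from the rules in the post above
SAMPLE_RULES = """
/sbin/iptables -t filter -A outbound-unpriv-external-udp -p udp -d 64.37.148.0/24 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A inbound-unpriv-external-udp -p udp -s 64.37.148.0/24 --sport 1024:65535 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A outbound-unpriv-external-udp -p udp -d 195.33.133.0/24 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A inbound-unpriv-external-udp -p udp -s 194.33.133.0/24 --sport 1024:65535 --dport 1024:65535 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 199.108.1.0/24 --sport 1023:65535 -m state --state ESTABLISHED,RELATED -i $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 199.108.1.0/24 --sport 1023:65535 -m state --state NEW,ESTABLISHED,RELATED -o $EXT_IF -j ACCEPT
""".strip().splitlines()

if __name__ == "__main__":
    for finding in check_pairs(SAMPLE_RULES):
        print("WARNING:", finding)
```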
- 11-12-2004 #2
- Linux Guru
- Join Date: Oct 2001
- Location: Täby, Sweden
- Posts: 7,578
All that stateful matching seems like quite a waste to me. In fact, I cannot see anything wrong with the second block you suggested -- that is, this:
Code:
/sbin/iptables -t filter -A outbound-unpriv-external-udp -p udp -d 64.37.148.0/24 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A inbound-unpriv-external-udp -p udp -s 64.37.148.0/24 --sport 1024:65535 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A outbound-unpriv-external-udp -p udp -d 64.37.156.0/24 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A inbound-unpriv-external-udp -p udp -s 64.37.156.0/24 --sport 1024:65535 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A outbound-unpriv-external-udp -p udp -d 195.33.133.0/24 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A inbound-unpriv-external-udp -p udp -s 194.33.133.0/24 --sport 1024:65535 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A outbound-unpriv-external-udp -p udp -d 199.108.3.0/24 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A inbound-unpriv-external-udp -p udp -s 199.108.3.0/24 --sport 1024:65535 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A outbound-unpriv-external-udp -p udp -d 199.108.0.0/16 --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -A inbound-unpriv-external-udp -p udp -s 199.108.0.0/16 --sport 1024:65535 --dport 1024:65535 -j ACCEPT

In my opinion, that should work providing that the packets reach the {out,in}bound-unpriv-external-udp chains. Maybe the problem is that it doesn't let the patch connection through? Or maybe your IT Officer isn't so sure about his own rules, and the packets never get to the {out,in}bound-unpriv-external-udp chains?
Where does the game fail? Is it when it wants to check the patch server, or when it checks the world server? Maybe you ought to run a packet capture program to see where your computer tries to send packets, and see if they really do match the rules, or if, by any chance, there are more necessary rules?
As for the ICMP rules -- are they really necessary? ICMP should be let through in either case, so if your IT Officer doesn't already do that, he should, or he'd be breaking lots of RFCs.
On a side note, I really hate it when IT Officers do stuff like that... the Internet wouldn't be what it is if you didn't get the freedom to communicate freely over it. You should try having a philosophical discussion with him and draw him out of that madness.
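The two hypotheses above (the packets never reach the custom chains, or they reach them and match nothing) can both be read off the firewall's own counters without a packet capture. The script below is an added example, not something from the thread: it parses the output of `iptables -t filter -nvxL` and flags chains with zero references, rules that never matched a packet, and packets dropped by a chain's policy. The listing it runs on is constructed, and the chain names and the eth0 interface in it are assumptions.

```python
import re

# "Chain FORWARD (policy DROP 412 packets, 31024 bytes)"  or  "Chain foo (0 references)"
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\d+) packets|(\d+) references)")
PROTOS = {"tcp", "udp", "icmp", "all"}

def diagnose(listing):
    """Parse `iptables -t filter -nvxL` output. Returns chains nothing jumps to,
    rules whose packet counter is still zero, and per-chain policy drop counts."""
    report = {"unreferenced_chains": [], "unused_rules": [], "policy_drops": {}}
    chain = None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            if m.group(2) == "DROP":                     # built-in chain with a DROP policy
                report["policy_drops"][chain] = int(m.group(3))
            if m.group(4) == "0":                        # user chain no rule ever jumps to
                report["unreferenced_chains"].append(chain)
            continue
        toks = line.split()
        if chain is None or not toks or not toks[0].isdigit():
            continue                                     # column header or blank line
        if toks[2] in PROTOS:                            # rule with no target: columns shift left
            toks.insert(2, "-")
        # columns: pkts bytes target prot opt in out source destination [match details]
        pkts, target, proto, dst = int(toks[0]), toks[2], toks[3], toks[8]
        if pkts == 0:
            report["unused_rules"].append((chain, target, proto, dst, " ".join(toks[9:])))
    return report

# Constructed listing in the -nvxL format; not captured from the poster's firewall.
SAMPLE_LISTING = """\
Chain FORWARD (policy DROP 412 packets, 31024 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120     9600 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            64.37.0.0/16         tcp dpt:7000 state NEW,RELATED,ESTABLISHED
       0        0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            195.33.133.0/24      udp dpts:1024:65535

Chain outbound-unpriv-external-udp (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            64.37.148.0/24       udp dpts:1024:65535
"""

if __name__ == "__main__":
    r = diagnose(SAMPLE_LISTING)
    print("chains nothing jumps to:", r["unreferenced_chains"])
    print("rules never hit:", r["unused_rules"])
    print("policy drops:", r["policy_drops"])
```

A user chain with 0 references is never consulted no matter what rules it holds, which is the second scenario the reply describes.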

