iptables & hlds

duvelduvel Join Date: 2004-02-09 Member: 26318Members, Constellation, Reinforced - Shadow
can't add master servers

hi folks!

first of all thanks to Vadakill for the FAQ! :)

I'm trying to run a NS-hlds on a linux box, hlds is running fine but I still
have a problem with my iptables script.
If the script is down the hlds is visible in the steam server list.
The hlds is running on the firewall, not on a 2nd machine behind it.

It seems to have trouble adding the master servers and I'm out of ideas.

I did not run any server since TFC like 8-9 years ago so forgive me if I miss something :)

THE PORTS:

TCP/UDP - INPUT/OUTPUT : PORT 1200 > STEAM
TCP/UDP - INPUT/OUTPUT : PORT 1723 > PROTOCOL 47
TCP/UDP - INPUT/OUTPUT : PORT 6003 > HL1
TCP/UDP - INPUT/OUTPUT : PORT 7001 > HL1
TCP/UDP - INPUT/OUTPUT : PORT 7002 > HLDS
TCP/UDP - INPUT/OUTPUT : PORT 27005:27050 > HL1

THE OUTPUT:

Auto detecting CPU
Using Pentium II Optimised binary.
Auto-restarting the server on crash

Console initialized.
scandir failed:/home/hlds/hlds_l/./platform/SAVE
Protocol version 47
Exe version 1.1.2.0/Stdio (valve)
Exe build: 20:02:49 Oct 24 2006 (3651)
STEAM Auth Server
couldn't exec language.cfg
Server IP address 88.147.20.54:27015
scandir failed:/home/hlds/hlds_l/./platform/SAVE

No masters loaded
Using default master
Connection to Steam servers successful.
VAC secure mode is activated.

(don't mind the other errors, it's beta since today :) )

Comments

  • duvelduvel Join Date: 2004-02-09 Member: 26318Members, Constellation, Reinforced - Shadow
    After restarting the hlds multiple times I filtered this out, so it seems the hlds is cycling
    from random port to port trying to add the master servers from 1 to 9 (177.11 > 177.19)

    tcp 0 1 88.147.10.62:42026 207.173.177.11:27030 SYN_SENT 3905/hlds_i686
    tcp 0 1 88.147.10.62:42030 207.173.177.11:27030 SYN_SENT 3952/hlds_i686
    tcp 0 1 88.147.10.62:42032 207.173.177.11:27030 SYN_SENT 3971/hlds_i686
    tcp 0 1 88.147.10.62:35775 207.173.177.11:27030 SYN_SENT 3992/hlds_i686
    tcp 0 1 88.147.10.62:35777 207.173.177.11:27030 SYN_SENT 4020/hlds_i686
    tcp 0 1 88.147.10.62:35779 207.173.177.11:27030 SYN_SENT 4042/hlds_i686
    tcp 0 1 88.147.10.62:41993 207.173.177.11:27030 SYN_SENT 4070/hlds_i686
    tcp 0 1 88.147.10.62:41995 207.173.177.11:27030 SYN_SENT 4085/hlds_i686
    tcp 0 1 88.147.10.62:54915 207.173.177.11:27030 SYN_SENT 4123/hlds_i686
    tcp 0 1 88.147.10.62:54917 207.173.177.11:27030 SYN_SENT 4140/hlds_i686
    tcp 0 1 88.147.10.62:54919 207.173.177.11:27030 SYN_SENT 4165/hlds_i686
    tcp 0 1 88.147.10.62:57776 207.173.177.11:27030 SYN_SENT 4186/hlds_i686
    tcp 0 1 88.147.10.62:57778 207.173.177.11:27030 SYN_SENT 4208/hlds_i686
    tcp 0 1 88.147.10.62:57780 207.173.177.11:27030 SYN_SENT 4227/hlds_i686
    tcp 0 1 88.147.10.62:57782 207.173.177.11:27030 SYN_SENT 4249/hlds_i686
    tcp 0 1 88.147.10.62:37020 207.173.177.11:27030 SYN_SENT 4268/hlds_i686
    tcp 0 1 88.147.10.62:37024 207.173.177.11:27030 SYN_SENT 4303/hlds_i686

    Does anyone know how I can force hlds's port range?

    If not, well, tnx anyway :)
  • duvelduvel Join Date: 2004-02-09 Member: 26318Members, Constellation, Reinforced - Shadow
    I added these protocols to my (homemade-household) script, those are the servers
    that were blocked at incoming/outgoing requests, like everything else from da internet.
    I don’t know and did not find any other servers, and those I found I barely know
    what they do or serve for.

    This has nothing to do with opening ports for/or packet forwarding to your client pc running steam or a half-life game, it’s only for packet traffic from and to generated by the firewall/server that is running
    hlds with an iptables script.

    Dunno if there are errors in it but it works for me, someone plz correct me then!
    I hope it’s of some use to others :)

    After flushing the chains and allowing internal traffic it’s best to place the following commands
    on top of your script.

    # ADDING STEAM1.STEAMPOWERED.COM > STEAM9.STEAMPOWERED.COM (x9)
    iptables -A INPUT -i $INETDEV -s 207.173.177.11 -d 0/0 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -o $INETDEV -s 0/0 -d 207.173.177.11 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -i $INETDEV -s 207.173.177.12 -d 0/0 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -o $INETDEV -s 0/0 -d 207.173.177.12 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -i $INETDEV -s 207.173.177.13 -d 0/0 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -o $INETDEV -s 0/0 -d 207.173.177.13 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -i $INETDEV -s 207.173.177.14 -d 0/0 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -o $INETDEV -s 0/0 -d 207.173.177.14 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -i $INETDEV -s 207.173.177.15 -d 0/0 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -o $INETDEV -s 0/0 -d 207.173.177.15 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -i $INETDEV -s 207.173.177.16 -d 0/0 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -o $INETDEV -s 0/0 -d 207.173.177.16 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -i $INETDEV -s 207.173.177.17 -d 0/0 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -o $INETDEV -s 0/0 -d 207.173.177.17 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -i $INETDEV -s 207.173.177.18 -d 0/0 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -o $INETDEV -s 0/0 -d 207.173.177.18 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -i $INETDEV -s 207.173.177.19 -d 0/0 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -o $INETDEV -s 0/0 -d 207.173.177.19 -p tcp --dport 1024:65535 -j ACCEPT

    # STEAM BOOTSTRAPPER (1 ?)
    iptables -A INPUT -i $INETDEV -s 69.28.151.178 -d 0/0 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -o $INETDEV -s 0/0 -d 69.28.151.178 -p tcp --dport 1024:65535 -j ACCEPT

    # STEAM UPDATE SERVER (1 ?)
    iptables -A INPUT -i $INETDEV -s 91.121.114.54 -d 0/0 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -o $INETDEV -s 0/0 -d 91.121.114.54 -p tcp --dport 1024:65535 -j ACCEPT

    # STEAM MASTER SERVERS (x3 ?)
    iptables -A INPUT -i $INETDEV -s 68.142.72.250 -d 0/0 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -o $INETDEV -s 0/0 -d 68.142.72.250 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -i $INETDEV -s 69.28.151.162 -d 0/0 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -o $INETDEV -s 0/0 -d 69.28.151.162 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -i $INETDEV -s 72.165.61.189 -d 0/0 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -o $INETDEV -s 0/0 -d 72.165.61.189 -p tcp --dport 1024:65535 -j ACCEPT

    grtz
  • duvelduvel Join Date: 2004-02-09 Member: 26318Members, Constellation, Reinforced - Shadow
    edited September 2008
    added:

    # auth2.valvesoftware.com
    207.173.176.161

    # steam.verygames.net
    91.121.114.54

    # some valve updaters
    79.141.163.3
    79.141.163.2
    193.34.49.6
    79.141.167.4
    69.28.153.82

    Own server kicks me after 5 seconds with 'Error verifying STEAM UserID Ticket(server was
    unable to contact the authentication server)'
    I had this problem before, must be something with the nat routing...
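
The netstat lines in the first comment show hlds leaving from a different ephemeral source port on each attempt while the destination stays at tcp/27030, so the firewall can match on destination and connection state rather than on a forced source-port range. The script below is an added example, not part of the thread: it prints a stateful alternative to the per-IP INPUT/OUTPUT pairs for the steam1..steam9 addresses. `steam_rules` and `is_ipv4` are hypothetical helper names, the `eth0` default for `$INETDEV` is an assumption, and port 27030 is taken from the netstat output.

```shell
#!/bin/sh
# Added example (not from the thread). steam_rules and is_ipv4 are hypothetical
# helper names; tcp/27030 is the destination port seen in the netstat lines.
STEAM_PORT=27030

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# steam_rules DEV IP...: print the rules; exit status 1 if any address was rejected
steam_rules() {
    dev=$1; shift
    rc=0
    # Replies to connections this host opened, whatever source port hlds picked
    echo "iptables -A INPUT -i $dev -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    for ip in "$@"; do
        if is_ipv4 "$ip"; then
            # Outbound only, one destination port, instead of --dport 1024:65535
            echo "iptables -A OUTPUT -o $dev -d $ip -p tcp --dport $STEAM_PORT" \
                 "-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
        else
            echo "skipping invalid address: $ip" >&2
            rc=1
        fi
    done
    return "$rc"
}

# The nine addresses the post lists for steam1..steam9 (207.173.177.11-19)
ips=""
i=11
while [ "$i" -le 19 ]; do
    ips="$ips 207.173.177.$i"
    i=$((i + 1))
done
steam_rules "${INETDEV:-eth0}" $ips
```

The function prints the commands instead of running them, so the rule set can be reviewed before it is applied as root.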