Support::Linux Servers (Support forum for Linux EQEMu users)
04-03-2011, 10:03 AM
Fire Beetle (Join Date: Jun 2004, Posts: 18)
Setting up Linux server... what ports to open?
I have the server running on a remote Linux host, and I can see it in the server select; however, when I try to connect to it, the client just hangs and no connection is made to world. If I shut down my iptables, though, I can connect.
Note that I am running the world server on port 20900. Any help would be appreciated.

04-03-2011, 02:46 PM
Discordant (Join Date: Sep 2009, Posts: 269)
What does your iptables script look like?
It is likely that your default policy is to deny, in which case you would need to add exceptions before the deny rule for applicable tables.
-I INPUT -p tcp --dport 20900 -j ACCEPT

04-03-2011, 03:10 PM
Fire Beetle (Join Date: Jun 2004, Posts: 18)
I have these added:
-A INPUT -p tcp --dport 20900 -j ACCEPT
-A INPUT -p udp --dport 20900 -j ACCEPT
-A INPUT -p tcp --dport 5998 -j ACCEPT
-A INPUT -p tcp --dport 5999 -j ACCEPT
-A INPUT -p udp --dport 5998 -j ACCEPT
-A INPUT -p udp --dport 5999 -j ACCEPT
I haven't setup the zone stuff yet.

04-03-2011, 05:50 PM
Discordant (Join Date: Sep 2009, Posts: 269)
Well, if it works when you shut off iptables, you have your culprit.
You may also need to add allowances for your output and (maybe?) forward chains, depending on their default policies.

04-03-2011, 07:43 PM
Fire Beetle (Join Date: Jun 2004, Posts: 18)
Sorry if I do not understand... but well, I don't understand what you mean.
I realize the culprit is that I must not be setting up the firewall right, due to the fact that if I turn it off, it works. As long as there are no other ports involved, I will have to continue to dig.

04-03-2011, 08:30 PM
Discordant (Join Date: Sep 2009, Posts: 269)
To add accept rules for the other chains you would put in lines similar to the input rules.
-A INPUT -p tcp --dport 20900 -j ACCEPT
-A OUTPUT -p tcp --dport 20900 -j ACCEPT
-A FORWARD -p tcp --dport 20900 -j ACCEPT
If the firewall is doing NAT this gets more complicated.
Can you post your firewall script?

04-04-2011, 07:57 PM
Fire Beetle (Join Date: Jun 2004, Posts: 18)
This is what I have:
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8000 -j ACCEPT
# EQEMU
-A INPUT -p tcp --dport 20900 -j ACCEPT
-A INPUT -p udp --dport 20900 -j ACCEPT
-A INPUT -p tcp --dport 5998 -j ACCEPT
-A INPUT -p tcp --dport 5999 -j ACCEPT
-A INPUT -p udp --dport 5998 -j ACCEPT
-A INPUT -p udp --dport 5999 -j ACCEPT
# Allows SSH connections
#
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

04-05-2011, 09:46 AM
Discordant (Join Date: Sep 2009, Posts: 269)
I'm not at a point where I can do a lot of testing right now, but there are a couple of things you can try.
Your
-A FORWARD -j REJECT
line probably isn't doing anything without NAT, but you might comment that out or set your action to ACCEPT and reload the firewall to see if it makes a difference.
It also looks like you're logging rejected requests. You could try logging in to the server and then grepping your logs for 'iptables denied'.

04-05-2011, 10:07 AM
Fire Beetle (Join Date: Jun 2004, Posts: 18)
I did try checking /var/log/messages for anything, but nothing was in there. Is that the proper log file?
I am working now so I will have to try changing the firewall later tonight to see if it worked.
Thanks

04-05-2011, 12:01 PM
Discordant (Join Date: Sep 2009, Posts: 269)
Log level 7 is debug, so it is most likely /var/log/debug.
When in doubt, grep [-r] iptables /var/log/*

04-05-2011, 12:51 PM
Fire Beetle (Join Date: Jun 2004, Posts: 18)
Interestingly, I do not have a /var/log/debug.
I tried grepping all files in /var/log for iptable and got nothing.
Not quite sure where it's logging this stuff.
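Two things in the script posted above are worth checking mechanically rather than by eye, and the exchange about the missing log lines has a concrete cause: the LOG rule uses `--log-level 7` (debug), and the stock CentOS 5 syslog.conf routes kernel messages to /var/log/messages with a `*.info` selector, which records priority 6 and higher only, so level-7 hits are discarded before they reach any file. The audit script below is an added example and is not code from the original posts or from EQEMu. POSTED_RULESET is a copy of the script above with a COMMIT line appended (iptables-restore requires it); MISORDERED_RULESET is a constructed variant in which the EQEMU rules were appended after the final REJECT, the "exceptions after the deny rule" mistake mentioned earlier in the thread. The syslog threshold of `info` is an assumption about the host's syslog config.

```python
"""Audit an iptables-restore ruleset: accept rules shadowed by an earlier
catch-all deny, LOG rules the syslog daemon will never write, and the set
of publicly open ports. Added example, not code from the thread or EQEMu."""
import shlex

HEAD = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8000 -j ACCEPT
"""
EQEMU = """\
-A INPUT -p tcp --dport 20900 -j ACCEPT
-A INPUT -p udp --dport 20900 -j ACCEPT
-A INPUT -p tcp --dport 5998 -j ACCEPT
-A INPUT -p tcp --dport 5999 -j ACCEPT
-A INPUT -p udp --dport 5998 -j ACCEPT
-A INPUT -p udp --dport 5999 -j ACCEPT
"""
TAIL = """\
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
"""
POSTED_RULESET = HEAD + EQEMU + TAIL                     # copy of the posted script
MISORDERED_RULESET = HEAD + TAIL.replace(                # constructed: EQEMU rules after the deny
    "-A INPUT -j REJECT\n", "-A INPUT -j REJECT\n" + EQEMU)

SYSLOG_LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                 "warning": 4, "notice": 5, "info": 6, "debug": 7}
TERMINAL_DENY = {"DROP", "REJECT"}
NON_MATCH_OPTS = {"-A", "-j", "--reject-with", "--log-prefix", "--log-level"}

def parse_rules(text):
    """Parse '-A CHAIN ...' lines from iptables-save/restore text into dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue                       # *table, :CHAIN policy, COMMIT, comments
        toks, opts, i = shlex.split(line), {}, 0
        while i < len(toks):
            if toks[i] == "!":             # negation still counts as a match option
                i += 1
                continue
            if toks[i].startswith("-"):
                has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
                opts[toks[i]] = toks[i + 1] if has_val else None
                i += 2 if has_val else 1
            else:
                i += 1
        rules.append({"chain": opts.get("-A"), "target": opts.get("-j"),
                      "proto": opts.get("-p"), "dport": opts.get("--dport"),
                      "opts": opts, "raw": line})
    return rules

def shadowed_rules(rules):
    """Indices of rules that can never match: an unconditional DROP/REJECT
    earlier in the same chain already swallowed every packet."""
    closed, out = set(), []
    for idx, r in enumerate(rules):
        if r["chain"] in closed:
            out.append(idx)
        elif r["target"] in TERMINAL_DENY and all(k in NON_MATCH_OPTS for k in r["opts"]):
            closed.add(r["chain"])
    return out

def silently_dropped_log_rules(rules, syslog_selector_level="info"):
    """LOG rules whose --log-level is a lower priority than the syslog
    selector records (a '*.info' selector keeps levels 0..6, drops 7)."""
    threshold, out = SYSLOG_LEVELS[syslog_selector_level], []
    for r in rules:
        if r["target"] != "LOG":
            continue
        lvl = r["opts"].get("--log-level") or "warning"   # iptables LOG default
        if (int(lvl) if lvl.isdigit() else SYSLOG_LEVELS[lvl]) > threshold:
            out.append(r["raw"])
    return out

def open_input_ports(rules):
    """(proto, dport) accepted in INPUT from any source, ignoring shadowed rules."""
    dead = set(shadowed_rules(rules))
    return {(r["proto"], r["dport"]) for i, r in enumerate(rules)
            if i not in dead and r["chain"] == "INPUT" and r["target"] == "ACCEPT"
            and r["dport"] and "-s" not in r["opts"]}

if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULESET), ("misordered", MISORDERED_RULESET)):
        rules = parse_rules(text)
        print(name, "shadowed:", [rules[i]["raw"] for i in shadowed_rules(rules)])
        print(name, "unlogged LOG rules:", silently_dropped_log_rules(rules))
        print(name, "open:", sorted(open_input_ports(rules)))
```

To run it against a live host, pipe `iptables-save` output into `parse_rules` instead of the embedded text. The fix for the logging problem is either `--log-level 4` (warning) on the LOG rule, or a `kern.debug` line in syslog.conf pointing at a file of your choice; `dmesg` also shows the raw kernel messages regardless of syslog configuration.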

06-06-2011, 10:48 PM
Developer (Join Date: Mar 2003, Posts: 1,497)
More on ports...
Well, got around to setting up a Linux server remotely again on CentOS 5. Just need a little help understanding the ports and Linux firewall. Most likely I am just too newb for this part. I am good with doing a Windoze setup.
The situation:
CentOS 5.6 with WHM/cPanel interface (still have full root access and use PuTTY to run everything remotely)
Dedicated server using shared ip 66.x.x.x on eth0
Dedicated ip address for this eq server account 205.x.x.x on eth4
Opened up INPUT/OUTPUT to 9000 tcp and 7000:7005 udp in iptables
Using the eqemulator.net:5998 world server
Basically, I am not getting any inbound connections. The server shows up on the list just fine. If I leave the address blank in the config, world server reports my 66.x.x.x address. So I forced my 205.x.x.x ip address, nothing changed. The dynamic and static zones boot up fine using the 205.x.x.x ip address with the proper ports (7000:7005).
Any ideas on how I am not understanding my setup and what I should look for next? Possible that logging in as root forces use of the main server ip address even though I'm logged in to SSH using the 205.x.x.x address? Should I be looking at FORWARD options? I wasn't sure about forward because using INPUT/OUTPUT allowed the world server to connect.
All ideas welcomed and appreciated!

06-06-2011, 10:52 PM
Dragon (Join Date: May 2010, Posts: 966)
On my Windows server, the Windows firewall is off, and my router only has UDP ports forwarded, not TCP 9000.
Well, by router I mean ClearOS firewall/router/webserver.

06-07-2011, 12:27 AM
Developer (Join Date: Mar 2003, Posts: 1,497)
Interesting. I thought I had only tcp on my windows setup. Perhaps I did both ... I'll have to look at that again. So I have tcp/udp entries for in/out on 9000 and zones now. Seems to be operational now. Thanks!

06-07-2011, 08:34 AM
Demi-God (Join Date: Jan 2002, Posts: 1,290)
Just to let you know, the TCP communication is only used between the loginserver <- world <- zone (communication is set up this way between the different server exe's).
UDP is the only requirement for clients connecting to any of these servers.
It is just good to note this because when you open up TCP you leave your server communications vulnerable: if someone figured out your zspassword they could connect and do nasty stuff.
__________________
www.eq2emu.com
EQ2Emu Developer
Former EQEMu Developer / GuildWars / Zek Seasons Servers
Member of the "I hate devn00b" club.
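Following the point in the post above (clients need UDP only; TCP is server-to-server), a ruleset can expose the UDP client ports publicly and keep the TCP ports off the Internet entirely. The generator below is an added example, not EQEMu project code. It assumes the direction described above: world connects out to the login server (so OUTPUT ACCEPT plus the ESTABLISHED,RELATED rule covers it) and zones on the same host reach world over loopback, so no public TCP rule is needed at all; the `tcp_server_ports`/`trusted_peers` parameters cover a zone server on a separate host, and the peer address used in the example is a placeholder. Port numbers follow the thread (UDP 7000:7005 for zones, TCP 9000 for world).

```python
"""Emit an iptables-restore ruleset for an EQEMu host: UDP client ports open
to the world, inter-server TCP ports reachable only from named peers.
Added example, not EQEMu project code; peer addresses are placeholders."""

def build_ruleset(udp_client_ports, tcp_server_ports, trusted_peers, ssh_port=22):
    """Return iptables-restore text. Everything not explicitly allowed is
    logged (rate-limited) and rejected."""
    lines = [
        "*filter",
        # DROP policies are the safety net if the final REJECT rule is ever removed
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",                       # zones on this host talk to world here
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m state --state INVALID -j DROP",
        f"-A INPUT -p tcp -m state --state NEW --dport {ssh_port} -j ACCEPT",
        "-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT",
    ]
    for port in udp_client_ports:                         # game clients: UDP only
        lines.append(f"-A INPUT -p udp --dport {port} -j ACCEPT")
    for port in tcp_server_ports:                         # server-to-server: never from 0.0.0.0/0
        for peer in trusted_peers:
            lines.append(f"-A INPUT -p tcp -s {peer} -m state --state NEW --dport {port} -j ACCEPT")
    lines += [
        # level 4 (warning) is recorded by a stock '*.info' syslog selector; level 7 is not
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 4',
        "-A INPUT -j REJECT --reject-with icmp-port-unreachable",
        "COMMIT",
    ]
    return "\n".join(lines) + "\n"

def publicly_open_tcp_ports(ruleset):
    """Sanity check on the generated text: TCP dports accepted with no -s source."""
    found = set()
    for line in ruleset.splitlines():
        if (line.startswith("-A INPUT") and "-p tcp" in line
                and line.endswith("-j ACCEPT") and " -s " not in line):
            found.add(line.split("--dport ")[1].split()[0])
    return found

if __name__ == "__main__":
    text = build_ruleset(
        udp_client_ports=["7000:7005"],
        tcp_server_ports=[9000],
        trusted_peers=["198.51.100.10"],   # placeholder: a zone server on another host
    )
    print(text, end="")
    print("# publicly reachable TCP:", sorted(publicly_open_tcp_ports(text)))
```

Write the output to a file and load it with `iptables-restore < rules`; on CentOS 5, `service iptables save` then persists the running rules to /etc/sysconfig/iptables. If you run a local login server, add its TCP port to `tcp_server_ports` rather than opening it publicly, and add a UDP rule for the port clients use to reach it.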