Iptables rule for rathena


nobukadnezar

Question


  • Group:  Members
  • Topic Count:  35
  • Topics Per Day:  0.01
  • Content Count:  163
  • Reputation:   7
  • Joined:  01/07/12
  • Last Seen:  

Hi folks,

Can anyone help me configure iptables so that it allows login, char, and map to connect?

Thanks,


20 answers to this question


  • Group:  Members
  • Topic Count:  14
  • Topics Per Day:  0.00
  • Content Count:  42
  • Reputation:   0
  • Joined:  02/21/13
  • Last Seen:  

The method provided by Asura is for CentOS 6, as shown below.

/sbin/iptables -A RH-Firewall-1-INPUT -p udp --dport 6900 -m state --state NEW -j ACCEPT
/sbin/iptables -A RH-Firewall-1-INPUT -p udp --dport 5121 -m state --state NEW -j ACCEPT
/sbin/iptables -A RH-Firewall-1-INPUT -p udp --dport 6121 -m state --state NEW -j ACCEPT
/sbin/iptables -A RH-Firewall-1-INPUT -p tcp --dport 6900 -m state --state NEW -j ACCEPT
/sbin/iptables -A RH-Firewall-1-INPUT -p tcp --dport 5121 -m state --state NEW -j ACCEPT
/sbin/iptables -A RH-Firewall-1-INPUT -p tcp --dport 6121 -m state --state NEW -j ACCEPT

For CentOS 7 you have to use these:

Quote

sudo firewall-cmd --permanent --add-port=6900/udp
sudo firewall-cmd --permanent --add-port=5121/udp
sudo firewall-cmd --permanent --add-port=6121/udp
sudo firewall-cmd --permanent --add-port=6900/tcp
sudo firewall-cmd --permanent --add-port=5121/tcp
sudo firewall-cmd --permanent --add-port=6121/tcp

And then reload the firewall

Quote

sudo firewall-cmd --reload



  • Group:  Members
  • Topic Count:  3
  • Topics Per Day:  0.00
  • Content Count:  707
  • Reputation:   168
  • Joined:  01/26/12
  • Last Seen:  

Hi nobukadnezar,

Here it is;

# Allow Ragnarok Online
/sbin/iptables -A INPUT -p udp --dport 6900 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 5121 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 6121 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 6900 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 5121 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 6121 -m state --state NEW -j ACCEPT



  • Group:  Members
  • Topic Count:  35
  • Topics Per Day:  0.01
  • Content Count:  163
  • Reputation:   7
  • Joined:  01/07/12
  • Last Seen:  

I still can't connect, although it was the same port /panic



  • Group:  Members
  • Topic Count:  3
  • Topics Per Day:  0.00
  • Content Count:  707
  • Reputation:   168
  • Joined:  01/26/12
  • Last Seen:  

Hi nobukadnezar,

Show us the error it's giving you.



  • Group:  Members
  • Topic Count:  35
  • Topics Per Day:  0.01
  • Content Count:  163
  • Reputation:   7
  • Joined:  01/07/12
  • Last Seen:  

This is my rule at /etc/sysconfig/iptables

# Generated by iptables-save v1.3.5 on Sat Jul 7 20:29:49 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [161:34821]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p udp -m udp --dport 6900 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 5121 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 6121 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6900 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5121 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6121 -m state --state NEW -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Jul 7 20:29:49 2012

No error, it just can't connect when I start the iptables service.



  • Group:  Members
  • Topic Count:  3
  • Topics Per Day:  0.00
  • Content Count:  707
  • Reputation:   168
  • Joined:  01/26/12
  • Last Seen:  

Hi nobukadnezar,

Try using this...

# Allow Ragnarok Online
/sbin/iptables -A RH-Firewall-1-INPUT -p udp --dport 6900 -m state --state NEW -j ACCEPT
/sbin/iptables -A RH-Firewall-1-INPUT -p udp --dport 5121 -m state --state NEW -j ACCEPT
/sbin/iptables -A RH-Firewall-1-INPUT -p udp --dport 6121 -m state --state NEW -j ACCEPT
/sbin/iptables -A RH-Firewall-1-INPUT -p tcp --dport 6900 -m state --state NEW -j ACCEPT
/sbin/iptables -A RH-Firewall-1-INPUT -p tcp --dport 5121 -m state --state NEW -j ACCEPT
/sbin/iptables -A RH-Firewall-1-INPUT -p tcp --dport 6121 -m state --state NEW -j ACCEPT



  • Group:  Members
  • Topic Count:  35
  • Topics Per Day:  0.01
  • Content Count:  163
  • Reputation:   7
  • Joined:  01/07/12
  • Last Seen:  

Still can't connect.

This is the result of the bash command "iptables -L":

11 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:6900 state NEW
12 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5121 state NEW
13 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:6121 state NEW
14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6900 state NEW
15 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5121 state NEW
16 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6121 state NEW

// Login Server Port (char_athena)
login_port: 6900
// Character Server Port (map_athena)
char_port: 6121
map_port: 5121

Anything wrong?



  • Group:  Members
  • Topic Count:  39
  • Topics Per Day:  0.01
  • Content Count:  196
  • Reputation:   20
  • Joined:  11/20/11
  • Last Seen:  

service iptables stop

for time being :P



  • Group:  Members
  • Topic Count:  35
  • Topics Per Day:  0.01
  • Content Count:  163
  • Reputation:   7
  • Joined:  01/07/12
  • Last Seen:  

Is it risky to leave it off?



  • Group:  Members
  • Topic Count:  3
  • Topics Per Day:  0.00
  • Content Count:  707
  • Reputation:   168
  • Joined:  01/26/12
  • Last Seen:  

Hi nobukadnezar,

Create a new file called 'clear-iptables', and inside this file input the following.

Filename: 'clear-iptables'

#!/bin/sh
# Flush and delete every rule and user chain in the filter, nat and mangle
# tables, then reset the built-in policies to ACCEPT.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

After uploading this file onto your server, go into PuTTY/SSH, 'cd' to the directory where you have uploaded this file and perform the following commands.

chmod +x clear-iptables
./clear-iptables

Now you can safely insert your own rules without previous rules conflicting with your service. Here is an example of the iptables rules a server administrator should use for his RO service, but please note that this will close all ports unless specified.

Filename: 'iptables-policy'

#!/bin/sh
/sbin/iptables -F

# Always allow loopback traffic
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Default deny: anything not explicitly accepted below is dropped
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP

# Allow replies to connections that were already accepted
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow incoming TCP port 22 (ssh) traffic
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Allow Ragnarok Online
/sbin/iptables -A INPUT -p udp --dport 6900 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 5121 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 6121 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 6900 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 5121 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 6121 -m state --state NEW -j ACCEPT

# Allow MySQL
/sbin/iptables -A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 3306 -m state --state NEW -j ACCEPT

# Have these rules take effect when iptables is started. iptables-save only
# prints the rules, so redirect them into the file the iptables service loads.
/sbin/iptables-save > /etc/sysconfig/iptables

After uploading that file, you would simply 'cd' to the directory of the file location and perform the following commands.

chmod +x iptables-policy
./iptables-policy

And now, all traffic is blocked except for 22, 6900, 5121, 6121, and 3306. You can do some research on how to set limits/bursts, and then set rules to drop malformed/ACK/SYN/spoofed packets and other malicious traffic.



  • Group:  Members
  • Topic Count:  15
  • Topics Per Day:  0.00
  • Content Count:  139
  • Reputation:   2
  • Joined:  07/05/12
  • Last Seen:  

Wow, nice guide sir Asura :D If I want to add more ports I can just copy-paste that and add a new port, right? :D



  • Group:  Members
  • Topic Count:  3
  • Topics Per Day:  0.00
  • Content Count:  707
  • Reputation:   168
  • Joined:  01/26/12
  • Last Seen:  

Quote

Wow, nice guide sir Asura :D If I want to add more ports I can just copy-paste that and add a new port, right? :D

Hi onizame,

Yes, that's correct; I specifically separated TCP/UDP per port so that you can disable either protocol if you wish. And you'd just follow that format to enable more ports, for either TCP or UDP.



  • Group:  Members
  • Topic Count:  35
  • Topics Per Day:  0.01
  • Content Count:  163
  • Reputation:   7
  • Joined:  01/07/12
  • Last Seen:  

Hi Asura, I cleared the iptables file at /etc/sysconfig/iptables first, and here's what I got from both steps

]# ./clear-iptables
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: Bad policy name
iptables: Bad policy name
# ./iptables-policy
iptables: No chain/target/match by that name
: command not foundline 2:
'ptables v1.3.5: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.5: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
: command not foundline 5:
iptables: Bad policy name
iptables: Bad policy name
iptables: Bad policy name
: command not foundline 9:
'ptables v1.3.5: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.5: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
: command not foundline 12:
: command not foundline 13:
'ptables v1.3.5: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
: command not foundline 16:
: command not foundline 17:
'ptables v1.3.5: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.5: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.5: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.5: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.5: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.5: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
: command not foundline 25:
: command not foundline 26:
'ptables v1.3.5: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.5: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
: command not foundline 30:
: command not foundline 31:
# Generated by iptables-save v1.3.5 on Fri Jul 27 06:59:43 2012
*mangle
:PREROUTING ACCEPT [665:28352]
:INPUT ACCEPT [664:28312]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1235:1675476]
:POSTROUTING ACCEPT [1235:1675476]
COMMIT
# Completed on Fri Jul 27 06:59:43 2012
# Generated by iptables-save v1.3.5 on Fri Jul 27 06:59:43 2012
*nat
:PREROUTING ACCEPT [5:268]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Jul 27 06:59:43 2012
# Generated by iptables-save v1.3.5 on Fri Jul 27 06:59:43 2012
*filter
:INPUT ACCEPT [1640:70315]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1233:1675228]
COMMIT
# Completed on Fri Jul 27 06:59:43 2012

Asura, I accidentally typed /sbin/iptables --policy INPUT DROP in the console and now I can't access my VPS through anything. Is there any way to shut the firewall down?



  • Group:  Members
  • Topic Count:  3
  • Topics Per Day:  0.00
  • Content Count:  707
  • Reputation:   168
  • Joined:  01/26/12
  • Last Seen:  

Hi nobukadnezar,

You'd have to consult your host provider to log into your container and then disable iptables. What kind of virtualization is your hosting company providing you with?

Also, it seems like you're having issues with actually running the scripts... I would recommend trying to install dos2unix first, and converting the files to UNIX format before proceeding to run them.

yum -y install dos2unix
dos2unix clear-iptables
dos2unix iptables-policy

Now you should be able to properly execute the scripts.

./clear-iptables
./iptables-policy



  • Group:  Members
  • Topic Count:  15
  • Topics Per Day:  0.00
  • Content Count:  139
  • Reputation:   2
  • Joined:  07/05/12
  • Last Seen:  

Sir Asura.. I'm using this iptables policy.. but I fail to add the FTP port for the website /abs

here is my iptables-policy

/sbin/iptables -F

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


# Allow incoming TCP port 22 (ssh) traffic
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT

# Allow Ragnarok Online
/sbin/iptables -A INPUT -p udp --dport 6900 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 5121 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 6121 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 6900 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 5121 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 6121 -m state --state NEW -j ACCEPT


# Allow MySQL
/sbin/iptables -A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 3306 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 21 -m state --state NEW -j ACCEPT

# Have these rules take effect when iptables is started
/sbin/iptables-save

Eh.. I can open the web.. but not with www., and I have to modify the hosts file at c:windows/system32/drivers/etc/ /abs

Is there any way to fix this? :x



  • Group:  Members
  • Topic Count:  3
  • Topics Per Day:  0.00
  • Content Count:  707
  • Reputation:   168
  • Joined:  01/26/12
  • Last Seen:  

Hi onizame,

Websites use port 80 (HTTP), and also 443 (HTTPS).



  • Group:  Members
  • Topic Count:  15
  • Topics Per Day:  0.00
  • Content Count:  139
  • Reputation:   2
  • Joined:  07/05/12
  • Last Seen:  

Ty sir Asura.. but.. my website.. I still can't access it with www. /abs



  • Group:  Members
  • Topic Count:  3
  • Topics Per Day:  0.00
  • Content Count:  707
  • Reputation:   168
  • Joined:  01/26/12
  • Last Seen:  

Hi onizame,

Contact your domain provider then.



  • Group:  Members
  • Topic Count:  0
  • Topics Per Day:  0
  • Content Count:  7
  • Reputation:   0
  • Joined:  01/05/12
  • Last Seen:  

I know this topic is old... but if it can help...

First of all you must understand how "transactions" work:

client creates a new connection --> request to the server --> server looks for an answer --> server answers the client through the current connection

Then, you must identify the client and the server for each job.

For example: FTP

YOU want to connect to FTP to upload some files to your server,

so you do the client job.

Plus, I don't think it's a good thing to let your server respond to every request.

If we take a look at your script onizame, here are some corrections we can do (red for add/modification - blue for del; in the plain-text listing below, the deleted lines are the ones prefixed with "# --"):

#!/bin/sh

IPT=/sbin/iptables

# Flush the built-in chains (the original had "$IPT -f OUTPUT": lowercase -f is
# the fragment match, not a flush) and (re)create the two chains used for the
# flood limits, so the script can be re-run without duplicating rules.
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F SYN_FLOOD 2>/dev/null || $IPT -N SYN_FLOOD
$IPT -F UDP_FLOOD 2>/dev/null || $IPT -N UDP_FLOOD

$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

echo "1" > /proc/sys/net/ipv4/ip_forward

# Keep the SSH session that runs this script alive
IPCLIENT=`echo $SSH_CLIENT | sed 's/\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/'`
$IPT -A INPUT -s ${IPCLIENT} -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -d ${IPCLIENT} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# we add some SYN flood protection
# The limit lives in its own chain and RETURNs while under the limit, so a
# packet still has to pass the port rules further down. A plain
# "--syn -m limit -j ACCEPT" in INPUT would accept new connections to any port.
$IPT -A SYN_FLOOD -m limit --limit 5/s -j RETURN
$IPT -A SYN_FLOOD -j DROP
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A UDP_FLOOD -m limit --limit 10/s -j RETURN
$IPT -A UDP_FLOOD -j DROP
$IPT -A INPUT -p udp -j UDP_FLOOD

# we add some ping flood protection
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/s -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 4/s -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -p icmp --icmp-type echo-reply -j DROP

# -- /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# -- /sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow incoming TCP port 22 (ssh) traffic
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

# -- /sbin/iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT

# DNS (client)
$IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Web server (http & https)
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Web client (for example: for apt-get on debian / *buntu)
$IPT -A INPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# FTP server (ftp and ftp-data)
$IPT -A INPUT -p tcp --dport 20 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT

# FTP client (example: apt-get)
$IPT -A INPUT -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 20 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --sport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# FTP passive ports
# Passive data connections only show up as RELATED when the FTP conntrack
# helper is loaded (nf_conntrack_ftp; ip_conntrack_ftp on older kernels).
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
$IPT -A INPUT -p tcp --dport 1024:65535 --sport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 1024:65535 --sport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT

# auth
$IPT -A INPUT -p tcp --dport 113 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 113 -m state --state RELATED,ESTABLISHED -j ACCEPT

# -- /sbin/iptables -A INPUT -p udp --dport 6900 -m state --state NEW -j ACCEPT
# -- /sbin/iptables -A INPUT -p udp --dport 5121 -m state --state NEW -j ACCEPT
# -- /sbin/iptables -A INPUT -p udp --dport 6121 -m state --state NEW -j ACCEPT
# -- /sbin/iptables -A INPUT -p tcp --dport 6900 -m state --state NEW -j ACCEPT
# -- /sbin/iptables -A INPUT -p tcp --dport 5121 -m state --state NEW -j ACCEPT
# -- /sbin/iptables -A INPUT -p tcp --dport 6121 -m state --state NEW -j ACCEPT

# Allow Ragnarok Online
for PRT in 5121 6121 6900
do
  $IPT -A INPUT -p tcp --dport $PRT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
  $IPT -A OUTPUT -p tcp --sport $PRT -m state --state RELATED,ESTABLISHED -j ACCEPT
done

# Allow MySQL
# -- /sbin/iptables -A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT
# -- /sbin/iptables -A INPUT -p udp --dport 3306 -m state --state NEW -j ACCEPT
# -- /sbin/iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
# -- /sbin/iptables -A INPUT -p udp --dport 21 -m state --state NEW -j ACCEPT
#
# MySQL on port 21 oO ??? ...and MySQL open ??
# We don't want outside connections to our MySQL server.
# The Ragnarok server uses localhost/127.0.0.1, like hosted websites.
# LAN to LAN connections aren't filtered, only WAN <--> LAN.

# Have these rules take effect when iptables is started
# -- /sbin/iptables-save
#
# Not needed:
# just save this in a file like rc.firewall
# then chmod +x rc.firewall
# edit /etc/rc.local and call this file just before "exit 0"
#
# rc.local :
#
# ...
# /you/folder/where/you/save/the/file/rc.firewall
# exit 0
#
# It will launch your script at server start.
# To launch it manually, just execute the file:
# #~ /folder/rc.firewall

FTP, Web, and your Ragnarok should work then.

Enjoy ;)

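Added example, not code from this thread or from rAthena: a small Python evaluator for iptables-save style rules (it models -p, --dport, --state, --syn and chain jumps, treats `-m limit` as matching, skips `*table`/COMMIT/comment lines, and all three rulesets inside it are constructed). It shows two rule-ordering problems from this thread: in the shape of the /etc/sysconfig/iptables dump posted earlier, INPUT jumps into RH-Firewall-1-INPUT first and that chain ends in REJECT, so the ACCEPT rules appended to INPUT are never reached; and a flat `--syn -m limit -j ACCEPT` placed in INPUT ahead of the port rules admits new connections to any port while under the limit, which the dedicated-chain form that RETURNs avoids.

```python
import shlex
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_ruleset(text):
    """(policies, chains) from ':CHAIN POLICY' and '-A CHAIN ...' lines."""
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        a = shlex.split(line)
        if a and a[0].startswith(":"):              # ":INPUT ACCEPT [0:0]"
            policies[a[0][1:]] = None if a[1] == "-" else a[1]
            chains.setdefault(a[0][1:], [])
        elif a and a[0] == "-A":                     # "-A CHAIN options..."
            m, i = {}, 2
            while i < len(a):
                o, v = a[i], a[i + 1] if i + 1 < len(a) else None
                if o in ("-p", "-j", "--dport", "--state"):
                    m[o] = int(v) if o == "--dport" else set(v.split(",")) if o == "--state" else v
                    i += 2
                else:  # --syn is a flag; -m, --limit, --reject-with, ... are not modelled
                    m["--syn"] = m.get("--syn") or o == "--syn"
                    i += 1
            chains.setdefault(a[1], []).append(m)
    return policies, chains

def matches(m, pkt):
    return (m.get("-p", pkt["proto"]) == pkt["proto"]
            and m.get("--dport", pkt["dport"]) == pkt["dport"]
            and pkt["state"] in m.get("--state", {pkt["state"]})
            and (not m.get("--syn") or (pkt["proto"] == "tcp" and pkt["state"] == "NEW")))

def evaluate(policies, chains, chain, pkt):
    """Walk one chain; a user chain returns None so the caller continues."""
    for m in chains.get(chain, []):
        if not matches(m, pkt):
            continue
        t = m.get("-j")
        if t in TERMINAL:
            return t
        if t == "RETURN":
            break
        v = evaluate(policies, chains, t, pkt)    # jump into a user-defined chain
        if v is not None:
            return v
    return policies.get(chain)                    # built-in: its policy; user chain: None

def verdict(ruleset, proto, dport, state="NEW"):
    """Verdict of the INPUT chain for one packet (states are constructed)."""
    policies, chains = parse_ruleset(ruleset)
    return evaluate(policies, chains, "INPUT", {"proto": proto, "dport": dport, "state": state})

# Constructed: the shape of the /etc/sysconfig/iptables dump posted earlier.
POSTED = """:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m tcp --dport 6900 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited"""
# Constructed: SYN rate limit as a flat ACCEPT placed before the port rules.
FLAT_LIMIT = """:INPUT DROP [0:0]
-A INPUT -p tcp --syn -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp --syn -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT"""
# Constructed: the same limit in its own chain, which RETURNs while under the limit.
CHAINED_LIMIT = """:INPUT DROP [0:0]
:SYN_FLOOD - [0:0]
-A INPUT -p tcp --syn -j SYN_FLOOD
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A SYN_FLOOD -m limit --limit 5/s --limit-burst 10 -j RETURN
-A SYN_FLOOD -j DROP"""
```

`verdict(POSTED, "tcp", 6900)` gives REJECT while `verdict(FLAT_LIMIT, "tcp", 3306)` gives ACCEPT; the chained form gives DROP for 3306 and ACCEPT for 22.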


  • Group:  Members
  • Topic Count:  22
  • Topics Per Day:  0.01
  • Content Count:  75
  • Reputation:   0
  • Joined:  05/26/12
  • Last Seen:  

Hi Mitsu ^^'

Could you help me with how to use the settings given above?

And I need to know if my website, which is on another server and remotely accesses the database, could be blocked by the flood protection.

Att,

CaioVictor.
