Linux HL Server and Firewalls

Peter Dingwall

Dec 30, 2001, 2:26:21 PM
Hi

Sorry if someone's already posted something on this, I couldn't find
anything...

I'm trying to run a dedicated Linux server behind a firewall and I'm having
a few problems. I've got a Smoothwall firewall, which runs a version of
Linux designed to run on old bits of hardware (I recommend it, it's fab and
FREE!, www.smoothwall.org). It is connected to the Internet via cable modem
through one interface, and then to my private LAN (192.168.0.1) on a second
interface. This works fine for web browsing and I've also managed to set up
NATing to a web server on another PC on the network.

The problem I have is the Half-Life server... I've checked on the web for
the port requirements and I've opened up ports 27010 and 27015, and
redirected all traffic for these ports to the HL server on the private LAN.
When I start the server with hlds_run it starts fine and manages to
authenticate to the WON servers, however this is with the server binding to
the internal IP address. When I force it to bind to the public address
(+ip ) it fails with the following error:

WARNING: UDP_OpenSocket: port: 27015 bind: Cannot assign requested address,
Error Couldn't allocate dedicated server IP port.

Can I run a HL server behind a firewall in this way, or am I going to have
to run the server on the same machine as my Internet gateway (which I've
done in the past)? Any help anyone could offer would be ace.

Peter
din...@ntlworld.com

John Twernbold

Dec 30, 2001, 3:32:12 PM
"Peter Dingwall" wrote:
> it starts fine and manages to authenticate to the WON
> servers, however this is with the server binding to the
> internal IP address. When I force it to bind to the public
> address (+ip ) it fails

I ran a HL server under Linux for a while and encountered the same
situation. It sounds weird, but your first method is actually the correct
one: start the server with the internal IP address. All your clients (and
the master server list, GameSpy3D, etc.) will instead see it at the public
address.


--
Bold
aka John Twernbold
jtwernbold (at) yahoo.com


Peter Dingwall

Jan 1, 2002, 12:53:43 PM
John

Thanks for that, however I'm still having problems with connecting to the
server from the Internet. The address appears in the servers list but there
is no other information about the server and I am unable to connect to it.
I've opened the following ports on my firewall for TCP and UDP traffic...

6003
7002
27010
27011
27015

Do I need any other ports opened?

John Twernbold

Jan 1, 2002, 3:04:21 PM
"Peter Dingwall" wrote:
> Do I need any other ports opened?

I don't recall what each port is needed for, but the standard advice given
for opening ports is this:

6003 TCP
7002 TCP

27005 UDP
27010 UDP
27011 UDP
27012 UDP
27015 UDP

For more info, try these resources:
http://server.counter-strike.net/cgi-bin/ib3/ikonboard.cgi
http://maillist.congiman.com/pipermail/listtfclinux/
http://maillist.congiman.com/pipermail/listhlserver/
irc://NY.gamesnet.net:6667/hlds

Peter Dingwall

Jan 5, 2002, 8:07:12 PM
Hi

I'm still battling this, I've tried opening the ports you suggested but
still got the same results unfortunately. After looking around I found the
following post

http://server.counter-strike.net/ubb/Forum8/HTML/000781.html

The guy mentions that the masquerading is changing the port HL broadcasts on
from 27015 to a random port somewhere between 61000-64999! I did a tcpdump
on my Internet-connected NIC and sure enough I was getting lots of errors on
incoming connections on UDP ports 61023, 61024 and 61028.

He then suggests using loose UDP, problem is that this seems to have been
disabled on my version of Linux (Smoothwall with kernel 2.2.20), as he
suggests typing the following

echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose

... but then when I reboot 'something' is changing it back to 0 again! There
is a patch for the kernel but I don't want to recompile the kernel just to
get HL to work. I'm going to try to find a workaround for this but if you
have any other cunning plans I'd be more than happy to hear about them...

Thanks for your help with this...

Pete

John Twernbold

Jan 5, 2002, 9:20:07 PM
"Peter Dingwall" wrote:
> The guy mentions that the masquerading is changing
> the port HL broadcasts on from 27015 to a random
> port somewhere between 61000-64999!

Sorry, I'm all tapped out. :-) My knowledge of Linux is fairly limited. I
didn't experience the problem you're having because all NAT was done by the
router, rather than by the Linux box. Perhaps the people on a Linux
newsgroup might be able to help you with IP masquerading?

Jakub Burgis

Jan 6, 2002, 12:01:46 AM
In article <huNZ7.62237$4x4.8...@news2-win.server.ntlworld.com>,
din...@ntlworld.com says...

>
> He then suggests using loose UDP, problem is that this seems to have been
> disabled on my version of Linux (Smoothwall with kernel 2.2.20), as he
> suggests typing the following
>
> echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
>
> ... but then when I reboot 'something' is changing it back to 0 again! There
> is a patch for the kernel but I don't want to recompile the kernel just to
> get HL to work. I'm going to try to find a workaround for this but if you
> have any other cunning plans I'd be more than happy to hear about them...
>

Does that fix the problem for you, even if it's temporary?

If so, add that command to /etc/init.d/rc.local, or any other startup
script of your choosing. Then it'll get applied every time you boot
the machine. The changes should take effect immediately, even if you
just enter it on the console.
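
The masquerading behaviour and the loose UDP setting discussed in this thread, as an added example that is not part of any post: a simplified Python model, not kernel code, of why a player's packets to the 61000-64999 port are dropped under strict matching and accepted once ip_masq_udp_dloose is 1. It assumes strict mode matches the original remote endpoint and loose mode matches on destination port alone; all addresses and the sequential port allocator are constructed sample values.

```python
# Simplified model of Linux 2.2 UDP masquerading (illustration only, not kernel code).
# Assumption: strict mode matches the original remote endpoint, loose mode any sender.
from dataclasses import dataclass

MASQ_PORTS = range(61000, 65000)  # range quoted in the thread: 61000-64999


@dataclass(frozen=True)
class MasqEntry:
    inside: tuple    # (private ip, port) of the LAN host
    masq_port: int   # source port seen on the Internet side
    remote: tuple    # (ip, port) the LAN host originally sent to


class Masquerader:
    def __init__(self, loose_udp=False):
        self.loose_udp = loose_udp   # models ip_masq_udp_dloose = 1
        self.entries = []
        self._next = iter(MASQ_PORTS)

    def outbound(self, inside, remote):
        """LAN host sends a datagram out; return the rewritten source port."""
        for e in self.entries:
            if e.inside == inside and e.remote == remote:
                return e.masq_port
        entry = MasqEntry(inside, next(self._next), remote)
        self.entries.append(entry)
        return entry.masq_port

    def inbound(self, sender, dst_port):
        """Datagram arrives on the public side; return the LAN target or None."""
        for e in self.entries:
            if e.masq_port == dst_port and (self.loose_udp or e.remote == sender):
                return e.inside
        return None  # no matching entry: the packet is dropped


def demo(loose_udp):
    hlds = ("192.168.0.10", 27015)     # constructed LAN address of the HL server
    master = ("198.51.100.1", 27010)   # constructed master-server address
    player = ("203.0.113.7", 27005)    # constructed client address
    nat = Masquerader(loose_udp)
    seen_port = nat.outbound(hlds, master)  # heartbeat leaves from 61000, not 27015
    return {
        "advertised_port": seen_port,
        "master_reply": nat.inbound(master, seen_port),
        "player_connect": nat.inbound(player, seen_port),
    }
```

In loose mode the model forwards a datagram from any sender that hits the masqueraded port, so the setting also widens what can reach the LAN host from outside.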
