Kerio User Forums » Kerio Control: Setting up these iptables rules in KWF 5.1.9

Parikkala

I have a game, Starcraft (Blizzard), I'd like to play on the internet with all computers on my LAN. But all my computers share an internet connection through a computer with Kerio Winroute Firewall 5.18 with NAT activated (and DHCP too).

This game uses port UDP 6112 for internet games, but it is not possible to set a rule 6112 - 6112 on the firewall because packets going from the internet server to local computers would not know which local computer they are heading for (in the game itself the error given is 'latency too high' [infinite in my opinion]).

A solution should be the following:
- each client can only use 6112, but the server can handle requests also on port range 6112-6119, which is enough for 8 players (the maximum number of players in a game)
- so each client uses 6112
- the firewall should change the IP of packets going from client to server with its own (the usual IP masquerading) but also change the port on the server according to the client IP (in fact on the LAN clients differ by IP address and use the same port; on the internet clients use the same IP and differ by port used)
- then the firewall should forward the packets received from the server to clients according to the port on which it received them.

This solution should be what these iptables rules actually do:

iptables -t nat -I PREROUTING -p udp -d 217.133.229.230 --dport 6115 -j DNAT --to-destination 192.168.8.3:6112

iptables -t nat -I POSTROUTING -p udp -s 192.168.8.3 --sport 6112 -j SNAT --to-source 217.133.229.230:6115

217.133.229.230 : internet server
192.168.8.3 : one client (seen by the server on port 6115)

(obviously similar rules are to be set up for each client)

What I want to do is simply to translate these iptables rules into Kerio traffic policy rules! How should I add them? Do I need two Kerio rules or just one?

Thank you
and bye bye
Antonio
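An added example (not from the forum post or from Kerio) that models the two nat-table rules above as table lookups, with no real firewall involved. It generalizes the post's single client to a list of clients, gives each one its own public port in order (6112, 6113, ...), and shows why the plain "6112 - 6112" rule cannot route replies back: the reverse table for a masquerade that keeps the source port has only one key for all clients. 192.168.8.x clients are in the post's range; SERVER and PUBLIC_IP are constructed placeholders, and the class and function names are the example's own.

```python
"""Model of the per-client port translation described in the post.

Added example, not from the thread or from Kerio. It does not touch a real
firewall: the POSTROUTING SNAT and PREROUTING DNAT rules become dictionary
lookups so the reason the port mapping is needed is visible.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

SERVER = "198.51.100.7"      # constructed placeholder: the internet game server
PUBLIC_IP = "203.0.113.1"    # constructed placeholder: the firewall's WAN address
GAME_PORT = 6112             # the only port the game client uses


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PortMappedNat:
    """Give every LAN client its own public source port, as the two iptables
    rules in the post do, so replies can be routed back by the port they arrive on."""

    def __init__(self, public_ip: str, clients: Iterable[str], base_port: int = GAME_PORT):
        self.public_ip = public_ip
        # client IP -> public port it is seen on (base_port, base_port+1, ... in client order)
        self.port_of = {ip: base_port + i for i, ip in enumerate(clients)}
        # reverse table consulted for packets coming back from the server
        self.client_of = {port: ip for ip, port in self.port_of.items()}

    def outbound(self, pkt: Packet) -> Packet:
        """POSTROUTING SNAT: rewrite the LAN source to the public IP and the client's port."""
        return Packet(self.public_ip, self.port_of[pkt.src], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """PREROUTING DNAT: choose the client by destination port; None means no rule, so drop."""
        client = self.client_of.get(pkt.dport)
        if client is None:
            return None
        return Packet(pkt.src, pkt.sport, client, GAME_PORT)

    def iptables_rules(self) -> List[str]:
        """The same mapping written as the rule pair from the post, once per client."""
        lines = []
        for ip, port in self.port_of.items():
            lines.append(
                f"iptables -t nat -I PREROUTING -p udp -d {self.public_ip} --dport {port} "
                f"-j DNAT --to-destination {ip}:{GAME_PORT}")
            lines.append(
                f"iptables -t nat -I POSTROUTING -p udp -s {ip} --sport {GAME_PORT} "
                f"-j SNAT --to-source {self.public_ip}:{port}")
        return lines


def shared_port_reverse_table(public_ip: str, clients: Iterable[str]) -> dict:
    """What a plain masquerade that keeps source port 6112 leaves for the return
    path: every client collapses onto the same (public_ip, 6112) key, so the
    table can remember at most one of them and every reply goes to the last writer."""
    table = {}
    for ip in clients:
        table[(public_ip, GAME_PORT)] = ip
    return table


if __name__ == "__main__":
    lan = ["192.168.8.3", "192.168.8.4", "192.168.8.5"]
    nat = PortMappedNat(PUBLIC_IP, lan)
    for rule in nat.iptables_rules():
        print(rule)
    out = nat.outbound(Packet("192.168.8.4", GAME_PORT, SERVER, GAME_PORT))
    print("server sees:", out)
    print("reply lands on:", nat.inbound(Packet(SERVER, GAME_PORT, PUBLIC_IP, out.sport)))
    print("shared-port reverse table:", shared_port_reverse_table(PUBLIC_IP, lan))
```

Running the module prints the rule pairs for three clients and walks one packet out and back. The reverse table at the end has a single entry although three clients were registered, which is the situation the poster describes with a plain 6112 - 6112 rule.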
Parikkala

With a rule such as:

Source: Superman (the computer on the local network)
Destination: bnet.fastempire.net (the internet gaming server)
Service: Starcraft UDP 6112 (protocol UDP, source port: any, destination port: 6112)
Action: Allow
Translation: NAT (default outgoing interface)
MAP bnet.fastempire.net:6113

Starcraft does not work. It detects UDP ability correctly only if I MAP bnet.fastempire.net:6112 (same as with no translation). In fact, a sniff with Ethereal shows that there is no traffic on UDP 6113 either on the firewall LAN interface or on the firewall WAN interface. What's the problem with Destination NAT (source mapping)?

Putting this rule together with the following rule:
Source: bnet.fastempire.net
Destination: firewall host
Service: Starcraft UDP 6113 (protocol UDP, source port: any, destination port: 6113)
Action: Allow
Translation: NAT (default outgoing interface)
MAP superman:6112

or with the following:

Source: bnet.fastempire.net
Destination: Superman
Service: Starcraft UDP 6113 (protocol UDP, source port: any, destination port: 6113)
Action: Allow
Translation: NAT (default outgoing interface)
MAP superman:6112

A crazy thing I tried was also these two rules:
Source: Superman
Destination: Firewall host
Service: Starcraft UDP 6112
Action: Allow
Translation: NAT (default outgoing interface)
MAP bnet.fastempire.net:6113

Source: bnet.fastempire.net
Destination: Firewall host
Service: Starcraft UDP 6113
Action: Allow
Translation: MAP antonio:6112

where I use the Firewall Host as the internet gaming server in Starcraft instead of the internet gaming server itself. But again port forwarding does seem to do what I want since Starcraft can't see any Starcraft 6112 UDP service. Unless I forget about mapping on 6113.

Any help is really appreciated
Bye bye
Antonio