The Dink Network

Linux Firewall Stuff

April 22nd 2008, 01:27 AM
DinkDude95
Peasant He/Him Australia
The guy with the cute D-Mod. 
Dad says this:

My FC6 box has 2 NICs, one connects to the DSL modem (192.168.1 subnet) and the
other connects to the LAN (192.168.0 subnet). One of my kids wants to play
runescape. When he tries, the runescape server says that I need to allow
outgoing network connections on port 43594.

What is confusing is that it works fine on my PC. I am running
squid-2.6.STABLE13-1 and dansguardian v2.9.8.2. The kids access the net via
dansguardian which passes all requests to squid - works perfectly for normal
browsing. Their PCs do not do anything else on the net except use the web - no
other network access is set up.

On my PC my browser points at squid - runescape works fine.

I have tried adding port 43594 /tcp to the iptables config using the FC6
firewall front end, have tried using Firestarter but couldn't figure out what
to do, wanted to try guarddog but couldn't find an RPM or download the source
(that is another problem - simonzone gives 510 error). Nothing worked, as
catweazle would say.

Tried installing webmin thinking it might make iptables look easier, but that
didn't work. My iptables settings are very simple, almost the same as the day
I set the OS up. But you need to know what to change in iptables, and I don't.
What am I missing?

Anyone know anything? Seeing as this forum is full of Linux loving Unix Hugging disciples.
May 8th 2008, 12:08 PM
Beuc
Peasant He/Him France
 
Hey,

I learned "iptables" at school so I tend to use that directly and I'm not very familiar with user-friendlier tools. But maybe I can help.

For example, can you verify that you enabled outgoing and not incoming traffic in the FC6 firewall?
Also, can you specify your configuration? Apparently you have a proxy for outgoing HTTP, and you block all other ports? Is the proxy transparent (e.g. do you need to configure a proxy on the children's desktops, or does content-filtering work automagically?)

May 9th 2008, 08:34 PM
DinkDude95
Peasant He/Him Australia
The guy with the cute D-Mod. 
Since we don't want to reveal our Firewall stuff on the net, as someone could find a hole and hack it, I emailed you what my Dad said, Beuc. I hope you can help!
May 10th 2008, 03:13 AM
Beuc
Peasant He/Him France
 
From what I understand, you only have access to a proxy.

RuneScape wants direct Internet access to port 43594/tcp (with a gateway instead of a proxy), as well as access to a DNS server (typically your ISP's). This requires setting up connection sharing on the FC6 box. Using FireStarter sounds like a good idea for this.

Your dad could:
- set up connection sharing on the FC6 box,
- then restrict outgoing traffic except for:
  - DNS ports (53 udp+tcp)
  - runescape's port (43594 tcp)
  - connections coming from the local computer

Curiously though, it doesn't seem runescape requires 43594 precisely - it ran fine when I blocked this port. But it still requires direct access to another port (it used https/443 instead).

Or, you'll need something like this:
http://www.scape-xp.com/runescape_proxy.php
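
The gateway setup suggested in the post above (connection sharing, then forwarded traffic limited to DNS and the game port), as an added example that is not part of the thread. The interface names `eth0` (DSL modem side) and `eth1` (LAN side) and the function names are assumptions; the subnet and port are the ones given in the posts.

```shell
#!/bin/sh
# Added example: prints (does not run) iptables commands for the gateway setup
# described in the post above. Review the output, then pipe it to `sh` as root.
# Assumptions: eth0 faces the DSL modem, eth1 faces the LAN.

valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules LAN_IF WAN_IF LAN_NET TCP_PORT...
gen_rules() {
    [ $# -ge 4 ] || { echo "usage: gen_rules LAN_IF WAN_IF LAN_NET TCP_PORT..." >&2; return 2; }
    lan_if=$1 wan_if=$2 lan_net=$3
    shift 3
    # Validate every port before emitting anything, so bad input yields no rules.
    for p in "$@"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    # Connection sharing: route LAN traffic and NAT it behind the gateway address.
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE"
    # Default-deny for forwarded traffic; OUTPUT is untouched, so connections
    # from the gateway itself (squid, dansguardian) keep working.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # DNS over UDP and TCP.
    for proto in udp tcp; do
        echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -p $proto --dport 53 -j ACCEPT"
    done
    # One rule per explicitly allowed TCP port.
    for p in "$@"; do
        echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -p tcp --dport $p -j ACCEPT"
    done
    # Log what the policy is about to drop, to spot other ports a client needs.
    echo "iptables -A FORWARD -i $lan_if -j LOG --log-prefix 'egress-drop: '"
}

# Subnet and port are the ones given in the thread.
gen_rules eth1 eth0 192.168.0.0/24 43594
```

The final LOG rule records forwarded packets that fall through to the DROP policy, which shows in the kernel log which other ports a LAN client is trying to reach.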