+ip Flag: Anyone Actually Know How This Works?
Xvarion
Join Date: 2002-11-06 Member: 7281Members
There's been much conflicting info... I've checked out posts in this forum and also other mod forums, and folks are having trouble with this all over the place.
I'm behind a NAT-enabled router hanging off my cable modem. My cable router has an internet-visible address, and all my LAN machines, including my ns server, are behind it, with 192.168.x.x addresses.
One key bit of information I've gleaned off the Counter-Strike forums is that the +ip flag can only refer to actual, bound ip addresses of the server machine. That is, it can only refer to addresses that are valid for the server box itself (i.e. the address(es) you'd get using an "ipconfig /all" command on Windows or an "ifconfig" command on linux).
If this is true, then a whole lot of info in these forums is incorrect: the +ip flag does NOT tell WON which IP address to post to public lists. Rather, the +ip flag simply tells the hlds process which IP address to bind to on that box, in the event the machine has more than one IP address.
Therein lies the confusion. I believe where this got started is due to the following: if you have a computer that's acting as a firewall, it'll have two ethernet cards in it - one card will have an internet-visible, public IP address, and will be connected to something like a cable modem. The other ethernet card will have an internal, LAN-only address, such as a 192.168.x.x address, that can only see traffic on the internal network. When you start up hlds, the +ip flag would be used to make sure that hlds bound itself to the public ip address rather than the internal address. i.e. it would make hlds pay attention to the ethernet card that's connected to the cable modem.
Great. However, this is all valueless in the case of a server that's BEHIND a firewall, because it only has an internal (192.168.x.x) address - there's no public address for that box. Thus, the +ip flag is useless in that situation. As many people have pointed out, if you attempt to use the +ip flag with the public address of the router, you get an error indicating that the hlds process can't bind to that address - this is expected, as, again, the +ip flag is telling hlds which ethernet card to pay attention to, and there's no card in the server box with that address (it's on the router).
So, the question remains: How does one get WON to list a server that's behind a Natted firewall? Is this even possible? I've tried, and can't get it to work. I've ensured that port 27015 (UDP) is open for incoming traffic, yet nothing shows up on public boards like www.serverspy.com, which should see my box even if ASE can't as it's also behind my firewall.
Does anyone have any information regarding this?
Thanks,
Eric
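As an added illustration of the binding point made in the post above (this is not code from the original thread), the script below does what hlds does with a +ip value: it tries to bind a UDP socket to the address. A locally configured address binds; an address the box does not own, such as the router's public-side address, fails with EADDRNOTAVAIL, the "can't bind" error described above. 198.51.100.1 is a TEST-NET placeholder standing in for the router's WAN address.

```python
import errno
import socket

# Constructed placeholder (not from the thread): a router WAN address
# that is NOT configured on this machine, so a bind to it must fail.
ROUTER_WAN_PLACEHOLDER = "198.51.100.1"
HLDS_PORT = 27015


def bind_check(ip, port=0, proto=socket.SOCK_DGRAM):
    """Attempt the same bind hlds performs for +ip <ip>.

    Returns (ok, reason). ok is True only when the OS accepts the bind,
    i.e. the address is actually assigned to an interface on this host.
    Port 0 lets the OS pick a free port so the check never collides
    with a running server.
    """
    s = socket.socket(socket.AF_INET, proto)
    try:
        s.bind((ip, port))
        return True, "bound"
    except OSError as e:
        if e.errno == errno.EADDRNOTAVAIL:
            return False, "not a local address (EADDRNOTAVAIL)"
        return False, "bind failed: %s" % e.strerror
    finally:
        s.close()


def local_ipv4_addresses():
    """Addresses a +ip value may legitimately name: those configured here.

    Equivalent to reading 'ipconfig /all' or 'ifconfig' as the post suggests.
    """
    addrs = {"127.0.0.1"}
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
            addrs.add(info[4][0])
    except socket.gaierror:
        pass  # hostname not resolvable; loopback is still reported
    return sorted(addrs)


if __name__ == "__main__":
    print("addresses +ip could bind to:", local_ipv4_addresses())
    for candidate in ("127.0.0.1", ROUTER_WAN_PLACEHOLDER):
        ok, reason = bind_check(candidate, 0)
        print("+ip %s -> %s (%s)" % (candidate, "OK" if ok else "FAIL", reason))
```

Run it on the server box: the LAN address binds, the router's address does not, which is why +ip cannot be used to advertise the public address.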
Comments
It's a given that you have to setup proper forwarding rules for the TCP and UDP traffic that results from operating a HL server, but what I noticed is that the way in which a NAT firewall communicates to the outside world is not often on the ports you indicated. From what I've seen from packet tracing is that packets will be routed correctly between the WON servers and your host, yet the host machine will not report itself as running on port 27015 (CS default) for example, but some arbitrarily assigned number. It mis-reports the server IP and port, thus it doesn't show up in many lists.
I have had zero success getting a HL based server to report itself from behind a NAT firewall device.
cg
The other way would be to put your PC in front of the FW (defeating the purpose of the FW), or some FWs have a DMZ setting allowing you to basically map the PC as if it was in front of the FW (also defeating the purpose of the FW).
BHayes -- ROUS Natural Selection Server.
Forgot to mention that the WON servers will filter out any servers with private ip network addresses from the list they give to clients. If you don't need the server to show up on the serverlist, it should work ok to forward the port.
You need the following ports to be open:
tcp 7002, 5273
udp 27015, 27010, 27012
My server does work behind my NAT. Thank god for iptables.
EXAMPLE
iptables -A PREROUTING -t nat -p tcp -d externalIP --dport 7002 -j DNAT --to internalIP:7002
iptables -A PREROUTING -t nat -p tcp -d externalIP --dport 5273 -j DNAT --to internalIP:5273
iptables -A PREROUTING -t nat -p udp -d externalIP --dport 27015 -j DNAT --to internalIP:27015
iptables -A PREROUTING -t nat -p udp -d externalIP --dport 27010 -j DNAT --to internalIP:27010
iptables -A PREROUTING -t nat -p udp -d externalIP --dport 27012 -j DNAT --to internalIP:27012
iptables -A PREROUTING -t nat -p udp -d externalIP --dport 27005 -j DNAT --to internalIP:27005
Binding to a different ip won't help (unless you truly are a multi-homed host with two different internet connections). The ip address in the ip header is determined by the OS and/or your NAT/FW, not Halflife.
As for the other ports, you can go ahead and open them up just to be safe (or un-safe if you're a security guy), but the connections on those ports all originate from the server to the outside. So most FW/NATs will pass them through without much trouble. The only tricky port is 27015, since connections originate from the internet to that port.
Hope this helps some.
BHayes -- ROUS Natural Selection Server.