Topic: how to open ports sme7

[dub]

hello world,

is somebody now how to open tcp ports on sme 7b4

thanks

[arne]

"To open a port" can be two completely different things.

a. To "open" or forward a port to a server on lan.
b. To open a port to one internal processes running at the gateway PC.

please explain the requirement a little bit bether.

Arne.

[dub]

I need to open port on lan and then use port forwarding contrib to foward it

And open external port for specials applications.

no way at time in sme7 and contrib.

How to do it in code line

thanks

[dub]

sorry

its for server in gateway mode

[arne]

When it comes to "opening" and forwarding udp or tcp trafic into servers on the lan, this is very easy. You just use the standard function on the server-manager panel, go into the function for port forwarding, and all "actions" are done automatic. (Port opening, port forwarding etc.) There is absolutely no need for any shell commands for that.

If it is also a question of opening for certain ports or trafic to the internal local processes on the gateway machine itself, that's an other story.

Linux (with 2.4.x or 2.6.x kernel) has two completely different set of built inn firewalls. One set is for filtering and forwarding trafick to lan. The other is for filtering the trafic into the local processes on the gateway. Technically the one firewall that controll the inncomming trafic to lan can be completely open, when the firewall that controll access to local gateway processes can be completely locked or vise versa. You dont have to lock up "the gateway firewall" to be able to have free access via "the lan access firewall".

(In earlier revisions of Linux kernel it worked the other way, there were only one firewall that opened for access to local processes and lan.)

SME 7.4 B4 has a fully automated controll function, via the server-manager panel, for controlling the trafic to servers located on the lan. (Enables controll of one of the two firewalls.)

(Actually the Linux revisions of two day has more than two firewall sets, it's also possible to filter the outgoing trafic, so the set of independent firewalls is at least 3, depending a bit how you like to see the situation.)

[arne]

"of two day" .. of cource not two days but "to day".

[dub]

ok i'm now in 7b5

i need to open port 22000 in local access
and external acces to...

how doing that ??

thanks for your comments

[dub]

i add an engine and need to view data and work with on the lan but also with external client (personnal built application)

[arne]

If the application is running on the gateway PC itself ..

There is a real and proper way of doing this modification (did see the real and proper way mentioned in a tread here some days ago), and there is also a "quick and dirty one" for testing.

"The quick and dirty" method as mentioned here is a bit dangerous because minor mistakes can destroy the security of your gateway completeley. It can be mentioned but not recomended.

This command will/should put in a whole in your firewall that will leak in the specified trafic:

iptables -I INPUT -i eth1 -p tcp --dport 22000 -j ACCEPT

(If it is udp, "tcp" in the string has to be replaced by "udp". You might also have to check that eth1 is your external card.)

If you reboot your sme server-gateway this whole will be gone and the orginal security will be back.

[dub]

Ok it work but how to keep it all the time

rebooting will be necessary !!!

thanks for your help

[Black]

Just tell the guy how to open/forward a port via the server manager. If you cant do it under 2 sentences then someone needs to fix the problem in the distro.

There should be no reason why this guy has to post 5 times to get an answer for port opening.

[arne]

"Just tell the guy how to open/forward a port via the server manager."

Well the point is that Linux have a number of firewalls. This is to day common for most distros.

The question is then "which one of those firewalls in the Linux kernel doed he want to get opened."

Anwer to this question seems to be: He does not want to get opened the fireeall that can be managed via the server-manager. He want to get opened one of the other firewalls.

I think it is not a probelem in the distro that it does not contain a function for configuration that has never been in this distribution before, a server-manager control of the input or output chain of the netfilter module.

[arne]

By the way .. I saw for a few days ago a description of how to make proper and permanent netfilter input chain modifications in one tread in this forum. (So it can be searced for.) It has to be done as a template modification. Don't remeber the details.

[CharlieBrady]

Just tell the guy how to open/forward a port via the server manager.

Well, you are rather rude, aren't you. Arne has already said how to forward a port via the server manager. He tried to help. You haven't tried to help anyone.

There should be no reason why this guy has to post 5 times to get an answer for port opening.

Most people who want to "open a port" don't know what they are trying to achieve. Opening a port on the server itself usually isn't required.

[dub]

Ok mens keep cool !

just one or two ideas...

After Arne suggest i ve try to find the fabulous post where we can find the netfilter customsation but finding nothing.

For charly we try to understand the difference with or product centos servers.  For lot of things your job is so great...but in 2005-06 many softs and engines need to use several ports to communicate.

Actually or base engine work fine and all services are ok we just need to exchange or 128 bits crypting ('by or engine') data to a TCP hole.

Nothing more .....two minutes in centos a little bit more with sme7 but i'hope to find

If you can help me thanks a lot if not just keep relax

no problems i understand after few hours reading posts that many questions are under ways

[arne]

I think I can see that the procedure in post no 2 is not completely right because it does make corrections to the "main template area" and not "the custom template area". But I believe that this priciples here in post 2 can be used.

http://forums.contribs.org/index.php?topic=20731.0

Also some info here:
http://no.longer.valid/phpwiki/index.php/Customizing


Please make a post of the working solution if/when its up and running  

Keep cool but not cool only  

Arne.

[dub]

ok Arne
CharlieBrady give me the solution in this other post
http://forums.contribs.org/index.php?topic=29258.0

i spend a long time to find an other way to publish custom template in the right directory..
Very long and hasardious to.

the CharlieBrady way is so easy...i ask him for an other  need and when he give the way i publish a fully post for an example

Or i try it ...my linux knowledge is not so good (newbie)

thanks for your interest and see you next time

[arne]

Thanks for the info. I did not know about "the one line method" and I will certainly write it down.

The template system is something unic for the sme server, so if one try to use "ordinary linux books" as a refferance one can get rather confused.

It is rather difficult to get started with, but not that bad, when you get a bit used to it.

One very good part of it is that if you transfer the installation to a new PC all the template mods are within the automated data backup, so it is not neccessary to modify the next pc. All modifications are transfered automatically to the next PC, or a new PC eventually after a data crash. This mean you can change hardware in a one hour time or so. (If not to much datas. I think the limit is 4 GB now (??))

[gregswallow]

Thanks for the instructions Charlie.  Added to the FAQ page for lack of a better place:
http://smeserver.sourceforge.net/sme70/FAQs

[gordonr]

Thanks for the instructions Charlie.  Added to the FAQ page for lack of a better place:
http://smeserver.sourceforge.net/sme70/FAQs

Note that Charlie's instructions are slightly wrong (the Wiki doesn't like me at the moment, or I would fix them myself). They should be:

Code: [Select]

config set manta service access public status enabled TCPPort nnn

For UDP services, use UDPPort instead of TCPPort. Note that you can also set restrictions with AllowHosts and DenyHosts:

Code: [Select]

config setprop manta AllowHosts 1.2.3.4,10.11.12.0/24
config setprop manta DenyHosts 16.17.18.18

[gregswallow]

Thanks Gordon, I updated the wiki:
http://smeserver.sourceforge.net/sme70/FAQs

[tracksattak]

Hello

 I m looking for a way to open ports to be abble to
 run a counter strike server on my SME 7 , i followed
 the FAQ but it seems that my ports are still closed

 I need to open

 UDP 1200    (used for friends service)
 UDP 27000 to 27015 inclusive
 TCP 27020 to 27039 inclusive
 TCP 27040 and 27041 only for CyberCafe Owners

 Computers running Dedicated Servers need these  
 *ports* open:

 UDP: 27015 and 27020 (default HLDS, SRCDS and HLTV  port)
 TCP: 27015 (SRCDS Rcon port)

 So i tried for example

 config set steam service access public status
 enabled TCPPort 27015

 and then
 signal-event remoteaccess-update

 I did this for all the ports with no sucess

 Can you help ?

 Thanks

[dub]

hi i think your problem is the service...

IS "steam" a service load at startup ??

[tracksattak]

I think so too , no it s not a service loaded at
 startup.

 I just launch it when i want .

 Do you have a solution ?

 Rgds
 Tracks

[dub]

//first create rules to start up the service 'steam' at boot

ln -s /etc/init.d/steam/etc/rc.d/rc7.d/S56steam
ln -s /etc/init.d/steam/etc/rc.d/rc6.d/K03steam

/sbin/e-smith/db configuration setprop steam status enabled
/sbin/e-smith/signal-event console-save


// then...openning ports for this service


config set steam service access public status enabled TCPPort 4900

signal-event remoteaccess-update


Finally i prefer to reboot

[CharlieBrady]

Finally i prefer to reboot

If you are content to reboot, then you can simplify your steps somewhat:

ln -s ../init.d/e-smith-service /etc/rc7.d/S56steam
config set steam service \
 access public \
 status enabled \
 TCPPort 4900
signal-event post-upgrade
signal-event reboot

[tracksattak]

Thanks for your help

 Excuse me but i m a noob .

 Steam is a software that i launch when i want ,
 you ask me to create rules for the service steam

 But there s no service steam , how can i create it ?

 steam is in an ibay , and i need to open few ports
 for it .
 Can i use iptables ?

 Rgds
 Tracks

[CharlieBrady]

 Steam is a software that i launch when i want ,
 you ask me to create rules for the service steam

 But there s no service steam , how can i create it ?

Follow the instructions you have been given above.

However ....

The instructions above refer to a service which is running on your SME server box, and offering services to the outside world. From what google tells me, "steam" is client software which connects to outside servers. If that is so, there's no need to open any ports - all you expect to receive is return traffic, and that is already allowed automatically.

Why do you think you need to open ports, and what ports do you think you need to open. Can you post a URL which contains the information?

[tracksattak]

Again a big thanks for your help

 Steam is a software i can use to create a game server
 called counter strike on Linux

 Here is the link of the official web site

 http://www.steampowered.com/

 I m used this software and sme , i was running a
 server on my 6.01 sme. The only thing i had to do  
 was to open few ports with port opening
 
 Here they are

 UDP 1200 (used for friends service)
 UDP 27000 to 27015 inclusive
 TCP 27020 to 27039 inclusive
 TCP 27040 and 27041 only for CyberCafe Owners

 Computers running Dedicated Servers need these
 *ports* open:

 UDP: 27015 and 27020 (default HLDS, SRCDS and HLTV  
 port)
 TCP: 27015 (SRCDS Rcon port)

 As you can read here

 http://support.steampowered.com/cgi-bin/steampowered.cfg/php/enduser/std_adp.php?p_faqid=160&p_created=1093381261&p_sid=r_CZGnXh&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MjQmcF9wcm9kcz0wJnBfY2F0cz0wJnBfcHY9JnBfY3Y9JnBfc2VhcmNoX3R5cGU9YW5zd2Vycy5zZWFyY2hfbmwmcF9wYWdlPTEmcF9zZWFyY2hfdGV4dD1wb3J0cw**&p_li=&p_topview=1

 Port opening is not working anymore on the 7.0 , so  
 i m looking for a way to do it

 I did the instructions given by Dub , but it seems not working because under root with winscp , i have two red arrow on S56steam and K03steam , and when i look at db/configuration , only one port is enable ,
the one i did at last (27020)

 Sorry again to be such a noob ....

 Rgds
 Tracks

[tracksattak]

I forgot to say that i followed the above
 instructions again , when i look at  

 /sbin/e-smith/config show  

 I can see the steam service with all the ports
 enabled

 steam=service
    TCPort=27015,27020,27021,27022,27023,27024,27025,27026,27027,27028,27029,27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
    UDPPort=1200,27020,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
 access=public
 status=enabled

 But my server is still not viewable on the net .

 And when i look at the log

 Dec 19 12:33:04 sme-tracker steam: /etc/rc7.d/S56steam: Couldn't find/execute init script for service steam
Dec 19 12:33:04 sme-tracker rc.e-smith: Démarrage de steam : failed


 Also i checked in etc/rc.d/rc7.d and i have s56steam
 but when i check etc/rc.d/rc6.d , i don t see the
 K03steam file.

 If i try to scan my UDP / TCP ports , none of the one i need are open

 Please help

 Rgds
 Tracks

[dub]

a service is like a soft..

if this service (soft)is not installed first, no way to open it at start...ports stay closed.

You must open ports directly without refering to service.
Its really dangereous but it seem to be your only solution.

[tracksattak]

Thanks Dub

 So i need to use iptables to open them ?

 And to do it after each reboot ?

 Like
 
 iptables -I INPUT -i eth1 -p udp --dport 27000:27015 -j ACCEPT

iptables -I OUTPUT -o eth1 -p udp --sport 27000:27015 -j ACCEPT

 Rgds
 tracks

[dub]

i don't know how is the best way in sme7 to do this..
Ip tables shouldn't be the way

Ask around how to do it and give me the result

should be interesting to know

rgds

[tracksattak]

Thanks for your help

 Yes i m in contact with few people to solve my problem . I ll let you know

 Rgds
 Tracks