# Issue with iptables based gateway and Xbox Live

## RelievedSimpleton

Hello,

I have been setting up a new gateway/firewall system for the home network and trying to get more familiar with iptables as well.  I seem to be having one problem that I can't get around however, no matter what I try, I can't get Xbox Live to work properly.  The Xbox 360 reports Moderate NAT where I would like it to be Open NAT like it was with the old standalone router.  I can't seem to pinpoint the issue and have done some extensive googling and come up with very little information, and what I've found doesn't seem to work.  I'm starting to wonder if it's a problem with another rule I have somewhere.  Anyways, was wondering if anyone had any suggestions or information about the Xbox Live problem.  Also other tips would be appreciated.  Attached is the script I run at system startup.  The last 4 lines are the forwards for Xbox Live.

Thanks,

-RS

Edit:  Found the solution after a bit of searching.  Turns out if you just install an upnpd, it works, so I figured out the commands the upnpd uses and they are as follows.

```
iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 88 -j DNAT --to xxx.xxx.xxx.xxx
iptables -t nat -A PREROUTING -p udp -i $EXTIF --dport 88 -j DNAT --to xxx.xxx.xxx.xxx
iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport 3074 -j DNAT --to xxx.xxx.xxx.xxx:3074
iptables -I FORWARD -p udp -d xxx.xxx.xxx.xxx --dport 3074 -j ACCEPT
```

xxx.xxx.xxx.xxx being the 360's IP obviously.

Just figured I'd update this post since I'm sure sometime in the future someone will be looking for this solution as well.

```
#!/bin/sh

echo -e "\n\nSETTING UP IPTABLES FIREWALL..."

INTIF="eth1"
INTNET="10.6.12.0/24"
INTIP="10.6.12.1/24"
EXTIF="eth0"
EXTIP="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

UNIVERSE="0.0.0.0/0"

iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F

if [ "`iptables -L | grep drop-and-log-it`" ]; then
        iptables -F drop-and-log-it
fi

iptables -X
iptables -Z

# Custom chain: log the packet, then reject it.
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT

echo -e "     - Loading INPUT rulesets"
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# Anti-spoofing: packets arriving on the external interface with an internal source.
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
# NOTE: this rule accepts every unsolicited packet from the Internet to the
# gateway itself, so the ESTABLISHED,RELATED rule right after it never matches.
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e "     - Loading OUTPUT rulesets"
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e "     - Loading FORWARD rulesets"
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -A FORWARD -j drop-and-log-it

# Masquerade outbound traffic from the LAN behind the external address.
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

echo -e "    Firewall server rule loading complete\n\n"

#FORWARDING
#iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 8080 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 48202 -j DNAT --to 10.6.12.10:48202
iptables -I FORWARD -p tcp -i $EXTIF -d 10.6.12.10 --dport 48202 -j ACCEPT
# Xbox Live DNATs. Without a matching FORWARD ACCEPT for the console (the rule
# added in the edit above), DNATed packets to 10.6.12.20 still reach
# drop-and-log-it at the end of the FORWARD chain.
iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 88 -j DNAT --to 10.6.12.20
iptables -t nat -A PREROUTING -p udp -i $EXTIF --dport 88 -j DNAT --to 10.6.12.20
iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 3074 -j DNAT --to 10.6.12.20
iptables -t nat -A PREROUTING -p udp -i $EXTIF --dport 3074 -j DNAT --to 10.6.12.20
```
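The solution above boils down to one DNAT per port and protocol plus a FORWARD ACCEPT that precedes the chain's final drop-and-log-it rule. The script below is an added example, not RelievedSimpleton's script or anything posted in this thread: it prints that rule set for one or more consoles instead of applying it, and it goes one step beyond the post by refusing to emit a second DNAT for a port that is already forwarded, because only the first matching PREROUTING rule ever fires for a given external port, so a second console listed for the same port would never receive it. `EXTIF`, the port list (88 and 3074, TCP and UDP, as in the rules above) and the console addresses are assumptions for the example.

```shell
#!/bin/sh
# Added example for this thread (not the original poster's script). Prints the
# PREROUTING/FORWARD rules that forward Xbox Live ports to a console and marks
# every port a second console cannot also receive. Review the output, then pipe
# it to sh as root to apply it. EXTIF and the console IPs are placeholders.

EXTIF="${EXTIF:-eth0}"
# Ports the thread's rules forward: 88 and 3074, both TCP and UDP.
XBL_PORTS="88 3074"
XBL_PROTOS="tcp udp"

# plan_xbox_live "IP1 IP2 ...": print iptables commands for every port/protocol
# that is still free, and a '#' comment for every port a later console cannot
# have because an earlier console already owns the DNAT for it.
plan_xbox_live() {
    claimed=""
    for ip in $1; do
        for proto in $XBL_PROTOS; do
            for port in $XBL_PORTS; do
                key="$proto/$port"
                owner=""
                for c in $claimed; do
                    case "$c" in "$key="*) owner="${c#*=}" ;; esac
                done
                if [ -n "$owner" ]; then
                    echo "# $key is already forwarded to $owner; $ip cannot receive it too"
                    continue
                fi
                claimed="$claimed $key=$ip"
                # DNAT rewrites the destination in PREROUTING; the FORWARD rule is
                # inserted at the top of the chain (-I) so it precedes the chain's
                # final drop-and-log-it rule, and it matches only this host/port.
                echo "iptables -t nat -A PREROUTING -i $EXTIF -p $proto --dport $port -j DNAT --to-destination $ip:$port"
                echo "iptables -I FORWARD -i $EXTIF -p $proto -d $ip --dport $port -m state --state NEW -j ACCEPT"
            done
        done
    done
}

# count_rules "IP1 IP2": number of iptables commands the plan contains.
count_rules() {
    plan_xbox_live "$1" | grep -c '^iptables ' || true
}

# count_conflicts "IP1 IP2": number of port/protocol pairs a later console loses.
count_conflicts() {
    plan_xbox_live "$1" | grep -c '^#' || true
}

if [ $# -gt 0 ]; then
    plan_xbox_live "$*"
fi
```

Running it as `sh plan.sh 10.6.12.20` prints eight rules; `sh plan.sh 10.6.12.20 10.6.12.30` prints the same eight rules plus four comments, which is the direct reason a second console behind the same DNATs cannot get the same result as the first. After applying, `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show the packet counters per rule, which is the quickest way to see whether traffic is actually hitting the DNAT and the ACCEPT.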

----------

## broconne

Very helpful post.

Thanks for coming back with a solution.  Worked like a charm for me and I was unable to get UPnP to work properly on gentoo.

----------

## linuxbgood

I did it a little different than you, I did have some problems with nat once I added the 2nd xbox but both are open now.

```
###############################################################
# My Xbox 360 172.16.4.51
###############################################################
#Xbox Live
iptables -A FORWARD -p udp -i $EXTIF --dport 1024:1259 -d 172.16.4.51 -j ACCEPT
iptables -A FORWARD -p udp -i $EXTIF --dport 3074:3831 -d 172.16.4.51 -j ACCEPT
#nat
iptables -t nat -A PREROUTING -p udp --dport 3074 -i $EXTIF -j DNAT --to 172.16.4.51
iptables -t nat -A PREROUTING -p udp --dport 88 -i $EXTIF -j DNAT --to 172.16.4.51

###############################################################
# Jakes Xbox 360 172.16.4.55
###############################################################
#Xbox Live
iptables -A FORWARD -p udp -i $EXTIF --dport 1024:1259 -d 172.16.4.55 -j ACCEPT
iptables -A FORWARD -p udp -i $EXTIF --dport 3074:3831 -d 172.16.4.55 -j ACCEPT
#nat
iptables -t nat -A PREROUTING -p udp --dport 3074 -i $EXTIF -j DNAT --to 172.16.4.55
iptables -t nat -A PREROUTING -p udp --dport 88 -i $EXTIF -j DNAT --to 172.16.4.55
```

I'm still getting a few errors in dmesg and don't know how to deal with it, everything seems to work. Any ideas or hints for an iptables tard?

```
INPUT DROPPED: IN=eth0 OUT= MAC=00:08:a1:12:bd:54:00:19:2f:e6:04:05:08:00 SRC=67.224.52.156 DST=xxxxxxxxx LEN=150 TOS=0x00 PREC=0x20 TTL=51 ID=4491 PROTO=UDP SPT=52026 DPT=1024 LEN=130
INPUT DROPPED: IN=eth0 OUT= MAC=00:08:a1:12:bd:54:00:19:2f:e6:04:05:08:00 SRC=71.193.87.220 DST=xxxxxxxxx LEN=150 TOS=0x00 PREC=0x00 TTL=51 ID=5477 PROTO=UDP SPT=3074 DPT=1024 LEN=130
INPUT DROPPED: IN=eth0 OUT= MAC=00:08:a1:12:bd:54:00:19:2f:e6:04:05:08:00 SRC=67.224.52.156 DST=xxxxxxxxx LEN=150 TOS=0x00 PREC=0x20 TTL=51 ID=4525 PROTO=UDP SPT=52026 DPT=1024 LEN=130
INPUT DROPPED: IN=eth0 OUT= MAC=00:08:a1:12:bd:54:00:19:2f:e6:04:05:08:00 SRC=71.193.87.220 DST=xxxxxxxxx LEN=150 TOS=0x00 PREC=0x00 TTL=51 ID=5515 PROTO=UDP SPT=3074 DPT=1024 LEN=130
INPUT DROPPED: IN=eth0 OUT= MAC=00:08:a1:12:bd:54:00:19:2f:e6:04:05:08:00 SRC=67.224.52.156 DST=xxxxxxxxx LEN=150 TOS=0x00 PREC=0x20 TTL=51 ID=4559 PROTO=UDP SPT=52026 DPT=1024 LEN=130
INPUT DROPPED: IN=eth0 OUT= MAC=00:08:a1:12:bd:54:00:19:2f:e6:04:05:08:00 SRC=71.193.87.220 DST=xxxxxxxxx LEN=150 TOS=0x00 PREC=0x00 TTL=51 ID=5549 PROTO=UDP SPT=3074 DPT=1024 LEN=130
INPUT DROPPED: IN=eth0 OUT= MAC=00:08:a1:12:bd:54:00:19:2f:e6:04:05:08:00 SRC=67.224.52.156 DST=xxxxxxxxx LEN=150 TOS=0x00 PREC=0x20 TTL=51 ID=4593 PROTO=UDP SPT=52026 DPT=1024 LEN=130
INPUT DROPPED: IN=eth0 OUT= MAC=00:08:a1:12:bd:54:00:19:2f:e6:04:05:08:00 SRC=71.193.87.220 DST=xxxxxxxxx LEN=150 TOS=0x00 PREC=0x00 TTL=51 ID=5585 PROTO=UDP SPT=3074 DPT=1024 LEN=130
INPUT DROPPED: IN=eth0 OUT= MAC=00:08:a1:12:bd:54:00:19:2f:e6:04:05:08:00 SRC=71.193.87.220 DST=xxxxxxxxx LEN=150 TOS=0x00 PREC=0x00 TTL=51 ID=5624 PROTO=UDP SPT=3074 DPT=1024 LEN=130
INPUT DROPPED: IN=eth0 OUT= MAC=00:08:a1:12:bd:54:00:19:2f:e6:04:05:08:00 SRC=202.97.238.198 DST=xxxxxxxxx LEN=485 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP SPT=45106 DPT=1026 LEN=465
```
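The dmesg lines above are iptables LOG output, and a line logged from INPUT means the packet was never DNATed at all: it reached the gateway itself. The script below is an added example, not linuxbgood's code or anything else posted in this thread. It parses lines in that format, summarises them by protocol, destination port and source, and separates ports that the rules above forward (88 and 3074, assumed as the DNAT list) from ports that nothing forwards, so you can tell a missing DNAT (a forwarded port still showing up in INPUT for a protocol the DNAT does not cover) from plain unsolicited noise that the default policy is handling as intended. The sample lines are constructed, modelled on the post's output, with documentation-range addresses.

```shell
#!/bin/sh
# Added example (not from the thread): summarise iptables "INPUT DROPPED" LOG
# lines and flag the destination ports that no DNAT rule covers.
# Assumptions: LOG prefix "INPUT DROPPED: " and DNAT ports 88 and 3074.

# Constructed sample lines in the format shown in the thread (addresses are
# documentation ranges, not the original ones).
SAMPLE_LOG='INPUT DROPPED: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.10 DST=192.0.2.1 LEN=150 TOS=0x00 PREC=0x00 TTL=51 ID=4491 PROTO=UDP SPT=3074 DPT=1024 LEN=130
INPUT DROPPED: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.10 DST=192.0.2.1 LEN=150 TOS=0x00 PREC=0x00 TTL=51 ID=4525 PROTO=UDP SPT=3074 DPT=1024 LEN=130
INPUT DROPPED: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=485 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP SPT=45106 DPT=1026 LEN=465
INPUT DROPPED: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.11 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=77 PROTO=TCP SPT=40000 DPT=3074 LEN=40'

# Ports the thread's PREROUTING rules redirect to the console.
DNAT_PORTS="88 3074"

# summarise_drops: read LOG lines on stdin, print "PROTO DPT SRC count",
# most frequent first. Every KEY=VALUE token is split; tokens without '='
# (such as DF) are ignored.
summarise_drops() {
    awk '
        /INPUT DROPPED:/ {
            proto = ""; dpt = ""; src = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src != "" && dpt != "") count[proto " " dpt " " src]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort -k4,4nr -k1,3
}

# port_is_dnatted PORT: succeed if PORT is one the DNAT rules forward.
port_is_dnatted() {
    for p in $DNAT_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# list_uncovered: summary lines whose destination port has no DNAT rule at all.
# Anything left out of this list but still present in the summary is a
# forwarded port that reached INPUT anyway, i.e. the DNAT did not match it
# (for example a TCP packet when only the UDP DNAT exists).
list_uncovered() {
    summarise_drops | while read -r proto dpt src n; do
        port_is_dnatted "$dpt" || echo "$proto $dpt $src $n"
    done
}

echo "== all drops =="
printf '%s\n' "$SAMPLE_LOG" | summarise_drops
echo "== drops on ports with no DNAT rule =="
printf '%s\n' "$SAMPLE_LOG" | list_uncovered
```

On a live box, feed it with `dmesg | sh drops.sh`-style input by replacing the sample with `cat` on stdin; adding `--log-prefix` to the LOG rule (as the thread's "INPUT DROPPED: " prefix already does) and `-m limit` in front of it keeps the summary readable and stops a burst of unsolicited packets from flooding the kernel log.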

----------

## linuxbgood

Seems the input dropped in dmesg had nothing to do with xbox live, PS2 you would get a lot of input dropped from other players so I assumed it had something to do with xbox but it's just spam.

----------

## dlambeth

Just set all your network devices to use an MTU size of 1364, including your linux box and be done with the problem. Use DRTCP to change all your PCs. Of course you would need to put this in your crontab.

```
#!/bin/bash
MTU="1364"
#MTU="1500"
#if [ `ifconfig eth0 |grep MTU |cut -d \: -f 2 |cut -d \  -f 1` =  "1364" ];
#   then
#echo "good"
#else
for addr in "$MTU"; do
/sbin/ifconfig eth0 mtu $MTU
done
exit
```

----------

## Hu

dlambeth, did you notice that this thread was last touched in June 2008?

*dlambeth wrote:*

> Just set all your network devices to use an MTU size of 1364, including your linux box and be done with the problem. Use DRTCP to change all your PC's. Of course you would need to put this in your crontab.

What are you proposing to place in the crontab?  The bash script you showed, in addition to being somewhat buggy, only needs to run when the interface is reconfigured.  That reconfiguration can be detected by using the hook script of your DHCP client of choice.  Placing it in a crontab is overkill.

*dlambeth wrote:*

> ```
> for addr in "$MTU"; do
> ...
> ```

Usually, a for loop will use the iteration variable.  There are some cases where the iteration variable is legitimately unused, but this does not appear to be one of them.

----------

## Spidey

Sorry for bumping such an old thread, but I have a similar problem. I can use my Xbox correctly, get open NAT and all, but my Windows box doesn't. I mean, while using Games for Windows Live games, I can't get open NAT without UPnP on my PC, only on my Xbox. Any thoughts?

----------

## Hu

Spidey: I understand that something is not working for you, but it is not clear to me what you have done or why you expect that to produce a working environment.  Please start a new thread and post:

- `emerge --info net-firewall/iptables`
- `iptables-save -c`
- `ip6tables-save -c`
- The game you want to work
- Which TCP ports it requires and which UDP ports it requires
- An explanation of how UPnP fits into this

----------

## linuxbgood

Maybe I don't understand MTU like I thought, but why would you want to lower it to 1364?

I actually never got the 2nd Xbox in the rules to have open nat, just moderate nat.  I gave up as it worked good enough for me as long as my son's xbox was named first or he couldn't do group chat (something I never do) and searching was a little slower.

----------

## Hu

*linuxbgood wrote:*

> Maybe I don't understand MTU like I thought, but why would you want to lower it to 1364?

If you send a packet larger than the PMTU, then it will not reach the far end.  Some "criminally braindead ISPs or servers" (see man iptables) do not return an error in this case, but instead silently drop your packet (and any retransmissions of it), causing the connection to hang.  Forcing your MTU to a lower value can allow your traffic to pass such misconfigured devices, but the first course of action should always be to fix the broken device (or, if it is not yours, complain to the person who can fix it).

----------

## Spidey

It was just a random rant about Games for Windows Live (on Windows, not on Gentoo) not working correctly. I use a Tomato USB wireless router, it's an ASUS RT-N16, it uses iptables AFAIK, but I don't configure it by hand, but by the web interface. Anyways, I used to have an ethernet wireless bridge, which is basically a router without a WAN port. This forced me to use it as an AP, so the main router in my home network was my ADSL modem.

So, to make it clear, my ADSL modem was my home router (gateway and dhcp server), and my "wireless device" was a simple access point, in bridged mode. Every device, wired or wireless, was in the same subnet, 192.168.254.0/24. To make things worse, my adsl modem/router has a terrible bug that it crashes/resets itself when Skype is open, if UPnP is activated. That forced me to disable UPnP, and then I started needing to configure port forwarding entries by hand. That's when the nightmare started.

After searching for a while, I discovered which ports Xbox Live used, it was a couple ports for the initial connection and then a 10 port range for permanent connection (I guess, that's not a fact). I could forward the ports to my Xbox, and then it got Open NAT. But my Windows reported Strict NAT under Games for Windows Live games. I tried forwarding one port of the 10 in the port range, without success. I just lived with a strict NAT at the PC.

Now I got this new router, RT-N16, and it doesn't have that nasty bug. So my adsl modem is now in bridged mode, and my wireless router connects to the internet, serves dhcp, etc. My wireless and wired networks are separated. Everything works alright. UPnP is active. But nevertheless, the last time I checked, GfWL games still had Strict NAT.

Making it short: RANDOM RANT. I've adopted Gentoo as my main OS, I just boot to Windows to play StarCraft II and Team Fortress II. Street Fighter IV, the GfWL game that I used to play, was deprecated in favor of Super Street Fighter IV Arcade Edition on my Xbox, which has Open NAT correctly. I think Microsoft didn't implement the UPnP client correctly or something on their devices. Or maybe I'm just crazy, and UPnP solved my problem altogether and I didn't bother to check or didn't remember to, and my historically bad opinion is biasing this report.

Over.

----------

