0ad multiplayer doesn't work when firewalld is enabled.
When I start hosting a game, it waits, waits and fails.
# tcpdump -n -vv -i any host localhost
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:45:45.749575 IP (tos 0x0, ttl 64, id 51251, offset 0, flags [DF], proto UDP (17), length 80)
    192.168.254.10.59827 > 127.0.0.1.20595: [bad udp cksum 0x3e02 -> 0xe001!] UDP, length 52
17:45:46.253279 IP (tos 0x0, ttl 64, id 51252, offset 0, flags [DF], proto UDP (17), length 80)
    192.168.254.10.59827 > 127.0.0.1.20595: [bad udp cksum 0x3e02 -> 0xde09!] UDP, length 52
17:45:47.254587 IP (tos 0x0, ttl 64, id 51253, offset 0, flags [DF], proto UDP (17), length 80)
    192.168.254.10.59827 > 127.0.0.1.20595: [bad udp cksum 0x3e02 -> 0xda20!] UDP, length 52
17:45:49.258627 IP (tos 0x0, ttl 64, id 51254, offset 0, flags [DF], proto UDP (17), length 80)
    192.168.254.10.59827 > 127.0.0.1.20595: [bad udp cksum 0x3e02 -> 0xd24c!] UDP, length 52
17:45:53.265274 IP (tos 0x0, ttl 64, id 51255, offset 0, flags [DF], proto UDP (17), length 80)
    192.168.254.10.59827 > 127.0.0.1.20595: [bad udp cksum 0x3e02 -> 0xc2a5!] UDP, length 52
17:46:01.271421 IP (tos 0x0, ttl 64, id 51256, offset 0, flags [DF], proto UDP (17), length 80)
    192.168.254.10.59827 > 127.0.0.1.20595: [bad udp cksum 0x3e02 -> 0xa360!] UDP, length 52
^C
6 packets captured
12 packets received by filter
0 packets dropped by kernel
If I disable firewalld, I see:
[root@PC ~]# tcpdump -n -vv -i any host localhost
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:47:05.540699 IP (tos 0x0, ttl 64, id 51257, offset 0, flags [DF], proto UDP (17), length 80)
    127.0.0.1.55343 > 127.0.0.1.20595: [bad udp cksum 0xfe4f -> 0x1c5e!] UDP, length 52
17:47:05.540753 IP (tos 0x0, ttl 64, id 51258, offset 0, flags [DF], proto UDP (17), length 76)
    127.0.0.1.20595 > 127.0.0.1.55343: [bad udp cksum 0xfe4b -> 0x2b65!] UDP, length 48
17:47:05.543179 IP (tos 0x0, ttl 64, id 51259, offset 0, flags [DF], proto UDP (17), length 44)
    127.0.0.1.55343 > 127.0.0.1.20595: [bad udp cksum 0xfe2b -> 0xcd8a!] UDP, length 16
17:47:05.543439 IP (tos 0x0, ttl 64, id 51260, offset 0, flags [DF], proto UDP (17), length 61)
    127.0.0.1.20595 > 127.0.0.1.55343: [bad udp cksum 0xfe3c -> 0xff00!] UDP, length 33
17:47:05.552854 IP (tos 0x0, ttl 64, id 51261, offset 0, flags [DF], proto UDP (17), length 38)
    127.0.0.1.55343 > 127.0.0.1.20595: [bad udp cksum 0xfe25 -> 0xd65b!] UDP, length 10
17:47:05.552933 IP (tos 0x0, ttl 64, id 51262, offset 0, flags [DF], proto UDP (17), length 53)
    127.0.0.1.55343 > 127.0.0.1.20595: [bad udp cksum 0xfe34 -> 0x2fd2!] UDP, length 25
17:47:05.553016 IP (tos 0x0, ttl 64, id 51263, offset 0, flags [DF], proto UDP (17), length 38)
    127.0.0.1.20595 > 127.0.0.1.55343: [bad udp cksum 0xfe25 -> 0xd652!] UDP, length 10
17:47:05.553256 IP (tos 0x0, ttl 64, id 51264, offset 0, flags [DF], proto UDP (17), length 65)
    127.0.0.1.20595 > 127.0.0.1.55343: [bad udp cksum 0xfe40 -> 0xe0fb!] UDP, length 37
17:47:05.562232 IP (tos 0x0, ttl 64, id 51265, offset 0, flags [DF], proto UDP (17), length 38)
    127.0.0.1.55343 > 127.0.0.1.20595: [bad udp cksum 0xfe25 -> 0xd64f!] UDP, length 10
17:47:05.562308 IP (tos 0x0, ttl 64, id 51266, offset 0, flags [DF], proto UDP (17), length 75)
    127.0.0.1.55343 > 127.0.0.1.20595: [bad udp cksum 0xfe4a -> 0xd51f!] UDP, length 47
17:47:05.562378 IP (tos 0x0, ttl 64, id 51267, offset 0, flags [DF], proto UDP (17), length 38)
    127.0.0.1.20595 > 127.0.0.1.55343: [bad udp cksum 0xfe25 -> 0xd646!] UDP, length 10
17:47:05.562771 IP (tos 0x0, ttl 64, id 51268, offset 0, flags [DF], proto UDP (17), length 120)
    127.0.0.1.20595 > 127.0.0.1.55343: [bad udp cksum 0xfe77 -> 0x7769!] UDP, length 92
17:47:05.571848 IP (tos 0x0, ttl 64, id 51269, offset 0, flags [DF], proto UDP (17), length 54)
    127.0.0.1.55343 > 127.0.0.1.20595: [bad udp cksum 0xfe35 -> 0xd05e!] UDP, length 26
17:47:05.764008 IP (tos 0x0, ttl 64, id 51270, offset 0, flags [DF], proto UDP (17), length 1406)
    127.0.0.1.20595 > 127.0.0.1.55343: [bad udp cksum 0x037e -> 0xd1fc!] UDP, length 1378
17:47:05.764297 IP (tos 0x0, ttl 64, id 51271, offset 0, flags [DF], proto UDP (17), length 46)
    127.0.0.1.55343 > 127.0.0.1.20595: [bad udp cksum 0xfe2d -> 0xc163!] UDP, length 18
17:47:05.764356 IP (tos 0x0, ttl 64, id 51272, offset 0, flags [DF], proto UDP (17), length 38)
    127.0.0.1.20595 > 127.0.0.1.55343: [bad udp cksum 0xfe25 -> 0xd57a!] UDP, length 10
17:47:05.764522 IP (tos 0x0, ttl 64, id 51273, offset 0, flags [DF], proto UDP (17), length 62)
    127.0.0.1.20595 > 127.0.0.1.55343: [bad udp cksum 0xfe3d -> 0xca77!] UDP, length 34
17:47:05.776700 IP (tos 0x0, ttl 64, id 51274, offset 0, flags [DF], proto UDP (17), length 54)
    127.0.0.1.55343 > 127.0.0.1.20595: [bad udp cksum 0xfe35 -> 0xcdf0!] UDP, length 26
17:47:05.815087 IP (tos 0x0, ttl 64, id 51275, offset 0, flags [DF], proto UDP (17), length 75)
    127.0.0.1.20595 > 127.0.0.1.55343: [bad udp cksum 0xfe4a -> 0xce1a!] UDP, length 47
17:47:05.819560 IP (tos 0x0, ttl 64, id 51276, offset 0, flags [DF], proto UDP (17), length 38)
    127.0.0.1.55343 > 127.0.0.1.20595: [bad udp cksum 0xfe25 -> 0xd53b!] UDP, length 10
17:47:06.276820 IP (tos 0x0, ttl 64, id 51277, offset 0, flags [DF], proto UDP (17), length 36)
    127.0.0.1.55343 > 127.0.0.1.20595: [bad udp cksum 0xfe23 -> 0xce81!] UDP, length 8
17:47:06.276902 IP (tos 0x0, ttl 64, id 51278, offset 0, flags [DF], proto UDP (17), length 38)
    127.0.0.1.20595 > 127.0.0.1.55343: [bad udp cksum 0xfe25 -> 0xd27b!] UDP, length 10
17:47:06.368439 IP (tos 0x0, ttl 64, id 51279, offset 0, flags [DF], proto UDP (17), length 36)
    127.0.0.1.20595 > 127.0.0.1.55343: [bad udp cksum 0xfe23 -> 0xce26!] UDP, length 8
17:47:06.377106 IP (tos 0x0, ttl 64, id 51280, offset 0, flags [DF], proto UDP (17), length 38)
    127.0.0.1.55343 > 127.0.0.1.20595: [bad udp cksum 0xfe25 -> 0xd221!] UDP, length 10
17:47:06.518929 IP (tos 0x0, ttl 64, id 51281, offset 0, flags [DF], proto UDP (17), length 44)
    127.0.0.1.20595 > 127.0.0.1.55343: [bad udp cksum 0xfe2b -> 0xc87f!] UDP, length 16
17:47:06.522748 IP (tos 0x0, ttl 64, id 51282, offset 0, flags [DF], proto UDP (17), length 38)
    127.0.0.1.55343 > 127.0.0.1.20595: [bad udp cksum 0xfe25 -> 0xd189!] UDP, length 10
17:47:06.540883 IP (tos 0x0, ttl 64, id 51283, offset 0, flags [DF], proto UDP (17), length 44)
    127.0.0.1.55343 > 127.0.0.1.20595: [bad udp cksum 0xfe2b -> 0xc868!] UDP, length 16
17:47:06.540967 IP (tos 0x0, ttl 64, id 51284, offset 0, flags [DF], proto UDP (17), length 38)
    127.0.0.1.20595 > 127.0.0.1.55343: [bad udp cksum 0xfe25 -> 0xd171!] UDP, length 10
17:47:06.787348 IP (tos 0x0, ttl 64, id 51285, offset 0, flags [DF], proto UDP (17), length 38)
    127.0.0.1.55343 > 127.0.0.1.20595: [bad udp cksum 0xfe25 -> 0x941f!] UDP, length 10
^C
29 packets captured
58 packets received by filter
0 packets dropped by kernel
[root@PC ~]# iptables-save
# Generated by iptables-save v1.4.19.1 on Sun Jun 1 17:51:07 2014
*nat
:PREROUTING ACCEPT [192:12124]
:INPUT ACCEPT [174:9868]
:OUTPUT ACCEPT [28:2439]
:POSTROUTING ACCEPT [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_0brain - [0:0]
:POST_0brain_allow - [0:0]
:POST_0brain_deny - [0:0]
:POST_0brain_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_0brain - [0:0]
:PRE_0brain_allow - [0:0]
:PRE_0brain_deny - [0:0]
:PRE_0brain_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o p4p1 -g POST_0brain
-A POSTROUTING_ZONES -o bridge0 -g POST_0brain
-A POSTROUTING_ZONES -g POST_0brain
-A POST_0brain -j POST_0brain_log
-A POST_0brain -j POST_0brain_deny
-A POST_0brain -j POST_0brain_allow
-A POST_0brain_allow ! -i lo -j MASQUERADE
-A PREROUTING_ZONES -i p4p1 -g PRE_0brain
-A PREROUTING_ZONES -i bridge0 -g PRE_0brain
-A PREROUTING_ZONES -g PRE_0brain
-A PRE_0brain -j PRE_0brain_log
-A PRE_0brain -j PRE_0brain_deny
-A PRE_0brain -j PRE_0brain_allow
COMMIT
# Completed on Sun Jun 1 17:51:07 2014
# Generated by iptables-save v1.4.19.1 on Sun Jun 1 17:51:07 2014
*mangle
:PREROUTING ACCEPT [391:47603]
:INPUT ACCEPT [389:47503]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [374:72958]
:POSTROUTING ACCEPT [379:74096]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_0brain - [0:0]
:PRE_0brain_allow - [0:0]
:PRE_0brain_deny - [0:0]
:PRE_0brain_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i p4p1 -g PRE_0brain
-A PREROUTING_ZONES -i bridge0 -g PRE_0brain
-A PREROUTING_ZONES -g PRE_0brain
-A PRE_0brain -j PRE_0brain_log
-A PRE_0brain -j PRE_0brain_deny
-A PRE_0brain -j PRE_0brain_allow
COMMIT
# Completed on Sun Jun 1 17:51:07 2014
# Generated by iptables-save v1.4.19.1 on Sun Jun 1 17:51:07 2014
*security
:INPUT ACCEPT [361:44669]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [375:72998]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Sun Jun 1 17:51:07 2014
# Generated by iptables-save v1.4.19.1 on Sun Jun 1 17:51:07 2014
*raw
:PREROUTING ACCEPT [392:47655]
:OUTPUT ACCEPT [375:72998]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Sun Jun 1 17:51:07 2014
# Generated by iptables-save v1.4.19.1 on Sun Jun 1 17:51:07 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [374:72958]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_0brain - [0:0]
:FWDI_0brain_allow - [0:0]
:FWDI_0brain_deny - [0:0]
:FWDI_0brain_log - [0:0]
:FWDO_0brain - [0:0]
:FWDO_0brain_allow - [0:0]
:FWDO_0brain_deny - [0:0]
:FWDO_0brain_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_0brain - [0:0]
:IN_0brain_allow - [0:0]
:IN_0brain_deny - [0:0]
:IN_0brain_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i p4p1 -g FWDI_0brain
-A FORWARD_IN_ZONES -i bridge0 -g FWDI_0brain
-A FORWARD_IN_ZONES -g FWDI_0brain
-A FORWARD_OUT_ZONES -o p4p1 -g FWDO_0brain
-A FORWARD_OUT_ZONES -o bridge0 -g FWDO_0brain
-A FORWARD_OUT_ZONES -g FWDO_0brain
-A FWDI_0brain -j FWDI_0brain_log
-A FWDI_0brain -j FWDI_0brain_deny
-A FWDI_0brain -j FWDI_0brain_allow
-A FWDO_0brain -j FWDO_0brain_log
-A FWDO_0brain -j FWDO_0brain_deny
-A FWDO_0brain -j FWDO_0brain_allow
-A FWDO_0brain_allow -j ACCEPT
-A INPUT_ZONES -i p4p1 -g IN_0brain
-A INPUT_ZONES -i bridge0 -g IN_0brain
-A INPUT_ZONES -g IN_0brain
-A IN_0brain -j IN_0brain_log
-A IN_0brain -j IN_0brain_deny
-A IN_0brain -j IN_0brain_allow
-A IN_0brain_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_0brain_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_0brain_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
-A IN_0brain_allow -p tcp -m tcp --dport 139 -m conntrack --ctstate NEW -j ACCEPT
-A IN_0brain_allow -p tcp -m tcp --dport 445 -m conntrack --ctstate NEW -j ACCEPT
-A IN_0brain_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_0brain_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_0brain_allow -p tcp -m tcp --dport 5900:5903 -m conntrack --ctstate NEW -j ACCEPT
-A IN_0brain_allow -p udp -m udp --dport 20595 -m conntrack --ctstate NEW -j ACCEPT
-A IN_0brain_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_0brain_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_0brain_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
-A IN_0brain_allow -p tcp -m tcp --dport 51413 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sun Jun 1 17:51:07 2014
On 06/01/2014 03:54 PM, Igor Gnatenko wrote:
> -A IN_0brain_allow -p udp -m udp --dport 20595 -m conntrack --ctstate NEW -j ACCEPT
I've no idea what else except 20595/udp you need. You can run 'ss -putnl | grep <binary name>' to see what ports the program listens on.
-- Jiri
I've disabled MASQUERADE and it fixes my problem. Sent a bug to upstream [0].
[0] http://trac.wildfiregames.com/ticket/2606#comment:2
On Tue, Jun 3, 2014 at 12:16 PM, Jiri Popelka <jpopelka@redhat.com> wrote:
> On 06/01/2014 03:54 PM, Igor Gnatenko wrote:
>> -A IN_0brain_allow -p udp -m udp --dport 20595 -m conntrack --ctstate NEW -j ACCEPT
> I've no idea what else except 20595/udp you need. You can run 'ss -putnl | grep <binary name>' to see what ports the program listens on.
> -- Jiri
firewalld-users@lists.fedorahosted.org
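A check for the two things this thread's output shows: packets bound for a loopback address whose source is not a loopback address, and nat-table MASQUERADE rules with no source or output-interface match. This is an added example, not part of the original messages; the function names are hypothetical and the "unscoped" test is a heuristic assumption, with sample input excerpted from the dumps above.

```python
import ipaddress
import re

# Excerpt: one address line from each tcpdump capture in the thread.
SAMPLE_CAPTURE = """\
192.168.254.10.59827 > 127.0.0.1.20595: [bad udp cksum 0x3e02 -> 0xe001!] UDP, length 52
127.0.0.1.55343 > 127.0.0.1.20595: [bad udp cksum 0xfe4f -> 0x1c5e!] UDP, length 52
"""
# Excerpt: a few rules from the iptables-save dump in the thread.
SAMPLE_RULES = """\
*nat
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_ZONES
-A POST_0brain_allow ! -i lo -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
COMMIT
"""

# tcpdump -n prints IPv4 endpoints as a.b.c.d.port
FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def rewritten_loopback_flows(capture):
    """Return (src, dst) pairs sent to a loopback address from a non-loopback source."""
    hits = []
    for m in FLOW.finditer(capture):
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(3))
        if dst.is_loopback and not src.is_loopback:
            hits.append((f"{src}:{m.group(2)}", f"{dst}:{m.group(4)}"))
    return hits

def unscoped_masquerade_rules(ruleset):
    """Return nat-table MASQUERADE rules that match on neither -s nor -o."""
    table, hits = None, []
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):          # "*nat", "*filter", ... starts a table
            table = line[1:]
        elif table == "nat" and line.startswith("-A") and "-j MASQUERADE" in line:
            tokens = line.split()
            # Heuristic (assumption): no source and no output interface restriction.
            if "-s" not in tokens and "-o" not in tokens:
                hits.append(line)
    return hits

if __name__ == "__main__":
    print(rewritten_loopback_flows(SAMPLE_CAPTURE))
    print(unscoped_masquerade_rules(SAMPLE_RULES))
```

On a live host the same inputs come from `tcpdump -n -i any` and `iptables-save`; `firewall-cmd --zone=<zone> --query-masquerade` reports whether a firewalld zone has masquerading enabled.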