  1. #1
    Join Date
    Jul 2002
    Location
    somewhere
    Posts
    3

    RedHat 7.2 Installation - need someone to check

    Ok I will just lay out my setup and copy my scripts to here to try and give a complete picture.

    Base dir: /usr/sbin/teamspeak/tss
    ini file:

    [Version]
    ServerVersion=v1.2.2

    [Passwords]
    ServerPassword=dog
    AdminPassword=joe

    [General]
    Servername=Area51 Server
    MaxClients=16

    [Networking]
    TCPPort=8765
    IP=68.98.64.221

    [Ping]
    MaxPingTries=3
    PingWaitTime=15000
    IdleTimeBeforePing=5000

    [WebStatus]
    Active=0
    TeamSpeakSite_Active=0
    TeamSpeakSite_DisplayInWebList=0
    WebPostURL=http://
    WebPostLinkUrl=http://www.teamspeak.net

    Startscript:

    #! /bin/bash
    # Copyright (c) 2001 TeamSpeak team All rights reserved.
    #
    # Author: Niels Werensteijn 2001
    #
    # add a directory to all options (ini,log and pid) and this will always work :P
    #

    case "$1" in
    start)
    ./tss -INI=/etc/tsserver.ini -LOG=/var/tsserver.log -PID=/usr/sbin/teamspeak/tss/tsserver.pid
    ;;
    stop)
    kill -TERM `cat tsserver.pid`
    ;;
    restart)
    $0 stop && $0 start || return=$rc_failed
    ;;
    *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    esac
    exit 0

    All paths are verified. The daemon starts, here is some log output:

    01/07/2002 19:12:45 | Done reading ini file
    01/07/2002 19:12:45 | UDP+TCP created
    01/07/2002 19:12:45 | Creating ping thread
    01/07/2002 19:12:45 | Created ping thread
    01/07/2002 19:12:45 | Creating UDPsender thread
    01/07/2002 19:12:45 | Created UDPsender thread
    01/07/2002 19:12:45 | UDPSender.Execute
    01/07/2002 19:12:45 | Activated tcp/udp
    01/07/2002 19:12:45 | Started Ping Thread
    01/07/2002 19:12:45 | ----TeamSpeak server started----
    01/07/2002 19:12:45 | PingThread.Execute
    01/07/2002 19:12:45 | TeamSpeak Server daemon activated
    01/07/2002 19:15:46 | ----Entering Server_DeInit ----
    01/07/2002 19:15:46 | Server_DeInit -- pingpong term sent
    01/07/2002 19:15:46 | Server_DeInit -- UDPThread term + event sent
    01/07/2002 19:15:46 | UDPSender.Terminated
    01/07/2002 19:15:46 | PingThread.Terminated
    01/07/2002 19:15:47 | Server_DeInit -- Slept 2 secs
    01/07/2002 19:15:47 | Server_DeInit -- Stopped TCP
    01/07/2002 19:15:48 | Server_DeInit -- Stopped UDP
    01/07/2002 19:15:48 | ----TeamSpeak server shutdown----
    01/07/2002 19:15:48 | TeamSpeak Server daemon shutdown
    01/07/2002 19:15:52 | ----Entering server init----
    01/07/2002 19:15:52 | Created Threadlists
    01/07/2002 19:15:52 | Done reading ini file
    01/07/2002 19:15:52 | UDP+TCP created
    01/07/2002 19:15:52 | Creating ping thread
    01/07/2002 19:15:52 | Created ping thread
    01/07/2002 19:15:52 | Creating UDPsender thread
    01/07/2002 19:15:52 | Created UDPsender thread
    01/07/2002 19:15:52 | UDPSender.Execute
    01/07/2002 19:15:52 | Activated tcp/udp
    01/07/2002 19:15:52 | Started Ping Thread
    01/07/2002 19:15:52 | ----TeamSpeak server started----
    01/07/2002 19:15:52 | PingThread.Execute
    01/07/2002 19:15:52 | TeamSpeak Server daemon activated

    Here are the associated procs I see:

    root 1666 1 0 19:15 pts/0 00:00:00 ./tss -INI=/etc/tsserver.ini -LO
    root 1667 1666 0 19:15 pts/0 00:00:00 ./tss -INI=/etc/tsserver.ini -LO
    root 1668 1667 0 19:15 pts/0 00:00:00 ./tss -INI=/etc/tsserver.ini -LO
    root 1669 1667 0 19:15 pts/0 00:00:00 ./tss -INI=/etc/tsserver.ini -LO
    root 1670 1667 0 19:15 pts/0 00:00:00 ./tss -INI=/etc/tsserver.ini -LO
    root 1671 1667 0 19:15 pts/0 00:00:00 ./tss -INI=/etc/tsserver.ini -LO

    This box is a router also. The outside world goes directly into it, and is then from it distributed to the rest of my network, I don't want to explain IP masquerading and IPTables here - but that's what it is.

    But I cannot connect from one of my other boxes, error no computer on other end. Why?

    Thanks.

  2. #2
    Join Date
    Jun 2002
    Location
    Northern California
    Posts
    351
    What's the topology? What does ifconfig report? What's the address of the box that fails?

    You're setting the IP for the server explicitly, so it probably listens only on that address. Are you connecting to that address from the inside client? (If you want to listen on all interfaces, use 0.0.0.0 as the address.)

    From the box that fails, try telnet'ing to the tss server/port and see if you can get a connection:

    telnet 68.98.64.221 8765

    From the server, try using "lsof -i" as root to see what ports are in use, and what ports and interfaces tss is listening on.

  3. #3
    Join Date
    Jul 2002
    Location
    somewhere
    Posts
    3
    Here is the ifconfig output:

    eth0 Link encap:Ethernet HWaddr 00:60:97:34:40:F4
    inet addr:68.98.64.221 Bcast:68.98.71.255 Mask:255.255.248.0
    UP BROADCAST NOTRAILERS RUNNING MTU:1500 Metric:1
    RX packets:18047779 errors:67 dropped:0 overruns:0 frame:70
    TX packets:20622659 errors:0 dropped:0 overruns:0 carrier:3
    collisions:321734 txqueuelen:100
    RX bytes:3376009531 (3219.6 Mb) TX bytes:720850817 (687.4 Mb)
    Interrupt:11 Base address:0xee80

    eth1 Link encap:Ethernet HWaddr 00:10:4B:33:0A:9E
    inet addr:192.168.1.1 Bcast:0.0.0.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:20661052 errors:0 dropped:0 overruns:0 frame:0
    TX packets:16169236 errors:0 dropped:0 overruns:0 carrier:0
    collisions:109454 txqueuelen:100
    RX bytes:725373557 (691.7 Mb) TX bytes:3245341720 (3094.9 Mb)
    Interrupt:9 Base address:0xed80

    The box that's 'failing' (to connect to the ts server running) is internal to my masq network, so it's 192.168.1.something

    I cannot telnet to it as you requested.
    Here is the lsof output:


    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    portmap 585 root 3u IPv4 884 UDP *:sunrpc
    portmap 585 root 4u IPv4 885 TCP *:sunrpc (LISTEN)
    rpc.statd 613 root 4u IPv4 911 UDP *:789
    rpc.statd 613 root 5u IPv4 942 UDP *:1024
    rpc.statd 613 root 6u IPv4 945 TCP *:1024 (LISTEN)
    sshd 764 root 3u IPv4 1064 TCP *:ssh (LISTEN)
    xinetd 797 root 3u IPv4 1083 TCP mylinux:1025 (LISTEN)
    X 1211 root 1u IPv4 34977 TCP *:x11 (LISTEN)
    mozilla-b 1336 root 28u IPv4 48329 TCP ip68-98-64-221.ph.ph.cox.net:1075->www.hg-computer.de:http (CLOSE_WAIT)
    mozilla-b 1361 root 28u IPv4 48329 TCP ip68-98-64-221.ph.ph.cox.net:1075->www.hg-computer.de:http (CLOSE_WAIT)
    mozilla-b 1362 root 28u IPv4 48329 TCP ip68-98-64-221.ph.ph.cox.net:1075->www.hg-computer.de:http (CLOSE_WAIT)
    mozilla-b 1363 root 28u IPv4 48329 TCP ip68-98-64-221.ph.ph.cox.net:1075->www.hg-computer.de:http (CLOSE_WAIT)
    fam 1367 root 0u IPv4 1083 TCP mylinux:1025 (LISTEN)
    fam 1367 root 1u IPv4 1083 TCP mylinux:1025 (LISTEN)
    fam 1367 root 2u IPv4 1083 TCP mylinux:1025 (LISTEN)
    mozilla-b 1441 root 28u IPv4 48329 TCP ip68-98-64-221.ph.ph.cox.net:1075->www.hg-computer.de:http (CLOSE_WAIT)
    tss 1666 root 7u IPv4 40396 UDP ip68-98-64-221.ph.ph.cox.net:8766
    tss 1666 root 8u IPv4 40397 TCP ip68-98-64-221.ph.ph.cox.net:8765 (LISTEN)
    tss 1667 root 7u IPv4 40396 UDP ip68-98-64-221.ph.ph.cox.net:8766
    tss 1667 root 8u IPv4 40397 TCP ip68-98-64-221.ph.ph.cox.net:8765 (LISTEN)
    tss 1668 root 7u IPv4 40396 UDP ip68-98-64-221.ph.ph.cox.net:8766
    tss 1668 root 8u IPv4 40397 TCP ip68-98-64-221.ph.ph.cox.net:8765 (LISTEN)
    tss 1669 root 7u IPv4 40396 UDP ip68-98-64-221.ph.ph.cox.net:8766
    tss 1669 root 8u IPv4 40397 TCP ip68-98-64-221.ph.ph.cox.net:8765 (LISTEN)
    tss 1670 root 7u IPv4 40396 UDP ip68-98-64-221.ph.ph.cox.net:8766
    tss 1670 root 8u IPv4 40397 TCP ip68-98-64-221.ph.ph.cox.net:8765 (LISTEN)
    tss 1671 root 7u IPv4 40396 UDP ip68-98-64-221.ph.ph.cox.net:8766
    tss 1671 root 8u IPv4 40397 TCP ip68-98-64-221.ph.ph.cox.net:8765 (LISTEN)

  4. #4
    Join Date
    Jun 2002
    Location
    Northern California
    Posts
    351
    The first thing I notice is that your eth1 broadcast address is messed up. It should be 192.168.1.255. But that shouldn't affect this.

    The lsof output looks reasonable. You've got a bunch of tss processes listening for connections on eth0. The telnet should have worked. I can see that you're browsing the TS website with Mozilla.

    A few worrisome things: You have portmap, rpc.statd, and fam running and listening on all interfaces. Do you have those firewalled? You don't want outsiders connecting to those.

    You should be able to patch the fam file for xinetd.d to only listen on 127.0.0.1, as it's only needed by the file browsers in X desktops. (There's a bugzilla on this.) Or just disable it, if you don't need your file browser to automatically detect changes in the file system (my preference).

    Why are portmap and rpc.statd running? Disable them if you don't need them.

    How complex is your iptables setup? Perhaps you could post that. (Coincidentally, I'm struggling with debugging an iptables ruleset myself.)

  5. #5
    Join Date
    Jul 2002
    Location
    somewhere
    Posts
    3
    Well that sounds like good advice, I may lock things up a bit like you suggest.

    But that doesn't really help as to why I cannot connect to that TS server, I have hosted other things with no problem, it may seem weird to go out to an external DNS and use the whole outside world from inside my network just to get back to the router, but that's what the masq does.

    I will post the iptables script I use for you, it is a pieced together and hacked together thing I took 2 weeks off and on to make work just so I could get the latest version of showeq working about a year ago - I used to use IPchains (actually ipfwadm-wrapper) but 7.2 redhat doesn't like the old chains stuff - seamless transition to tables my ass.

    Please help solve my server problem, and try connecting once I will leave it running. Thanks.

    #!/bin/sh

    #config IPMASQ
    /sbin/ifconfig eth1 down
    /sbin/ifconfig eth1 192.168.1.1 broadcast 0.0.0.255 netmask 255.255.255.0

    IPTABLES="/sbin/iptables"

    #Time to clean house

    #Clear out any existing firewall rules, and any chains that might have
    #been created
    $IPTABLES -F
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD
    $IPTABLES -F -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -X

    #Setup our policies
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT

    #This enables ip forwarding, and thus by extension, NAT
    #Turn this on if you're going to be doing NAT or Masquerading
    echo 1 > /proc/sys/net/ipv4/ip_forward

    #Our actual rules

    #Our NAT stuff

    #Source NAT everything heading out the eth0 (external) interface to be the
    #given IP. If you have a dynamic ip or a DHCP ip that changes
    #semi-regularly, comment this and uncomment the second line
    #
    #Remember to change the ip address to your static ip
    #
    #$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to 68.98.64.132

    $IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    #These are port-forwarding examples for several different cases.
    #These map the specified ports to the specified ip address.
    #
    #This one maps port 80 to 192.168.1.1. Anything incoming over eth0 to
    #the server will be redirected invisibly to port 80 on 192.168.1.1
    #$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.1
    #
    #These two redirect a block of ports, in both udp and tcp.
    #$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 2300:2400 -j DNAT --to 192.168.1.1
    #$IPTABLES -t nat -A PREROUTING -i eth0 -p udp --dport 2300:2400 -j DNAT --to 192.168.1.1

    #Now, our firewall chain
    #We use the limit commands to cap the rate at which it alerts to 15
    #log messages per minute
    #Joe 3
    $IPTABLES -N firewall
    $IPTABLES -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
    $IPTABLES -A firewall -j DROP

    #Now, our dropwall chain, for the final catchall filter
    #Joe 3
    $IPTABLES -N dropwall
    $IPTABLES -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
    $IPTABLES -A dropwall -j DROP

    #Our "hey, them's some bad tcp flags!" chain
    $IPTABLES -N badflags
    $IPTABLES -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
    $IPTABLES -A badflags -j DROP

    #And our silent logging chain
    $IPTABLES -N silent
    $IPTABLES -A silent -j DROP


    #Accept ourselves (loopback interface), 'cause we're all warm and friendly
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i dolly -j ACCEPT
    $IPTABLES -A INPUT -i dopey -j ACCEPT

    #Drop those nasty packets!
    #These are all TCP flag combinations that should never, ever occur in the
    #wild. All of these are illegal combinations that are used to attack a box
    #in various ways, so we just drop them and log them here.
    $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
    $IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
    $IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
    $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
    $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
    $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

    #Drop icmp, but only after letting certain types through
    $IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
    $IPTABLES -A INPUT -p icmp -j firewall

    #Accept SSH connections from everywhere.
    #Uncomment this if you're running SSH and want to be able to access it
    #from the outside world.
    #
    #$IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j ACCEPT

    #Lets do some basic state-matching
    #This allows us to accept related and established connections, so
    #client-side things like ftp work properly, for example.
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    #Uncomment to drop port 137 netbios packets silently. We don't like
    #that netbios stuff, and it's way too spammy with windows machines on
    #the network.
    #
    $IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent

    #Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
    $IPTABLES -A INPUT -j dropwall

  6. #6
    Join Date
    Jun 2002
    Location
    Northern California
    Posts
    351
    I've been using ipchains successfully until very recently when I needed to port forward a customer to a printer, and learned just how drop-in iptables is not.

    In your rule set, what are dolly and dopey? As an argument to -i, shouldn't those be interface names?

    I don't see any rules to allow TS connections in (you need two, one for UDP and one for TCP), so maybe the connection attempt is hitting the dropwall at the end. Are you getting anything in your logs after an attempt?

    I use "ls -lt /var/log | head" to see what logs were recently touched, then run tail on those to see what happened. You can also run "tail -f /var/log/messages" in a typical Red Hat setup to watch firewall violations as they happen.
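
The log check suggested in the last reply, as an added example that is not part of the original thread: it summarises what the `dropwall` chain logged, per interface, protocol and destination port, so a missing ACCEPT rule shows up directly. The log lines are constructed, and the function names and the client addresses 192.168.1.5 and 203.0.113.7 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Log lines below are constructed.

# Count packets logged by the "dropwall" chain per input interface, protocol
# and destination port. The script's --log-prefix "Dropwall:" has no trailing
# space, so the prefix is fused to "IN=" in each kernel log line.
dropwall_summary() {
    awk '
        /Dropwall:/ {
            in_if = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                f = $i
                sub(/^.*Dropwall:/, "", f)   # "Dropwall:IN=eth1" -> "IN=eth1"
                if (f ~ /^IN=./)   in_if = substr(f, 4)
                if (f ~ /^PROTO=/) proto = substr(f, 7)
                if (f ~ /^DPT=/)   dpt   = substr(f, 5)
            }
            count[in_if " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Succeeds if the given protocol/port was dropped at least once.
hit_dropwall() {    # usage: hit_dropwall TCP 8765 < /var/log/messages
    dropwall_summary | grep -q " $1 $2\$"
}

# Constructed sample in the iptables LOG format; only the server IP,
# hostname and ports are taken from the thread.
sample_log() {
    cat <<'EOF'
Jul  1 19:20:01 mylinux kernel: Dropwall:IN=eth1 OUT= MAC=00:10:4b:33:0a:9e:00:50:56:00:00:01:08:00 SRC=192.168.1.5 DST=68.98.64.221 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4711 DF PROTO=TCP SPT=1045 DPT=8765 WINDOW=16384 RES=0x00 SYN URGP=0
Jul  1 19:20:04 mylinux kernel: Dropwall:IN=eth1 OUT= MAC=00:10:4b:33:0a:9e:00:50:56:00:00:01:08:00 SRC=192.168.1.5 DST=68.98.64.221 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4712 DF PROTO=TCP SPT=1045 DPT=8765 WINDOW=16384 RES=0x00 SYN URGP=0
Jul  1 19:20:05 mylinux kernel: Firewall:IN=eth0 OUT= MAC=00:60:97:34:40:f4:00:50:56:00:00:02:08:00 SRC=203.0.113.7 DST=68.98.64.221 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=13 CODE=0 ID=512 SEQ=1
Jul  1 19:20:09 mylinux kernel: Dropwall:IN=eth1 OUT= MAC=00:10:4b:33:0a:9e:00:50:56:00:00:01:08:00 SRC=192.168.1.5 DST=68.98.64.221 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4713 PROTO=UDP SPT=1046 DPT=8766 LEN=40
Jul  1 19:21:30 mylinux kernel: Dropwall:IN=eth0 OUT= MAC=00:60:97:34:40:f4:00:50:56:00:00:02:08:00 SRC=203.0.113.7 DST=68.98.64.221 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=901 DF PROTO=TCP SPT=40112 DPT=8765 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# If 8765/tcp and 8766/udp (the tss sockets in the lsof output) appear here,
# the ruleset needs ACCEPT rules for them before the final "-j dropwall":
#   $IPTABLES -A INPUT -p tcp --dport 8765 -j ACCEPT
#   $IPTABLES -A INPUT -p udp --dport 8766 -j ACCEPT

sample_log | dropwall_summary
```

On a live box, feed it the real log instead of the sample: `dropwall_summary < /var/log/messages`. Adding `-i eth1` to the two ACCEPT rules limits them to the internal network.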
