| Security and Privacy Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits. |

13th October 2004, 02:56 AM
|
 |
Registered User
|
|
Join Date: Jul 2004
Location: Oberon AU
Age: 47
Posts: 75

|
|
|
Running TeamSpeak server through ipTables
Hi
I have a nice install of FC 2 that is used to protect my WinXP games box from itself. It has installed/configured on it the firewall using ipTables. The rule set was one sourced from the net and (if I understand it correctly) it refuses all activity except NEW (if I initiate it) or if it's an ESTABLISHED or RELATED from others. This was installed by a more knowledgeable Linux person than me, but this time I would like to do it for myself and learn.
I wish to use software called Teamspeak. I can use the client version perfiktly (;+P), however it will not allow me to set up a server. I had a look at a tutorial from the web as to how to create a rule/rules to allow this, but alas it seems a bit complex for my talents (and also not wishing to stuff what I have).
Following is an excerpt from the help files.....
If you are using a firewall TeamSpeak requires to have an UDP port open. The standard port for this is UDP port 8767 but can be configured in the server.ini file of the TeamSpeak server.
I'm not sure that I need this bit below, but someone may know...
You can use TeamSpeak 2 even if you are behind a firewall with NAT. You’ll have to ask your firewall admin (might be you yourself) to forward the UDP port 8767 (the standard port, it can be configured though) to your computer or use connection tracking in the firewall rules.
So I guess what I'm asking is for some advice as to how to go about telling the firewall to allow incoming communication from ONLY the others on the same channel as me.
As a further thing, is this port one that can be exploited by a malicious user (since I just announced it here)? I may be overly paranoid about this but I prefer to be safe than sorry. Thanks all in advance.
Yours
OberonKenObi
|

13th October 2004, 02:17 PM
|
|
Registered User
|
|
Join Date: Oct 2004
Posts: 1

|
|
|
Yes! I'm having the same problem! Someone please help
|

13th October 2004, 05:17 PM
|
 |
Retired Community Manager
|
|
Join Date: Mar 2004
Location: Scotland
Age: 34
Posts: 1,019

|
|
|
__________________
http://blog.suretecsystems.com
|

13th October 2004, 10:39 PM
|
 |
Registered User
|
|
Join Date: Jul 2004
Location: Oberon AU
Age: 47
Posts: 75

|
|
|
Hey thanks Ghenry,
So firestarter is just an easy front for the iptables? If so I will download and try that, and good luck to Cookie as well.
__________________
^
^
The more I know, the more I know that I don't know.
|

14th October 2004, 10:16 AM
|
 |
Retired Community Manager
|
|
Join Date: Mar 2004
Location: Scotland
Age: 34
Posts: 1,019

|
|
|
Yeah, very easy and does NAT and realtime reporting of firewall hits etc.
__________________
http://blog.suretecsystems.com
|

14th October 2004, 10:20 AM
|
|
Guest
|
|
Posts: n/a

|
|
While you're at it, learn to love yum to install all your package needs.
Code:
yum install firestarter
If you're setting up NAT or other advanced features, be sure to rtfm.
|

14th October 2004, 03:54 PM
|
 |
Registered User
|
|
Join Date: Sep 2004
Location: NORTHCOM
Posts: 813

|
|
Quote:
|
Originally Posted by OberonKenObi
So I guess what I'm asking is for some advice as to how to go about telling the firewall to allow incoming communication from ONLY the others on the same channel as me.
As a further thing, is this port one that can be exploited by a malicious user (since I just announced it here)? I may be overly paranoid about this but I prefer to be safe than sorry.
|
When you say "channel", you're talking about the TeamSpeak2 channel, correct?
You can use netfilter (iptables) to DNAT to your Windows machine on a specific port but this port is still open to the world. What you may want to do is run a TeamSpeak2 server on your firewall (Linux machine). That way you can connect to it from your Windows machine with the TS2 client and you won't have anyone banging directly on your Windows box. You can do the initial setup from a browser, get your admin and superadmin passwords set, then turn off the browser port on the TS2 server. Then when you want to configure the server, just connect as an SA to create channels, kick and ban incoming users.
I do recommend that you create a special user account on the Linux server to run TS2 server. That way should it get hacked, the attacker will be limited to what the regular user account can do.
|

15th October 2004, 12:52 AM
|
 |
Registered User
|
|
Join Date: Jul 2004
Location: Oberon AU
Age: 47
Posts: 75

|
|
|
Hey thanks guys (and any anonymous girls)
All answers were helpful, especially the most recent. Dog-One, yes, the channel I was referring to is on the TS application. I have the TS server on the Linux box, configured with webmin, and I never log in as root (unless I need to), so will my usual user account be ok for this, or make another non-su account with even more limited rights?
One final question: if I install Firestarter, have downloaded it with yum (thanks superbnerd), and I don't want to change the iptables I have but just make a copy and manipulate that, where is the file located? I can't seem to find it.
Thanks again all.
__________________
^
^
The more I know, the more I know that I don't know.
|

15th October 2004, 03:23 AM
|
 |
Registered User
|
|
Join Date: Sep 2004
Location: NORTHCOM
Posts: 813

|
|
Quote:
|
Originally Posted by OberonKenObi
All answers were helpful, especially the most recent. Dog-One, yes, the channel I was referring to is on the TS application. I have the TS server on the Linux box, configured with webmin, and I never log in as root (unless I need to), so will my usual user account be ok for this, or make another non-su account with even more limited rights?
|
That should be okay. Somewhere I read to make a specific user just for this (tss as I recall). You could chroot jail this account if you are real paranoid. I just set mine up as a normal user account and made TSS a clan server so it doesn't advertise. If you use iptraf with TSS running, you will notice that it tries to phone home. I blocked mine from doing that by filtering the outbound port it uses.
I still like to dig into the nuts-n-bolts so I don't use a GUI to configure iptables. I have a pretty large shell script for that--it's been refined considerably over the last few years. My net is as tight as I can manage to get it; I'm sure there are still holes, but hey.
Something you may want to do is collect the static IPs from the folks that will be using your TSS and only enable those IPs to talk to it. For the folks that don't have static IPs, you could get the network segments from the ISPs they use and just enable those. It wouldn't be perfect but you could certainly limit connections from 95% of the world that way. The group I chat with using TS2 had a problem a while back--we were getting kids connecting and blabbering nonsense. The SA tried banning them and they would just come back with a different IP, so we finally filtered as I just mentioned and that took care of that problem. The only other solution is to have moderated channels and/or passwords, but that gets to be a pain.
BTW, if answers you get are helpful, please remember to bump people's reputation.
|
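The setup Dog-One describes in the two posts above (TS2 server on the Linux firewall, reachable only from known source addresses), as an added example that is not part of the thread: a POSIX shell script that prints iptables commands for review rather than applying them. The chain name `TS2-IN` and the sample addresses are assumptions of this example; the port is the default quoted from the TeamSpeak help text.

```shell
#!/bin/sh
# Added example: print (never apply) iptables commands that limit the
# TeamSpeak 2 voice port to an allowlist of IPv4 sources.
TS2_PORT=8767     # default UDP port per the TeamSpeak help text (server.ini)
TS2_CHAIN=TS2-IN  # chain name is an assumption of this example

# valid_cidr ADDR[/LEN]: succeed only for a well-formed IPv4 address or CIDR.
valid_cidr() {
    addr=${1%%/*}
    len=32
    case $1 in */*) len=${1#*/} ;; esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ ${#len} -le 2 ] && [ "$len" -le 32 ] || return 1
    # Reject stray characters, empty octets and leading zeros up front.
    case $addr in
        *[!0-9.]*|*..*|.*|*.|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr          # split into octets (function-local "$@")
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# ts2_rules CIDR...: print the rule set. Nothing is printed if any entry is
# malformed, so a typo cannot turn into a half-built policy.
ts2_rules() {
    [ $# -gt 0 ] || { echo "ts2_rules: empty allowlist" >&2; return 1; }
    for src in "$@"; do
        valid_cidr "$src" || { echo "ts2_rules: bad entry: $src" >&2; return 1; }
    done
    echo "iptables -N $TS2_CHAIN"
    for src in "$@"; do
        echo "iptables -A $TS2_CHAIN -s $src -j ACCEPT"
    done
    echo "iptables -A $TS2_CHAIN -j DROP"
    # Jump goes in last and at the top of INPUT, ahead of existing rules.
    echo "iptables -I INPUT -p udp --dport $TS2_PORT -j $TS2_CHAIN"
}

# Constructed sample allowlist (RFC 5737 documentation addresses).
ts2_rules 203.0.113.7 198.51.100.0/24
```

Source filtering on UDP narrows who can reach the port but does not authenticate anyone, so the server and channel passwords discussed in the thread still apply.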

15th October 2004, 03:01 PM
|
 |
Registered User
|
|
Join Date: Jul 2004
Location: Oberon AU
Age: 47
Posts: 75

|
|
|
Already bumped both you Dog-One and Superbnerd. It's so quick and easy, everyone should take a few moments to give kudos to those peeps who take the time to read our posts and proffer solutions.
I have decided passwords and moderated channels is for me. A bit of inconvenience for the others will pay back the hassle of xtra config for me. Plus there is only limited users anyways so it's no big deal.
Thank you both for invaluable help and advice.
__________________
^
^
The more I know, the more I know that I don't know.
|