[Talk] Final Fantasy XI iptables rules

Danny Rathjens talk@flux.org
Mon, 03 Nov 2003 20:52:13 -0500

I started playing Final Fantasy XI online for PC this weekend.
(Yep, had to boot into windows for first time in long time
and had a couple crashes to remind me why I stopped using it)

Anyway, I have a linux box as my firewall doing NAT and the game
would not work with the error:
 FFXI:3100 Could not connect to lobby server

Tech support just told me it's my fault for using a linux firewall
and implied their system has no bugs and claimed it works with NAT.

After some packet sniffing, I discovered that some bug in the game's
network code was causing it to send packets to the external ip of
my firewall(port 54001) instead of to square enix's lobby server.
A web search of port 54001 came up with a japanese language page
which had some iptables rules to use to let FF online work from
a playstation through a firewall.  Those did not work, but the page
also had a list of Square's servers and which ports they use so
I made some quick rules to forward any misdirected packets to those
listed servers and voila it all worked.

So, in case anyone happens to have problems with this bug in
PlayOnline and Final Fantasy XI not working through NAT on
an adsl connection, here is the solution.

Here are the relevant parts of my firewall script:

extip=`ifconfig eth0|grep 'inet addr'|cut -f2 -d:|cut -f1 -d" "`
iptables -I PREROUTING -t nat -p tcp -s $intnet -d $extip --dport 51220 -j DNAT --to
iptables -I PREROUTING -t nat -p tcp -s $intnet -d $extip --dport 51240 -j DNAT --to
iptables -I PREROUTING -t nat -p tcp -s $intnet -d $extip --dport 51300 -j DNAT --to
iptables -I PREROUTING -t nat -p tcp -s $intnet -d $extip --dport 51301 -j DNAT --to
iptables -I PREROUTING -t nat -p tcp -s $intnet -d $extip --dport 54000 -j DNAT --to
iptables -I PREROUTING -t nat -p tcp -s $intnet -d $extip --dport 54001 -j DNAT --to
iptables -I PREROUTING -t nat -p tcp -s $intnet -d $extip --dport 54002 -j DNAT --to
iptables -I PREROUTING -t nat -p udp -s $intnet -d $extip --dport 54120 -j DNAT --to
iptables -I PREROUTING -t nat -p udp -s $intnet -d $extip --dport 54246 -j DNAT --to

     _.,-*~`^'~*-,._ Danny Rathjens _.,-*~`^'~*-,._
FireCast: Rock solid kiosk software: http://wirespring.com