I’ve recently been developing a multiplayer game in jmonkey using SpiderMonkey for networking. However, upon trying to run the game server on my dedicated server, I’ve had lots of connection problems while the iptables firewall is enabled.
*** Warning, this post requires lots of reading ***
I have CentOS 5.10 running on a HP ProLiant ML350 Generation 4p (G4p). (http://goo.gl/UBVPaF) It’s an old system, but according to the driver page (http://goo.gl/uraQXh), the machine supports up to RHEL 5 and I’ve had no problems with the RHEL clone, CentOS, so far.
The machine is running a LAMP server as well as my game server. It’s connected to my network with a static local IP address and I have ports 80 (http) and 42069 (game) forwarded to the server. Then, for remote access, I hooked up the No-IP service (http://www.noip.com/) to my router to dynamically update a DNS.
During OS install, I disabled SELinux because I was planning on configuring that later once the server was in a more stable state. I also disabled the iptables firewall to try to lower the amount of initial headaches I would have to deal with while just trying to get the game server to work.
Now, I don’t actually have the jMonkey IDE running on the server, I just use “java -jar MyGame.jar” on the built code. The server runs with no errors and I can see that it’s listening for incoming connections on the correct port using the command: " netstat -tapen | grep ‘:42069’ " with the output:
"tcp 0 0 :::42069 :::* LISTEN 0 86848 10644/java"I then run the client program on my PC on the same network and type the No-IP DNS in for the IP of the server. The client connects just fine with no problems. Any of my friends that have the client on their PCs can also connect with no issues.
After connecting multiple times and having no problems, I decided to re-enable the iptables firewall. This is where the problems began. In order to allow users to connect I added the exception for the game server using the command:
“iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 42069 -j ACCEPT” Now, I am a pretty big newb when it comes to iptables, so if I’m making some stupid mistake, please feel free to tell me. But, being the newb I am, I confirmed this command would work by checking multiple different forums. I then confirmed the exception was added by using the command: “iptables -L” with the output:
Chain INPUT (policy ACCEPT) target prot opt source destination RH-Firewall-1-INPUT all -- anywhere anywhereChain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all – anywhere anywhereChain OUTPUT (policy ACCEPT)
target prot opt source destinationChain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all – anywhere anywhere
ACCEPT icmp – anywhere anywhere icmp any
ACCEPT esp – anywhere anywhere
ACCEPT ah – anywhere anywhere
ACCEPT udp – anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp – anywhere anywhere udp dpt:ipp
ACCEPT tcp – anywhere anywhere tcp dpt:ipp
ACCEPT all – anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp – anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp – anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp – anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp – anywhere anywhere state NEW tcp dpt:42069
REJECT all – anywhere anywhere reject-with icmp-host-prohibited
I then restarted the iptables firewall with the command: “service iptables restart” and restarted the game server. The server restarted with no problems and I could still see it listening using “netstat”. However, when I try to connect to the game server with the client, the client locks up and stops responding. Usually, if you try to click on the window, it fades white and windows asks you if you want to end the process or wait for it to respond. Waiting for the program to respond does nothing I usually just end the task. I think the program crashes because I haven’t completely handled a timeout when trying to connect to a game server.
So, assume I messed something up with the iptables firewall config, I ran an nmap scan of my server. The nmap scan, once configured to probe all ports, returned this:
(I masked my public IP with “<MY-IP>” , my No-IP DNS with “<MY DNS>”, and my router name with “<MY-ROUTER>” for privacy reasons)
Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-16 12:39 Eastern Daylight Time NSE: Loaded 118 scripts for scanning. NSE: Script Pre-scanning. Initiating Ping Scan at 12:39 Scanning <MY-DNS> (<MY-IP>) [4 ports] Completed Ping Scan at 12:39, 0.26s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 12:39 Completed Parallel DNS resolution of 1 host. at 12:39, 0.09s elapsed Initiating SYN Stealth Scan at 12:39 Scanning <MY-DNS> (<MY-IP>) [65535 ports] Discovered open port 80/tcp on <MY-IP> Discovered open port 631/tcp on <MY-IP> Discovered open port 33344/tcp on <MY-IP> Discovered open port 40090/tcp on <MY-IP> Discovered open port 5916/tcp on <MY-IP> Discovered open port 20005/tcp on <MY-IP> Discovered open port 548/tcp on <MY-IP> Discovered open port 8200/tcp on <MY-IP> Discovered open port 42069/tcp on <MY-IP> Completed SYN Stealth Scan at 12:40, 5.05s elapsed (65535 total ports) Initiating Service scan at 12:40 Scanning 9 services on <MY-DNS> (<MY-IP>)Completed Service scan at 12:42, 131.02s elapsed (9 services on 1 host)
Initiating OS detection (try #1) against <MY-DNS> (<MY-IP>)
Retrying OS detection (try #2) against <MY-DNS> (<MY-IP>)
Initiating Traceroute at 12:42
Completed Traceroute at 12:42, 0.01s elapsed
Initiating Parallel DNS resolution of 1 host. at 12:42
Completed Parallel DNS resolution of 1 host. at 12:42, 0.03s elapsed
NSE: Script scanning <MY-IP>.
Initiating NSE at 12:42
NSE Timing: About 97.92% done; ETC: 13:06 (0:00:30 remaining)
NSE Timing: About 97.92% done; ETC: 13:06 (0:00:31 remaining)
NSE Timing: About 97.92% done; ETC: 13:07 (0:00:31 remaining)
NSE Timing: About 97.92% done; ETC: 13:07 (0:00:32 remaining)
NSE Timing: About 97.92% done; ETC: 13:08 (0:00:33 remaining)
NSE Timing: About 97.92% done; ETC: 13:09 (0:00:33 remaining)
NSE Timing: About 97.92% done; ETC: 13:09 (0:00:34 remaining)
NSE Timing: About 97.92% done; ETC: 13:10 (0:00:35 remaining)
NSE Timing: About 97.92% done; ETC: 13:10 (0:00:36 remaining)
NSE Timing: About 97.92% done; ETC: 13:11 (0:00:36 remaining)
NSE Timing: About 97.92% done; ETC: 13:12 (0:00:37 remaining)
NSE Timing: About 97.92% done; ETC: 13:12 (0:00:38 remaining)
NSE Timing: About 97.92% done; ETC: 13:13 (0:00:39 remaining)
NSE Timing: About 97.92% done; ETC: 13:14 (0:00:40 remaining)
NSE Timing: About 97.92% done; ETC: 13:14 (0:00:41 remaining)
NSE Timing: About 97.92% done; ETC: 13:15 (0:00:42 remaining)
NSE Timing: About 97.92% done; ETC: 13:16 (0:00:42 remaining)
NSE Timing: About 97.92% done; ETC: 13:17 (0:00:43 remaining)
NSE Timing: About 97.92% done; ETC: 13:17 (0:00:44 remaining)
NSE Timing: About 97.92% done; ETC: 13:18 (0:00:45 remaining)
NSE Timing: About 97.92% done; ETC: 13:19 (0:00:46 remaining)
Completed NSE at 13:19, 2205.15s elapsed
Nmap scan report for <MY-DNS> (<MY-IP>)
Host is up (0.00084s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.3 ((CentOS))
|http-methods: No Allow or Public header in OPTIONS response (status code 200)
|http-title: Site doesn’t have a title (text/html; charset=UTF-8).
548/tcp open afp Netatalk 2.2.5 (name: <MY-ROUTER>; protocol 3.3)
| afp-serverinfo:
| | Server Flags: 0x8f79
| | Super Client: Yes
| | UUIDs: Yes
| | UTF8 Server Name: Yes
| | Open Directory: Yes
| | Reconnect: No
| | Server Notifications: Yes
| | TCP/IP: Yes
| | Server Signature: Yes
| | ServerMessages: Yes
| | Password Saving Prohibited: No
| | Password Changing: No
| | Copy File: Yes
| Server Name: <MY-ROUTER>
| Machine Type: Netatalk2.2.5
| AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3
| UAMs: DHX2, 2-Way Randnum exchange, Randnum exchange, DHCAST128, Cleartxt Passwrd, No User Authent
| Server Signature: 9ed14821a55cabbbc1e9e73d307eb985
| Network Address 1: <MY-IP>
| UTF8 Server Name: <MY-ROUTER>
631/tcp open ipp?
5916/tcp open unknown
8200/tcp open tcpwrapped
20005/tcp open btx?
33344/tcp open unknown
40090/tcp open http uTorrent WebUI
|_http-title: Site doesn’t have a title (text/html).
42069/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at Nmap Fingerprint Submitter 2.0 :
SF-Port33344-TCP:V=6.46%I=7%D=8/16%Time=53EF896A%P=i686-pc-windows-windows
SF:%r(NULL,7D,“\x1c\x20connect\x20success\x20d744a4e0\x20\n
SF:”\x20NetUSB\x201.02.41,\x202009,\x2000020624\x20\n\x0c\x20AUT
SF:H\x20ISOC\n\x1f\x20MOVE_HEAD\x20emb_lp\x20filterAudio\n
SF:“)%r(GenericLines,1067,”\x1c\x20connect\x20success\x20d744a4e0
SF:x20\n"\x20NetUSB\x201.02.41,\x202009,\x2000020624\x20\n
SF:0\x0c\x20AUTH\x20ISOC\n\x1f\x20MOVE_HEAD\x20emb_lp\x20filterA
SF:udio\n@INFO1E99:\x20Tunnel\x20start\x20sig\x20error..
SF:.old\x20version\x20windows\x20driver?\n*INFO1F58:\x20\x20con
SF:nent\x20fail\x20from\x20:\x20d744bba0\x20\n\x006INFO1632:\x20new
SF:x20connection\x20from\x20192.168.1.5\x20:\x20d744ad00\n@INFO
SF:1E99:\x20Tunnel\x20start\x20sig\x20error...old\x20version\x20windows
SF:\x20driver?\n*INFO1F58:\x20\x20connent\x20fail\x20from\x20:\x
SF:20d744ad00\x20\n\x006INFO1632:\x20new\x20connection\x20from\x2019
SF:2.168.1.5\x20:\x20d75f4b60\n@INFO1E99:\x20Tunnel\x20start\x2
SF:0sig\x20error...old\x20version\x20windows\x20driver?\n*INF
SF:O1F58:\x20\x20connent\x20fail\x20from\x20:\x20d75f4b60\x20\n\x006
SF:INFO1632:\x20new\x20connection\x20from\x20192.168.1.5\x20:\x20d744ad
SF:00\n@INFO1E99:\x20Tunnel\x20start\x20sig\x20error...old\x20v
SF:ersion\x20windows\x20driver?\n*INFO1F58:\x20\x20connent\x20fa
SF:il\x20from\x20:\x20d744ad00\x20\n\x006INFO1632:\x20new\x20connect
SF:ion\x20from\x20192.168.1.5\x20:\x20d744bba0\n@INFO1E
SF:99:\x20Tunnel\x20start\x20sig\x20error...old\x20version\x20windows\x
SF:20driver?\n*INFO1F58:\x20\x20");
Aggressive OS guesses: ZoneAlarm Z100G WAP (97%), Linux 2.6.18 (95%), Linux 2.6.9 - 2.6.18 (93%), Linux 2.6.18 - 2.6.32 (92%), Sonos ZonePlayer audio distribution unit (91%), Linux 2.6.32 - 3.9 (91%), Linux 2.6.9 - 2.6.30 (90%), Linux 3.0 - 3.1 (90%), Linux 2.6.17 (Mandriva) (90%), Linux 2.6.18 (Centos 5.3) (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OSs: Unix, Windows; CPE: cpe:/o:microsoft:windowsTRACEROUTE (using port 113/tcp)
HOP RTT ADDRESS
1 1.00 ms <MY-IP>NSE: Script Post-scanning.
Read data files from: F:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at Nmap OS/Service Fingerprint and Correction Submission Page .
Nmap done: 1 IP address (1 host up) scanned in 2348.72 seconds
Raw packets sent: 65602 (2.890MB) | Rcvd: 65574 (2.624MB)
The “open” keyword, according to nmap’s website (Port Scanning Basics | Nmap Network Scanning), means that 1. the port is allowing connections and 2. that there is an application listening for connections on that port. This means that the iptables firewall was working correctly and allowing connections through. I also noticed during the nmap scan that the game server was return some runtime exceptions. The exceptions were as follows:
(I masked my public IP with “<MY-IP>” and the server local ip with “<SERVER-LOCAL-IP>” for privacy reasons)
[java]Aug 16, 2014 12:40:32 PM com.jme3.network.base.KernelAdapter reportError
SEVERE: Unhandled error, endpoint:NioEndpoint[93, java.nio.channels.SocketChannel[connected local=/<SERVER-LOCAL-IP>:42069 remote=/<MY-IP>:12596]], context:Envelope[NioEndpoint[93, java.nio.channels.SocketChannel[connected local=/<SERVER-LOCAL-IP>:42069 remote=/<MY-IP>:12596]], reliable, 44]
java.lang.IllegalArgumentException
at java.nio.ByteBuffer.allocate(ByteBuffer.java:334)
at com.jme3.network.base.MessageProtocol.addBuffer(MessageProtocol.java:141)
at com.jme3.network.base.KernelAdapter.createAndDispatch(KernelAdapter.java:216)
at com.jme3.network.base.KernelAdapter.run(KernelAdapter.java:280)
Aug 16, 2014 12:40:32 PM com.jme3.network.base.KernelAdapter reportError
SEVERE: Unhandled error, endpoint:NioEndpoint[94, java.nio.channels.SocketChannel[connected local=/<SERVER-LOCAL-IP>:42069 remote=/<MY-IP>:12597]], context:Envelope[NioEndpoint[94, java.nio.channels.SocketChannel[connected local=/<SERVER-LOCAL-IP>:42069 remote=/<MY-IP>:12597]], reliable, 32]
java.lang.RuntimeException: Error deserializing object
at com.jme3.network.base.MessageProtocol.createMessage(MessageProtocol.java:184)
at com.jme3.network.base.MessageProtocol.addBuffer(MessageProtocol.java:160)
at com.jme3.network.base.KernelAdapter.createAndDispatch(KernelAdapter.java:216)
at com.jme3.network.base.KernelAdapter.run(KernelAdapter.java:280)
Caused by: com.jme3.network.serializing.SerializerException: Class not found for buffer data.
at com.jme3.network.serializing.Serializer.readClassAndObject(Serializer.java:356)
at com.jme3.network.base.MessageProtocol.createMessage(MessageProtocol.java:180)
… 3 more
Aug 16, 2014 12:40:32 PM com.jme3.network.base.KernelAdapter reportError
SEVERE: Unhandled error, endpoint:NioEndpoint[95, java.nio.channels.SocketChannel[connected local=/<SERVER-LOCAL-IP>:42069 remote=/<MY-IP>:12598]], context:Envelope[NioEndpoint[95, java.nio.channels.SocketChannel[connected local=/<SERVER-LOCAL-IP>:42069 remote=/<MY-IP>:12598]], reliable, 14]
java.lang.RuntimeException: Error deserializing object
at com.jme3.network.base.MessageProtocol.createMessage(MessageProtocol.java:184)
at com.jme3.network.base.MessageProtocol.addBuffer(MessageProtocol.java:160)
at com.jme3.network.base.KernelAdapter.createAndDispatch(KernelAdapter.java:216)
at com.jme3.network.base.KernelAdapter.run(KernelAdapter.java:280)
Caused by: com.jme3.network.serializing.SerializerException: Class not found for buffer data.
at com.jme3.network.serializing.Serializer.readClassAndObject(Serializer.java:356)
at com.jme3.network.base.MessageProtocol.createMessage(MessageProtocol.java:180)
… 3 more
Aug 16, 2014 12:40:45 PM com.jme3.network.base.KernelAdapter reportError
SEVERE: Unhandled error, endpoint:NioEndpoint[98, java.nio.channels.SocketChannel[connected local=/<SERVER-LOCAL-IP>:42069 remote=/<MY-IP>:12613]], context:Envelope[NioEndpoint[98, java.nio.channels.SocketChannel[connected local=/<SERVER-LOCAL-IP>:42069 remote=/<MY-IP>:12613]], reliable, 117]
java.nio.BufferUnderflowException
at java.nio.Buffer.nextGetIndex(Buffer.java:506)
at java.nio.HeapByteBuffer.getShort(HeapByteBuffer.java:310)
at com.jme3.network.serializing.Serializer.readClass(Serializer.java:340)
at com.jme3.network.serializing.Serializer.readClassAndObject(Serializer.java:354)
at com.jme3.network.base.MessageProtocol.createMessage(MessageProtocol.java:180)
at com.jme3.network.base.MessageProtocol.addBuffer(MessageProtocol.java:160)
at com.jme3.network.base.KernelAdapter.createAndDispatch(KernelAdapter.java:216)
at com.jme3.network.base.KernelAdapter.run(KernelAdapter.java:280)
Aug 16, 2014 12:40:45 PM com.jme3.network.base.KernelAdapter reportError
SEVERE: Unhandled error, endpoint:NioEndpoint[99, java.nio.channels.SocketChannel[connected local=/<SERVER-LOCAL-IP>:42069 remote=/<MY-IP>:12614]], context:Envelope[NioEndpoint[99, java.nio.channels.SocketChannel[connected local=/<SERVER-LOCAL-IP>:42069 remote=/<MY-IP>:12614]], reliable, 168]
java.nio.BufferUnderflowException
at java.nio.Buffer.nextGetIndex(Buffer.java:506)
at java.nio.HeapByteBuffer.getShort(HeapByteBuffer.java:310)
at com.jme3.network.serializing.Serializer.readClass(Serializer.java:340)
at com.jme3.network.serializing.Serializer.readClassAndObject(Serializer.java:354)
at com.jme3.network.base.MessageProtocol.createMessage(MessageProtocol.java:180)
at com.jme3.network.base.MessageProtocol.addBuffer(MessageProtocol.java:160)
at com.jme3.network.base.KernelAdapter.createAndDispatch(KernelAdapter.java:216)
at com.jme3.network.base.KernelAdapter.run(KernelAdapter.java:280)
Aug 16, 2014 12:41:42 PM com.jme3.network.base.KernelAdapter reportError
SEVERE: Unhandled error, endpoint:NioEndpoint[111, java.nio.channels.SocketChannel[connected local=/<SERVER-LOCAL-IP>:42069 remote=/<MY-IP>:12677]], context:Envelope[NioEndpoint[111, java.nio.channels.SocketChannel[connected local=/<SERVER-LOCAL-IP>:42069 remote=/<MY-IP>:12677]], reliable, 18]
java.lang.RuntimeException: Error deserializing object
at com.jme3.network.base.MessageProtocol.createMessage(MessageProtocol.java:184)
at com.jme3.network.base.MessageProtocol.addBuffer(MessageProtocol.java:160)
at com.jme3.network.base.KernelAdapter.createAndDispatch(KernelAdapter.java:216)
at com.jme3.network.base.KernelAdapter.run(KernelAdapter.java:280)
Caused by: com.jme3.network.serializing.SerializerException: Class not found for buffer data.
at com.jme3.network.serializing.Serializer.readClassAndObject(Serializer.java:356)
at com.jme3.network.base.MessageProtocol.createMessage(MessageProtocol.java:180)
… 3 more
Aug 16, 2014 12:41:42 PM com.jme3.network.base.KernelAdapter reportError
SEVERE: Unhandled error, endpoint:NioEndpoint[112, java.nio.channels.SocketChannel[connected local=/<SERVER-LOCAL-IP>:42069 remote=/<MY-IP>:12678]], context:Envelope[NioEndpoint[112, java.nio.channels.SocketChannel[connected local=/<SERVER-LOCAL-IP>:42069 remote=/<MY-IP>:12678]], reliable, 8]
java.lang.IllegalArgumentException
at java.nio.ByteBuffer.allocate(ByteBuffer.java:334)
at com.jme3.network.base.MessageProtocol.addBuffer(MessageProtocol.java:141)
at com.jme3.network.base.KernelAdapter.createAndDispatch(KernelAdapter.java:216)
at com.jme3.network.base.KernelAdapter.run(KernelAdapter.java:280)
Aug 16, 2014 12:42:21 PM com.jme3.network.base.KernelAdapter reportError
SEVERE: Unhandled error, endpoint:NioEndpoint[113, java.nio.channels.SocketChannel[connected local=/<SERVER-LOCAL-IP>:42069 remote=/<MY-IP>:498]], context:Envelope[NioEndpoint[113, java.nio.channels.SocketChannel[connected local=/<SERVER-LOCAL-IP>:42069 remote=/<MY-IP>:498]], reliable, 44]
java.lang.IllegalArgumentException
at java.nio.ByteBuffer.allocate(ByteBuffer.java:334)
at com.jme3.network.base.MessageProtocol.addBuffer(MessageProtocol.java:141)
at com.jme3.network.base.KernelAdapter.createAndDispatch(KernelAdapter.java:216)
at com.jme3.network.base.KernelAdapter.run(KernelAdapter.java:280)[/java]
I concluded that these exceptions combined with the nmap scans means that packets are getting to the server successfully while the iptables firewall is enabled. However, with the iptables firewall enabled, the game client stops responding and eventually crashes when you try to connect to the game server. But, when the iptables firewall is disabled, the game client connects with no problem.
If anyone could shed some light on what I’m doing wrong that’d be great because I’ve pulling my hairs out trying to fix this problem for the last few days. And I definitely do not want to have a public server up and running with a disabled firewall!