
Setting-up "Xbox Live" Services on Linux Based Firewalls

ZOIS Technical Note TN-2007-10-10.

Important Update

There have been a number of system failures, for which the Xbox 360 has become famous. This, coupled with a declining interest in this as a gaming platform, means the IP rules espoused here were removed from the ZOIS Firewall. This TN is left as a historical note that may now contain obsolete information. Martin Sullivan, 2011-06-21.

Author and Audience

This TN is intended for persons working with the Linux based Firewall IPTables[1] system. A reasonable knowledge of iptables(8) and a limited set of Linux programming skills are assumed. Written by Martin Sullivan[2], ZOIS Limited, Cockermouth.

Abstract

Forwarding rules for an iptables(8) firewall are presented so that an Xbox (specifically an Xbox 360) may be connected to the Xbox Live service and used in peer-to-peer gaming.

Introduction

The Xbox 360 is an advanced video games console produced by Microsoft. It has an Ethernet connection and a hard disk, and internally it appears to be similar to a conventional computer, albeit using a three-core version of the PowerPC architecture and a specialised graphics controller. It runs a proprietary specialised operating system and is aimed exclusively at the home-based gaming market.

Microsoft offer the Xbox Live product, which allows the Xbox to connect to servers over the Internet, download games and updates and, most desirably, to allow direct player-to-player interaction in games running on their own Xbox. Microsoft clearly intended that the Xbox would be a retail product and as such would be plugged more or less straight into the Internet, acquiring transitory addresses and the like from the customer's ISP. It is thus heavily firewalled in its own right: it is unresponsive to ping(8), and nmap(8) reports that all ports are filtered.

There is a growing number of people who have slightly more elaborate than usual internal networks based on RFC1918[3] numbering and Network Address Translation, RFC1631[4]. Many of these networks involve routers and firewalls based on Linux. This TN introduces several specific rules, to be added to an existing firewall rule-set, that allow an Xbox on an internal network to connect to the full Xbox Live service.

Materials and Platform

To connect to the Xbox Live service one needs a subscription (see the dedicated web-site[5]). One also needs an Xbox (an Xbox 360 was used in this work). An Ethernet connection and a conventional PC with two network interfaces running Linux are also required. In this work a redundant desk-top PC with a 700 MHz Pentium III and 190 MBytes of memory was used. It had Red Hat's Fedora Core 7[6] distribution of Linux installed and was therefore running with Netfilter's IPTables[1].

Method

The rules were found by a mixture of trial and error and by various searches on the Internet. The task was considerably simplified by the use of an internal DNS server (which therefore has its own set of firewall rules, outside the scope of this TN) and the use of static IP address assignment (rather than DHCP). With a static address assigned to the Xbox, its traffic can be identified easily. Similarly, the router/firewall machine has static IP addresses on both its internal and external interfaces. It is realised that this is not always the case, however, and that ISPs frequently assign IP addresses dynamically from a pool. In these instances the external interface IP address can change on a regular basis. Consideration of such cases is given in the Conclusion.

The iptables rules are set up as a series of invocations of iptables(8). The firewall policy is quite conservative and has a default policy of LOG and REJECT. LOG is particularly useful in arranging rules for things like the Xbox, when documentation seems a little thin. Iptables has a number of rules arranged into linear sets known as 'chains'. There are chains for packets coming into and out of the router and one, 'FORWARD', that controls IP routing. This TN only concerns itself with the 'FORWARD' rules and the rest is left to the reader. The shell-script fragments found in this TN are intended to be cut-and-paste-able; feel free. The Xbox itself needs to be set up with a static IP address, a default router and the addresses of Domain Name Servers (DNS). This involves the console handsets and a series of menus that slide in from the side of the screen. In the following examples the appropriate entries have been set up in DNS too:

xbox
The Xbox itself. In the scripts a shell variable "$xbox" contains the IP address of the Xbox in your RFC1918 network (example: 10.0.0.142).
router
The routing Linux box's external IP address. This sometimes appears in scripts as a dotted-quad (as in 80.176.162.242) in a shell variable "$router". It is the external address of the network and is found on interface eth1. Needless to say, eth0 is supplied with an RFC1918 address (an example would be 10.0.0.1).
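The LOG rules mentioned above are the practical way to discover which flows still lack a FORWARD rule. As an added illustration (not part of the original TN), the following POSIX shell function summarises rejected FORWARD traffic to and from the Xbox from kernel log lines; the log lines, the "FORWARD reject:" log prefix and the peer address 203.0.113.7 are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original TN: summarise what the firewall's
# LOG rules have rejected for the Xbox, so that missing FORWARD rules can be
# read off the kernel log rather than guessed.  Assumes the LOG rules use a
# "--log-prefix" containing "FORWARD reject:" and the standard netfilter
# field layout (IN= OUT= SRC= DST= PROTO= SPT= DPT=).

xbox=10.0.0.142

# Constructed sample of kernel log lines (as found in /var/log/messages);
# the server addresses are those quoted in the TN, the peer is made up.
sample_log() {
    cat <<'EOF'
Oct 10 20:01:02 router kernel: FORWARD reject: IN=eth0 OUT=eth1 SRC=10.0.0.142 DST=65.59.234.163 LEN=100 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1024 DPT=88 LEN=80
Oct 10 20:01:03 router kernel: FORWARD reject: IN=eth0 OUT=eth1 SRC=10.0.0.142 DST=8.6.176.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=1025 DPT=3074 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 10 20:01:04 router kernel: FORWARD reject: IN=eth0 OUT=eth1 SRC=10.0.0.142 DST=8.6.176.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=1026 DPT=3074 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 10 20:01:05 router kernel: FORWARD reject: IN=eth1 OUT=eth0 SRC=203.0.113.7 DST=10.0.0.142 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=3074 DPT=3074 LEN=40
Oct 10 20:01:06 router kernel: INPUT reject: IN=eth1 OUT= SRC=198.51.100.9 DST=80.176.162.242 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
EOF
}

# Print "<count> <direction> <proto> <remote address> <remote port>" for each
# distinct rejected FORWARD flow involving the Xbox, most frequent first.
# Usage: forward_rejects <xbox-ip> < logfile
forward_rejects() {
    awk -v xbox="$1" '
        /FORWARD reject:/ {
            src = dst = proto = spt = dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "DST")   dst   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "SPT")   spt   = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            if (src == xbox)      key = "out " proto " " dst " dpt=" dpt
            else if (dst == xbox) key = "in " proto " " src " spt=" spt
            else next
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

sample_log | forward_rejects "$xbox"
```

Each output line maps directly onto a candidate FORWARD rule (direction, protocol, remote network and port); on the real router replace sample_log with the kernel log, e.g. grep FORWARD /var/log/messages.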

Much of what follows concerns the use of port 3074, which is used extensively for both TCP and UDP and apparently carries a number of protocols ranging from file transfer to Voice over IP (VoIP).

Suggested 'INPUT' Rules

Although this TN concerns itself only with the 'FORWARD' chains the following 'INPUT' rules may be of interest:

 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # Accept new connections arriving on any interface except the external one
 # (older iptables versions wrote this match as "-i ! eth1").
 iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
 # The "LOG and REJECT" default: log whatever falls through, then reject it.
 # REJECT is a target extension and is not accepted as a chain policy by
 # "-P", which takes only ACCEPT or DROP, so DROP is the final backstop.
 iptables -A INPUT -j LOG --log-prefix "INPUT reject: "
 iptables -A INPUT -j REJECT
 iptables -P INPUT DROP

HTTP Protocol

The Xbox needs to be able to contact http://www.xbox.com, but in line with the directly-connected philosophy it is not possible to use proxies.

 # A hostname given to iptables is resolved once, when the rule is added;
 # if www.xbox.com resolves to several addresses, one rule per address
 # results, and the rules are not updated if the name later changes.
 iptables -A FORWARD -p tcp -s $xbox -d www.xbox.com --dport 80 -j ACCEPT
 iptables -t nat -A POSTROUTING \
 	-s $xbox -d www.xbox.com -o eth1 -j SNAT --to $router

Kerberos

The Xbox uses the Kerberos protocol[7], or some Microsoft variety of it, for authentication. This currently appears to come from 65.59.234.163, a single IP address with no reverse DNS entry in the Limelight Networks IP block.

 xbox_kerb=65.59.234.163
 iptables -A FORWARD -p udp -s $xbox -d $xbox_kerb --dport 88 -j ACCEPT
 iptables -A FORWARD -p udp -s $xbox_kerb -d $xbox --sport 88 -j ACCEPT
 iptables -t nat -A POSTROUTING -s $xbox -d $xbox_kerb \
      -o eth1 -j SNAT --to $router

Updates

The Xbox will contact a variety of IP addresses (more or less as soon as it finds itself on the Internet) to update its firmware and so forth. These updates appear to be solicited by TCP connections to a dedicated Microsoft-owned net-block (again without reverse DNS entries), 8.6.176.0/24. It can also use TCP connections in the Limelight Networks IP block (87.248.192.0/19) and in Level3's IP block (65.59.0.0/14). The use of these networks may be a geographically based mirroring arrangement and so may differ depending on what part of the world the Xbox is perceived to be in. An apparent part of this update process is the use of UDP port 3074 too (but this is covered in the next section).

 xbox_msoft=8.6.176.0/24
 xbox_llnw=87.248.192.0/19
 xbox_updt=65.59.0.0/14
 # Outbound TCP 3074 from the Xbox to each of the three update networks.
 iptables -A FORWARD -p tcp -s $xbox -d $xbox_msoft --dport 3074 -j ACCEPT
 iptables -A FORWARD -p tcp -s $xbox -d $xbox_llnw --dport 3074 -j ACCEPT
 iptables -A FORWARD -p tcp -s $xbox -d $xbox_updt --dport 3074 -j ACCEPT
 # Source NAT the same traffic to the router's external address.
 iptables -t nat -A POSTROUTING -s $xbox -d $xbox_msoft \
 	-o eth1 -j SNAT --to $router
 iptables -t nat -A POSTROUTING -s $xbox -d $xbox_llnw \
 	-o eth1 -j SNAT --to $router
 iptables -t nat -A POSTROUTING -s $xbox -d $xbox_updt \
 	-o eth1 -j SNAT --to $router

Peer-to-peer Gaming

Peer-to-peer gaming appears to use UDP port 3074 exclusively. Co-ordination and naming is handled by servers in one of the three networks identified above; thereafter UDP packets to and from port 3074 can be expected from, and must be sent to, any address on the Internet. This leads to the following rules.

 # Game traffic: UDP 3074 in either direction, to or from any address.
 iptables -A FORWARD -p udp -s $xbox -d 0/0 --dport 3074 -j ACCEPT
 iptables -A FORWARD -p udp -s $xbox -d 0/0 --sport 3074 -j ACCEPT
 iptables -A FORWARD -p udp -s 0/0 -d $xbox --sport 3074 -j ACCEPT
 iptables -A FORWARD -p udp -s 0/0 -d $xbox --dport 3074 -j ACCEPT
 # Source NAT for the co-ordination servers.  Note that these two rules
 # cover only $xbox_msoft and $xbox_updt; UDP 3074 traffic to any other
 # peer needs a SNAT rule of its own, or it leaves eth1 with the RFC1918
 # source address.
 iptables -t nat -A POSTROUTING \
                -p udp \
                -s $xbox -d $xbox_msoft \
                --dport 3074 \
                -o eth1 -j SNAT --to $router

 iptables -t nat -A POSTROUTING \
                -p udp \
                -s $xbox -d $xbox_updt \
                --sport 3074 \
                -o eth1 -j SNAT --to $router

 # Destination NAT: inbound UDP 3074 arriving at the router's external
 # address is handed to the Xbox (the FORWARD rules above then see $xbox
 # as the destination).
 iptables -t nat -A PREROUTING \
                -p udp \
                -s 0/0 -d $router \
                --dport 3074 \
                -i eth1 -j DNAT --to $xbox

If peer-to-peer gaming is not desired then these rules will need to be modified. As part of the update process UDP packets to and from port 3074 can be expected from IP addresses in the three networks identified as sending updates. The construction of the correct rules for this is left as an exercise for the reader.

Conclusion

The subject of firewalling is complicated and necessarily this TN has concerned itself only with the rules necessary for forwarding and Network Address Translation to allow an Xbox to connect to the Internet at large from behind a Linux based firewall. In the above examples a single fixed external IP address is used; however, it is more common to have a dynamically-assigned external IP address. While the FORWARD rules remain the same, the SNAT rules that do the address translation must necessarily change to MASQUERADE (a POSTROUTING target), and the PREROUTING rule can no longer name a fixed $router address, so it matches on the incoming interface alone and becomes:

 # MASQUERADE is valid only in the POSTROUTING chain.  The PREROUTING rule
 # keeps its DNAT target and drops the "-d $router" match, which has no
 # fixed value when the external address is dynamically assigned.
 iptables -t nat -A PREROUTING \
                -p udp \
                -s 0/0 \
                --dport 3074 \
                -i eth1 -j DNAT --to $xbox

The corresponding POSTROUTING rules, with MASQUERADE in place of SNAT --to $router, are left as an exercise.

In all instances the iptables(8) manual pages should be consulted, as well as the Netfilter web-site. When you have completely satisfied yourself that the rules you have introduced are safe then switch on routing ...

 sysctl -w net.ipv4.ip_forward=1

... and have fun.

References

1. IPTables:
http://www.netfilter.org
2. Martin Sullivan:
http://www.zois.co.uk/people/martin_sullivan
3. RFC1918, Rekhter Y et al. "Address Allocation for Private Internets":
http://www.ietf.org/rfc/rfc1918.txt
4. RFC1631, Egevang K & Francis P. "The IP Network Address Translator (NAT)":
http://www.ietf.org/rfc/rfc1631.txt
5. Xbox:
http://www.xbox.com
6. Red Hat Fedora Project:
http://fedoraproject.org
7. The Kerberos network authentication protocol:
http://web.mit.edu/Kerberos

~Z~


Date: 2011-06-21

