
XBox

Introduction

The Xbox 360 network configuration screen does not allow you to configure a proxy. Hence, if your organization only permits web access through a proxy server, you will not be able to connect to the Xbox Live service (XBL).

The solution illustrated here works for any organization that uses a web proxy server. You will need a Linux machine with iptables and, possibly, the Squid caching proxy installed. The Linux environment used here is Ubuntu.

Background

To begin with, Xbox Live uses the following ports for communication:

  • UDP & TCP 3074
  • UDP & TCP 53
  • UDP 88
  • TCP 80

Setup Method 1: Using 2 NICs and firestarter to configure iptables

One PC with two network cards is required to set it up as a router with a built-in web proxy server (optional). One card connects to the organization network while the other connects to the Xbox. All outbound connections to port 80 are rerouted to the local web proxy for processing. By doing so, the Xbox will not realize it is using a proxy.

If your organization's web proxy server is a "transparent" proxy, you can just reroute all outbound port 80 connections to [proxy_server:port_number] using iptables, or even a router!

However, if the web proxy server is not configured to be "transparent", you'll need to install a transparent Squid proxy server on the routing PC.

Steps

1. Install Squid and Firestarter. Firestarter is a GUI that automatically configures iptables for Internet connection sharing.

sudo apt-get install squid firestarter

2. Configure squid by modifying the file /etc/squid/squid.conf. Add the following:

http_access allow all

This enables access for everyone, which makes it easy to debug if a problem arises. However, once everything is working you should tighten the access to the Xbox's private subnet: with allow all, any host that can reach port 3128 can use the proxy.

cache_peer [organization_proxy_address] parent [organization_proxy_port] 0 no-query no-digest
never_direct allow all

The first line tells Squid to fetch web pages from the organization's proxy server (its parent). The second line tells Squid never to connect directly to the requested web site, but always to fetch it through the proxy server(s) specified in cache_peer, which is what you need when direct outbound HTTP is blocked.

http_port [local_PC_address]:3128 transparent

This tells Squid to behave like a transparent proxy server listening on port 3128. The transparent keyword applies to Squid 2.6 and 3.0; from Squid 3.1 onwards it is called intercept. If you are using a version older than 2.6, then you'll need to use the configuration below:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

3. Restart the Squid server and test it with a browser: point the browser's proxy setting at the newly set up proxy and load a few web pages. If it's not working, check whether a firewall is blocking the ports. Note that on Squid 3.1 and later an intercept port only accepts NAT-redirected traffic, so for this browser test add a second http_port line on another port without the intercept keyword.

sudo /etc/init.d/squid restart

4. Once the Squid installation is complete, it's time to set up Internet connection sharing with NAT port redirection. On the Ubuntu desktop, run Firestarter and start the firewall. Under the policy settings, allow services on ports 1-65535 for the LAN. Also, forward all Xbox services (the ports listed above) to the Xbox's IP address.

5. Then add the following iptables rule to /etc/firestarter/user-post:

$IPT -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128

This assumes the Ubuntu machine is 192.168.0.1 with Squid listening on 3128. $IPT is the iptables path variable that Firestarter defines for its scripts.

6. In your Xbox, configure the network:

  • IP address: 192.168.0.2
  • Subnet mask: 255.255.255.0
  • Gateway: 192.168.0.1
  • DNS address: [the DNS server used by your organization]
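As an added example (not code from the original page), the following shell function writes the Squid settings from steps 2 and 3 as one fragment, with http_access restricted to the Xbox subnet instead of allow all and the http_port keyword chosen by Squid version; the LAN range, addresses, parent proxy name and nameservers are assumed values passed as arguments:

```shell
#!/bin/sh
# Added example, not from the original page: emit the squid.conf fragment for
# the Method 1 transparent proxy, with access restricted to the Xbox's private
# subnet instead of "http_access allow all". All values are assumed and passed
# as arguments; nothing here is a real host name.
#
# Usage: gen_squid_conf LAN_CIDR LOCAL_IP PARENT_HOST PARENT_PORT SQUID_VERSION [NAMESERVER ...]
#   SQUID_VERSION ("major.minor") selects the interception keyword on http_port:
#   "transparent" for Squid 2.6 and 3.0, "intercept" for 3.1 and later.
gen_squid_conf() {
    lan_cidr=$1; local_ip=$2; parent_host=$3; parent_port=$4; version=$5
    shift 5
    major=${version%%.*}
    case $version in
        *.*) minor=${version#*.}; minor=${minor%%.*} ;;
        *)   minor=0 ;;
    esac
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 1 ]; }; then
        mode=intercept
    else
        mode=transparent
    fi

    # Access control: Squid evaluates http_access lines top to bottom and
    # stops at the first match, so the allow for the LAN must precede deny all.
    printf 'acl lan src %s\n' "$lan_cidr"
    printf 'http_access allow lan\n'
    printf 'http_access deny all\n'

    # Always fetch through the organization's proxy, never directly.
    printf 'cache_peer %s parent %s 0 no-query no-digest\n' "$parent_host" "$parent_port"
    printf 'never_direct allow all\n'

    # Listen only on the LAN-facing address, in interception mode.
    printf 'http_port %s:3128 %s\n' "$local_ip" "$mode"

    # Optional: pin nameservers so Squid does not depend on resolv.conf at boot
    # (see the "Debugging" section).
    if [ $# -gt 0 ]; then
        printf 'dns_nameservers %s\n' "$*"
    fi
}

# Run directly, e.g.:
#   sh gen_squid_conf.sh 192.168.0.0/24 192.168.0.1 proxy.example 8080 3.1 > /tmp/squid-xbox.conf
if [ $# -ge 5 ]; then
    gen_squid_conf "$@"
fi
```

Append the output to /etc/squid/squid.conf (removing any conflicting http_access and http_port lines) and restart Squid as in step 3. The order of the http_access lines matters: Squid stops at the first matching rule, so allow lan must come before deny all.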

Debugging

1. To list the contents of the iptables NAT table in rule syntax, execute:

sudo iptables -t nat -S

2. There are cases where Squid doesn't run properly after a PC restart and has to be restarted by hand. The cause is that Squid reads its nameservers from resolv.conf, which NetworkManager re-creates during each boot, so Squid may start before the file contains valid entries. To fix this, append the following line to squid.conf so that Squid no longer depends on resolv.conf:

dns_nameservers [nameserver1] [nameserver2] [...]

Tweaking

  1. If you do not want to store the cache locally, add the "proxy-only" option to the end of the cache_peer directive.
  2. Note: Don't forget to set a default DROP policy on your iptables chains before setting this up!

Setup Method 2: Using Virtual NIC eth0:1 and raw iptables

This method is for you if you:

  • Don't have a second network card.
  • Want to implement pure iptables solution.

In this scenario, eth0 is the gateway to the Internet (IP assigned by your organization), eth0:1 is the Ubuntu router's address (192.168.0.1) on the private network, and the Xbox is 192.168.0.2.

Please install and configure Squid following Setup Method 1 first.

To set up a virtual network interface, add the following to /etc/network/interfaces:

auto eth0:1
iface eth0:1 inet static
address 192.168.0.1
netmask 255.255.255.0

Then, for iptables, run the following with sudo:

sudo iptables -A FORWARD -o eth0 -i eth0 -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128

This forwards all traffic from 192.168.0.0/24 to the WAN (the MASQUERADE rule as written applies to everything leaving the box; restricting it with -s 192.168.0.0/24 -o eth0 is tighter). The last line routes all port 80 traffic from the local network to the transparent Squid proxy set up earlier.

Next, redirect the Xbox-specific ports from the Internet to the Xbox.

sudo iptables -t nat -A PREROUTING -p tcp -i eth0 -d [internet interface address] --dport 3074 -j DNAT --to 192.168.0.2:3074

sudo iptables -A FORWARD -i eth0 -p tcp -d 192.168.0.2 --dport 3074 -j ACCEPT

Repeat both rules for UDP port 3074 (replace -p tcp with -p udp).

Next, enable kernel IPv4 forwarding:

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

To make the setting stay after reboot, add the following to /etc/sysctl.conf:

# for ubuntu < 10.04
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1
# for ubuntu > 10.04
net.ipv4.ip_forward=1

Then save the iptables rules:

sudo iptables-save | sudo tee /etc/iptables.sav

And add the following to /etc/rc.local before "exit 0":

iptables-restore < /etc/iptables.sav
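As an added example, not part of the original page, the following shell function emits the whole Method 2 ruleset in iptables-restore format, including the UDP 3074 rules the text asks you to repeat, a MASQUERADE limited to the private subnet, and a FORWARD chain whose default policy is DROP as the Tweaking note advises; eth0, the addresses and the WAN IP are assumed values passed as arguments:

```shell
#!/bin/sh
# Added example, not from the original page: build the complete Method 2 ruleset
# in iptables-restore format so it can be reviewed before loading, then loaded
# and saved the way the page does:
#   gen_xbox_rules eth0 192.168.0.0/24 192.168.0.1 192.168.0.2 10.1.2.3 | sudo iptables-restore
#   sudo iptables-save | sudo tee /etc/iptables.sav
# Interface names and addresses are assumed and passed as arguments. Both
# "sides" are eth0 because the private LAN lives on the alias eth0:1.
#
# Usage: gen_xbox_rules WAN_IF LAN_CIDR ROUTER_LAN_IP XBOX_IP WAN_IP
gen_xbox_rules() {
    wan_if=$1; lan_cidr=$2; router_ip=$3; xbox_ip=$4; wan_ip=$5
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# LAN web traffic goes to the local transparent Squid; traffic to the router itself is left alone
-A PREROUTING -i $wan_if -s $lan_cidr ! -d $router_ip -p tcp --dport 80 -j DNAT --to-destination $router_ip:3128
# Inbound Xbox Live connections (TCP and UDP 3074) are forwarded to the console
-A PREROUTING -i $wan_if -d $wan_ip -p tcp --dport 3074 -j DNAT --to-destination $xbox_ip:3074
-A PREROUTING -i $wan_if -d $wan_ip -p udp --dport 3074 -j DNAT --to-destination $xbox_ip:3074
# Masquerade only the private subnet, and only when it leaves towards the organization network
-A POSTROUTING -s $lan_cidr -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT is left ACCEPT so you do not lock yourself out of the box; at minimum the
# Squid intercept port must be reachable from the private LAN only
-A INPUT -p tcp --dport 3128 -s $lan_cidr -j ACCEPT
-A INPUT -p tcp --dport 3128 -j DROP
# FORWARD defaults to DROP; only replies, LAN-originated flows and the Xbox port forwards pass
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan_if -o $wan_if -s $lan_cidr -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $wan_if -d $xbox_ip -p tcp --dport 3074 -j ACCEPT
-A FORWARD -i $wan_if -d $xbox_ip -p udp --dport 3074 -j ACCEPT
COMMIT
EOF
}

# Run directly with the five arguments to print the ruleset for review.
if [ $# -ge 5 ]; then
    gen_xbox_rules "$@"
fi
```

Review the output, load it with sudo iptables-restore, and then save it to /etc/iptables.sav as above. Because eth0:1 is an alias on the same physical interface, the private subnet shares a segment with the organization network; the -s 192.168.0.0/24 source checks and the INPUT rules on port 3128 are the only things keeping other hosts on that segment from using the router and its proxy, so keep them.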
ViSLAB transparent proxy network information is located here.