fix(left4me): srcds binds RCON to all interfaces + close external TCP

Two changes to fix web's "No data / Connection refused" symptoms: 1. ExecStart adds +ip 0.0.0.0 so srcds_linux binds both UDP and TCP to all interfaces (incl. loopback). Default Source auto-IP picks the primary host IP (141.95.32.8 here), so TCP RCON was only on the public IP; web's 127.0.0.1 connect got ECONNREFUSED. 2. nftables/input drops the TCP accept on the game port range. UDP stays open for players. Loopback (127.0.0.1) bypasses the input chain via the existing 'iifname lo accept' rule in bundles/nftables/files/nftables.conf, so web→RCON via loopback still works. Net effect: web's live-state polling + console RCON work via loopback; RCON is no longer reachable from the public internet. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 16:30:00 +02:00 · 2026-05-15 16:30:00 +02:00 · f5bce30a4a
commit f5bce30a4a
parent 656be1cf69
1 changed files with 11 additions and 2 deletions
--- a/bundles/left4me/metadata.py
+++ b/bundles/left4me/metadata.py
@ -248,8 +248,13 @@ def nftables_input(metadata):
    return {
        'nftables': {
            'input': {
+                # Players connect via UDP. TCP on the same port range is RCON
+                # — only the local web app should reach it. Loopback bypasses
+                # the input chain (iifname lo accept in bundles/nftables/...),
+                # so 127.0.0.1 RCON works without an explicit TCP accept here.
+                # External TCP on these ports stays blocked by the default
+                # input-chain drop.
                f'udp dport {port_start}-{port_end} accept',
-                f'tcp dport {port_start}-{port_end} accept',
            },
        },
    }
@ -352,7 +357,11 @@ def systemd_units(metadata):
                        ),
                        'WorkingDirectory': '-/var/lib/left4me/runtime/%i/merged/left4dead2',
                        'ExecStartPre': '+/usr/bin/nsenter --mount=/proc/1/ns/mnt -- /usr/local/libexec/left4me/left4me-overlay mount %i',
-                        'ExecStart': '/var/lib/left4me/runtime/%i/merged/srcds_run -game left4dead2 +hostport ${L4D2_PORT} $L4D2_ARGS',
+                        # +ip 0.0.0.0 binds RCON (TCP) to all interfaces incl. loopback;
+                        # without this, Source auto-selects the primary IP and the web
+                        # app's 127.0.0.1 RCON connect gets ECONNREFUSED. External TCP
+                        # on the game port range is firewall-blocked in nftables_input.
+                        'ExecStart': '/var/lib/left4me/runtime/%i/merged/srcds_run -game left4dead2 +ip 0.0.0.0 +hostport ${L4D2_PORT} $L4D2_ARGS',
                        'ExecStopPost': '+/usr/bin/nsenter --mount=/proc/1/ns/mnt -- /usr/local/libexec/left4me/left4me-overlay umount %i',
                        'Restart': 'on-failure',
                        'RestartSec': '5',