bittorrent / iptables (?) problem (works more or less :x)

nei · 03-23-2004, 07:13 AM

hi

iam having trouble with bittorrent and my gateway (slack 9.1)

i launch the dowloads directly on my gw with screen...it actually works, but very bad...
the d/l rate is between a few hundreds bytes/s and 4-6k/s when it works good :/ ive also
tried on a win2k box behind the gw, but i get timouts and it also doesnt work well...
( im speaking of recent bt with a lot of seeders an leechers...)
below is my fw script and a few cmds outputs... am i missing sth ?
(btw i have an adsl 512k)

thanx for any help and sorry for my english ^^

tihis one has 80 seeds and 80 leechers... ( i used to d/l at more than 40k/s one month ago :/)
file: [AonE]_Gungrave_22_[134772B0].avi |
| size: 193,798,144 (184.8 MB) |
| dest: /home/nei/dl/[AonE]_Gungrave_22_[134772B0].avi |
| progress: |
| status: finishing in 20:35:33 (82.3%) |
| speed: 1.3 KB/s down - 10.4 KB/s up |
| totals: 6.5 MB down - 64.8 MB up

root@syhknosys:~# cat /etc/rc.d/rc.firewall
#/bin/bash

IPTABLES=/usr/local/sbin/iptables

#--------------------------------------------------------------------#

echo "1" > /proc/sys/net/ipv4/ip_forward

#Disabling IP Spoofing attacks.
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo "0" > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

#Set out local port range
#echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
#--------------------------------------------------------------------#
#Flush the tables
$IPTABLES -t filter -F
$IPTABLES -t filter -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

#--------------------------------------------------------------------#
#Setting policies on filter table
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#--------------------------------------------------------------------#
#Setting policies on the other tables
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT

$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
#--------------------------------------------------------------------#
#ACCEPTing ourselves
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#ACCEPTing lan packets
$IPTABLES -A INPUT -i eth0 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -m state --state NEW -j LOG --log-prefix="[eth0]new connection:"
$IPTABLES -A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -m state --state NEW -j LOG --log-prefix="[eth1]new connection:"
$IPTABLES -A OUTPUT -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
#ACCEPTing wlan packets
$IPTABLES -A INPUT -i wlan0 -j ACCEPT
$IPTABLES -A OUTPUT -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#FW has internet...
$IPTABLES -A OUTPUT -o ppp0 -j ACCEPT
$IPTABLES -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#--------------------------------------------------------------------#
#NATing
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 192.168.16.0/24 -o ppp0 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 192.168.11.0/24 -o ppp0 -j MASQUERADE

#Conntrack: FORWARDing everything from the LAN/WLAN to the Net
$IPTABLES -A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i wlan0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#...allowing valid, already established connections from the Net
$IPTABLES -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i ppp0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i ppp0 -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#....
$IPTABLES -A FORWARD -i eth1 -o eth0 -m state --state ! INVALID -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ! INVALID -j ACCEPT
#...
#--------------------------------------------------------------------#
#misc...-p icmp -m state --state RELATED -j ACCEPT

$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -j ACCEPT

#ACCEPTing a few things for now:
$IPTABLES -A INPUT -p tcp --dport ssh -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport http -j ACCEPT
#dns :p
$IPTABLES -A INPUT -i ppp0 -p udp --sport 53 --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT

# ! bittorrent ...
iptables -A INPUT -i ppp0 -p tcp --dport 6881:6889 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 6969 -j ACCEPT

#test ! bittorrent ...
#iptables -A INPUT -i ppp0 -p tcp --dport 6000:7000 -j ACCEPT

root@syhknosys:~# netstat -nap --ip |grep 688
tcp 0 0 0.0.0.0:6881 0.0.0.0:* LISTEN 16026/python
tcp 0 0 82.x4.14.xx:6881 65.33.21.184:3799 SYN_RECV -
tcp 0 0 0.0.0.0:6882 0.0.0.0:* LISTEN 4093/python
tcp 0 0 82.x4.14.xx:6881 24.210.200.68:1124 TIME_WAIT -
tcp 0 1 82.x4.14.xx:6881 80.223.145.248:1425 FIN_WAIT1 -
tcp 0 1 82.x4.14.xx:6881 24.197.24.203:1564 FIN_WAIT1 -
tcp 0 0 82.x4.14.xx:6881 66.111.59.20:50548 ESTABLISHED 16026/python
root@syhknosys:~# uname -a
Linux syhknosys 2.4.25-grsec #1 Sun Feb 22 19:21:25 CET 2004 i686 unknown unknown GNU/Linux

heres a bt screensht...

file: Kenichi_Sonoda_-_Gallant_(DPG_-_4D1D5B86)_www.animeart.com.ar.zip |
| size: 164,025,486 (156.4 MB) |
| dest: /home/nei/dl/Kenichi_Sonoda_-_Gallant_(DPG_-_4D1D5B86)_www.animeart.com.ar.zip |
| progress: #############################################################______________ |
| status: finishing in 22:58:28 (88.7%) |
| speed: 6 B/s down - 1.5 KB/s up |
| totals: 58.1 MB down - 135.0 MB up |
| error(s): [09:27:07] Problem connecting to tracker - timeout exceeded |

nei · 03-30-2004, 08:33 AM

Azmeen · 03-31-2004, 06:34 AM

I got something similar setup on my firewall, although it's not a gateway.

Maybe you should try adjusting your bittorrent section a bit to look like:

Code:

# ! bittorrent ...
$IPTABLES -A INPUT -i ppp0 -p tcp --dport 6881:6889 -j ACCEPT

I don't think that the other line is necessary.