LinuxQuestions.org
Old 04-12-2005, 07:49 AM   #1
b:z
Member
 
Registered: Mar 2005
Posts: 146

Rep: Reputation: 15
iptables - how to allow client in my local net use emule -- please help me


I connect to the Internet through a Linux gateway, and it doesn't allow me to use eMule to get files. I also contacted my administrator, and he is sure that he has set the iptables firewall to allow the port range 4661-4672 (both TCP and UDP). However, I know that he has set it to allow me full port access to connect to the Internet.
He also edited the NAT for port range 4662:4672, NATed at the Zyxel modem (I have seen it). But I can connect to eMule with HighID (just LowID).
How can I fix this problem? Please help me, or tell me what to tell him.
Thank you very much.
 
Old 04-12-2005, 08:23 AM   #2
SonJelfn
Member
 
Registered: Aug 2003
Location: Sendai, Japan
Distribution: Slackware, Slackware64, Debian
Posts: 63

Rep: Reputation: 16
What your administrator has done is basically right. However, to make you connect with a HIGH ID, you will have to NAT a bigger portion of port ranges to the computer running eMule.

In my particular network using a gateway Linux IPTables Firewall, I DNAT destination ports (TCP) 4242 to 4670, source ports 4242 to 9999, (UDP) destination ports 4672 and source ports 4672 to the machine running eMule.

I also let the firewall forward (UDP) 4672 and (TCP) 4242 to 4680 with destination to the machine running eMule or packets that originate from that same machine.

I hope this information is of some help. If you need more help don't be afraid to ask. Good luck.
 
Old 04-12-2005, 08:55 AM   #3
b:z
Member
 
Registered: Mar 2005
Posts: 146

Original Poster
Rep: Reputation: 15
Thanks for your answer, and this is the line that my administrator has added to "rc.firewall":

Quote:
$IPT -A FORWARD -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -m mac --mac-source 00:50:8B:AF:73:C4 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $INET_IFACE -m mac --mac-source 00:50:8B:AF:73:C4 --dport 4662:4670 -m state --state NEW,ESTABLISHED -j ACCEPT
Note: 00:50:8B:AF:73:C4 is the MAC address of my computer.
However, I still can't get an eMule HighID. Is there something wrong? Can you show me? Thanks so much.
 
Old 04-12-2005, 09:53 AM   #4
SonJelfn
Member
 
Registered: Aug 2003
Location: Sendai, Japan
Distribution: Slackware, Slackware64, Debian
Posts: 63

Rep: Reputation: 16
The forwarding part seems to be in order, and I don't believe it needs to be changed. Perhaps you could tell your administrator to extend this:

a)
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $INET_IFACE -m mac --mac-source 00:50:8B:AF:73:C4 --dport 4662:4670 -m state --state NEW,ESTABLISHED -j ACCEPT

to when you get an incoming packet from $INET_IFACE, in other words add the following lines:

b)
$IPT -A FORWARD -p UDP -i $INET_IFACE -o $LAN_IFACE -d <eMule machine> --dport 4672 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p TCP -i $INET_IFACE -o $LAN_IFACE -d <eMule machine> --dport 4662:4670 -m state --state ESTABLISHED,RELATED -j ACCEPT

This however only makes sense if you add the following to the NAT table:

c)
$IPT -t nat -A PREROUTING -i $INET_IFACE -p udp --sport 4672 -j DNAT --to <eMule machine>
$IPT -t nat -A PREROUTING -i $INET_IFACE -p udp --dport 4672 -j DNAT --to <eMule machine>
$IPT -t nat -A PREROUTING -i $INET_IFACE -p tcp --sport 4242:9999 -j DNAT --to <eMule machine>
$IPT -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 4242:4670 -j DNAT --to <eMule machine>

Notice how the ranges of the TCP ports are quite big. You could have your administrator try to lower it; I'm sure for security reasons a 5000 port range is a little too much. I would suggest you start here and try to lower the range with time. The DNAT part is important, since when the packet goes through the FORWARD part of the chain, after traversing c) it will need b) to let the packet through.

I hope this wasn't too confusing and I hope it helps you with your problem. Good luck
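
The two points this answer raises (the wide port ranges, and that a packet DNATed by c) still needs a FORWARD rule like b) to pass) can be checked mechanically. The script below is an added example, not part of the original post: it audits rule lines read from stdin, and the interface names, the 192.168.1.10 address, the MAX_WIDTH limit and the finding labels are all assumptions.

```shell
#!/bin/sh
# Added example: audit DNAT forwards like c) against FORWARD rules like b).
# MAX_WIDTH (assumed policy value): widest port range allowed in one forward.
MAX_WIDTH=${MAX_WIDTH:-16}
# Constructed sample: the b) and c) rules with assumed values filled in
# (eth0 = Internet side, eth1 = LAN side, 192.168.1.10 = eMule machine).
sample_rules() {
cat <<'EOF'
-A FORWARD -p UDP -i eth0 -o eth1 -d 192.168.1.10 --dport 4672 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.1.10 --dport 4662:4670 -m state --state ESTABLISHED,RELATED -j ACCEPT
-t nat -A PREROUTING -i eth0 -p udp --sport 4672 -j DNAT --to 192.168.1.10
-t nat -A PREROUTING -i eth0 -p udp --dport 4672 -j DNAT --to 192.168.1.10
-t nat -A PREROUTING -i eth0 -p tcp --sport 4242:9999 -j DNAT --to 192.168.1.10
-t nat -A PREROUTING -i eth0 -p tcp --dport 4242:4670 -j DNAT --to 192.168.1.10
EOF
}

# Reads rule lines on stdin and prints one finding per line, sorted.
audit_dnat() {
    awk -v max="$MAX_WIDTH" '
    # Value that follows option opt on the current line, or "" if absent.
    function arg(opt,   i) { for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1); return "" }
    # Parse "lo:hi" or a single port into the globals lo and hi.
    function range(spec,   p, n) { n = split(spec, p, ":"); lo = p[1] + 0; hi = p[n] + 0 }
    / -j DNAT/ {
        proto = tolower(arg("-p")); sp = arg("--sport"); dp = arg("--dport")
        if (sp != "") print "SPORT-MATCH " proto " " sp " (source port is chosen by the remote peer)"
        if (dp == "") next
        range(dp); w = hi - lo + 1
        if (w > max) print "WIDE-RANGE " proto " " dp " (" w " ports, limit " max ")"
        d++; dif[d] = arg("-i"); dpr[d] = proto; dlo[d] = lo; dhi[d] = hi; dsp[d] = dp
    }
    /-A FORWARD/ && / -j ACCEPT/ && arg("--dport") != "" && ("," arg("--state") ",") ~ /,NEW,/ {
        range(arg("--dport"))
        f++; fif[f] = arg("-i"); fpr[f] = tolower(arg("-p")); flo[f] = lo; fhi[f] = hi
    }
    END {
        # A DNAT counts as covered when a FORWARD rule on the same inbound interface
        # and protocol accepts state NEW for an overlapping destination port range.
        for (i = 1; i <= d; i++) {
            ok = 0
            for (j = 1; j <= f; j++)
                if (fif[j] == dif[i] && fpr[j] == dpr[i] && flo[j] <= dhi[i] && fhi[j] >= dlo[i]) ok = 1
            if (!ok) print "NO-NEW-FORWARD " dpr[i] " " dsp[i] " (no inbound FORWARD rule accepts state NEW)"
        }
    }' | sort
}

sample_rules | audit_dnat
```

On the constructed sample it reports both source-port matches, the 429-port TCP range, and that neither DNAT has an inbound FORWARD rule accepting state NEW, which is the connection-tracking state of the unsolicited inbound connections a High ID depends on.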
 
  

