LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 04-21-2008, 05:11 PM   #1
jordib
Member
 
Registered: Apr 2008
Distribution: Debian
Posts: 35

Rep: Reputation: 15
iptables: redirect eMule ports


Hello,

I'm setting up a public services subnetwork and I need some help with iptables. This is what I manage:

Firewall (Debian 4.0r3) with 3 NIC's:

eth0 NET, interface "INET", subnet 192.168.3.0/24, connected to a DSL router pointed by a public static IP address.
eth1 DMZ, interface "IDMZ", subnet 192.168.2.0/24, only one machine
eth2 LOC, interface "ILOC", subnet 192.168.1.0/24 (XLOC)

The default policy for INPUT, OUTPUT, FORWARD chains (and PRE/POST-ROUTING) is DROP.

The firewall masquerades all that comes from LOC and DMZ subnets going to the Internet.

I'm having problems with eMule ports redirection to a machine in the local network, this is the related portion of the ruleset:

Code:
iptables -t nat -A PREROUTING -i $INET -p tcp --dport 4662 -j DNAT --to-destination $MACHINE:4662
iptables -t nat -A PREROUTING -i $INET -p udp --dport 4672 -j DNAT --to-destination $MACHINE:4672
iptables -t nat -A PREROUTING -i $INET -p udp --dport 4665 -j DNAT --to-destination $MACHINE:4665

iptables -A FORWARD -i $ILOC -o $INET -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 4662 -j ACCEPT
iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -p tcp --sport 4662 -j ACCEPT

iptables -A FORWARD -i $ILOC -o $INET -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 4672 -j ACCEPT
iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -p udp --sport 4672 -j ACCEPT

iptables -A FORWARD -i $ILOC -o $INET -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 4665 -j ACCEPT
iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -p udp --sport 4665 -j ACCEPT
even though simple, it does not work (I continue having LowID), some help please

Last edited by jordib; 04-23-2008 at 05:25 PM.
 
Old 04-23-2008, 02:32 AM   #2
FraGGod
Member
 
Registered: Jun 2007
Location: Yekaterinburg, RU
Distribution: gentoo
Posts: 59

Rep: Reputation: 16
Prehaps just 'iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -j ACCEPT' will help?
I doubt that kernel is able to track ed2k protocol connections but still it might just work.

For my mldonkey ports are tcp:4662 (by default) and udp:4666 (tcp+4), also there is one random TCP+UDP (same number for both protocols) port for Kademilla.
I believe eMule uses tcp:4662 + udp:4672 (notice UDP, not TCP as it is in your configuration) for ed2k and tcp:6419 + udp:6429 for KAD, but I'm not sure if it's still true for modern mules.
 
Old 04-23-2008, 05:23 PM   #3
jordib
Member
 
Registered: Apr 2008
Distribution: Debian
Posts: 35

Original Poster
Rep: Reputation: 15
Transcription error, UDP for 4672 and 4665. Why not able to track ed2k protocol connections, they're not like any other over TCP/UDP? thanks
 
Old 04-24-2008, 09:27 AM   #4
FraGGod
Member
 
Registered: Jun 2007
Location: Yekaterinburg, RU
Distribution: gentoo
Posts: 59

Rep: Reputation: 16
Quote:
Originally Posted by jordib View Post
Transcription error, UDP for 4672 and 4665. Why not able to track ed2k protocol connections, they're not like any other over TCP/UDP? thanks
No, they should be quite ordinary connections, I just haven't seen netfilter module in vanilla kernel to conntrack which additional ports should be opened / forwarded, based on main port connection data, as it can be done for FTP or IRC.

I've also just noticed that you actually do not allow any connections from outside world get past FORWARD chain:
"iptables -A FORWARD -i $ILOC -o $INET -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 4672 -j ACCEPT"
...is for connections, initiated by your client, I believe that line is OK.
"iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -p udp --sport 4672 -j ACCEPT" is for
...isn't good enough, because other client have to actually initiate NEW connection to your port, it's certainly not ESTABLISHED and should not be considered RELATED by netfilter.
Try adding NEW to states here, same for the rest of the ports, used by eMule.
 
Old 04-24-2008, 04:43 PM   #5
jordib
Member
 
Registered: Apr 2008
Distribution: Debian
Posts: 35

Original Poster
Rep: Reputation: 15
Ok, I'll try that soon.
 
  


Reply

Tags
iptables, redirection, security


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables to redirect ports? mtndew Linux - Networking 4 04-21-2006 10:03 PM
iptables:redirect ports except for packets destined for fierwall(upto 256 ip) itself mmshekiba Linux - Security 1 02-02-2006 12:08 PM
Linux as router, iptables and eMule thugic Linux - Networking 2 01-12-2006 06:03 AM
Blocking Emule with Iptables Palula Linux - Networking 12 08-26-2005 12:21 PM
emule don't work with iptables/nat coyote gomen Linux - Networking 1 08-16-2003 04:19 PM


All times are GMT -5. The time now is 03:10 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration