I'm setting up a public services subnetwork and I need some help with iptables. This is what I manage:
Firewall (Debian 4.0r3) with 3 NICs:
eth0 NET, interface "INET", subnet 192.168.3.0/24, connected to a DSL router that has a public static IP address.
eth1 DMZ, interface "IDMZ", subnet 192.168.2.0/24, only one machine.
eth2 LOC, interface "ILOC", subnet 192.168.1.0/24 (XLOC).
The default policy for INPUT, OUTPUT, FORWARD chains (and PRE/POST-ROUTING) is DROP.
The firewall masquerades all that comes from LOC and DMZ subnets going to the Internet.
I'm having problems with eMule ports redirection to a machine in the local network, this is the related portion of the ruleset:
Code:
iptables -t nat -A PREROUTING -i $INET -p tcp --dport 4662 -j DNAT --to-destination $MACHINE:4662
iptables -t nat -A PREROUTING -i $INET -p udp --dport 4672 -j DNAT --to-destination $MACHINE:4672
iptables -t nat -A PREROUTING -i $INET -p udp --dport 4665 -j DNAT --to-destination $MACHINE:4665
iptables -A FORWARD -i $ILOC -o $INET -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 4662 -j ACCEPT
iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -p tcp --sport 4662 -j ACCEPT
iptables -A FORWARD -i $ILOC -o $INET -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 4672 -j ACCEPT
iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -p udp --sport 4672 -j ACCEPT
iptables -A FORWARD -i $ILOC -o $INET -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 4665 -j ACCEPT
iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -p udp --sport 4665 -j ACCEPT
Even though it is simple, it does not work (I still get a LowID). Some help, please.
Perhaps just 'iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -j ACCEPT' will help?
I doubt that the kernel is able to track ed2k protocol connections, but it still might just work.
For my mldonkey, the ports are tcp:4662 (by default) and udp:4666 (tcp+4); there is also one random TCP+UDP port (same number for both protocols) for Kademlia.
I believe eMule uses tcp:4662 + udp:4672 (notice UDP, not TCP as it is in your configuration) for ed2k and tcp:6419 + udp:6429 for KAD, but I'm not sure if it's still true for modern mules.
Transcription error: UDP for 4672 and 4665. Why is it not able to track ed2k protocol connections? Aren't they like any other connections over TCP/UDP? Thanks.
No, they should be quite ordinary connections; I just haven't seen a netfilter module in the vanilla kernel to conntrack which additional ports should be opened/forwarded based on the main port's connection data, as can be done for FTP or IRC.
I've also just noticed that you actually do not allow any connections from the outside world to get past the FORWARD chain:
"iptables -A FORWARD -i $ILOC -o $INET -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 4672 -j ACCEPT"
...is for connections initiated by your client; I believe that line is OK.
"iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -p udp --sport 4672 -j ACCEPT"
...isn't good enough, because other clients have to actually initiate a NEW connection to your port; it's certainly not ESTABLISHED and should not be considered RELATED by netfilter.
Try adding NEW to the states here, and do the same for the rest of the ports used by eMule.
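The fix suggested above, written out as an added example (not code from the thread): one function emits the DNAT rule plus the two FORWARD rules for a port, with NEW included on the inbound side. The interface names, the MACHINE address and the extra "-d/-s $MACHINE" match (which pins the forward to the DNATed host; FORWARD sees the post-DNAT address) are assumptions beyond the original post.

```shell
#!/bin/sh
# Added example: corrected eMule port forwarding for one internal host.
# Interface names and host address are constructed placeholders.
INET=eth0
ILOC=eth2
MACHINE=192.168.1.10

# IPT defaults to echo so the script only prints the rules for review;
# run with IPT=iptables to apply them on the firewall.
IPT=${IPT:-echo}

# forward_port PROTO PORT
# Emits the three rules needed for one service port:
#  1. DNAT packets arriving on the Internet interface to the internal host
#  2. FORWARD rule accepting the NEW inbound connection from a remote peer
#     (the original ruleset only matched ESTABLISHED,RELATED here, which
#     never matches the first packet of a connection opened from outside)
#  3. FORWARD rule for the reply traffic from the internal host
forward_port() {
    proto=$1
    port=$2
    $IPT -t nat -A PREROUTING -i "$INET" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$MACHINE:$port"
    $IPT -A FORWARD -i "$INET" -o "$ILOC" -d "$MACHINE" -p "$proto" --dport "$port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$ILOC" -o "$INET" -s "$MACHINE" -p "$proto" --sport "$port" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# ed2k ports from the thread: tcp 4662, udp 4672 and udp 4665
forward_port tcp 4662
forward_port udp 4672
forward_port udp 4665
```

After applying, check with `iptables -L FORWARD -n -v` that the packet counter on the NEW rule increases when a remote peer connects; if it stays at zero, the DNAT rule or the DSL router's forwarding to the firewall is the problem, not the FORWARD chain.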