iptables: redirect eMule ports

jordib · 04-21-2008, 05:11 PM

Hello,

I'm setting up a public services subnetwork and I need some help with iptables. This is what I manage:

Firewall (Debian 4.0r3) with 3 NIC's:

eth0 NET, interface "INET", subnet 192.168.3.0/24, connected to a DSL router pointed by a public static IP address.
eth1 DMZ, interface "IDMZ", subnet 192.168.2.0/24, only one machine
eth2 LOC, interface "ILOC", subnet 192.168.1.0/24 (XLOC)

The default policy for INPUT, OUTPUT, FORWARD chains (and PRE/POST-ROUTING) is DROP.

The firewall masquerades all that comes from LOC and DMZ subnets going to the Internet.

I'm having problems with eMule ports redirection to a machine in the local network, this is the related portion of the ruleset:

Code:

iptables -t nat -A PREROUTING -i $INET -p tcp --dport 4662 -j DNAT --to-destination $MACHINE:4662
iptables -t nat -A PREROUTING -i $INET -p udp --dport 4672 -j DNAT --to-destination $MACHINE:4672
iptables -t nat -A PREROUTING -i $INET -p udp --dport 4665 -j DNAT --to-destination $MACHINE:4665

iptables -A FORWARD -i $ILOC -o $INET -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 4662 -j ACCEPT
iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -p tcp --sport 4662 -j ACCEPT

iptables -A FORWARD -i $ILOC -o $INET -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 4672 -j ACCEPT
iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -p udp --sport 4672 -j ACCEPT

iptables -A FORWARD -i $ILOC -o $INET -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 4665 -j ACCEPT
iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -p udp --sport 4665 -j ACCEPT

even though simple, it does not work (I continue having LowID), some help please

FraGGod · 04-23-2008, 02:32 AM

Prehaps just 'iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -j ACCEPT' will help?
I doubt that kernel is able to track ed2k protocol connections but still it might just work.

For my mldonkey ports are tcp:4662 (by default) and udp:4666 (tcp+4), also there is one random TCP+UDP (same number for both protocols) port for Kademilla.
I believe eMule uses tcp:4662 + udp:4672 (notice UDP, not TCP as it is in your configuration) for ed2k and tcp:6419 + udp:6429 for KAD, but I'm not sure if it's still true for modern mules.

jordib · 04-23-2008, 05:23 PM

Transcription error, UDP for 4672 and 4665. Why not able to track ed2k protocol connections, they're not like any other over TCP/UDP? thanks

FraGGod · 04-24-2008, 09:27 AM

Quote:

Originally Posted by jordib

Transcription error, UDP for 4672 and 4665. Why not able to track ed2k protocol connections, they're not like any other over TCP/UDP? thanks

No, they should be quite ordinary connections, I just haven't seen netfilter module in vanilla kernel to conntrack which additional ports should be opened / forwarded, based on main port connection data, as it can be done for FTP or IRC.

I've also just noticed that you actually do not allow any connections from outside world get past FORWARD chain:
"iptables -A FORWARD -i $ILOC -o $INET -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 4672 -j ACCEPT"
...is for connections, initiated by your client, I believe that line is OK.
"iptables -A FORWARD -i $INET -o $ILOC -m state --state ESTABLISHED,RELATED -p udp --sport 4672 -j ACCEPT" is for
...isn't good enough, because other client have to actually initiate NEW connection to your port, it's certainly not ESTABLISHED and should not be considered RELATED by netfilter.
Try adding NEW to states here, same for the rest of the ports, used by eMule.

jordib · 04-24-2008, 04:43 PM

Ok, I'll try that soon.