LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-11-2004, 12:07 PM   #1
fortezza
Member
 
Registered: Mar 2003
Location: Colorado
Distribution: Fedora Core 4
Posts: 297

Rep: Reputation: 30
Iptables,firewall,nat,gnutella-Making It Work


Ok, I am trying to get a handle on doing all the PREROUTING, FORWARDING, and POSTROUTING required for Gnutella to work properly behind my Linux NAT/Firewall/Router running on my home network. I have found many, many related posts on the 'net, but none are clear or inclusive, i.e. they don't address all of the requirements, or, if they do, the commands are spread out over the iptables config file such that I can't find which ones I need and which ones I do not need.

Here is my setup using ASCII art -


[Internet]---[eth0][Linux NAT/FW/Router][eth1]---[Gnutella Host ]



Here is my idea of what commands I need to get it all to work

#Enable GTK-Gnutella
##accept incoming gnutella packets (TCP and UDP on the same port)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 6346 -j DNAT --to-destination 10.0.0.3:6346
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 6346 -j DNAT --to-destination 10.0.0.3:6346
##Ok, they're accepted and set to go to 10.0.0.3, now forward them to the correct system
iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.3 --dport 6346 -j ACCEPT
##Allow the Gnutella host to also connect to other Gnutella hosts
iptables -A FORWARD -i eth1 -o eth0 -s 10.0.0.3 --sport 1024: -p tcp,udp --dport 6346 -j ACCEPT
##the Gnutella host needs to reply, but make it look like the reply is from the Internet connection
iptables -t nat -A POSTROUTING -p tcp -s 10.0.0.3 --sport 6346 -j MASQUERADE


First, is any of this redundant? Second, do I need to add anything to allow the Gnutella host to send replies back to systems that connect to it? How about allow it to connect out?


Thank you for reading this far, thank you even more if you reply with helpful information.

Last edited by fortezza; 05-11-2004 at 12:33 PM.
 
Old 05-15-2004, 12:16 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Re: Iptables,firewall,nat,gnutella-Making It Work

Quote:
Originally posted by fortezza
First, is any of this redundant?
Do those rules actually load? Some of the syntax appears to be incorrect. In fact I get errors on:
iptables -A FORWARD -i eth1 -o eth0 -s 10.0.0.3 --sport 1024: -p tcp,udp --dport 6346 -j ACCEPT

Should probably be something more like:
iptables -A FORWARD -i eth1 -o eth0 -s 10.0.0.3 -p tcp --dport 6346 --sport 1024: -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s 10.0.0.3 -p udp --dport 6346 --sport 1024: -j ACCEPT

I would also recommend changing the Masquerade rule to:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

doing it by the source address is a little risky because someone spoofing the internal IP from the outside, might be able to get the firewall to mistakenly masquerade the spoofed traffic as coming from the firewall machine itself. In theory it should be recognized as Martian traffic, but limiting the masquerading to only outbound traffic is a little safer IMO. If you really only want the gnutella masqueraded and nothing else, then you can still do something like this:
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.3 --dport 6346 -j MASQUERADE

Quote:
Originally posted by fortezza
Second, do I need to add anything to allow the Gnutella host to send replies back to systems that connect to it? How about allow it to connect out?
Your mileage may vary when it comes to allowing replies and stuff through, so you may need to add a rule allowing related and established traffic through like this as well:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Last edited by Capt_Caveman; 05-15-2004 at 12:18 AM.
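Added worked example (editor's own, not code posted by fortezza or Capt_Caveman): the complete ruleset the thread arrives at, written as one iptables-restore file rather than scattered iptables commands, so it is clear exactly which rules are needed and in what order. It assumes the layout from post #1 (eth0 to the Internet, eth1 to a 10.0.0.0/24 LAN, Gnutella host 10.0.0.3, port 6346 TCP and UDP); the variable names, the count_rules helper and the --apply flag are this example's own conventions, not part of iptables. The anti-spoofing DROP rule and the rp_filter sysctl address the spoofed-source concern raised in the reply.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed layout (from post #1):
#   Internet --[eth0] Linux NAT/FW/Router [eth1]-- LAN 10.0.0.0/24, Gnutella host 10.0.0.3
# Variable names, count_rules and the --apply flag are this example's own, not iptables conventions.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-10.0.0.0/24}
PEER=${PEER:-10.0.0.3}
GPORT=${GPORT:-6346}

# Print the whole ruleset in iptables-restore format. Loading it replaces both tables
# atomically, so nothing is left over from earlier experiments with -A.
gnutella_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Inbound Gnutella from the Internet is rewritten to the LAN host, TCP and UDP on the same port
-A PREROUTING -i $WAN -p tcp --dport $GPORT -j DNAT --to-destination $PEER:$GPORT
-A PREROUTING -i $WAN -p udp --dport $GPORT -j DNAT --to-destination $PEER:$GPORT
# Masquerade by outgoing interface, not by source address (see Capt_Caveman's reply)
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -j ACCEPT
# One rule covers replies in both directions; no per-port reply rules are needed
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Anti-spoofing: a packet arriving on the WAN side must not carry a LAN source address
-A FORWARD -i $WAN -s $LAN_NET -j DROP
# Forwarded inbound Gnutella, matched on the rewritten destination (FORWARD sees the post-NAT address)
-A FORWARD -i $WAN -o $LAN -p tcp -d $PEER --dport $GPORT -j ACCEPT
-A FORWARD -i $WAN -o $LAN -p udp -d $PEER --dport $GPORT -j ACCEPT
# Outbound: the LAN may open new connections to the Internet, which covers Gnutella connecting out
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Count ruleset lines matching a pattern; handy for checking the output before loading it.
count_rules() {
    gnutella_ruleset | grep -c -- "$1"
}

# Load the ruleset (root required), then turn on forwarding and reverse-path filtering,
# which makes the kernel itself drop the spoofed "martian" packets mentioned in the reply.
apply_ruleset() {
    gnutella_ruleset | iptables-restore || return 1
    sysctl -w net.ipv4.ip_forward=1
    sysctl -w net.ipv4.conf.all.rp_filter=1
}

if [ "${1:-}" = "--apply" ]; then
    apply_ruleset
else
    gnutella_ruleset
fi
```

Run it without arguments to print the ruleset and inspect it; run it as root with --apply to load it. Rule order in FORWARD is deliberate: the RELATED,ESTABLISHED rule comes first so every reply packet is accepted in one match, the spoofing DROP comes before any ACCEPT that could match a forged LAN source, and only then do the per-service NEW-connection rules follow. Because the FORWARD policy is DROP, the state rule is what answers the "replies" question from post #1, and the single outbound LAN rule is what lets the Gnutella host connect out. The -m state match needs the connection-tracking modules (ipt_state / ip_conntrack on kernels of that era) loaded.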
 
  

