LinuxQuestions.org
Old 08-17-2006, 04:33 PM   #1
donziggy
LQ Newbie
 
Registered: Aug 2006
Posts: 6

Rep: Reputation: 0
iptables-mldonkey help


I need some help configuring iptables.
I have a headless Gentoo box that connects to the internet through eth1. Through eth0 it's connected to this PC (it gets IP 192.168.0.150). I'm running mldonkey on the Gentoo box and I connect to it using the web interface. Surprisingly I got it to work, but it seems that I get a low ID. I guess port forwarding is not OK.
I have iptables currently configured like this:
Code:
# Generated by iptables-save v1.3.5 on Thu Aug 17 21:28:20 2006
*nat
:PREROUTING ACCEPT [34240:2417965]
:POSTROUTING ACCEPT [738:36799]
:OUTPUT ACCEPT [2766:171850]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 50000 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p tcp -m tcp --dport 6883 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p tcp -m tcp --dport 4080 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p tcp -m tcp --dport 4001 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p udp -m udp --dport 4672 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p udp -m udp --dport 80 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.150
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Thu Aug 17 21:28:20 2006
# Generated by iptables-save v1.3.5 on Thu Aug 17 21:28:20 2006
*mangle
:PREROUTING ACCEPT [142902:24055160]
:INPUT ACCEPT [113985:10993600]
:FORWARD ACCEPT [28917:13061560]
:OUTPUT ACCEPT [55657:7917248]
:POSTROUTING ACCEPT [84595:20981166]
COMMIT
# Completed on Thu Aug 17 21:28:20 2006
# Generated by iptables-save v1.3.5 on Thu Aug 17 21:28:20 2006
*filter
:INPUT ACCEPT [108139:10504142]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [55657:7917248]
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ! eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ! eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p tcp -m tcp --dport 20:25 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 20:25 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 426 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 50000 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 6883 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 4662 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4672 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 4080 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 4001 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 4661 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4661 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 4242 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 3000 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4242 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 4711 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4665 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 7231 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 7711 -j ACCEPT
-A INPUT -i ! eth0 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i ! eth0 -p udp -m udp --dport 0:1023 -j DROP
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth2 -j DROP
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth0 -j DROP
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth2 -j ACCEPT
COMMIT
# Completed on Thu Aug 17 21:28:20 2006
Can anyone help me with forwarding ports correctly so that I wouldn't get a low ID?

Thanks, Ziga
 
Old 08-17-2006, 10:07 PM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
I notice that you are, for example, port forwarding tcp/4662 and also have a rule in your INPUT chain for ACCEPTing it. There may be other examples; I didn't analyze the whole thing. Once you port forward a packet, it is no longer available to the machine it came in on. So I would imagine one of these rules is wrong. If you are running the mldonkey client on the box with these firewall rules, do you want to be port forwarding at all?

Also, you might be able to add some rules using the LOG target (-j LOG) as an investigative tool to see what happens to packets the donkey server is sending you.

I hope this helps.
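To make blackhole54's point checkable, here is an added example (not code from the thread): a script that reads an iptables-save dump and lists every port that is DNATed away in nat/PREROUTING on the WAN interface and also ACCEPTed in filter/INPUT on that interface, since that INPUT rule can never match, and that prints the LOG rules blackhole54 suggests as text. It assumes the WAN interface is eth1 and uses a constructed subset of the poster's rules as sample input.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads an iptables-save dump on stdin
# and lists every proto/port that is DNATed away in nat/PREROUTING on the WAN
# interface ($1, eth1 in the thread) and ALSO accepted in filter/INPUT on that
# interface. Such an INPUT rule is dead: a DNATed packet takes the FORWARD path
# (towards 192.168.0.150 here), so it never reaches INPUT on the router itself.
shadowed_input_ports() {
    awk -v ifc="$1" '
        /^\*/ { table = substr($0, 2); next }   # "*nat", "*filter" headers
        $1 != "-A" { next }                     # skip policies, COMMIT, comments
        {
            iface = ""; proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-i")      iface = $(i + 1)
                if ($i == "-p")      proto = $(i + 1)
                if ($i == "--dport") port  = $(i + 1)
            }
            if (iface != ifc || port == "") next
            key = proto "/" port
        }
        table == "nat" && $2 == "PREROUTING" && /-j DNAT/  { dnat[key] = 1 }
        table == "filter" && $2 == "INPUT" && /-j ACCEPT/  { acc[key] = 1 }
        END { for (k in acc) if (k in dnat) print k }
    ' | sort
}

# The LOG rules blackhole54 suggests, printed rather than applied so this runs
# without root. mangle/PREROUTING runs before nat/PREROUTING, so the first line
# records the packet before DNAT; the other two show which path it took after.
log_rules() {
    printf 'iptables -t mangle -I PREROUTING 1 -i %s -p %s --dport %s -j LOG --log-prefix "pre-dnat: "\n' "$1" "$2" "$3"
    printf 'iptables -I INPUT 1 -i %s -p %s --dport %s -j LOG --log-prefix "input: "\n' "$1" "$2" "$3"
    printf 'iptables -I FORWARD 1 -i %s -p %s --dport %s -j LOG --log-prefix "forward: "\n' "$1" "$2" "$3"
}

# Constructed sample: a subset of the poster's rules, in iptables-save format.
SAMPLE_DUMP='*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p udp -m udp --dport 4672 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.150
COMMIT
*filter
-A INPUT -i eth1 -p tcp -m tcp --dport 4662 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4672 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 4661 -j ACCEPT
COMMIT'

# Real use on the router: iptables-save | shadowed_input_ports eth1
printf '%s\n' "$SAMPLE_DUMP" | shadowed_input_ports eth1   # prints tcp/4662 udp/4672
log_rules eth1 tcp 4662
```

Once the LOG rules are in place, `dmesg` or the kernel log shows a "pre-dnat:" line followed by a "forward:" line for each DNATed port, confirming that the matching INPUT rule never sees those packets.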
 
Old 08-18-2006, 12:16 AM   #3
donziggy
LQ Newbie
 
Registered: Aug 2006
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Once you port forward a packet, it is no longer available to the machine it came in on.
THANKS! This helps. I didn't know this.