LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-17-2006, 04:33 PM   #1
donziggy
LQ Newbie
 
Registered: Aug 2006
Posts: 6

Rep: Reputation: 0
iptables-mldonkey help


i need some help configuring iptables..
i have a headless gentoo box that connects to the internet through eth1. through eth0 it's connected to this pc (it gets ip 192.168.0.150). i'm running mldonkey on the gentoo box and i connect to it using web interface. surprisingly i got it to work, but it seems that i get low id. i guess port forwarding is not ok.
i have iptables currently configured like this:
Code:
# Generated by iptables-save v1.3.5 on Thu Aug 17 21:28:20 2006
*nat
:PREROUTING ACCEPT [34240:2417965]
:POSTROUTING ACCEPT [738:36799]
:OUTPUT ACCEPT [2766:171850]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 50000 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p tcp -m tcp --dport 6883 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p tcp -m tcp --dport 4080 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p tcp -m tcp --dport 4001 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p udp -m udp --dport 4672 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p udp -m udp --dport 80 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.150
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Thu Aug 17 21:28:20 2006
# Generated by iptables-save v1.3.5 on Thu Aug 17 21:28:20 2006
*mangle
:PREROUTING ACCEPT [142902:24055160]
:INPUT ACCEPT [113985:10993600]
:FORWARD ACCEPT [28917:13061560]
:OUTPUT ACCEPT [55657:7917248]
:POSTROUTING ACCEPT [84595:20981166]
COMMIT
# Completed on Thu Aug 17 21:28:20 2006
# Generated by iptables-save v1.3.5 on Thu Aug 17 21:28:20 2006
*filter
:INPUT ACCEPT [108139:10504142]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [55657:7917248]
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ! eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ! eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p tcp -m tcp --dport 20:25 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 20:25 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 426 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 50000 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 6883 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 4662 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4672 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 4080 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 4001 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 4661 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4661 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 4242 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 3000 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4242 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 4711 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4665 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 7231 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 7711 -j ACCEPT
-A INPUT -i ! eth0 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i ! eth0 -p udp -m udp --dport 0:1023 -j DROP
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth2 -j DROP
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth0 -j DROP
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth2 -j ACCEPT
COMMIT
# Completed on Thu Aug 17 21:28:20 2006
can anyone help me with forwarding ports correctly so that i wouldn't get a low id?

thanks, ziga
 
Old 08-17-2006, 10:07 PM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
I notice that you are, for example, port forwarding tcp/4662 and also have a rule in your INPUT chain for ACCEPTing it. There may be other examples; I didn't analyze the whole thing. Once you port forward a packet, it is no longer available to the machine it came in on. So I would imagine one of these rules is wrong. If you are running the mldonkey client on the box with these firewall rules, do you want to be port forwarding at all?

Also, you might be able to add some rules using the LOG target (-j LOG) as an investigative tool to see what happens to packets the donkey server is sending you.

I hope this helps.
 
Old 08-18-2006, 12:16 AM   #3
donziggy
LQ Newbie
 
Registered: Aug 2006
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Once you port forward a packet, it is no longer available to the machine it came in on.
THANKS! this helps. i didn't know this
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Iptables and MLDonkey Web Interface Lars79 Slackware 1 01-11-2006 02:25 AM
iptables v1.2.9: Unknown arg `/sbin/iptables' Try `iptables -h' or 'iptables --help' Niceman2005 Linux - Security 4 12-29-2005 08:20 PM
Mldonkey raffaello Linux - Software 1 10-23-2004 02:02 PM
Mldonkey inescapeableus Linux - Newbie 7 03-02-2004 03:59 PM
IPTables and mldonkey synecdoche Linux - Software 1 08-05-2003 11:21 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:02 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration