Old 04-02-2006, 01:18 AM   #1
redmap
LQ Newbie
 
Registered: Apr 2006
Posts: 7

Rep: Reputation: 0
Port Forwarding for Azureus


I can't get fast downloading with Azureus because of incoming TCP port errors.

The NAT/Firewall test in Azureus said there was a NAT Error. I've managed to now get:
Testing port 57571 ... Unable to test: Invalid port given, or test service failed. Another application may already be using this port.


Running netstat on the PC shows the port is listening. Going to GR (www.grc.com) lists the port as stealth.

If I add:
-A INPUT -p tcp -m tcp --dport 57571 --tcp-flags SYN,RST,ACK SYN -j ACCEPT

GR sees the port, but it is closed.

Adding:

iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.2

iptables -A FORWARD -s 192.168.1.2 -p tcp --dport 6881:6889 -j ACCEPT

And GR again says the port is "Stealth".

Thanks for any help. I've been doing this for several days without any success.

-redmap



My iptables file:
*nat
:PREROUTING ACCEPT [31:6008]
:POSTROUTING ACCEPT [3:252]
:OUTPUT ACCEPT [4:308]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 20 23:59:41 2003
# Generated by iptables-save v1.2.7a on Mon Oct 20 23:59:41 2003
*filter
:INPUT DROP [3:276]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [99:10703]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2200 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 517 -j ACCEPT
-A INPUT -p udp -m udp --dport 518 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -p tcp -m tcp --dport 20 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
 
Old 04-02-2006, 01:40 AM   #2
rickbot
LQ Newbie
 
Registered: Mar 2005
Location: Toronto, Canada
Distribution: debian
Posts: 27

Rep: Reputation: 15
azureus problem

Considering that the IP you are giving is 192.168.x.x, it sounds like you are behind a router. This might sound like a stupid question, but have you forwarded the same port # to the router that you have opened in your firewall AND set as the Azureus listening port? This would explain grc.com showing stealth after all the trouble you've gone to.
 
Old 04-02-2006, 08:47 AM   #3
redmap
LQ Newbie
 
Registered: Apr 2006
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by rickbot
Considering that the IP you are giving is 192.168.x.x, it sounds like you are behind a router. This might sound like a stupid question, but have you forwarded the same port # to the router that you have opened in your firewall AND set as the Azureus listening port? This would explain grc.com showing stealth after all the trouble you've gone to.

Thanks for replying. I'm so dizzy with all this that I checked for the router. No router. A Netgear hub.

There's a Linux box as firewall connected to the outside. The iptables are from the unix box. Its IP address is 192.168.1.1. The 192.168.1.15 address is a PC on the LAN running Windows XP.

-redmap
 
Old 04-02-2006, 09:11 AM   #4
redmap
LQ Newbie
 
Registered: Apr 2006
Posts: 7

Original Poster
Rep: Reputation: 0
BTW, do I need to restart the network after changing iptables?
 
Old 04-02-2006, 09:31 AM   #5
dopehouse
Member
 
Registered: May 2004
Location: Hildesheim(Germany)
Distribution: Debian Etch with Kernel 2.6.x (latest vanila)
Posts: 62

Rep: Reputation: 15
Quote:
Originally Posted by redmap
BTW, do I need to restart the network after changing iptables?

No
(LQ.org wants minimum 10 letters)
 
Old 04-02-2006, 12:38 PM   #6
redmap
LQ Newbie
 
Registered: Apr 2006
Posts: 7

Original Poster
Rep: Reputation: 0
Just finished using http://oceanpark.com/notes/firewall_example.html without any luck.

For a couple of minutes I even tried allowing everything. Even that didn't seem to help.

Does anyone have a simple step-by-step elimination process I could use? I keep feeling there's some small setting that's wrong and that I can't see.

-redmap
 
Old 04-02-2006, 01:21 PM   #7
redmap
LQ Newbie
 
Registered: Apr 2006
Posts: 7

Original Poster
Rep: Reputation: 0
Well, I don't know what happened, but things are working. In desperation I've been making small little changes, random changes, trying the same thing over and over. And for some reason, it's now working. Who says repeating the same actions and expecting a different result is the sign of insanity?

Anyway, for any other desperate person, this last iptables entry worked:
  • <LAN_IP> is the internal IP address (e.g. 192.168.0.2)
  • <EXT_INT> is the external interface (e.g. 'eth0')
  • <PORT> is the TCP port set up in Azureus

/sbin/iptables -t nat -A PREROUTING -p tcp -i <EXT_INT> --dport <PORT> -j DNAT --to <LAN_IP>:<PORT>

/sbin/iptables -t nat -A PREROUTING -p udp -i <EXT_INT> --dport <PORT> -j DNAT --to <LAN_IP>:<PORT>

/sbin/iptables -A FORWARD -p tcp -i <EXT_INT> -d <LAN_IP> --dport <PORT> -j ACCEPT

/sbin/iptables -A FORWARD -p udp -i <EXT_INT> -d <LAN_IP> --dport <PORT> -j ACCEPT
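
Added example (not part of any post in this thread): a check that runs the elimination process asked for in post #6 over an iptables-save dump, reporting whether a DNAT rule in nat/PREROUTING and an ACCEPT rule in filter/FORWARD both cover a given protocol, port and LAN address. The helper name check_forward and both sample dumps are constructed for illustration, using the addresses and ports mentioned in the thread.

```shell
#!/bin/sh
# Added example: check_forward is a hypothetical helper, not an iptables tool.
# Usage: iptables-save | check_forward <proto> <port> <lan_ip>
check_forward() {
    awk -v proto="$1" -v port="$2" -v ip="$3" '
    function opt(name,   i) {            # value that follows option "name"
        for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
    }
    function port_ok(spec,   r) {        # spec is "N" or a range "LO:HI"
        if (split(spec, r, ":") == 2) return (port >= r[1] + 0 && port <= r[2] + 0)
        return (spec + 0 == port + 0)
    }
    /^\*/ { table = substr($1, 2); next }    # "*nat", "*filter" headers
    $1 != "-A" || opt("-p") != proto || !port_ok(opt("--dport")) { next }
    { target = opt("-j") }
    table == "nat" && $2 == "PREROUTING" && target == "DNAT" {
        to = opt("--to-destination"); if (to == "") to = opt("--to")
        sub(/:.*/, "", to); if (to == ip) dnat = 1   # ignore optional :port
    }
    table == "filter" && $2 == "FORWARD" && target == "ACCEPT" {
        d = opt("-d"); sub(/\/32$/, "", d)
        s = opt("-s"); sub(/\/32$/, "", s)
        if (d == ip) fwd = 1                 # matches the rewritten inbound packet
        else if (s == ip) wrongdir = 1       # matches packets sent by the host
    }
    END {
        print "dnat=" (dnat ? "ok" : "missing")
        print "forward=" (fwd ? "ok" : (wrongdir ? "wrong-direction" : "missing"))
        exit !(dnat && fwd)
    }'
}
# Constructed dumps using the addresses and ports mentioned in the thread.
BROKEN_DUMP='*nat
-A PREROUTING -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.2
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 192.168.1.2/32 -p tcp -m tcp --dport 6881:6889 -j ACCEPT
COMMIT'
WORKING_DUMP='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 57571 -j DNAT --to-destination 192.168.1.15:57571
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.1.15/32 -i eth0 -p tcp -m tcp --dport 57571 -j ACCEPT
COMMIT'
printf '%s\n' "$WORKING_DUMP" | check_forward tcp 57571 192.168.1.15
```

The function exits non-zero when either half of the forward is missing, so it can gate a firewall reload script. It reads only the rule text; the kernel must also have net.ipv4.ip_forward set to 1 for forwarded packets to pass.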
 
  

