Gentoo Forums
BitTorrent issues / NAT forwarding problems in Shorewall
Murel
n00b
Joined: 28 Oct 2005
Posts: 20

PostPosted: Sun Nov 13, 2005 9:55 pm    Post subject: BitTorrent issues / NAT forwarding problems in Shorewall

I'm trying to configure my firewall to work with BitTorrent. Right now I'm just using btdownloadgui.py with the original bittorrent...I'm going to mess with azureus after I'm sure this works, because right now azureus takes about 3 minutes to start up and I think it's having issues with my firewall.

When I start btdownloadgui.py and open a torrent, it just hangs and doesn't download anything. I've tried five or so different torrents with the same results.

I'm using shorewall and the generic "one machine" firewall that comes from the shorewall site. I can browse the web, check email etc. with this configuration. I understand I'll have to add something (suggestions?) to allow for new incoming requests, but I don't understand why it's not even letting me send out to request new connections. Here are my shorewall files:

zones:

Quote:
#ZONE   TYPE       OPTIONS         IN              OUT
#                                  OPTIONS         OPTIONS
fw firewall
net ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


rules (I added the last line for BitTorrent):

Quote:
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..

DropPing net $FW

# Permit all ICMP traffic FROM the firewall TO the net zone

ACCEPT $FW net icmp

# Opening ports for BitTorrent

ACCEPT fw net tcp 6969,6881:6999
ACCEPT net fw tcp 6969,6881:6999

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


policy:

Quote:
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


I know this sort of question has been covered a lot, but honestly I'm a network idiot and nothing is working. The intention of the line in rules is to say "Allow all traffic on ports 6881:6999", but I don't think that's what I'm saying.

I've tried adding various DNAT lines, with little understanding and in desperation, copied from various websites but I always get errors when I restart shorewall. I do have a router but as far as I know the router doesn't do anything but forward requests to my computer, nothing else.

Any ideas at all?

edit: I was reading more about this here: http://dessent.net/btfaq/#ports. I went to the link mentioned

Quote:
BitTorrent will usually work fine in a NAT (network address translation) environment, since it can function with only outbound connections. Such environments generally include all situations where multiple computers share one publicly-visible IP address, most commonly: computers on a home network sharing a cable or xDSL connection. If you are unsure of whether you have NAT or not, then try this link which will try to determine if you are behind a NAT gateway.


and discovered that I am using NAT (because of my router I'm sure). But regardless it says that BitTorrent should be able to work with only outbound connections, which I believe describes my situation perfectly. So I really don't understand why it's not working :(


Last edited by Murel on Sun Nov 13, 2005 11:07 pm; edited 1 time in total
JPMRaptor
Guru
Joined: 04 Oct 2002
Posts: 410
Location: Maryland

PostPosted: Sun Nov 13, 2005 10:23 pm    Post subject:

I've never used shorewall so I may be way off, but should
Quote:
ACCEPT fw net tcp 6969,6881:6999
ACCEPT net fw tcp 6969,6881:6999

actually be
Quote:
ACCEPT $FW net tcp 6969,6881:6999
ACCEPT net $FW tcp 6969,6881:6999

I say that because in everything else you posted it is "$FW" instead of just "fw".
Murel
n00b
Joined: 28 Oct 2005
Posts: 20

PostPosted: Sun Nov 13, 2005 10:28 pm    Post subject:

I think they're the same thing. I just confirmed this by changing fw to $FW and restarting shorewall. It gives the same messages when it processes the rules file as it does with fw.
Murel
n00b
Joined: 28 Oct 2005
Posts: 20

PostPosted: Sun Nov 13, 2005 10:44 pm    Post subject:

I don't think it's the firewall. I just took shorewall out of rc-update and rebooted, and I had the same problem.

However I did get some different torrents and try those, and those are downloading albeit super slowly. I even restarted shorewall, and it's still downloading. So now the questions to get through are

1) how to get bittorrent to work with nat
2) why is azureus so dog slow on bootup

edit: I'm trying to get the NAT set up. I add the following to rules (numbers of course instead of bracketed things):

DNAT net loc:<my local ip> tcp 6969
DNAT net loc:<my local ip> tcp 6881:6889

when I restarted shorewall I get
"Error: Undefined Server Zone in rule "DNAT net loc:<my local ip> tcp 6969""

and then the shorewall startup aborts.

I think the problem is that it doesn't like the "loc:" statement. I'm not sure why though. I got the phrasing of it from various websites and even checked it against the documentation on the shorewall site. Maybe it's because I'm using the single machine configuration from shorewall? I don't know.

edit 2: I figured the NAT stuff out. I had to configure something in my router to forward stuff to my computer. Now I'm trying to get Azureus to work and it's giving me "permission denied" problems when I run it as non-root and start to download a torrent. Investigating...

edit 3: /sigh...NAT works when my firewall is off. When I turn the firewall on it chokes. Plus I still don't know about the permissions thing.

If anyone has any ideas please let me know. But this has totally not been worth the 7 hours I've put into this today, so now it's way low priority.
hyperlite100
n00b
Joined: 06 Dec 2004
Posts: 12
Location: Canada

PostPosted: Wed Nov 30, 2005 4:56 am    Post subject:

Have you tried firestarter as a firewall?
davidblewett
Apprentice
Joined: 15 Feb 2004
Posts: 274
Location: Indiana

PostPosted: Wed Nov 30, 2005 2:57 pm    Post subject:

Is the firewall separate from the machine that is opening BitTorrent? If so, you need to use DNAT. I have an old machine as the firewall for my home network, and this is what I have:
Code:
#nano -w /etc/shorewall/rules
#ACTION   SOURCE   DEST                  PROTO   DEST PORT(S)
DNAT      net      loc:192.168.0.245     tcp     6881:6890,6894:6999
# udp range corrected from 6881:6990 (typo) to 6881:6890, matching the tcp line
DNAT      net      loc:192.168.0.245     udp     6881:6890,6894:6999


Basically telling the firewall to transfer any connection attempts from the outside internet to the IP inside, for the port ranges listed.
cfd
n00b
Joined: 15 Jan 2004
Posts: 18
Location: Midwest, USA

PostPosted: Thu Dec 01, 2005 6:32 pm    Post subject:
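How the DNAT lines above map onto netfilter, as an added example (shell; not from this thread and not Shorewall's generated ruleset, which uses its own chain names): the script prints, without applying them, the two rules a `DNAT net loc:IP proto ports` line amounts to (the nat PREROUTING rewrite and the FORWARD accept), and refuses the rule when the destination zone is not defined, which is the "Undefined Server Zone" error the one-interface configuration earlier in the thread produced because it has no `loc` zone. It also prints the INPUT rule that Murel's single-machine `ACCEPT net fw tcp ...` line corresponds to. The interface names eth0/eth1 and the default zone list are assumptions; the 15-slot limit is the iptables multiport limit, where a port range uses two slots.

```shell
#!/bin/sh
# Added example, not part of the thread or of Shorewall. Assumptions:
# zone "net" is eth0, zone "loc" is eth1, zones default to the two-interface case.
NET_IF="${NET_IF:-eth0}"
LOC_IF="${LOC_IF:-eth1}"
ZONES="${ZONES:-fw net loc}"

zone_known() {
    for z in $ZONES; do
        if [ "$z" = "$1" ]; then return 0; fi
    done
    return 1
}

# valid_ports LIST: comma-separated ports or low:high ranges; iptables multiport
# allows 15 slots and a range costs two, so reject anything larger or malformed.
valid_ports() {
    slots=0
    oldifs=$IFS; IFS=,
    for p in $1; do
        case "$p" in
            ""|*[!0-9:]*|*:*:*|:*|*:) IFS=$oldifs; return 1 ;;
            *:*) slots=$((slots + 2)) ;;
            *)   slots=$((slots + 1)) ;;
        esac
    done
    IFS=$oldifs
    [ "$slots" -le 15 ]
}

# dnat_rule SRCZONE DESTZONE:IP PROTO PORTS -> prints the iptables equivalents (does not run them)
dnat_rule() {
    src=$1; dest=$2; proto=$3; ports=$4
    case "$dest" in
        *:*) ;;
        *) echo "error: DEST must be zone:ip, got '$dest'" >&2; return 1 ;;
    esac
    zone=${dest%%:*}; ip=${dest#*:}
    if ! zone_known "$zone"; then
        # The one-interface config defines only fw and net, so "loc:" has nothing to refer to.
        echo "error: undefined server zone '$zone' (zones: $ZONES)" >&2
        return 1
    fi
    if [ "$src" != "net" ]; then echo "error: only net as source is handled here" >&2; return 1; fi
    if ! valid_ports "$ports"; then echo "error: bad port list '$ports'" >&2; return 1; fi
    # 1) rewrite the destination address of packets arriving on the outside interface;
    #    no port after --to-destination keeps the original destination port
    printf 'iptables -t nat -A PREROUTING -i %s -p %s -m multiport --dports %s -j DNAT --to-destination %s\n' \
        "$NET_IF" "$proto" "$ports" "$ip"
    # 2) allow the rewritten packets to be forwarded inside; replies match via conntrack
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p %s -m multiport --dports %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$NET_IF" "$LOC_IF" "$ip" "$proto" "$ports"
}

# accept_rule PROTO PORTS -> the one-machine case: client runs on the firewall host, no DNAT
accept_rule() {
    valid_ports "$2" || return 1
    printf 'iptables -A INPUT -i %s -p %s -m multiport --dports %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$NET_IF" "$1" "$2"
}

if [ "${1:-}" = "demo" ]; then
    dnat_rule net loc:192.168.0.245 tcp 6881:6890,6894:6999
    dnat_rule net loc:192.168.0.245 udp 6881:6890,6894:6999
    accept_rule tcp 6969,6881:6999
fi
```

Run it as `sh dnat.sh demo` to see the rules; with `ZONES="fw net"` set in the environment the `loc:` rule fails the same way the thread's one-machine setup did. Do not pipe the output into `iptables` on a host where Shorewall is running, since Shorewall owns the tables and will replace them on restart; the point is to read what the DNAT line does. When the client runs on the firewall host itself behind a consumer router, the INPUT rule is only half of it: the router must also forward the ports, which is what Murel found in his edit 2.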

I have the same setup that davidblewett has. I have the same lines in my shorewall rules. My BitTorrent applications still fail to seed properly (if that is the correct term) due to NAT failures. The only other guess I have as to why is from the Shorewall FAQ.
Quote:
You have a more basic problem with your local system (the one that you are trying to forward to) such as an incorrect default gateway (it should be set to the IP address of your firewall's internal interface).
(http://www.shorewall.net/FAQ.htm#faq1a)


I don't know how to test that the gateway for the destination computer is set correctly. I can only assume it is because all other NATed traffic works fine.

Here is a recent post with a bit more detail of my issue (https://forums.gentoo.org/viewtopic-t-407197-start-0-postdays-0-postorder-asc-highlight-.html).

I really am losing my mind on this one.
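The FAQ item quoted above can be checked rather than assumed. The script below is an added example (shell; not from the thread or the Shorewall FAQ) of the two checks to run on the machine the firewall forwards to: that its default gateway is the firewall's inside address, so replies to forwarded connections go back out through the firewall, and that the torrent client is actually listening on the forwarded port on a non-loopback address. The firewall's inside address 192.168.0.1 and the sample `ip route show` / `ss -lnt` outputs are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumption: the firewall's inside address.
FW_INNER_IP="${FW_INNER_IP:-192.168.0.1}"

# default_gateway ROUTE_TEXT -> prints the gateway from "ip route show" output (empty if none)
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# port_listening PORT SS_TEXT -> prints the local address:port of LISTEN sockets on PORT
# taken from "ss -lnt" output; exit status 1 if there is none
port_listening() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" && $4 ~ (":" p "$") { print $4; found = 1 }
        END { exit !found }'
}

# nat_target_check PORT [ROUTE_TEXT] [SS_TEXT]: 0 only when both preconditions hold.
# Without the optional texts it reads the live system with ip(8) and ss(8).
nat_target_check() {
    port=$1
    if [ -n "${2:-}" ]; then routes=$2; else routes=$(ip route show 2>/dev/null || true); fi
    if [ -n "${3:-}" ]; then socks=$3; else socks=$(ss -lnt 2>/dev/null || true); fi
    rc=0
    gw=$(default_gateway "$routes")
    if [ "$gw" = "$FW_INNER_IP" ]; then
        echo "ok: default gateway is the firewall's inside address ($gw)"
    else
        echo "FAIL: default gateway is '${gw:-none}', expected $FW_INNER_IP; forwarded connections arrive but replies leave by another path"
        rc=1
    fi
    if addr=$(port_listening "$port" "$socks"); then
        case "$addr" in
            127.*|\[::1\]*) echo "FAIL: port $port is bound to loopback only ($addr)"; rc=1 ;;
            *) echo "ok: listening on $addr" ;;
        esac
    else
        echo "FAIL: nothing is listening on TCP port $port; the DNAT has nowhere to deliver"
        rc=1
    fi
    return $rc
}

# Constructed sample outputs (not captured from a real host), shaped like "ip route show" and "ss -lnt"
SAMPLE_ROUTES='default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.245'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:6881       0.0.0.0:*
LISTEN 0      128    127.0.0.1:6969     0.0.0.0:*'

if [ "${1:-}" = "live" ]; then
    nat_target_check "${2:-6881}"
fi
```

`sh natcheck.sh live 6881` runs both checks against the real host; `FW_INNER_IP` can be overridden in the environment. With the samples, port 6881 passes and port 6969 fails because it is bound to 127.0.0.1 only, which is the kind of "all other NATed traffic works, this one does not" situation the FAQ item points at: the firewall side can be correct while the target host is the problem.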