Gentoo Forums
aMule, shorewall and a router... :(
Gentoo Forums Forum Index Networking & Security
dmvianna
PostPosted: Fri Feb 04, 2005 1:33 pm    Post subject: aMule, shorewall and a router... :(

Hi.

I had the kmyfirewall initscript running for some time in my box. I used to be able to run

Code:
iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
iptables -A INPUT -p udp --dport 4672 -j ACCEPT
iptables -A INPUT -p udp --dport 4675 -j ACCEPT

before running aMule to open the ports, and everything worked fine. But I decided to install shorewall in its place. I have the
Code:
ACCEPT net fw tcp 4662
ACCEPT net fw udp 4672
ACCEPT net fw udp 4675
rules and even tried to put
Code:
ACCEPT fw net tcp 4662
... and all the rest too. But I keep getting these logs:
Code:
root@thinkpad shorewall # /sbin/shorewall show log
Shorewall-2.0.7 Log at thinkpad - Sex Fev  4 22:56:40 EST 2005

Counters reset Fri Feb  4 22:56:15 EST 2005

Feb  4 22:55:44 rfc1918:DROP:IN=eth0 OUT= SRC=81.39.30.23 DST=192.168.0.5 LEN=48 TOS=0x18 PREC=0x00 TTL=109 ID=15820 DF PROTO=TCP SPT=28604 DPT=4662 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  4 22:55:44 rfc1918:DROP:IN=eth0 OUT= SRC=84.100.250.209 DST=192.168.0.5 LEN=48 TOS=0x18 PREC=0x00 TTL=107 ID=45456 DF PROTO=TCP SPT=1962 DPT=4662 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  4 22:56:11 rfc1918:DROP:IN=eth0 OUT= SRC=62.220.129.170 DST=192.168.0.5 LEN=60 TOS=0x18 PREC=0x00 TTL=45 ID=15012 DF PROTO=TCP SPT=40607 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  4 22:56:18 rfc1918:DROP:IN=eth0 OUT= SRC=70.84.28.212 DST=192.168.0.5 LEN=60 TOS=0x18 PREC=0x00 TTL=48 ID=43822 DF PROTO=TCP SPT=51521 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0
...


The logs report dropping stuff that goes to port 4662 (tcp), from various external IPs.

What happens to aMule is: I get lowid from servers, but when I'm not connected I can receive connections from other users as normal...

AND nmap says everything's closed but 6001/tcp (for X11).

So how can I make shorewall open those ports for aMule?
_________________
Proprietary is theft. Pierre-Joseph Proudhon, if he had a chance
Powered by a MacBook Pro
dmvianna
PostPosted: Fri Feb 04, 2005 1:56 pm    Post subject:

8O

Just got rid of norfc1918,routefilter,dhcp,tcpflags options in the interfaces file. It worked!!! What does that mean??? Is it safe?
rbr28
PostPosted: Fri Feb 04, 2005 9:19 pm    Post subject:

It's the norfc part that did it. What that does is it blocks routing of any IPs that are not typically routable, such as the 192.168.x.x IP that your machine has. It's a bit of a security risk to dump that, but a necessary one in your case. You would never want to remove that norfc option for a machine on the internet, because it should definitely not be getting hit with traffic from non-routable IPs.

If you were really paranoid, you could configure the firewall to drop all other non-routable IP addresses fairly easily, without using the norfc option.
dmvianna
PostPosted: Sat Feb 05, 2005 12:13 am    Post subject:

How do I do that? :oops:
rbr28
PostPosted: Sat Feb 05, 2005 1:59 am    Post subject:

The easiest way I can think of is to use the blacklist. Add blacklist to the options in your /etc/shorewall/interfaces file. The file is well documented and you can see what the blacklist option enables. Then edit the /etc/shorewall/blacklist file. Again, it's well commented and simple to set up.

The IPs that the norfc1918 would normally block include the following:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

The first two ranges you can block completely. If you look at the comments in /etc/shorewall/rules, you can see what syntax you use for specifying the ranges. You can do exactly as above for the first two, in your blacklist...just put 10.0.0.0/8 and 172.16.0.0/12 in your blacklist file.

The last range you would have to break up, because that includes your IP. Do something like 192.168.0.0-192.168.0.4 and 192.168.0.6-192.168.255.255. I say that because your IP in your post was 192.168.0.5.

You don't need to specify port or protocol in the blacklist, because you would want to block everything from these IPs.

Doing all that would give you the same effect as norfc1918, except for letting your ip pass through the firewall. If you do all that, make sure too, that you always get the same IP on that machine. If you are using DHCP from a home router or something, you can usually set a reservation in the router so that you do get the same IP all the time. If you don't do that, you could get a different 192.168.x.x address when you reboot, and you would have problems again.

There are other alternatives too, such as leaving a range open in your firewall, that is the same as the IP range used by DHCP on your router. I'd say that's really a last resort though, if you can reserve the IP with your particular setup.

Also, someone else may have a better idea than using the blacklist. There are other ways such as just specifying those IP's in the rules file, but you'd get pretty much the same effect.
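As an added example (not code from this thread, from Shorewall, or from any poster), the Python below parses lines in the format of dmvianna's `shorewall show log` output from the first post and checks each packet against the RFC1918 ranges and against the blacklist entries rbr28 proposes in the post above, accepting both the CIDR and the `<low>-<high>` range syntax. The sample log lines are constructed (two copy the quoted drops, the third adds a made-up spoofed private source), and the field names in the returned dicts are my own.

```python
import ipaddress
import re

# Constructed sample lines in the shape of the thread's "shorewall show log" output: two
# mirror drops quoted in the post, the third is a made-up packet with a spoofed private source.
SAMPLE_LOG = """\
Feb  4 22:55:44 rfc1918:DROP:IN=eth0 OUT= SRC=81.39.30.23 DST=192.168.0.5 LEN=48 PROTO=TCP SPT=28604 DPT=4662
Feb  4 22:56:11 rfc1918:DROP:IN=eth0 OUT= SRC=62.220.129.170 DST=192.168.0.5 LEN=60 PROTO=TCP SPT=40607 DPT=4662
Feb  4 22:57:02 rfc1918:DROP:IN=eth0 OUT= SRC=10.1.2.3 DST=192.168.0.5 LEN=60 PROTO=TCP SPT=1111 DPT=4662
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# rbr28's proposed blacklist for a host at 192.168.0.5: CIDR entries plus <low>-<high> ranges.
BLACKLIST = ["10.0.0.0/8", "172.16.0.0/12",
             "192.168.0.0-192.168.0.4", "192.168.0.6-192.168.255.255"]
LOG_RE = re.compile(r"(?P<chain>[\w-]+):(?P<action>[A-Z]+):.*?SRC=(?P<src>[\d.]+) "
                    r"DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")

def parse_log_line(line):
    """Return the fields of one netfilter log line, or None if the line is not one."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def in_blacklist(addr, entries=BLACKLIST):
    """True if addr matches an entry written in CIDR or low-high range syntax."""
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        if "-" in entry:
            low, high = (ipaddress.ip_address(p) for p in entry.split("-", 1))
            if low <= ip <= high:
                return True
        elif ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def explain_drop(line):
    """Which address of a rfc1918 drop was private, and would a source blacklist drop it too?"""
    f = parse_log_line(line)
    if f is None:
        return None
    return {"src": f["src"], "dst": f["dst"], "dpt": int(f["dpt"]),
            "src_private": is_rfc1918(f["src"]), "dst_private": is_rfc1918(f["dst"]),
            "blacklisted": in_blacklist(f["src"])}

def summarize(log=SAMPLE_LOG):
    return [r for r in map(explain_drop, log.splitlines()) if r is not None]
```

For the two drops copied from the first post the report shows the private address is the destination (the host's own 192.168.0.5 behind the NAT router), not the source, so a blacklist that matches only source addresses catches the constructed spoofed packet but would not have logged those two.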
dmvianna
PostPosted: Sat Feb 05, 2005 2:53 am    Post subject:

Thanks, rbr28.

Completely blocking subnets works, but I can't find a syntax that would work for ranges within subnets.

I can't find anything like it in http://shorewall.net/Documentation.htm#Blacklist either. Can shorewall do that?
rbr28
PostPosted: Sat Feb 05, 2005 10:26 pm    Post subject:

The text below is from the Shorewall documentation:


Beginning with Shorewall 2.2.0, if your kernel and iptables have iprange match support, you may use IP address ranges in Shorewall configuration file entries; IP address ranges have the syntax <low IP address>-<high IP address>. Example: 192.168.1.5-192.168.1.12.

To see if your kernel and iptables have the required support, use the shorewall check command:

>~ shorewall check
...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Not available
Policy Match: Available
Physdev Match: Available
IP range Match: Available <--------------
dmvianna
PostPosted: Sat Feb 05, 2005 10:58 pm    Post subject:

Code:
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Verifying Configuration...


I use shorewall 2.0.7 and iptables 1.2.9, kernel 2.6.9. My kernel was compiled with IP range match support. Shorewall also reported that it does not support the 'check' command.
infirit
PostPosted: Mon Oct 24, 2005 5:24 pm    Post subject:

I would like to share my shorewall rules on my linksys router running openwrt 8) for amule. I have set up rules that forward connections on emule ports tcp 4663 and udp 4673 to my workstation. Hope it is useful for someone :wink:

Code:
DNAT   net             loc:192.168.1.127            tcp     4663 #muleTCP
DNAT   net             loc:192.168.1.127            udp     4673 #muleUDP
ACCEPT   loc             net            tcp     4663 #muleTCP
ACCEPT   loc             net            udp     4673 #muleUDP

_________________
EASY TO INSTALL = Difficult to install, but instruction manual has pictures.
Join the adopt an unanswered post initiative today