BitTorrent issues / NAT forwarding problems in Shorewall

7 posts • Page 1 of 1
Murel
n00b
Posts: 20
Joined: Fri Oct 28, 2005 8:18 am

BitTorrent issues / NAT forwarding problems in Shorewall

Post by Murel » Sun Nov 13, 2005 9:55 pm

I'm trying to configure my firewall to work with BitTorrent. Right now I'm just using btdownloadgui.py with the original bittorrent...I'm going to mess with azureus after I'm sure this works, because right now azureus takes about 3 minutes to start up and I think it's having issues with my firewall.

When I start btdownloadgui.py and open a torrent, it just hangs and doesn't download anything. I've tried five or so different torrents with the same results.

I'm using shorewall and the generic "one machine" firewall that comes from the shorewall site. I can browse the website, check email etc with this configuration. I understand I'll have to add something (suggestions?) to allow for new incoming requests, but I don't understand why it's not even letting me send out to request new connections. Here are my shorewall files:

zones:

    #ZONE TYPE OPTIONS IN OUT
    # OPTIONS OPTIONS\
    fw firewall
    net ipv4
    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

rules (I added the last line for BitTorrent):

    # Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
    DropPing net $FW

    # Permit all ICMP traffic FROM the firewall TO the net zone
    ACCEPT $FW net icmp

    # Opening ports for BitTorrent
    ACCEPT fw net tcp 6969,6881:6999
    ACCEPT net fw tcp 6969,6881:6999

    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

policy:

    #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
    $FW net ACCEPT
    net all DROP info
    # The FOLLOWING POLICY MUST BE LAST
    all all REJECT info
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

I know this sort of question has been covered a lot, but honestly I'm a network idiot and nothing is working. The intention of the line in rules is to say "Allow all traffic on ports 6881:6999", but I don't think that's what I'm saying.

I've tried adding various DNAT lines, with little understanding and in desperation, copied from various websites but I always get errors when I restart shorewall. I do have a router but as far as I know the router doesn't do anything but forward requests to my computer, nothing else.

Any ideas at all?

edit: I was reading more about this here: http://dessent.net/btfaq/#ports. I went to the link mentioned

    BitTorrent will usually work fine in a NAT (network address translation) environment, since it can function with only outbound connections. Such environments generally include all situations where multiple computers share one publicly-visible IP address, most commonly: computers on a home network sharing a cable or xDSL connection. If you are unsure of whether you have NAT or not, then try this link which will try to determine if you are behind a NAT gateway.

and discovered that I am using NAT (because of my router I'm sure). But regardless it says that BitTorrent should be able to work with only outbound connections, which I believe describes my situation perfectly. So I really don't understand why it's not working :(
Last edited by Murel on Sun Nov 13, 2005 11:07 pm, edited 1 time in total.
JPMRaptor
Guru
Posts: 410
Joined: Fri Oct 04, 2002 12:22 am
Location: Maryland

Post by JPMRaptor » Sun Nov 13, 2005 10:23 pm

I've never used shorewall so I may be way off, but should

    ACCEPT fw net tcp 6969,6881:6999
    ACCEPT net fw tcp 6969,6881:6999

actually be

    ACCEPT $FW net tcp 6969,6881:6999
    ACCEPT net $FW tcp 6969,6881:6999

I say that because in everything else you posted it is "$FW" instead of just "fw".
Underwater photo gallery
New pictures, Oct 2005
Murel
n00b
Posts: 20
Joined: Fri Oct 28, 2005 8:18 am

Post by Murel » Sun Nov 13, 2005 10:28 pm

I think they're the same thing. I just confirmed this by changing fw to $FW and restarting shorewall. It gives the same messages when it processes the rules file as it does with fw.
Murel
n00b
Posts: 20
Joined: Fri Oct 28, 2005 8:18 am

Post by Murel » Sun Nov 13, 2005 10:44 pm

I don't think it's the firewall. I just took shorewall out of rc-update and rebooted, and I had the same problem.

However I did get some different torrents and try those, and those are downloading albeit super slowly. I even restarted shorewall, and it's still downloading. So now the questions to get through are

1) how to get bittorrent to work with nat
2) why is azureus so dog slow on bootup

edit: I'm trying to get the NAT set up. I add the following to rules (numbers of course instead of bracketed things):

    DNAT net loc:<my local ip> tcp 6969
    DNAT net loc:<my local ip> tcp 6881:6889

when I restarted shorewall I get

    Error: Undefined Server Zone in rule "DNAT net loc:<my local ip> tcp 6969"

and then the shorewall startup aborts.

I think the problem is that it doesn't like the "loc:" statement. I'm not sure why though. I got the phrasing of it from various websites and even checked it against the documentation on the shorewall site. Maybe it's because I'm using the single machine configuration from shorewall? I don't know.

edit 2: I figured the NAT stuff out. I had to configure something in my router to forward stuff to my computer. Now I'm trying to get Azureus to work and it's giving me permission denied problems when I run it as non-root and I start to download a torrent. Investigating...

edit 3: /sigh...NAT works when my firewall is off. When I turn the firewall on it chokes. Plus I still don't know about the permissions thing.

If anyone has any ideas please let me know. But this has totally not been worth the 7 hours I've put into this today, so now it's way low priority.
hyperlite100
n00b
Posts: 12
Joined: Mon Dec 06, 2004 8:29 am
Location: Canada

Post by hyperlite100 » Wed Nov 30, 2005 4:56 am

Have you tried firestarter as a firewall?
davidblewett
Apprentice
Posts: 274
Joined: Sun Feb 15, 2004 2:23 am
Location: Indiana

Post by davidblewett » Wed Nov 30, 2005 2:57 pm

Is the firewall separate from the machine that is opening BitTorrent? If so, you need to use DNAT. I have an old machine as the firewall for my home network, and this is what I have:

    #nano -w /etc/shorewall/rules
    DNAT            net             loc:192.168.0.245       tcp     6881:6890,6894:6999
    DNAT            net             loc:192.168.0.245       udp     6881:6990,6894:6999

Basically telling the firewall to transfer any connection attempts from the outside internet to the IP inside, for the port ranges listed.
No guilt in life, no fear in death
this is the power of Christ in me
From life’s first cry to final breath
Jesus commands my destiny
-- Newsboys, "In Christ Alone", "Adoration: The Worship Album"
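Added example (mine, not code from this thread or from the Shorewall project): a small Python checker that reproduces the mismatch behind the "Undefined Server Zone" error in Murel's post and accepts a three-zone layout like davidblewett's. It assumes Murel's "one machine" zones file (only fw and net), treats $FW and fw as the same zone exactly as Murel observed, and uses constructed sample addresses. It only understands the ACTION SOURCE DEST PROTO DPORT columns used in this thread; the point is to catch a rule that names a zone or inside host the firewall does not know about before the real shorewall restart aborts on it.

```python
# Added example: a minimal sanity checker for Shorewall 'zones' + 'rules'
# files. Constructed for illustration; it is NOT Shorewall's own parser.
from typing import Dict, List, Tuple

Finding = Tuple[int, str]  # (rule number, problem description)

# Constructed sample: the one-interface zones file from the first post.
ONE_INTERFACE_ZONES = """\
#ZONE TYPE OPTIONS IN OUT
fw firewall
net ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
"""

# Constructed sample: the original rules plus the DNAT lines from the later
# edit. 192.0.2.10 is a documentation address standing in for "my local ip".
ONE_INTERFACE_RULES = """\
DropPing net $FW
ACCEPT $FW net icmp
ACCEPT fw net tcp 6969,6881:6999
ACCEPT net fw tcp 6969,6881:6999
DNAT net loc:192.0.2.10 tcp 6969
DNAT net loc:192.0.2.10 tcp 6881:6889
"""

# Constructed sample: a separate firewall box with an internal 'loc' zone,
# the layout davidblewett's DNAT lines assume.
TWO_INTERFACE_ZONES = """\
fw firewall
net ipv4
loc ipv4
"""
TWO_INTERFACE_RULES = """\
DNAT net loc:192.168.0.245 tcp 6881:6890,6894:6999
DNAT net loc:192.168.0.245 udp 6881:6990,6894:6999
"""


def _content_lines(text: str) -> List[str]:
    """Yield non-empty lines with '#' comments (and the LAST LINE marker) removed."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def parse_zones(text: str) -> Dict[str, str]:
    """Return {zone_name: zone_type} from a 'zones' file."""
    zones: Dict[str, str] = {}
    for line in _content_lines(text):
        fields = line.split()
        if len(fields) >= 2:
            zones[fields[0]] = fields[1]
    return zones


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """'6969,6881:6999' -> [(6969, 6969), (6881, 6999)]; raises ValueError on nonsense."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if not (1 <= lo_n <= hi_n <= 65535):
            raise ValueError(f"bad port range {item!r}")
        ranges.append((lo_n, hi_n))
    return ranges


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Split a 'rules' file into dicts; columns after DPORT are ignored here."""
    rules = []
    for line in _content_lines(text):
        f = line.split()
        rules.append({"action": f[0], "source": f[1], "dest": f[2],
                      "proto": f[3] if len(f) > 3 else "-",
                      "dport": f[4] if len(f) > 4 else "-"})
    return rules


def zone_of(column: str, zones: Dict[str, str]) -> str:
    """Map a SOURCE/DEST column to a zone name: '$FW' is the zone of type
    'firewall' (normally 'fw'), and 'loc:192.168.0.245' refers to zone 'loc'."""
    name = column.split(":", 1)[0]
    if name == "$FW":
        firewall = [z for z, t in zones.items() if t == "firewall"]
        return firewall[0] if firewall else "fw"
    return name


def check_rules(zones: Dict[str, str], rules: List[Dict[str, str]]) -> List[Finding]:
    """Return (rule_number, problem) pairs; an empty list means every rule names
    only defined zones, every DNAT carries an inside address, and ports parse."""
    findings: List[Finding] = []
    for n, r in enumerate(rules, start=1):
        for col in ("source", "dest"):
            z = zone_of(r[col], zones)
            if z != "all" and z not in zones:
                findings.append((n, f"{r['action']} {col.upper()} zone '{z}' is not "
                                    f"defined in zones (defined: {', '.join(sorted(zones))})"))
        if r["action"] == "DNAT" and ":" not in r["dest"]:
            findings.append((n, "DNAT needs an inside address in DEST, e.g. loc:192.0.2.10"))
        if r["dport"] != "-":
            try:
                parse_ports(r["dport"])
            except ValueError as exc:
                findings.append((n, str(exc)))
    return findings


def findings_for(zones_text: str, rules_text: str) -> List[Finding]:
    return check_rules(parse_zones(zones_text), parse_rules(rules_text))


if __name__ == "__main__":
    for label, z, r in (("one-interface", ONE_INTERFACE_ZONES, ONE_INTERFACE_RULES),
                        ("two-interface", TWO_INTERFACE_ZONES, TWO_INTERFACE_RULES)):
        problems = findings_for(z, r)
        print(f"{label}: {len(problems)} problem(s)")
        for n, msg in problems:
            print(f"  rule {n}: {msg}")
```

Run against the one-interface samples it flags the two DNAT lines, because the "one machine" configuration defines no loc zone (and no internal interface to put one on), so there is nothing for the firewall to forward to; that matches Murel's later finding that the router, not Shorewall, had to do the port forwarding. Against the two-interface samples it returns no findings.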
cfd
n00b
Posts: 18
Joined: Thu Jan 15, 2004 8:53 pm
Location: Midwest, USA

Post by cfd » Thu Dec 01, 2005 6:32 pm

I have the same setup that davidblewett has. I have the same lines in my shorewall rules. My BitTorrent applications still fail to seed properly (if that is the correct term) due to NAT failures. The only other guess I have as to why is from the shorewall FAQ.

    You have a more basic problem with your local system (the one that you are trying to forward to) such as an incorrect default gateway (it should be set to the IP address of your firewall's internal interface).

(http://www.shorewall.net/FAQ.htm#faq1a)

I don't know how to test that the gateway for the destination computer is set correctly. I can only assume it is b/c all other NATed traffic works fine.

Here is a recent post with a bit more detail of my issue (http://forums.gentoo.org/viewtopic-t-40 ... ight-.html).

I really am losing my mind on this one.
:wq