From: mdew <mdew@mdew.dyndns.org>
To: Rob Sterenborg <rsterenborg@xs4all.nl>
Cc: netfilter <netfilter@lists.netfilter.org>
Subject: RE: opening a port..
Date: 09 Jan 2003 22:51:18 +1300
Message-ID: <1042105878.487.40.camel@nirvana>
In-Reply-To: <FD8F124A387AD6119F7900A0D218B321019AA0@hslex01.hslbz.local>

On Thu, 2003-01-09 at 21:21, Rob Sterenborg wrote:
> > > # netstat -an|grep 4662
> > > should tell you if your box is listening at all on port 4662.
> > > 
> > > If you run eDonkey server on the firewall box, open port in the INPUT
> > > chain.
> > > If your eDonkey server is *behind* the firewall, open the port in the
> > > FORWARD chain, and add a DNAT rule in the nat table -> PREROUTING chain.
> > 
> > the edonkey server is behind the firewall
> > 
> > 210.54.175.12--->eth0 (Router) 10.0.0.6(eth1)--->10.0.0.x
> > 
> > iptables -t nat -A PREROUTING -p tcp -i eth0 -d 210.54.175.12 --dport 4662 -j DNAT --to 10.0.0.6:4662
> > iptables -A FORWARD -p tcp -i eth0 -d 10.0.0.6 --dport 4662 -j ACCEPT
> > 
> > like that?
> 
> If default policy for FORWARD is ACCEPT then it should work without the
> FORWARD, else you need it.
> 
> For me such a setup works.
> 
> If you do a netstat -an on the eDonkey box (you don't need netcat to do
> that) and it doesn't report 4662 then eDonkey is not running/listening
> and you can never connect.
> 
> About opening ports for eDonkey, from the eDonkey website:
> (http://www.edonkey2000.com/documentation/index.html)
> ====
> 2. Software Firewall
> If you are running software like Norton Personal Firewall, Tiny
> Firewall, Zone Alarm, BlackIce or <...snip...>
> Alternatively, with some more advanced firewalls, or firewall settings
> you will need to open ports 4661 and 4662 TCP for both incoming and
> outgoing connections, as well as port 4665 UDP for both incoming and
> outgoing connections.
> 
> 3. Hardware firewall
> Setting up your hardware firewall is a tad more difficult, but if you
> have one chances are you know what you're doing. You will need to set it
> to allow both incoming and outgoing connections on 4661 & 4662 TCP and
> port 4665 UDP.
> ====
> So you need to open more ports than just 4662/tcp I think.
> And IMHO you want a stateful packet filter, if you haven't made it
> stateful already.
> (iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT)
> 
> 
> Rob
> 
> 

OK, here's my current script. Yes, it's inefficient, but that's not the major
problem.. port 4662 :/ I realise that there are more ports available for
eDonkey to use, but opening ONE port would be a start.

I added "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j
ACCEPT" without anything happening...


/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_nat_ftp

# <<<<< COMPLETE-BLOCKAGE SMB/Samba Traffic >>>>>

iptables -A FORWARD -o eth1 -p tcp --dport 135:139 -j REJECT
iptables -A FORWARD -o eth1 -p udp --dport 135:139 -j REJECT
iptables -A FORWARD -o eth1 -p tcp --sport 135:139 -j REJECT
iptables -A FORWARD -o eth1 -p udp --sport 135:139 -j REJECT

iptables -A FORWARD -o eth0 -p tcp --dport 135:139 -j REJECT
iptables -A FORWARD -o eth0 -p tcp --sport 135:139 -j REJECT
iptables -A FORWARD -o eth0 -p udp --sport 135:139 -j REJECT
iptables -A FORWARD -o eth0 -p udp --dport 135:139 -j REJECT
iptables -A INPUT -i eth0 -p tcp --dport 135:139 -j REJECT
iptables -A INPUT -i eth0 -p udp --dport 135:139 -j REJECT
iptables -A INPUT -i eth0 -p tcp --sport 135:139 -j REJECT
iptables -A INPUT -i eth0 -p udp --sport 135:139 -j REJECT

iptables -A INPUT -i eth1 -p tcp --dport 135:139 -j REJECT
iptables -A INPUT -i eth1 -p udp --dport 135:139 -j REJECT
iptables -A INPUT -i eth1 -p tcp --sport 135:139 -j REJECT
iptables -A INPUT -i eth1 -p udp --sport 135:139 -j REJECT

iptables -A OUTPUT -o eth0 -p tcp --dport 135:139 -j REJECT
iptables -A OUTPUT -o eth0 -p udp --dport 135:139 -j REJECT
iptables -A OUTPUT -o eth0 -p tcp --sport 135:139 -j REJECT
iptables -A OUTPUT -o eth0 -p udp --sport 135:139 -j REJECT

iptables -A OUTPUT -o eth1 -p tcp --dport 135:139 -j REJECT
iptables -A OUTPUT -o eth1 -p udp --dport 135:139 -j REJECT
iptables -A OUTPUT -o eth1 -p tcp --sport 135:139 -j REJECT

iptables -A OUTPUT -o eth1 -p udp --sport 135:139 -j REJECT

iptables -A INPUT -i eth0 -p tcp --dport 113 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 113 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 113 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport 113 -j ACCEPT

iptables -A FORWARD  -p tcp --dport auth -i eth0 -j ACCEPT
iptables -A FORWARD  -p tcp --sport auth -i eth0 -j ACCEPT

iptables -A FORWARD  -p tcp --dport auth -i eth1 -j ACCEPT
iptables -A FORWARD  -p tcp --sport auth -i eth1 -j ACCEPT

iptables -A FORWARD -o eth0 -p tcp --dport 113 -j ACCEPT
iptables -A FORWARD -o eth1 -p tcp --dport 113 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 113 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 113 -j ACCEPT

iptables -A FORWARD -p tcp -s 10.0.0.9 --dport 4665 -m limit --limit 1/hour -j ACCEPT
iptables -A FORWARD -p udp -s 10.0.0.9 --dport 4665 -m limit --limit 1/hour -j ACCEPT
iptables -A FORWARD -p udp -s 10.0.0.9 --sport 4665 -m limit --limit 1/hour -j ACCEPT
iptables -A FORWARD -p tcp -s 10.0.0.9 --sport 4665 -m limit --limit 1/hour -j ACCEPT

# Block Outside the Network
iptables -A FORWARD -o eth0 -p tcp --dport 111 -j REJECT
iptables -A INPUT -i eth0 -p tcp --dport 111 -j REJECT
iptables -A FORWARD -o eth0 -p tcp --dport 199 -j REJECT
iptables -A INPUT -i eth0 -p tcp --dport 199 -j REJECT
iptables -A FORWARD -o eth0 -p tcp --dport 826 -j REJECT
iptables -A INPUT -i eth0 -p tcp --dport 826 -j REJECT
iptables -A FORWARD -o eth0 -p tcp --dport 953 -j REJECT
iptables -A INPUT -i eth0 -p tcp --dport 953 -j REJECT

# Block Inside the Network
iptables -A FORWARD -o eth1 -p tcp --dport 111 -j REJECT
iptables -A INPUT -i eth1 -p tcp --dport 111 -j REJECT
iptables -A FORWARD -o eth1 -p tcp --dport 199 -j REJECT
iptables -A INPUT -i eth1 -p tcp --dport 199 -j REJECT
iptables -A FORWARD -o eth1 -p tcp --dport 826 -j REJECT
iptables -A INPUT -i eth1 -p tcp --dport 826 -j REJECT
iptables -A INPUT -i eth1 -p tcp --dport 953 -j REJECT

iptables -A INPUT -i eth0 -p tcp --dport 4661 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 4661 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 4661 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 4661 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport 4661 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --sport 4661 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 4661 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 4661 -j ACCEPT

iptables -A FORWARD -o eth0 -p tcp --dport 4661 -j ACCEPT
iptables -A FORWARD -o eth1 -p tcp --dport 4661 -j ACCEPT
iptables -A FORWARD -o eth1 -p udp --dport 4661 -j ACCEPT
iptables -A FORWARD -o eth0 -p udp --dport 4661 -j ACCEPT
iptables -A FORWARD -o eth0 -p udp --sport 4661 -j ACCEPT
iptables -A FORWARD -o eth1 -p udp --sport 4661 -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp --sport 4661 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 4662 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 4662 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 4662 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 4662 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport 4662 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --sport 4662 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 4662 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 4662 -j ACCEPT

iptables -A FORWARD -o eth0 -p tcp --dport 4662 -j ACCEPT
iptables -A FORWARD -o eth1 -p tcp --dport 4662 -j ACCEPT
iptables -A FORWARD -o eth1 -p udp --dport 4662 -j ACCEPT
iptables -A FORWARD -o eth0 -p udp --dport 4662 -j ACCEPT
iptables -A FORWARD -o eth0 -p udp --sport 4662 -j ACCEPT
iptables -A FORWARD -o eth1 -p udp --sport 4662 -j ACCEPT
iptables -A FORWARD -o eth1 -p tcp --sport 4662 -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp --sport 4662 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 4665 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 4665 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 4665 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 4665 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport 4665 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --sport 4665 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 4665 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 4665 -j ACCEPT

iptables -A FORWARD -o eth0 -p tcp --dport 4665 -j ACCEPT
iptables -A FORWARD -o eth1 -p tcp --dport 4665 -j ACCEPT
iptables -A FORWARD -o eth1 -p udp --dport 4665 -j ACCEPT
iptables -A FORWARD -o eth0 -p udp --dport 4665 -j ACCEPT
iptables -A FORWARD -o eth0 -p udp --sport 4665 -j ACCEPT
iptables -A FORWARD -o eth1 -p udp --sport 4665 -j ACCEPT
iptables -A FORWARD -o eth1 -p tcp --sport 4665 -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp --sport 4665 -j ACCEPT
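As an added example, which is neither mdew's script nor Rob's own code, here is the DNAT-plus-FORWARD ruleset Rob describes, written for the topology and ports in this thread (210.54.175.12 on eth0, the LAN on eth1, the eDonkey box at 10.0.0.6, ports 4661/4662 TCP and 4665 UDP from the quoted eDonkey documentation). It prints the commands by default and only applies them when IPTABLES=iptables is set; the interface names and addresses are assumed from the thread.

```shell
#!/bin/sh
# Added example, not mdew's script: the minimal ruleset Rob describes, for the
# topology in the thread (210.54.175.12 on eth0 outside, eth1 towards the LAN,
# eDonkey box at 10.0.0.6) and the ports from the quoted eDonkey documentation.
# Dry run by default: commands are printed. Run with IPTABLES=iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"

WAN_IF=eth0
WAN_IP=210.54.175.12
LAN_IF=eth1
EDONKEY=10.0.0.6

# Forward one port from the public address to the eDonkey box.
# $1 = protocol (tcp or udp), $2 = port
forward_port() {
    proto=$1
    port=$2
    # Rewrite the destination before routing (nat table, PREROUTING chain).
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" -d "$WAN_IP" \
        --dport "$port" -j DNAT --to-destination "$EDONKEY:$port"
    # FORWARD sees the packet after DNAT, so match the private address,
    # not the public one, and only the first packet of a new connection.
    $IPTABLES -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -d "$EDONKEY" \
        --dport "$port" -m state --state NEW -j ACCEPT
}

# The complete ruleset: stateful pass-through first, then the per-port rules.
edonkey_rules() {
    # Replies and related packets for every accepted connection, both ways.
    $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # New connections from the LAN towards the Internet (needed only when
    # the FORWARD policy is not ACCEPT, as Rob points out).
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    forward_port tcp 4661
    forward_port tcp 4662
    forward_port udp 4665
}

# Number of rules the ruleset produces (8 for the three ports above), always
# counted in dry-run mode in a subshell so nothing is applied twice.
rule_count() {
    ( IPTABLES="echo iptables"; edonkey_rules ) | wc -l | tr -d ' '
}

# Verification once applied: 'iptables -t nat -L PREROUTING -n -v' should show
# the DNAT counters climbing when a client connects, and on 10.0.0.6 itself
# 'netstat -an | grep 4662' must show a LISTEN socket, or nothing can connect.
edonkey_rules
```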




