07-10-2007 #1, Linux Newbie (Join Date: Jun 2005, Posts: 123)
Bittorrent blocked by iptables
Hi,
I was looking at my iptables log and I had some entries which were from bittorrent, but I'm unsure as to why they've been picked up.
I am behind a NAT'ing router (Netgear RP614) which acts as a firewall. I have forwarded port 17999 to my computer, for bittorrent.
I have configured rtorrent (the bittorrent client I use) to listen on port 17999.
Here's my iptables script:
Code:
#!/bin/sh
IPT=/usr/sbin/iptables
EXT=eth0

# Flush all entries
$IPT -F
$IPT -X
$IPT -Z

# This isn't a router
# Modifying this setting resets all configuration
# parameters to their default values, which is why
# this setting should be applied first.
echo "0" > /proc/sys/net/ipv4/ip_forward

# Enable TCP SYN Cookie Protection
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Do not send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable source-routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Let's enable SYN cookies (to protect against SYN floods):
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Let's disable TCP timestamps to reduce the TCP stack workload:
echo "0" > /proc/sys/net/ipv4/tcp_timestamps

# POSSIBLY FATAL WHEN USED BEHIND A FIREWALL OR AT UNI
# Let's enable reverse path filtering for anti-spoofing:
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

# Let's allow redirects from trusted gateways only:
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects

# Let's log any UFOs which are spotted:
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Drop all connections by default
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Allow connections through loopback device
$IPT -A INPUT -i lo -p all -j ACCEPT
$IPT -A OUTPUT -o lo -p all -j ACCEPT

# Allow incoming connection if they're related or established
$IPT -A INPUT -i $EXT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow connections for BitTorrent (I don't think UDP is required, but it's low-risk)
$IPT -A INPUT -p tcp --destination-port 17999 -j ACCEPT
$IPT -A INPUT -p udp --destination-port 17999 -j ACCEPT

# Allow all outgoing packets
$IPT -A OUTPUT -o $EXT -j ACCEPT

# Logging
$IPT -A INPUT -j LOG --log-prefix "FIREWALL "
Now, I'm going to start downloading Gentoo's torrent file. Here's what my firewall log has produced:
Code:
Jul 10 20:59:51 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=40 ID=34787 PROTO=TCP SPT=6936 DPT=43576 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
Jul 10 21:00:15 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=72.143.33.119 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=234 ID=46094 PROTO=TCP SPT=41945 DPT=49598 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
Jul 10 21:00:15 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=34795 PROTO=TCP SPT=6936 DPT=43576 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
Here's my 'netstat -tuanp' (well, the relevant bits; other connections were still SYN_SENT or had been established):
Code:
tcp        0      1 192.168.0.2:49598       72.143.33.119:41945     SYN_SENT    3303/rtorrent
tcp        0      1 192.168.0.2:43576       201.86.32.45:6936       SYN_SENT    3303/rtorrent
Now, I realise the packets are picked up by iptables because I've told iptables to.
Why do I have a few packets whose destination port is 45000+ (I know high number ports are used for exchanging data, as negotiated by rtorrent and Linux, but why do only a few get picked up?)?
Is my router failing to correctly NAT those packets?
Is this a problem on the peer's side?
Thanks
Tom
Note: Given this, I still get great speeds. I max out my connection at 220kbps.
07-10-2007 #2, Linux Newbie (Join Date: Jun 2005, Posts: 123)
I tried it again and got:
Code:
Jul 10 21:39:43 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=72.143.33.119 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=234 ID=47418 PROTO=TCP SPT=41945 DPT=51280 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
Jul 10 21:39:43 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=35506 PROTO=TCP SPT=6936 DPT=49235 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
Jul 10 21:39:43 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=35507 PROTO=ICMP TYPE=3 CODE=3 [SRC=82.42.19.158 DST=201.86.32.45 LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=52050 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Jul 10 21:39:46 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=72.143.33.119 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=234 ID=47421 PROTO=TCP SPT=41945 DPT=51280 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
Jul 10 21:39:46 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=35512 PROTO=TCP SPT=6936 DPT=49235 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
Jul 10 21:39:46 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=35513 PROTO=ICMP TYPE=3 CODE=3 [SRC=82.42.19.158 DST=201.86.32.45 LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=52051 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Jul 10 21:39:52 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=72.143.33.119 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=234 ID=47426 PROTO=TCP SPT=41945 DPT=51280 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
Jul 10 21:39:52 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=35516 PROTO=TCP SPT=6936 DPT=49235 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
Jul 10 21:39:52 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=35517 PROTO=ICMP TYPE=3 CODE=3 [SRC=82.42.19.158 DST=201.86.32.45 LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=52052 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Jul 10 21:40:04 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=72.143.33.119 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=234 ID=47442 PROTO=TCP SPT=41945 DPT=51280 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
Jul 10 21:40:04 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=35521 PROTO=TCP SPT=6936 DPT=49235 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
Jul 10 21:40:04 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=35522 PROTO=ICMP TYPE=3 CODE=3 [SRC=82.42.19.158 DST=201.86.32.45 LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=52053 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Jul 10 21:40:09 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:09:6b:40:db:9c:08:00 SRC=192.168.0.3 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=59663 DF PROTO=TCP SPT=2730 DPT=1396 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 10 21:40:28 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=72.143.33.119 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=234 ID=47453 PROTO=TCP SPT=41945 DPT=51280 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
Jul 10 21:40:28 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=35530 PROTO=TCP SPT=6936 DPT=49235 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
Jul 10 21:43:01 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=81.192.123.253 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=29335 DPT=46138 WINDOW=0 RES=0x00 RST URGP=0
This is similar output. I posted it in case what I posted earlier wasn't enough.
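The log lines in both posts fall into a few distinct groups, and the distinguishing features are visible in the lines themselves. The Python script below is an added example for this thread, not code from the original poster, iptables or rtorrent; it parses the quoted LOG lines and names the reason each one could not have matched the `RELATED,ESTABLISHED` rule. It relies on two things the thread does not state. First, the Linux connection tracker's TCP state machine only accepts the flag combinations in its tcp_valid_flags table (nf_conntrack_proto_tcp.c), and FIN together with RST is not one of them, so an `ACK RST FIN` segment is marked INVALID and falls through to the LOG rule regardless of the SYN_SENT socket netstat shows. Second, the assumption that a NAT router which handles ICMP errors correctly rewrites the header quoted inside the error back to the private address; the embedded `SRC=82.42.19.158` in the posts is still the public address, so conntrack has nothing to relate it to. The local address 192.168.0.2 and the four sample lines are taken from the posts.

```python
"""Classify iptables LOG entries the way the kernel's TCP connection tracker
would.  Added example for this thread; not code from the original post."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

LOCAL_IP = "192.168.0.2"  # the firewalled host in the thread

# Flag combinations that nf_conntrack's TCP tracker accepts (tcp_valid_flags in
# nf_conntrack_proto_tcp.c).  Only FIN/SYN/RST/ACK/URG are looked at; any other
# combination (FIN together with RST, for instance) is marked INVALID, so it can
# never match "--state RELATED,ESTABLISHED" and falls through to the LOG rule.
VALID_FLAG_SETS = {
    frozenset({"SYN"}), frozenset({"SYN", "URG"}), frozenset({"SYN", "ACK"}),
    frozenset({"RST"}), frozenset({"RST", "ACK"}),
    frozenset({"FIN", "ACK"}), frozenset({"FIN", "ACK", "URG"}),
    frozenset({"ACK"}), frozenset({"ACK", "URG"}),
}
TRACKED_FLAGS = {"FIN", "SYN", "RST", "ACK", "URG"}
ALL_FLAGS = TRACKED_FLAGS | {"PSH", "ECE", "CWR"}

_KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


@dataclass
class LogEntry:
    fields: Dict[str, str]           # outer KEY=VALUE pairs (SRC, DST, PROTO, ...)
    flags: Set[str]                  # bare TCP flag tokens (ACK, RST, FIN, ...)
    inner: Optional[Dict[str, str]]  # header quoted inside an ICMP error, if any


def parse_log_line(line: str) -> LogEntry:
    """Split one LOG line into its outer fields, its TCP flag tokens and, for
    ICMP errors, the bracketed header of the packet the error refers to."""
    outer, _, inner = line.partition("[")
    return LogEntry(
        fields=dict(_KV_RE.findall(outer)),
        flags={tok for tok in outer.split() if tok in ALL_FLAGS},
        inner=dict(_KV_RE.findall(inner)) if inner else None,
    )


def classify(entry: LogEntry, local_ip: str = LOCAL_IP) -> str:
    """Explain why a logged packet could not match the RELATED,ESTABLISHED rule."""
    proto = entry.fields.get("PROTO")
    if proto == "TCP":
        tracked = frozenset(entry.flags & TRACKED_FLAGS)
        if tracked not in VALID_FLAG_SETS:
            return "tcp-invalid-flags"     # e.g. ACK RST FIN: conntrack says INVALID
        if tracked == frozenset({"SYN"}):
            return "tcp-new-unsolicited"   # a fresh SYN to a port with no ACCEPT rule
        return "tcp-unmatched"             # valid flags, but no live conntrack entry
    if proto == "ICMP" and entry.fields.get("TYPE") == "3":
        inner = entry.inner or {}
        # Assumption: a NAT router that handles ICMP errors properly rewrites the
        # quoted header back to the private address.  If it still shows the
        # public address, conntrack cannot relate the error to any local flow.
        if inner.get("SRC") != local_ip:
            return "icmp-error-unnatted"
        return "icmp-error-unmatched"
    return "other"


def summarise(lines: List[str]) -> Dict[str, int]:
    """Count log lines per reason."""
    counts: Dict[str, int] = {}
    for line in lines:
        reason = classify(parse_log_line(line))
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Sample input: four entries copied from the log excerpts quoted in this thread.
SAMPLE_LOG = [
    "Jul 10 20:59:51 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=40 ID=34787 PROTO=TCP SPT=6936 DPT=43576 WINDOW=0 RES=0x00 ACK RST FIN URGP=0",
    "Jul 10 21:39:43 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=35507 PROTO=ICMP TYPE=3 CODE=3 [SRC=82.42.19.158 DST=201.86.32.45 LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=52050 DF PROTO=TCP INCOMPLETE [8 bytes] ]",
    "Jul 10 21:40:09 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:09:6b:40:db:9c:08:00 SRC=192.168.0.3 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=59663 DF PROTO=TCP SPT=2730 DPT=1396 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jul 10 21:43:01 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=81.192.123.253 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=29335 DPT=46138 WINDOW=0 RES=0x00 RST URGP=0",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        e = parse_log_line(line)
        print(f"{e.fields['SRC']:>16} -> {e.fields.get('DPT', '-'):>5}  {classify(e)}")
    print(summarise(SAMPLE_LOG))
```

Run as-is it prints one reason per sample line. The practical point for the ruleset in the thread is that a LOG rule placed after the `RELATED,ESTABLISHED` accept catches three unrelated things: segments conntrack refuses to track at all (the `ACK RST FIN` replies to rtorrent's outgoing SYNs), ICMP errors the router passed through without translating the quoted header, and genuinely new inbound connections such as the SYN from 192.168.0.3. An `-m state --state INVALID -j DROP` rule inserted before the LOG rule separates the first group from the other two, so the log only shows traffic that actually needed a policy decision.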