  1. #1

    Bittorrent blocked by iptables


    Hi,

    I was looking at my iptables log and I had some entries in which were from bittorrent, but I'm unsure as to why they've been picked up.

    I am behind a NAT'ing router (Netgear RP614) which acts as a firewall. I have forwarded port 17999 to my computer, for bittorrent.

    I have configured rtorrent (the bittorrent client I use) to listen on port 17999.

    Here's my iptables script:
    Code:
    #!/bin/sh
    
    IPT=/usr/sbin/iptables
    EXT=eth0
    
    # Flush all entries
    $IPT -F
    $IPT -X
    $IPT -Z
    
    # This isn't a router
    # Modifying this setting resets all configuration
    # parameters to their default vaules, which is why
    # this setting should be applied first.
    echo "0" > /proc/sys/net/ipv4/ip_forward
    
    # Enable TCP SYN Cookie Protection
    if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    fi
    
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    
    # Disable ICMP Redirect Acceptance
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    
    # Do not send Redirect Messages
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    
    # Enable bad error message protection
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    
    # Enable broadcast echo protection
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    
    # Disable source-routed packets
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    
    # (SYN cookies were already enabled above, guarded by the existence check;
    # a second unguarded write would fail on kernels without tcp_syncookies.)
    
    # Let's disable TCP timestamps to reduce the TCP stack workload:
    echo "0" > /proc/sys/net/ipv4/tcp_timestamps
    
    # POSSIBLY FATAL WHEN USED BEHIND A FIREWALL OR AT UNI
    # Let's enable reverse path filtering for anti-spoofing:
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    # Let's allow redirects from trusted gateways only:
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
    
    # Let's log any UFOs which are spotted:
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    
    # Drop all connections by default
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    
    # Allow connections through loopback device
    $IPT -A INPUT -i lo -p all -j ACCEPT
    $IPT -A OUTPUT -o lo -p all -j ACCEPT
    
    # Allow incoming connection if they're related or established
    $IPT -A INPUT -i $EXT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    # Allow connections for BitTorrent (I don't think UDP is required, but it's low-risk)
    $IPT -A INPUT -p tcp --destination-port 17999 -j ACCEPT
    $IPT -A INPUT -p udp --destination-port 17999 -j ACCEPT
    
    # Allow all outgoing packets
    $IPT -A OUTPUT -o $EXT -j ACCEPT
    
    # Logging
    $IPT -A INPUT -j LOG --log-prefix "FIREWALL "
    Now, I'm going to start downloading Gentoo's torrent file. Here's what my firewall log has produced:
    Code:
    Jul 10 20:59:51 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=40 ID=34787 PROTO=TCP SPT=6936 DPT=43576 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
    Jul 10 21:00:15 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=72.143.33.119 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=234 ID=46094 PROTO=TCP SPT=41945 DPT=49598 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
    Jul 10 21:00:15 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=34795 PROTO=TCP SPT=6936 DPT=43576 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
    Here's my 'netstat -tuanp' (well, the relevant bits; other connections were still SYN_SENT or had been established):
    Code:
    tcp        0      1 192.168.0.2:49598       72.143.33.119:41945     SYN_SENT 3303/rtorrent
    tcp        0      1 192.168.0.2:43576       201.86.32.45:6936       SYN_SENT 3303/rtorrent
    Now, I realise the packets are picked up by iptables because I've told iptables to.

    Why do I have a few packets whose destination port is 45000+? (I know high-numbered ports are used for exchanging data, as negotiated by rtorrent and Linux, but why do only a few get picked up?)

    Is my router failing to correctly NAT those packets?

    Is this a problem on the peer's side?

    Thanks
    Tom

    Note: Given this, I still get great speeds. I max out my connection at 220kbps.

  2. #2
    I tried it again and got:
    Code:
    Jul 10 21:39:43 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=72.143.33.119 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=234 ID=47418 PROTO=TCP SPT=41945 DPT=51280 WINDOW=0 RES=0x00 ACK RST FIN URGP=0 
    Jul 10 21:39:43 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=35506 PROTO=TCP SPT=6936 DPT=49235 WINDOW=0 RES=0x00 ACK RST FIN URGP=0 
    Jul 10 21:39:43 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=35507 PROTO=ICMP TYPE=3 CODE=3 [SRC=82.42.19.158 DST=201.86.32.45 LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=52050 DF PROTO=TCP INCOMPLETE [8 bytes] ] 
    Jul 10 21:39:46 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=72.143.33.119 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=234 ID=47421 PROTO=TCP SPT=41945 DPT=51280 WINDOW=0 RES=0x00 ACK RST FIN URGP=0 
    Jul 10 21:39:46 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=35512 PROTO=TCP SPT=6936 DPT=49235 WINDOW=0 RES=0x00 ACK RST FIN URGP=0 
    Jul 10 21:39:46 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=35513 PROTO=ICMP TYPE=3 CODE=3 [SRC=82.42.19.158 DST=201.86.32.45 LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=52051 DF PROTO=TCP INCOMPLETE [8 bytes] ] 
    Jul 10 21:39:52 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=72.143.33.119 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=234 ID=47426 PROTO=TCP SPT=41945 DPT=51280 WINDOW=0 RES=0x00 ACK RST FIN URGP=0 
    Jul 10 21:39:52 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=35516 PROTO=TCP SPT=6936 DPT=49235 WINDOW=0 RES=0x00 ACK RST FIN URGP=0 
    Jul 10 21:39:52 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=35517 PROTO=ICMP TYPE=3 CODE=3 [SRC=82.42.19.158 DST=201.86.32.45 LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=52052 DF PROTO=TCP INCOMPLETE [8 bytes] ] 
    Jul 10 21:40:04 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=72.143.33.119 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=234 ID=47442 PROTO=TCP SPT=41945 DPT=51280 WINDOW=0 RES=0x00 ACK RST FIN URGP=0 
    Jul 10 21:40:04 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=35521 PROTO=TCP SPT=6936 DPT=49235 WINDOW=0 RES=0x00 ACK RST FIN URGP=0 
    Jul 10 21:40:04 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=35522 PROTO=ICMP TYPE=3 CODE=3 [SRC=82.42.19.158 DST=201.86.32.45 LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=52053 DF PROTO=TCP INCOMPLETE [8 bytes] ] 
    Jul 10 21:40:09 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:09:6b:40:db:9c:08:00 SRC=192.168.0.3 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=59663 DF PROTO=TCP SPT=2730 DPT=1396 WINDOW=65535 RES=0x00 SYN URGP=0
    Jul 10 21:40:28 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=72.143.33.119 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=234 ID=47453 PROTO=TCP SPT=41945 DPT=51280 WINDOW=0 RES=0x00 ACK RST FIN URGP=0 
    Jul 10 21:40:28 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=35530 PROTO=TCP SPT=6936 DPT=49235 WINDOW=0 RES=0x00 ACK RST FIN URGP=0 
    Jul 10 21:43:01 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=81.192.123.253 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=29335 DPT=46138 WINDOW=0 RES=0x00 RST URGP=0
    This is similar output. I posted it in case what I posted earlier wasn't enough.
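A note on what the logged lines in both posts have in common, with a worked example. This is an added analysis script, not code from the thread or from rtorrent. Every TCP packet in the logs carries the flag combination ACK RST FIN with WINDOW=0, and the netstat output shows they are answers to rtorrent's own outgoing SYNs (log DPT matches the local port, log SRC:SPT matches the remote end). Linux connection tracking only accepts a short whitelist of TCP flag combinations (the tcp_valid_flags table in nf_conntrack_proto_tcp.c: SYN, SYN+ACK, ACK, RST, RST+ACK, FIN+ACK, each optionally with URG; PSH/ECE/CWR are masked off first). FIN+RST+ACK is not on that list, so conntrack classifies those packets as INVALID, and a packet in state INVALID never matches `-m state --state RELATED,ESTABLISHED` even though it belongs to a connection attempt the host made. The packet then falls past the ESTABLISHED rule to the LOG rule, which is exactly what the posted script does with it. The script below parses the ipt_LOG lines and the netstat lines, correlates them, and applies that whitelist; the function and class names are my own, and the sample input is the post's own log and netstat lines embedded as strings.

```python
import re
from dataclasses import dataclass

# TCP flag bits (header byte 13). PSH/ECE/CWR are left out on purpose:
# conntrack masks them off before checking the combination.
FIN, SYN, RST, ACK, URG = 0x01, 0x02, 0x04, 0x10, 0x20
FLAG_BITS = {"FIN": FIN, "SYN": SYN, "RST": RST, "ACK": ACK, "URG": URG}

# Whitelist from the kernel's tcp_valid_flags table (nf_conntrack_proto_tcp.c).
# Any other combination, including FIN+RST+ACK, is classified INVALID and can
# never match "-m state --state RELATED,ESTABLISHED".
VALID_FLAG_SETS = {
    SYN, SYN | URG, SYN | ACK,
    RST, RST | ACK,
    FIN | ACK, FIN | ACK | URG,
    ACK, ACK | URG,
}

@dataclass(frozen=True)
class TcpLogEntry:
    src: str
    spt: int
    dst: str
    dpt: int
    flags: frozenset
    window: int

def parse_log_line(line):
    """Parse one ipt_LOG kernel line; return a TcpLogEntry, or None if not TCP."""
    # Drop the bracketed inner header of ICMP error lines so its own
    # SRC=/DST= fields cannot overwrite the outer ones.
    line = re.sub(r"\[.*?\]", "", line)
    kv = dict(re.findall(r"\b(\w+)=(\S+)", line))
    if kv.get("PROTO") != "TCP":
        return None
    # Flags are printed as bare tokens (ACK RST FIN ...), not as key=value.
    flags = frozenset(tok for tok in line.split() if tok in FLAG_BITS)
    return TcpLogEntry(kv["SRC"], int(kv["SPT"]), kv["DST"], int(kv["DPT"]),
                       flags, int(kv.get("WINDOW", "0")))

def conntrack_flags_valid(flags):
    """True if conntrack's flag whitelist accepts this combination."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    return bits in VALID_FLAG_SETS

def parse_netstat(lines):
    """Map (local_port, remote_ip, remote_port) -> state from 'netstat -tuanp'."""
    sockets = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        _, lport = parts[3].rsplit(":", 1)
        rip, rport = parts[4].rsplit(":", 1)
        sockets[(int(lport), rip, int(rport))] = parts[5]
    return sockets

def classify(entry, sockets):
    """Explain why a logged packet fell past the ESTABLISHED rule to LOG."""
    state = sockets.get((entry.dpt, entry.src, entry.spt))
    flags = "+".join(sorted(entry.flags)) or "none"
    if not conntrack_flags_valid(entry.flags):
        context = ("answers our %s socket" % state) if state else "no matching socket"
        return ("INVALID: flags %s are not on conntrack's whitelist (%s), "
                "so --state ESTABLISHED cannot match" % (flags, context))
    if state is None:
        return ("unsolicited: flags %s pass the whitelist, but no local socket "
                "for %s:%d in the netstat snapshot" % (flags, entry.src, entry.spt))
    return "flags %s pass the whitelist; local socket is %s" % (flags, state)

# Sample input: four log lines and two netstat lines copied from the posts
# above (the third log line is the ICMP one, which the parser skips).
SAMPLE_LOG = [
    "Jul 10 20:59:51 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=40 ID=34787 PROTO=TCP SPT=6936 DPT=43576 WINDOW=0 RES=0x00 ACK RST FIN URGP=0",
    "Jul 10 21:00:15 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=72.143.33.119 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=234 ID=46094 PROTO=TCP SPT=41945 DPT=49598 WINDOW=0 RES=0x00 ACK RST FIN URGP=0",
    "Jul 10 21:39:43 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=201.86.32.45 DST=192.168.0.2 LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=35507 PROTO=ICMP TYPE=3 CODE=3 [SRC=82.42.19.158 DST=201.86.32.45 LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=52050 DF PROTO=TCP INCOMPLETE [8 bytes] ]",
    "Jul 10 21:43:01 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=81.192.123.253 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=29335 DPT=46138 WINDOW=0 RES=0x00 RST URGP=0",
]
SAMPLE_NETSTAT = [
    "tcp        0      1 192.168.0.2:49598       72.143.33.119:41945     SYN_SENT 3303/rtorrent",
    "tcp        0      1 192.168.0.2:43576       201.86.32.45:6936       SYN_SENT 3303/rtorrent",
]

def report(log_lines=SAMPLE_LOG, netstat_lines=SAMPLE_NETSTAT):
    """Return (src, dpt, explanation) for every TCP line in the log."""
    sockets = parse_netstat(netstat_lines)
    results = []
    for line in log_lines:
        entry = parse_log_line(line)
        if entry is not None:
            results.append((entry.src, entry.dpt, classify(entry, sockets)))
    return results

if __name__ == "__main__":
    for src, dpt, why in report():
        print("%s -> :%d  %s" % (src, dpt, why))
```

Two caveats. The script only models conntrack's flag whitelist; the real tracker also checks sequence and acknowledgement numbers against the tracked window, so a packet can be INVALID for reasons this classifier does not see, and a lone RST with no conntrack entry (the last sample line) is INVALID to conntrack as well even though its flags are fine. If the goal is simply to keep this noise out of syslog, an explicit `$IPT -A INPUT -m state --state INVALID -j DROP` placed before the LOG rule, and `-m limit --limit 5/min` on the LOG rule itself, both keep the default-DROP behaviour of the posted script while stopping a peer's retransmitted resets from filling the log.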
