Bittorrent blocked by iptables
I was looking at my iptables log and I had some entries in which were from bittorrent, but I'm unsure as to why they've been picked up.
I am behind a NAT'ing router (Netgear RP614) which acts as a firewall. I have forwarded port 17999 to my computer, for bittorrent.
I have configured rtorrent (the bittorrent client I use) to listen on port 17999.
Here's my iptables script:

#!/bin/bash
IPT=/sbin/iptables
EXT=eth0

# Flush all entries
$IPT -F
$IPT -X

# This isn't a router
# Modifying this setting resets all configuration
# parameters to their default values, which is why
# this setting should be applied first.
echo "0" > /proc/sys/net/ipv4/ip_forward

# Enable TCP SYN Cookie Protection
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

# Ignore all ICMP echo requests (this host will not answer pings)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Do not send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable source-routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Let's disable TCP timestamps to reduce the TCP stack workload:
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
# POSSIBLY FATAL WHEN USED BEHIND A FIREWALL OR AT UNI
# Let's enable reverse path filtering for anti-spoofing:
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
# Let's allow redirects from trusted gateways only:
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
# Let's log any UFOs which are spotted:
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Drop all connections by default
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Allow connections through loopback device
$IPT -A INPUT -i lo -p all -j ACCEPT
$IPT -A OUTPUT -o lo -p all -j ACCEPT

# Allow incoming packets if they're related to, or part of, an established connection
$IPT -A INPUT -i $EXT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow connections for BitTorrent (I don't think UDP is required, but it's low-risk)
$IPT -A INPUT -p tcp --destination-port 17999 -j ACCEPT
$IPT -A INPUT -p udp --destination-port 17999 -j ACCEPT

# Allow all outgoing packets
$IPT -A OUTPUT -o $EXT -j ACCEPT

# Anything that reached this point was not accepted above: log it,
# then the INPUT policy (DROP) discards it
$IPT -A INPUT -j LOG --log-prefix "FIREWALL "

Now, I'm going to start downloading Gentoo's torrent file. Here's what my firewall log has produced:

Jul 10 20:59:51 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=18.104.22.168 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=40 ID=34787 PROTO=TCP SPT=6936 DPT=43576 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
Jul 10 21:00:15 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=22.214.171.124 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=234 ID=46094 PROTO=TCP SPT=41945 DPT=49598 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
Jul 10 21:00:15 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=126.96.36.199 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=34795 PROTO=TCP SPT=6936 DPT=43576 WINDOW=0 RES=0x00 ACK RST FIN URGP=0

Here's my 'netstat -tuanp' (well, the relevant bits; the other connections were still SYN_SENT or had been established):

tcp 0 1 192.168.0.2:49598 188.8.131.52:41945 SYN_SENT 3303/rtorrent
tcp 0 1 192.168.0.2:43576 184.108.40.206:6936 SYN_SENT 3303/rtorrent

Now, I realise the packets are picked up by iptables because I've told iptables to.
Why do I have a few packets whose destination port is 45000+? I know high-numbered ports are used for exchanging data, as negotiated by rtorrent and Linux, but why do only a few get picked up?
Is my router failing to correctly NAT those packets?
Is this a problem on the peer's side?
Note: Given this, I still get great speeds. I max out my connection at 220kbps.
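The following is an added example, not part of the question above and not rtorrent's or the poster's code. It runs the three FIREWALL log lines and the two netstat rows quoted in the post through the same flag check that the Linux TCP connection tracker (nf_conntrack, its tcp_valid_flags table) applies to every segment: only a handful of flag combinations are accepted, PSH/ECE/CWR are masked off first, and anything else, such as a segment with RST and FIN both set, is marked INVALID. An INVALID packet never matches `-m state --state RELATED,ESTABLISHED`, so in the ruleset above it can only be accepted by the explicit port 17999 rules, and otherwise falls through to the LOG rule. The script parses each log line, checks its flags against that table, and correlates the port pair with the netstat rows (by port only, since the addresses in a post are often anonymised). The listen port 17999 and the sample lines come from the post; the function and variable names are this example's own.

```python
"""Classify iptables LOG lines the way the kernel's TCP connection tracker
would, and correlate them with 'netstat -tuanp' output, to see why a packet
reached the LOG rule instead of matching --state RELATED,ESTABLISHED."""
from typing import Iterable

# Flag combinations nf_conntrack's TCP tracker accepts (its tcp_valid_flags
# table). PSH, ECE and CWR are masked off before the lookup. Any other
# combination, e.g. FIN and RST set together, is marked INVALID, and an
# INVALID packet matches neither RELATED nor ESTABLISHED.
_TCP_FLAGS = {"FIN", "SYN", "RST", "ACK", "URG", "PSH", "ECE", "CWR"}
_MASKED_OFF = {"PSH", "ECE", "CWR"}
_VALID_COMBOS = {
    frozenset({"SYN"}), frozenset({"SYN", "URG"}), frozenset({"SYN", "ACK"}),
    frozenset({"RST"}), frozenset({"RST", "ACK"}),
    frozenset({"FIN", "ACK"}), frozenset({"FIN", "ACK", "URG"}),
    frozenset({"ACK"}), frozenset({"ACK", "URG"}),
}


def flags_valid_for_conntrack(flags: Iterable[str]) -> bool:
    """True if conntrack would treat this flag combination as a valid segment."""
    return frozenset(set(flags) - _MASKED_OFF) in _VALID_COMBOS


def parse_log_line(line: str) -> dict:
    """Split one 'FIREWALL ...' kernel log line into KEY=VALUE fields and the
    bare TCP flag tokens (ACK, RST, FIN, ...) that follow RES=."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val
        elif tok in _TCP_FLAGS:
            flags.add(tok)
    return {"src": fields["SRC"], "spt": int(fields["SPT"]),
            "dst": fields["DST"], "dpt": int(fields["DPT"]),
            "proto": fields["PROTO"], "flags": flags}


def parse_netstat_line(line: str) -> dict:
    """Parse one 'netstat -tuanp' row: proto recv-q send-q local remote state pid/prog."""
    f = line.split()
    return {"local": f[3], "remote": f[4], "state": f[5],
            "prog": f[6] if len(f) > 6 else "-",
            "local_port": int(f[3].rsplit(":", 1)[1]),
            "remote_port": int(f[4].rsplit(":", 1)[1])}


def explain(log_lines, netstat_lines, listen_ports=(17999,)):
    """For each logged packet, say which rule of the posted ruleset it should
    have hit and why it reached the LOG rule instead."""
    socks = [parse_netstat_line(l) for l in netstat_lines if l.strip()]
    results = []
    for line in log_lines:
        if not line.strip():
            continue
        pkt = parse_log_line(line)
        valid = flags_valid_for_conntrack(pkt["flags"])
        sock = next((s for s in socks if s["local_port"] == pkt["dpt"]
                     and s["remote_port"] == pkt["spt"]), None)
        if pkt["dpt"] in listen_ports:
            # the --dport rules carry no state match, so even INVALID gets in
            verdict = "matches the explicit --dport ACCEPT rule; would not be logged"
        elif not valid:
            verdict = ("conntrack INVALID (flag set not in tcp_valid_flags): "
                       "skips RELATED,ESTABLISHED and falls through to LOG")
        elif sock is not None:
            verdict = "reply to a tracked outbound connection: should match ESTABLISHED"
        else:
            verdict = "no local socket for this port pair: unsolicited, logged by design"
        results.append({"dpt": pkt["dpt"], "spt": pkt["spt"], "flags": pkt["flags"],
                        "conntrack_valid": valid,
                        "socket": (f"{sock['local']} -> {sock['remote']} "
                                   f"{sock['state']} ({sock['prog']})") if sock else None,
                        "verdict": verdict})
    return results


# Sample input: the log lines and netstat rows quoted in the post above.
SAMPLE_LOG = [
    "Jul 10 20:59:51 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=18.104.22.168 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=40 ID=34787 PROTO=TCP SPT=6936 DPT=43576 WINDOW=0 RES=0x00 ACK RST FIN URGP=0",
    "Jul 10 21:00:15 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=22.214.171.124 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=234 ID=46094 PROTO=TCP SPT=41945 DPT=49598 WINDOW=0 RES=0x00 ACK RST FIN URGP=0",
    "Jul 10 21:00:15 desktop kernel: FIREWALL IN=eth0 OUT= MAC=00:50:8d:d7:2c:b6:00:14:6c:0b:1f:de:08:00 SRC=126.96.36.199 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=34795 PROTO=TCP SPT=6936 DPT=43576 WINDOW=0 RES=0x00 ACK RST FIN URGP=0",
]
SAMPLE_NETSTAT = [
    "tcp 0 1 192.168.0.2:49598 188.8.131.52:41945 SYN_SENT 3303/rtorrent",
    "tcp 0 1 192.168.0.2:43576 184.108.40.206:6936 SYN_SENT 3303/rtorrent",
]

if __name__ == "__main__":
    for r in explain(SAMPLE_LOG, SAMPLE_NETSTAT):
        print(f"{r['spt']:>5} -> {r['dpt']:<5} {' '.join(sorted(r['flags'])):<12} "
              f"valid={r['conntrack_valid']!s:<5} {r['socket']}\n      {r['verdict']}")
```

To confirm the classification on a live box rather than from the log, insert `$IPT -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID "` before the RELATED,ESTABLISHED rule in the script; packets that then appear with the INVALID prefix are exactly those the tracker refused, independent of which port they were aimed at.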