- 09-23-2010 #1 (Just Joined!; Join Date: Aug 2010; Location: Amsterdam, The Netherlands; Posts: 33)
[Debian Testing] KTorrent iptable rules
Hi!
My firewall does everything I want from it, except one thing: it doesn't work with KTorrent.
KTorrent is completely numb, the downloads are completely frozen. No stats no nothing.
This is what I've tried:
Code:
# KTorrent
$IPTABLES -A INPUT -p tcp --dport 6881 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 6881 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 4444 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 4444 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 6881 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 6881 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4444 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 4444 -m state --state NEW -j ACCEPT
Below is my complete iptables configuration. The above rules don't match it completely, but they are what I've tried to make it work...
Code:
#!/bin/sh
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
INT_NET=192.168.1.32/28
LO=127.0.0.0/8

#####################################################################
### Flush existing rules and set chain policy setting to DROP ###
#####################################################################
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t filter
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

################################
### KERNEL modifications ###
################################
echo "[+] Setting up KERNEL modifications..."
$MODPROBE ip_conntrack

# Disable IP forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

# Enable IP spoofing protection
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done

# Protect against SYN flood attacks
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#######################
### INPUT chain ###
#######################
echo "[+] Setting up INPUT chain..."

### State tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connections in
### Loopback
$IPTABLES -A INPUT -i lo -s $LO -d $LO -m state --state NEW -j ACCEPT

# SSH
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -m recent --set --name SSH
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --rttl --name SSH -j DROP
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

### Anti-spoofing rules
$IPTABLES -A INPUT -d $INT_NET -j LOG --log-prefix "SPOOFED PACKET "
$IPTABLES -A INPUT -d $INT_NET -j DROP

### Default INPUT LOG rule
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

########################
### OUTPUT chain ###
########################
echo "[+] Setting up OUTPUT chain..."

### State tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connections out
# Loopback
$IPTABLES -A OUTPUT -o lo -s $LO -d $LO -m state --state NEW -j ACCEPT
# SSH
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
# Whois
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
# DNS
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# HTTP
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
# NTP
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
# HTTPS
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
# MSN
$IPTABLES -A OUTPUT -p tcp --dport 1863 --syn -m state --state NEW -j ACCEPT
# RWhois
$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
# Google Talk
$IPTABLES -A OUTPUT -p tcp --dport 5222 --syn -m state --state NEW -j ACCEPT
# KTorrent
$IPTABLES -A OUTPUT -p tcp --dport 6881 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 6881 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4444 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 4444 -m state --state NEW -j ACCEPT
# IRC
#$IPTABLES -A OUTPUT -p tcp --dport 6667 -m state --state NEW -j ACCEPT
# Teamspeak Voice
$IPTABLES -A OUTPUT -p udp --dport 9987 -m state --state NEW -j ACCEPT
# Teamspeak Serverquery
$IPTABLES -A OUTPUT -p tcp --dport 10011 --syn -m state --state NEW -j ACCEPT
# Teamspeak Update Server
#$IPTABLES -A OUTPUT -p udp --dport 17384 -m state --state NEW -j ACCEPT
# Teamspeak Filetransfer
$IPTABLES -A OUTPUT -p tcp --dport 30033 --syn -m state --state NEW -j ACCEPT
# Ping
$IPTABLES -A OUTPUT -s $INT_NET -p icmp --icmp-type echo-request -j ACCEPT

### Default OUTPUT LOG rule
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

#########################
### FORWARD chain ###
#########################
echo "[+] Setting up FORWARD chain..."

### State tracking rules
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### Anti-spoofing rules
$IPTABLES -A FORWARD -d $INT_NET -j LOG --log-prefix "SPOOFED PACKET "
$IPTABLES -A FORWARD -d $INT_NET -j DROP

### Default FORWARD LOG rule
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
- 09-25-2010 #2 (Just Joined!; Join Date: Aug 2010; Location: Amsterdam, The Netherlands; Posts: 33)
Nobody has a clue?
- 09-26-2010 #3 (Just Joined!; Join Date: Aug 2009; Posts: 79)
With Bittorrent your machine is both client and server (so you'll need to allow both --state ESTABLISHED,RELATED as well as --state NEW) for a range of ports. Talking of which Bittorrent uses a port range, IIRC 6881 - 6990, and both UDP and TCP.
A lot of firewall issues can be cleared up if you know what you're looking for. You could adjust your firewall rules wrt the above, use catchall "-j LOG" rules on both eth0 ingress and egress, see what gets blocked and then adjust your firewall rules again. People often forget they can use "-j LOG" rules for troubleshooting purposes.
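Turning that advice into rules for an end host, as an added example that is not from this thread: inbound can stay a fixed --dport whitelist because the client's own listening ports are known, but outbound cannot, since remote peers and trackers listen on arbitrary ports, so the example matches outbound on the owning process's uid with iptables' owner match instead. It assumes KTorrent runs as a user named ktorrent (TORRENT_USER) and defaults IPTABLES to echo so the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not the thread's script. IPTABLES defaults to "echo" so the
# rules are printed for review; set IPTABLES=/sbin/iptables (as root) to apply.
IPTABLES=${IPTABLES:-echo}
TORRENT_USER=${TORRENT_USER:-ktorrent}   # assumption: the account KTorrent runs as
LISTEN_PORTS="6881 4444"                 # the ports set in KTorrent's settings

torrent_rules() {
    # Inbound: peers connect to the client's fixed listening ports, so a
    # --dport whitelist is enough here. On an end host these must come before
    # any rule that drops all traffic addressed to the host itself.
    for port in $LISTEN_PORTS; do
        $IPTABLES -A INPUT -p tcp --dport "$port" --syn -m state --state NEW -j ACCEPT
        $IPTABLES -A INPUT -p udp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Outbound: remote peers and trackers listen on arbitrary ports, so no
    # destination-port list can cover them. Match on the owning process's uid
    # instead and restrict it to unprivileged destination ports.
    $IPTABLES -A OUTPUT -p tcp -m owner --uid-owner "$TORRENT_USER" \
        --dport 1024:65535 --syn -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p udp -m owner --uid-owner "$TORRENT_USER" \
        --dport 1024:65535 -m state --state NEW -j ACCEPT
    # Whatever else that user sends still falls through to the DROP policy;
    # log it rate-limited so the noise cannot flood the kernel log.
    $IPTABLES -A OUTPUT -m owner --uid-owner "$TORRENT_USER" \
        -m limit --limit 10/min -j LOG --log-prefix "DROP TORRENT "
}

torrent_rules
```

Note that in the script posted above, `-A INPUT -d $INT_NET -j DROP` matches every packet addressed to the host itself (192.168.1.33 lies inside 192.168.1.32/28), so on an end host that anti-spoofing rule drops all new inbound connections except the SSH rules placed before it; the INPUT rules here only take effect if they are inserted ahead of it.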
- 09-28-2010 #4 (Just Joined!; Join Date: Aug 2010; Location: Amsterdam, The Netherlands; Posts: 33)
That didn't work. KTorrent uses ports 6881 and 4444 (in the settings), but it also uses a lot of random ports for the trackers, so it's very hard to apply iptables rules to that.
Does anyone have a working configuration with iptables and KTorrent?
- 09-30-2010 #5
I would suggest you start LOGing your dropped/rejected packets to see what the torrent might be looking for and then adjust your firewall accordingly.
- 09-30-2010 #6 (Just Joined!; Join Date: Aug 2010; Location: Amsterdam, The Netherlands; Posts: 33)
As you can see my iptables does log, and when I launch KTorrent all kinds of random ports appear on my screen. So I don't have a clue. KTorrent isn't an unpopular client, so isn't there somebody with a nice configuration out there?
- 09-30-2010 #7 (Just Joined!; Join Date: Aug 2010; Location: Amsterdam, The Netherlands; Posts: 33)
Example log:
These logs only pop up with KTorrent active...
Code:
[11599.944779] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=109.182.118.171 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39593 DF PROTO=TCP SPT=43518 DPT=44021 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.944901] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=109.255.190.184 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41539 DF PROTO=TCP SPT=55150 DPT=37657 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.945026] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=109.65.124.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8258 DF PROTO=TCP SPT=52650 DPT=14942 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.945146] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=110.36.56.119 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8102 DF PROTO=TCP SPT=59933 DPT=61851 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.945276] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=110.93.80.56 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57822 DF PROTO=TCP SPT=50639 DPT=52918 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.945399] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=112.201.128.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49884 DF PROTO=TCP SPT=50949 DPT=54186 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.945518] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=112.202.199.23 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61447 DF PROTO=TCP SPT=39133 DPT=13492 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.945639] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=112.202.93.155 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54592 DF PROTO=TCP SPT=53178 DPT=11058 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.945759] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=113.193.153.230 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36263 DF PROTO=TCP SPT=48404 DPT=12515 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.945879] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=113.53.78.36 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21966 DF PROTO=TCP SPT=38183 DPT=34536 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.945999] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=114.27.22.73 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54348 DF PROTO=TCP SPT=50097 DPT=7038 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.946116] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=114.76.180.170 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25208 DF PROTO=TCP SPT=38966 DPT=35289 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.946233] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=114.76.38.121 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44178 DF PROTO=TCP SPT=41346 DPT=54689 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.946351] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=116.73.45.68 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=19061 DF PROTO=TCP SPT=54263 DPT=22888 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.946471] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=117.196.231.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44116 DF PROTO=TCP SPT=39666 DPT=17568 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.946588] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=117.200.1.62 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57324 DF PROTO=TCP SPT=37630 DPT=47663 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.946708] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=118.137.235.58 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8258 DF PROTO=TCP SPT=55113 DPT=32207 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.946827] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=119.155.32.111 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18843 DF PROTO=TCP SPT=42284 DPT=17312 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.946945] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=120.60.132.68 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12910 DF PROTO=TCP SPT=42152 DPT=34624 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.947064] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=121.120.82.152 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48717 DF PROTO=TCP SPT=59398 DPT=26021 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
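Posts #3 and #5 suggest reading the dropped-packet log to see what the client needs. The following is an added example, not from the thread, that aggregates kernel LOG lines in the format shown above (three copied from this post plus one constructed inbound line) by direction, protocol and SYN flag and counts the distinct destination ports each group hit. A run of outbound TCP SYNs that each land on a different high port is the signature of peer connections being refused by a --dport whitelist in the OUTPUT chain.

```shell
#!/bin/sh
# Added example: triage of iptables LOG lines like those quoted in the thread.
# SAMPLE_LOG: three lines copied from the post above plus one constructed
# inbound UDP line (203.0.113.7 is a documentation address) for contrast.
SAMPLE_LOG='[11599.944779] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=109.182.118.171 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39593 DF PROTO=TCP SPT=43518 DPT=44021 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.944901] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=109.255.190.184 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41539 DF PROTO=TCP SPT=55150 DPT=37657 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11599.945518] DROP IN= OUT=eth0 SRC=192.168.1.33 DST=112.202.199.23 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61447 DF PROTO=TCP SPT=39133 DPT=13492 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002B1B1A0000000001030307)
[11600.100000] DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.33 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=100 DF PROTO=UDP SPT=51413 DPT=6881 LEN=40'

# Read LOG lines on stdin. Group dropped packets by direction (IN=/OUT= set),
# protocol and whether the packet carried the SYN flag (a new outbound TCP
# connection attempt), then report packets, distinct destination ports and
# packets aimed at unprivileged ports (>1023) per group. Many distinct high
# ports under "out TCP SYN" means the OUTPUT chain is refusing connections to
# peers that listen wherever they like, which no fixed --dport list can cover.
summarize_drops() {
    awk '
        /DROP/ {
            dir = "?"; proto = "?"; dpt = ""; syn = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IN=./)        dir = "in"
                else if ($i ~ /^OUT=./)  dir = "out"
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
                else if ($i == "SYN")    syn = "SYN"
            }
            key = dir " " proto " " syn
            pkts[key]++
            if (!((key SUBSEP dpt) in seen)) { seen[key SUBSEP dpt] = 1; ports[key]++ }
            if (dpt + 0 > 1023) high[key]++
        }
        END {
            for (k in pkts)
                printf "%s packets=%d distinct_dpt=%d high_port_pkts=%d\n",
                       k, pkts[k], ports[k], high[k]
        }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On a live system feed it with `dmesg | grep 'DROP ' | summarize_drops` and compare the "out" groups against the OUTPUT chain's ACCEPT rules.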
- 10-02-2010 #8
This firewall is it on an end device or is traffic passing through it?
- 10-03-2010 #9 (Just Joined!; Join Date: Aug 2010; Location: Amsterdam, The Netherlands; Posts: 33)
- 10-11-2010 #10 (Just Joined!; Join Date: Aug 2010; Location: Amsterdam, The Netherlands; Posts: 33)
So no one uses KTorrent and Iptables together? The two pieces of software looked quite popular to me. I'll try mailing lists and the official forum of KTorrent...