Difference between revisions of "Talk:Firewall"

From AMule Project FAQ

Latest revision as of 01:51, 14 April 2008

I think that this page should also contain basic Linksys and Dlink router information since you're also trying to attract windows users. -- Juan 21:28, 27 May 2005 (CEST)

Yap. Fine now, who's gonna provide that info? ;-P

I'll add linksys information soon. Anyone with a DLink router should also contribute.. =) -- Juan 19:41, 28 May 2005 (CEST)

Um. I thought the == before and after a section automatically creates a menu for the page? Am I wrong?

You're not. But only if there are at least four == sections in the article. Otherwise no menu will be created.

I just threw some D-Link info in there, based on what I did on my DI-624 to get aMule to show High ID. I have to admit though that I don't quite get how the Applications page settings relate to the port forwarding in Virtual Servers, unless you do an entry in Virtual Servers for each port in the 4662-4672 range for UDP. Any thoughts? -Sharakan

:-) Thanks for your tips!

The instructions do not work with my Dlink DI-604. When I try and add the Application rule I get a notice saying that there is a conflict with the Virtual Server rule I've just set up. HTH



Cleaning the iptables rules:

I think the basic rules (section 2: IPTables Configuration) are not really good. If you use (as said in the wiki):

iptables -A INPUT -p tcp --dport XX -j ACCEPT

it works, but to my mind the other line:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

does nothing, because the first line accepts packets in all states (NEW, ESTABLISHED, RELATED, UNTRACKED and INVALID). So the first line accepts more than the second (but only for the aMule ports).

I think we could increase the security by using:

iptables -P INPUT DROP

iptables -A INPUT -p tcp --dport XX -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

The first line is the global policy: we drop all. The second line is the strategy for aMule. The third line is the strategy for the other ports.

For aMule, we need the 'ESTABLISHED' and 'RELATED' states to allow the answers to our requests. We need the 'NEW' state to allow the requests of the other p2p clients. If we don't allow 'NEW', we are on low ID. (That's the result of my test.)

Perhaps it's even possible to delete ESTABLISHED or RELATED (only one). It depends on how the answer requests are done. (I don't know. Needs further research.)

Of course, you need to add modified lines if XX+3 or UDP are needed.

I didn't make a direct change on the wiki because I think several persons should test my change to check whether I have made an error.

stephane.

---

I use the following rules (well, iptables 1.2.7a):

iptables -A INPUT -p tcp -m tcp --dport 4662 --tcp-flags SYN,RST,ACK SYN -j ACCEPT

iptables -A INPUT -p udp -m udp --dport 4665 -j ACCEPT

iptables -A INPUT -p udp -m udp --dport 4672 -j ACCEPT

and aMule works great with them. I don't know how much these are the same as yours, stephane. (The policy rule is not included intentionally.)

GonoszTopi


---

My rule for aMule is (iptables v1.2.11):

iptables -A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport 4662 -j ACCEPT

I have disabled the UDP ports in aMule, so I don't need to open them. However, if I had kept them open, I would have these lines too:

iptables -A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport 4665 -j ACCEPT

iptables -A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport 4672 -j ACCEPT

I have tested with 'netstat -taupe' and the clients connected to me use the ESTABLISHED state, so it seems that I could delete the RELATED state (further tests needed). If that's true, my rule becomes:

iptables -A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 4662 -j ACCEPT


Your rules check different things than mine. Perhaps it could be interesting to mix them.

stephane.
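The three rule sets discussed above (the wiki's section-2 rules as quoted by stephane, stephane's DROP-policy proposal, and GonoszTopi's SYN-only rules) differ in which packets they decide, and the talk page leaves part of that to guesswork. The following is an added example, not code from the aMule wiki or from either poster: a small Python model of how netfilter walks the INPUT chain (first matching rule wins, otherwise the chain policy applies) with `-p`, `--dport`, `-m state --state` and `--tcp-flags` matching, so the rule sets can be run against constructed sample packets. The port number 4662 stands in for the page's `XX`, the sample packets and their conntrack states are constructed, not captured, and the `DROP` policy used for the comparison is an assumption (GonoszTopi deliberately did not state his).

```python
# Added example (not from the aMule wiki): a minimal model of netfilter's
# INPUT chain so the rule sets from the talk page can be compared.
# The first matching rule decides the verdict; the chain policy applies otherwise.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

CONNTRACK_STATES = ("NEW", "ESTABLISHED", "RELATED", "INVALID", "UNTRACKED")


@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp" or "udp"
    dport: int
    state: str                            # conntrack state as seen by -m state
    flags: FrozenSet[str] = frozenset()   # TCP flags set on the packet


@dataclass(frozen=True)
class Rule:
    target: str                                    # "ACCEPT" or "DROP"
    proto: Optional[str] = None                    # -p
    dport: Optional[int] = None                    # --dport
    states: Optional[FrozenSet[str]] = None        # -m state --state
    tcp_flags: Optional[Tuple[FrozenSet[str], FrozenSet[str]]] = None  # --tcp-flags mask comp

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        if self.tcp_flags is not None:
            # --tcp-flags mask comp: of the flags in mask, exactly those in comp must be set
            mask, comp = self.tcp_flags
            if pkt.proto != "tcp" or (pkt.flags & mask) != comp:
                return False
        return True


def evaluate(rules: List[Rule], policy: str, pkt: Packet) -> str:
    """Verdict of the INPUT chain: first matching rule wins, else the policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def deciding_rule(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """Index of the rule that decides pkt, or None when the policy decides."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return i
    return None


XX = 4662  # aMule TCP port; the talk page writes it as XX
ES_REL = frozenset({"ESTABLISHED", "RELATED"})
NEW_ES_REL = ES_REL | {"NEW"}

# Section-2 rules as quoted by stephane
WIKI_RULES = [
    Rule("ACCEPT", proto="tcp", dport=XX),
    Rule("ACCEPT", states=ES_REL),
]
# stephane's proposal (to be used with `iptables -P INPUT DROP`)
STEPHANE_RULES = [
    Rule("ACCEPT", proto="tcp", dport=XX, states=NEW_ES_REL),
    Rule("ACCEPT", proto="tcp", states=ES_REL),
]
# GonoszTopi's rules (the policy is intentionally not given on the page)
GONOSZTOPI_RULES = [
    Rule("ACCEPT", proto="tcp", dport=4662,
         tcp_flags=(frozenset({"SYN", "RST", "ACK"}), frozenset({"SYN"}))),
    Rule("ACCEPT", proto="udp", dport=4665),
    Rule("ACCEPT", proto="udp", dport=4672),
]


def second_rule_ever_decides_port(rules: List[Rule], port: int) -> bool:
    """stephane's claim: with the wiki rules, TCP packets to XX never reach rule 2."""
    return any(deciding_rule(rules, Packet("tcp", port, st)) == 1
               for st in CONNTRACK_STATES)


# Constructed sample traffic (not captured data)
SAMPLES: Dict[str, Packet] = {
    "peer NEW syn to amule":   Packet("tcp", XX, "NEW", frozenset({"SYN"})),
    "peer data to amule":      Packet("tcp", XX, "ESTABLISHED", frozenset({"ACK"})),
    "bogus INVALID to amule":  Packet("tcp", XX, "INVALID", frozenset({"ACK"})),
    "NEW syn to ssh":          Packet("tcp", 22, "NEW", frozenset({"SYN"})),
    "tcp reply to our client": Packet("tcp", 40001, "ESTABLISHED", frozenset({"ACK"})),
    "udp reply (e.g. DNS)":    Packet("udp", 40002, "ESTABLISHED"),
}


def verdicts(rules: List[Rule], policy: str) -> Dict[str, str]:
    """Run every sample packet through a rule set under the given policy."""
    return {name: evaluate(rules, policy, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("wiki", WIKI_RULES), ("stephane", STEPHANE_RULES),
                         ("GonoszTopi", GONOSZTOPI_RULES)):
        print(label, verdicts(rules, "DROP"))
    print("wiki rule 2 decides anything on XX:", second_rule_ever_decides_port(WIKI_RULES, XX))
```

Running the model confirms stephane's point: with the wiki's first rule in place, no TCP packet to XX, whatever its conntrack state, ever reaches the ESTABLISHED,RELATED rule, so INVALID packets to that port are accepted, while his proposal drops them. It also makes two things visible that the posts only hint at: stephane's third line is `-p tcp`, so under a DROP policy UDP replies to the host's own clients (DNS, for example) fall through to the policy and are dropped, whereas the wiki's protocol-less rule accepts them; and GonoszTopi's `--tcp-flags SYN,RST,ACK SYN` rule matches only the connection-opening SYN, so every later packet of that connection must be accepted by something else, which is consistent with his remark that the policy rule was left out on purpose.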


AMule High ID from behind a BT Voyager 2100

Anyone know what settings I need to use to get a high ID?

No idea. Just go to NAT configuration or port forwarding configuration and open the appropriate ports. Google for "eMule ports voyager 2100" and you will most likely find something useful. Greets

I'm trying to get HighID and am trying to understand: do I need a static IP?

Should port forwarding redirect to this page?

Thanks - Krop