ipf, ipnat and Bittorrent
Paul
paul at theharbour.eclipse.co.uk
Wed Feb 16 13:04:11 GMT 2005

I am trying to forward bittorrent ports on FreeBSD 5.3 with ipf and ipnat.
But the bittorrent indicator stays yellow, which means it isn't set up
correctly.  Also, I don't get as many connections to peers as I should, and
download speeds are very poor.  My ipnat.rules and ipf.rules files are shown
below:
 
ipnat.rules:
 
#Rules for ipnat
 
#This line says to map outbound traffic to your public IP address
map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
 
#bittorrent
rdr tun0 0/32 port 6881 -> 192.168.0.3 port 6881 tcp/udp
rdr tun0 0/32 port 6882 -> 192.168.0.3 port 6882 tcp/udp
rdr tun0 0/32 port 6883 -> 192.168.0.3 port 6883 tcp/udp
rdr tun0 0/32 port 6884 -> 192.168.0.3 port 6884 tcp/udp
rdr tun0 0/32 port 6885 -> 192.168.0.3 port 6885 tcp/udp
rdr tun0 0/32 port 6886 -> 192.168.0.3 port 6886 tcp/udp
rdr tun0 0/32 port 6887 -> 192.168.0.3 port 6887 tcp/udp
rdr tun0 0/32 port 6888 -> 192.168.0.3 port 6888 tcp/udp
rdr tun0 0/32 port 6889 -> 192.168.0.3 port 6889 tcp/udp
rdr tun0 0/32 port 6890 -> 192.168.0.3 port 6890 tcp/udp
 
ipf.rules:
 
#####################################################################
#
# IP packet filtering rules (firewall)
#
 
# If you change this file, run
#    ipf -Fa -f /etc/ipf.rules
# to update kernel tables
 
# All rules are "quick" so go strictly top to bottom
 
#  Don't bug loopback
#
pass out quick on lo0
pass in quick on lo0
 
#  Don't bother the inside interface either
#
pass out quick on sis0
pass in quick on sis0
 
#####################################################################
#
#  First, we deal with bogus packets.
#
 
#  Block any inherently bad packets coming in from the outside world.
#  These include ICMP redirect packets and IP fragments so short the
#  filtering rules won't be able to examine the whole UDP/TCP header.
#
block in log quick on tun0 proto icmp from any to any icmp-type redir
block in log quick on tun0 proto tcp/udp all with short
 
#  Block any IP spoofing attempts.  (Packets "from" non-routable
#  addresses shouldn't be coming in from the outside).
#
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 127.0.0.0/8    to any
block in quick on tun0 from 172.16.0.0/12  to any
block in quick on tun0 from 10.0.0.0/8     to any
block in quick on tun0 from 0.0.0.0/8      to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 192.0.2.0/24   to any
block in quick on tun0 from 204.152.64.0/23 to any
block in quick on tun0 from 224.0.0.0/3    to any
block in quick on tun0 from 255.255.255.255/32 to any
 
#  Kill all source-routed packets
#
block in quick on tun0 all with opt lsrr
block in quick on tun0 all with opt ssrr
 
#  Don't allow non-routable packets to leave our network
#
block out quick on tun0 from any to 192.168.0.0/16
block out quick on tun0 from any to 127.0.0.0/8
block out quick on tun0 from any to 172.16.0.0/12
block out quick on tun0 from any to 10.0.0.0/8
block out quick on tun0 from any to 0.0.0.0/8
block out quick on tun0 from any to 169.254.0.0/16
block out quick on tun0 from any to 192.0.2.0/24
block out quick on tun0 from any to 204.152.64.0/23
block out quick on tun0 from any to 224.0.0.0/3
block out quick on tun0 from any to 255.255.255.255/32
 
#
#####################################################################
 
 
#####################################################################
#
#  Now the normal filtering rules
#
 
#  ICMP: allow incoming ping and traceroute only
#
pass in quick on tun0 proto icmp from any to any icmp-type echorep
pass in quick on tun0 proto icmp from any to any icmp-type echo
pass in quick on tun0 proto icmp from any to any icmp-type timex
pass in quick on tun0 proto icmp from any to any icmp-type unreach
block in log quick on tun0 proto icmp from any to any
 
#  TCP: Allow various incoming services. Only match
#  SYN packets, and allow the state table to handle the rest of the
#  connection.
#
pass in quick on tun0 proto tcp from any to any port = ssh flags S keep frags keep state
pass in quick on tun0 proto tcp from any to any port = http flags S keep frags keep state
pass in quick on tun0 proto tcp from any to any port = 443 flags S keep frags keep state
pass in quick on tun0 proto tcp from any to any port = ftp keep state
pass in quick on tun0 proto tcp from any to any port = 3306 flags S keep frags keep state
pass in quick on tun0 proto tcp from any to any port 6880 >< 6891 flags S keep state
pass in quick on tun0 proto udp from any to any port 6880 >< 6891 keep state
 
#  Of course we need to allow packets coming in as replies to our
#  connections so we keep state. Strictly speaking, with packets
#  coming from our network we don't have to only match SYN,
#  and it's rather unlikely that there will be any fragments. But
#  what the hell.
#
pass out quick on tun0 proto tcp  from any to any flags S keep frags keep state
pass out quick on tun0 proto udp  from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state
 
#  End of rules. Block everything to all ports, all protocols and return
#  RST (TCP) or ICMP/port-unreachable (UDP). Don't forget to rewrite the
#  source address of the "port unreachable" message, hence -as-dest
#
block return-rst in log quick on tun0 proto tcp from any to any
block return-icmp-as-dest in log quick on tun0 proto udp from any to any
block in quick all
 
#
#  End of file
#
#####################################################################
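As an added illustration (not part of Paul's post): a small Python checker that parses ipnat rdr rules and ipf "pass in" rules in the form shown above and reports every forwarded port that no pass rule admits, which the closing block rule would otherwise drop. It assumes destination-port clauses only and a tiny service-name table in place of /etc/services; the sample rules are constructed from the post, with an extra 8080 forward added so the check has a gap to report.

```python
import re
# Constructed sample from the post's rules, trimmed, plus an 8080 forward with no matching pass rule.
IPNAT_RULES = """\
map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
rdr tun0 0/32 port 6881 -> 192.168.0.3 port 6881 tcp/udp
rdr tun0 0/32 port 6890 -> 192.168.0.3 port 6890 tcp/udp
rdr tun0 0/32 port 8080 -> 192.168.0.3 port 80 tcp
"""
IPF_RULES = """\
pass in quick on tun0 proto tcp from any to any port = ssh flags S keep frags keep state
pass in quick on tun0 proto tcp from any to any port 6880 >< 6891 flags S keep state
pass in quick on tun0 proto udp from any to any port 6880 >< 6891 keep state
block in quick all
"""
SERVICES = {"ssh": 22, "http": 80, "ftp": 21}  # tiny stand-in for /etc/services (assumption)
RDR_RE = re.compile(r"^rdr\s+(\S+)\s+\S+\s+port\s+(\d+)\s+->\s+\S+\s+port\s+\d+\s+(\S+)", re.M)
PASS_RE = re.compile(r"^pass\s+in\b.*?\bon\s+(\S+)\s+proto\s+(\S+)\b.*?\bport\s+(.*?)"
                     r"(?:\s+(?:flags|keep)\b.*)?$")

def _port(tok):
    return int(tok) if tok.isdigit() else SERVICES[tok]

def port_set(expr):
    """Expand an ipf destination-port clause into the set of ports it matches."""
    t = expr.split()
    if len(t) == 3 and t[1] == "><":   # lo >< hi is exclusive: 6880 >< 6891 means 6881..6890
        return set(range(_port(t[0]) + 1, _port(t[2])))
    op, p = t[0], _port(t[1])          # = n, > n, < n, >= n, <= n
    return {"=": {p}, ">": set(range(p + 1, 65536)), "<": set(range(1, p)),
            ">=": set(range(p, 65536)), "<=": set(range(1, p + 1))}[op]

def forwarded_ports(ipnat_text):
    """(iface, proto, external port) per rdr rule; 'tcp/udp' yields one entry per protocol."""
    return [(m.group(1), proto, int(m.group(2)))
            for m in RDR_RE.finditer(ipnat_text) for proto in m.group(3).split("/")]

def passed_ports(ipf_text):
    """(iface, proto) -> ports admitted by 'pass in' rules that carry a port clause."""
    allowed = {}
    for line in ipf_text.splitlines():
        m = PASS_RE.match(line)
        if m:
            for proto in m.group(2).split("/"):
                allowed.setdefault((m.group(1), proto), set()).update(port_set(m.group(3)))
    return allowed

def uncovered_forwards(ipnat_text, ipf_text):
    """Forwards no 'pass in' rule admits: the closing block rule will drop them."""
    allowed = passed_ports(ipf_text)
    return [f for f in forwarded_ports(ipnat_text) if f[2] not in allowed.get(f[:2], set())]
```

IPFilter applies rdr to inbound packets before the filter rules see them, which is why the post's "to any" pass rules still match once the destination has been rewritten to 192.168.0.3.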