ipf, ipnat and Bittorrent
Paul
paul at theharbour.eclipse.co.uk
Wed Feb 16 13:04:11 GMT 2005
I am trying to forward BitTorrent ports on FreeBSD 5.3 with ipf and ipnat.
But the BitTorrent indicator stays yellow, which means it isn't set up
correctly. Also, I don't get as many connections to peers as I should and
download speeds are very poor. My ipnat.rules and ipf.rules files are shown
below:
ipnat.rules:
#Rules for ipnat
#This line says to map outbound traffic to your public IP address
map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
#bittorrent
rdr tun0 0/32 port 6881 -> 192.168.0.3 port 6881 tcp/udp
rdr tun0 0/32 port 6882 -> 192.168.0.3 port 6882 tcp/udp
rdr tun0 0/32 port 6883 -> 192.168.0.3 port 6883 tcp/udp
rdr tun0 0/32 port 6884 -> 192.168.0.3 port 6884 tcp/udp
rdr tun0 0/32 port 6885 -> 192.168.0.3 port 6885 tcp/udp
rdr tun0 0/32 port 6886 -> 192.168.0.3 port 6886 tcp/udp
rdr tun0 0/32 port 6887 -> 192.168.0.3 port 6887 tcp/udp
rdr tun0 0/32 port 6888 -> 192.168.0.3 port 6888 tcp/udp
rdr tun0 0/32 port 6889 -> 192.168.0.3 port 6889 tcp/udp
rdr tun0 0/32 port 6890 -> 192.168.0.3 port 6890 tcp/udp
ipf.rules:
#####################################################################
#
# IP packet filtering rules (firewall)
#
# If you change this file, run
# ipf -Fa -f /etc/ipf.rules
# to update kernel tables
# All rules are "quick" so go strictly top to bottom
# Don't bug loopback
#
pass out quick on lo0
pass in quick on lo0
# Don't bother the inside interface either
#
pass out quick on sis0
pass in quick on sis0
#####################################################################
#
# First, we deal with bogus packets.
#
# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets and IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header.
#
block in log quick on tun0 proto icmp from any to any icmp-type redir
block in log quick on tun0 proto tcp/udp all with short
# Block any IP spoofing attempts. (Packets "from" non-routable
# addresses shouldn't be coming in from the outside).
#
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 0.0.0.0/8 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 192.0.2.0/24 to any
block in quick on tun0 from 204.152.64.0/23 to any
block in quick on tun0 from 224.0.0.0/3 to any
block in quick on tun0 from 255.255.255.255/32 to any
# Kill all source-routed packets
#
block in quick on tun0 all with opt lsrr
block in quick on tun0 all with opt ssrr
# Don't allow non-routable packets to leave our network
#
block out quick on tun0 from any to 192.168.0.0/16
block out quick on tun0 from any to 127.0.0.0/8
block out quick on tun0 from any to 172.16.0.0/12
block out quick on tun0 from any to 10.0.0.0/8
block out quick on tun0 from any to 0.0.0.0/8
block out quick on tun0 from any to 169.254.0.0/16
block out quick on tun0 from any to 192.0.2.0/24
block out quick on tun0 from any to 204.152.64.0/23
block out quick on tun0 from any to 224.0.0.0/3
block out quick on tun0 from any to 255.255.255.255/32
#
#####################################################################
#####################################################################
#
# Now the normal filtering rules
#
# ICMP: allow incoming ping and traceroute only
#
pass in quick on tun0 proto icmp from any to any icmp-type echorep
pass in quick on tun0 proto icmp from any to any icmp-type echo
pass in quick on tun0 proto icmp from any to any icmp-type timex
pass in quick on tun0 proto icmp from any to any icmp-type unreach
block in log quick on tun0 proto icmp from any to any
# TCP: Allow various incoming services. Only match
# SYN packets, and allow the state table to handle the rest of the
# connection.
#
pass in quick on tun0 proto tcp from any to any port = ssh flags S keep frags keep state
pass in quick on tun0 proto tcp from any to any port = http flags S keep frags keep state
pass in quick on tun0 proto tcp from any to any port = 443 flags S keep frags keep state
pass in quick on tun0 proto tcp from any to any port = ftp keep state
pass in quick on tun0 proto tcp from any to any port = 3306 flags S keep frags keep state
# BitTorrent: "6880 >< 6891" matches ports 6881 through 6890 inclusive,
# the same range the rdr rules in ipnat.rules send to 192.168.0.3
pass in quick on tun0 proto tcp from any to any port 6880 >< 6891 flags S keep state
pass in quick on tun0 proto udp from any to any port 6880 >< 6891 keep state
# Of course we need to allow packets coming in as replies to our
# connections so we keep state. Strictly speaking, with packets
# coming from our network we don't have to only match SYN,
# and it's rather unlikely that there will be any fragments. But
# what the hell.
#
pass out quick on tun0 proto tcp from any to any flags S keep frags keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state
# End of rules. Block everything to all ports, all protocols and return
# RST (TCP) or ICMP/port-unreachable (UDP). Don't forget to rewrite the
# source address of the "port unreachable" message, hence -as-dest
#
block return-rst in log quick on tun0 proto tcp from any to any
block return-icmp-as-dest in log quick on tun0 proto udp from any to any
block in quick all
#
# End of file
#
#####################################################################