# aMule, shorewall and a router... :(

## dmvianna

Hi.

I had the kmyfirewall initscript running for some time in my box. I used to be able to run

```
iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
iptables -A INPUT -p udp --dport 4672 -j ACCEPT
iptables -A INPUT -p udp --dport 4675 -j ACCEPT
```

before running aMule to open the ports, and everything worked fine. But I decided to install shorewall in its place. I have the

```
ACCEPT net fw tcp 4662
ACCEPT net fw udp 4672
ACCEPT net fw udp 4675
```

rules and even tried to put

```
ACCEPT fw net tcp 4662
```

... and all the rest too. But I keep getting these logs:

```
root@thinkpad shorewall # /sbin/shorewall show log
Shorewall-2.0.7 Log at thinkpad - Sex Fev  4 22:56:40 EST 2005

Counters reset Fri Feb  4 22:56:15 EST 2005

Feb  4 22:55:44 rfc1918:DROP:IN=eth0 OUT= SRC=81.39.30.23 DST=192.168.0.5 LEN=48 TOS=0x18 PREC=0x00 TTL=109 ID=15820 DF PROTO=TCP SPT=28604 DPT=4662 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  4 22:55:44 rfc1918:DROP:IN=eth0 OUT= SRC=84.100.250.209 DST=192.168.0.5 LEN=48 TOS=0x18 PREC=0x00 TTL=107 ID=45456 DF PROTO=TCP SPT=1962 DPT=4662 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  4 22:56:11 rfc1918:DROP:IN=eth0 OUT= SRC=62.220.129.170 DST=192.168.0.5 LEN=60 TOS=0x18 PREC=0x00 TTL=45 ID=15012 DF PROTO=TCP SPT=40607 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  4 22:56:18 rfc1918:DROP:IN=eth0 OUT= SRC=70.84.28.212 DST=192.168.0.5 LEN=60 TOS=0x18 PREC=0x00 TTL=48 ID=43822 DF PROTO=TCP SPT=51521 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0
...
```

The logs report dropping stuff that goes to port 4662 (tcp), from various external IPs.

What happens to aMule is: I get lowid from servers, but when I'm not connected I can receive connections from other users as normal...

AND nmap says everything's closed but 6001/tcp (for X11).

So how can I make shorewall open those ports for aMule?
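As an added diagnostic (not part of the original post), a small parser for the netfilter lines that `shorewall show log` prints: it pulls the chain name out of the log prefix and checks whether the packet's destination lies in RFC 1918 space, which is the combination the log above shows. The sample lines are constructed from the ones quoted in the post plus one made-up drop from a different chain.

```python
import re
import ipaddress
from collections import Counter

# Networks the norfc1918 interface option treats as non-routable (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the first three lines mirror the 'shorewall show log' output
# quoted in the post; the last one is a made-up drop from another chain.
SAMPLE_LOG = """\
Feb  4 22:55:44 rfc1918:DROP:IN=eth0 OUT= SRC=81.39.30.23 DST=192.168.0.5 LEN=48 TOS=0x18 PREC=0x00 TTL=109 ID=15820 DF PROTO=TCP SPT=28604 DPT=4662 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  4 22:55:44 rfc1918:DROP:IN=eth0 OUT= SRC=84.100.250.209 DST=192.168.0.5 LEN=48 TOS=0x18 PREC=0x00 TTL=107 ID=45456 DF PROTO=TCP SPT=1962 DPT=4662 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  4 22:56:11 rfc1918:DROP:IN=eth0 OUT= SRC=62.220.129.170 DST=192.168.0.5 LEN=60 TOS=0x18 PREC=0x00 TTL=45 ID=15012 DF PROTO=TCP SPT=40607 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  4 22:56:18 net2fw:DROP:IN=eth0 OUT= SRC=70.84.28.212 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=43822 PROTO=UDP SPT=51521 DPT=4672
"""

# "<timestamp> <chain>:<disposition>:<netfilter key=value fields>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<chain>[\w-]+):(?P<action>\w+):(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # OUT= has an empty value; flags like DF/SYN carry none

def parse_line(line):
    """Return a dict of chain, disposition and netfilter fields, or None for non-entry lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"chain": m["chain"], "action": m["action"]}
    rec.update(FIELD_RE.findall(m["fields"]))
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def dst_is_rfc1918(rec):
    """True when the destination is RFC 1918 space, which is exactly what the rfc1918 chain tests."""
    dst = ipaddress.ip_address(rec["DST"])
    return any(dst in net for net in RFC1918)

def summarize(text):
    """Count drops per (chain, protocol, destination port), so the chain that actually
    dropped the traffic sits next to the port the ACCEPT rules were written for."""
    return Counter((r["chain"], r.get("PROTO"), r.get("DPT"))
                   for r in parse_log(text) if r["action"] == "DROP")

if __name__ == "__main__":
    for (chain, proto, dpt), n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d} drops in chain {chain:<8} {proto}/{dpt}")
    # Every sampled drop targets an RFC 1918 destination: an ACCEPT rule for the
    # port is never reached while the rfc1918 chain discards the packet first.
    print(all(dst_is_rfc1918(r) for r in parse_log(SAMPLE_LOG)))
```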

----------

## dmvianna

 :Shocked: 

Just got rid of norfc1918,routefilter,dhcp,tcpflags options in the interfaces file. It worked!!! What does that mean??? Is it safe?

----------

## rbr28

It's the norfc part that did it.  What that does is it blocks routing of any IPs that are not typically routable, such as the 192.168.x.x IP that your machine has.  It's a bit of a security risk to dump that, but a necessary one in your case.  You would never want to remove that norfc option for a machine on the internet, because it should definitely not be getting hit with traffic from non-routable IPs.  

If you were really paranoid, you could configure the firewall to drop all other non-routable IP addresses fairly easily, without using the norfc option.

----------

## dmvianna

How do I do that?   :Embarassed: 

----------

## rbr28

The easiest way I can think of is to use the blacklist.  Add blacklist to the options in your /etc/shorewall/interfaces file.  The file is well documented and you can see what the blacklist option enables.  Then edit the /etc/shorewall/blacklist file.  Again, it's well commented and simple to set up.  

The IPs that norfc1918 would normally block include the following:

```
10.0.0.0        -   10.255.255.255  (10/8 prefix)
172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
```

The first two ranges you can block completely.   If you look at the comments in /etc/shorewall/rules, you can see what syntax you use for specifying the ranges.  You can do exactly as above for the first two, in your blacklist...just put 10.0.0.0/8 and 172.16.0.0/12 in your blacklist file.

The last range you would have to break up, because that includes your IP.    Do something like 192.168.0.0-192.168.0.4 and 192.168.0.6-192.168.255.255.  I say that because your IP in your post was 192.168.0.5.  

You don't need to specify port or protocol in the blacklist, because you would want to block everything from these IPs.

Doing all that would give you the same effect as norfc1918, except for letting your ip pass through the firewall.  If you do all that, make sure too, that you always get the same IP on that machine.  If you are using DHCP from a home router or something, you can usually set a reservation in the router so that you do get the same IP all the time.  If you don't do that, you could get a different 192.168.x.x address when you reboot, and you would have problems again.  

There are other alternatives too, such as leaving a range open in your firewall, that is the same as the IP range used by DHCP on your router.  I'd say that's really a last resort though, if you can reserve the IP with your particular setup.

Also, someone else may have a better idea than using the blacklist.  There are other ways such as just specifying those IP's in the rules file, but you'd get pretty much the same effect.
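An added helper (not from the thread or from Shorewall) that builds the blacklist entries described above for a given host address: the range form suggested in the post, and an equivalent set of plain CIDR blocks computed with `address_exclude()`, which also works where iptables has no iprange match. The host address 192.168.0.5 is taken from the post; the RFC 1918 list is the one quoted above.

```python
import ipaddress

# The three RFC 1918 ranges that the norfc1918 option drops (as listed in the post above).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def blacklist_ranges(own_ip):
    """Range-syntax entries (<low>-<high>): whole ranges for the two networks that do
    not contain the host, and the host's own network split around its address."""
    host = ipaddress.ip_address(own_ip)
    entries = []
    for net in RFC1918:
        first, last = net[0], net[-1]
        if host not in net:
            entries.append(f"{first}-{last}")
            continue
        if host > first:
            entries.append(f"{first}-{host - 1}")
        if host < last:
            entries.append(f"{host + 1}-{last}")
    return entries

def blacklist_cidrs(own_ip):
    """Same coverage as CIDR blocks only, for a Shorewall/iptables without iprange match:
    address_exclude() splits the host's network into the largest blocks that avoid the host."""
    host = ipaddress.ip_network(f"{own_ip}/32")
    blocks = []
    for net in RFC1918:
        if host.subnet_of(net):
            blocks.extend(sorted(net.address_exclude(host)))
        else:
            blocks.append(net)
    return [str(b) for b in blocks]

def covers(cidr_entries, ip):
    """True if any CIDR entry contains ip; used to confirm the host itself stays unblocked."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e) for e in cidr_entries)

def render_blacklist(entries):
    """Lines for /etc/shorewall/blacklist: address column only, no protocol or ports,
    because everything from these addresses is to be dropped."""
    return "#ADDRESS/SUBNET\n" + "\n".join(entries) + "\n"

if __name__ == "__main__":
    print(render_blacklist(blacklist_ranges("192.168.0.5")))
    print(render_blacklist(blacklist_cidrs("192.168.0.5")))
```

The CIDR form needs 18 entries instead of 4 because a single excluded address splits 192.168.0.0/16 into one block per prefix length from /17 to /32.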

----------

## dmvianna

Thanks, rbr28.

Completely blocking subnets works, but I can't find a syntax that would work for ranges within subnets.

I can't find anything like it in http://shorewall.net/Documentation.htm#Blacklist either. Can shorewall do that?

----------

## rbr28

The text below is from the Shorewall documentation:

Beginning with Shorewall 2.2.0, if your kernel and iptables have iprange match support, you may use IP address ranges in Shorewall configuration file entries; IP address ranges have the syntax <low IP address>-<high IP address>. Example: 192.168.1.5-192.168.1.12.

To see if your kernel and iptables have the required support, use the shorewall check command:

```
>~ shorewall check
...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Not available
   Policy Match: Available
   Physdev Match: Available
   IP range Match: Available <--------------
```

----------

## dmvianna

```
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Verifying Configuration...
```

I use shorewall 2.0.7 and iptables 1.2.9, kernel 2.6.9. My kernel was compiled with IP range match support. Shorewall also reported that it does not support the 'check' command.

----------

## infirit

I would like to share my shorewall rules on my linksys router running openwrt   :Cool:  for amule. I have set up rules that forward connections on emule ports tcp 4663 and udp 4673 to my workstation. Hope it is useful for someone   :Wink: 

```
DNAT     net             loc:192.168.1.127            tcp     4663 #muleTCP
DNAT     net             loc:192.168.1.127            udp     4673 #muleUDP
ACCEPT   loc             net                          tcp     4663 #muleTCP
ACCEPT   loc             net                          udp     4673 #muleUDP
```

----------

