# getting KDE Connect to work with IPTables [solved]

## hunky

So I know mostly nothing about iptables but just got it going - and noticed it blocks kdeconnect (as one would expect I guess).

I found these rules somewhere to get me started until at least I learn a bit more about it (not really wanting to learn but will so I don't have to bother you guys):

```
#!/bin/bash

iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset

ip6tables -F
ip6tables -X
ip6tables -Z
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -p udp -m conntrack --ctstate NEW -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
```

Kdeconnect uses ports 1714:1764 apparently on tcp and udp. So in googling I found these two lines that I added to the above file and put them just above where the ip6tables -F lines start:

```
#added by jim - kdeconnect ports
iptables -A INPUT -i enp2s0 -m iprange --src-range 192.168.1.1-192.168.1.254 -p tcp --match multiport --dports 1714:1764 -j ACCEPT
iptables -A INPUT -i enp2s0 -m iprange --src-range 192.168.1.1-192.168.1.254 -p udp --match multiport --dports 1714:1764 -j ACCEPT
```

With that, in calling the file, I get this error:

```
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
```

So something is wrong. Thinking I could simplify it somehow - not sure if it is choking on my net interface enp2s0 since most examples seem to use eth0 or similar.  Ip range could perhaps be 192.168.1.0/24 or whatever syntax.. but not sure how to write it. Or perhaps I have a misconfigured kernel?

Help would be appreciated. Otherwise I just stop iptables and this file (named firewall.sh) and connect my phone with kdeconnect.. but .. hassle.

thx, JD

Last edited by hunky on Sat Feb 11, 2017 8:34 pm; edited 1 time in total

----------

## Hu

That error usually means that one or more of the features you tried to use is not available in the current kernel.  Since that line looks overly specified for what you want, you may be able to make it work by reducing the features used, rather than by changing the kernel.

You are correct that the use of --src-range is an unnecessary complication here.  You could switch to using a /24 with functionally the same effect.  You are correct that this rule matches only traffic on interface enp2s0.  If that is not the name of your interface, it will not match any traffic.

Using such a wide range of ports is a bit unusual.  I hope that means only that all those are possibilities that might happen depending on configuration, not that all of them are likely to occur over repeated uses in the same configuration.  However, the obvious citation for this says exactly what you wrote.  The expedient low security solution would be to declare that anything on the LAN segment is trusted and remove the multiport qualifier.  If you do not want to do this (perhaps because there are services on the system that even LAN peers should not access), you need either to get multiport to work or you need to get KDEConnect to be more predictable.  For multiport, you need CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y (or =m and loaded) in your kernel.  If this is not sufficient to resolve your problem, please post the output of zgrep -e _NF_ -e NETFILTER /proc/config.gz.

----------

## hunky

Many thanks Hu for the helpful reply.

I was about to give it up and so I installed ufw as I found examples on that for kdeconnect. It has a check-requirements script that did point to some kernel problems and some googling led me to fixes that let that script pass successfully. The one you mentioned was definitely one of them. However, trying my iptables script above still produced those errors. So before enabling ufw, I simplified those rules to this (enp2s0 is my interface name but not needed):

```
iptables -A INPUT -s 192.168.1.0/24 -p tcp --match multiport --dports 1714:1764 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp --match multiport --dports 1714:1764 -j ACCEPT
```

And that works fine. KDE Connect works fine with that.

As far as the range of ports seeming excessive, I agree. But I'm busy enough with non-computer stuff that I don't want to dive too deep into that. My LAN is just myself and my wife at home (she's on Mac), so I don't think there are threats within the LAN, so perhaps the rules above are ok.

I did take a look at that last command you gave:

```
zgrep -e _NF_ -e NETFILTER /proc/config.gz
gzip: /proc/config.gz: No such file or directory
```

If that indicates another problem perhaps you could help with that. Otherwise, I could mark this solved.

[edit] I went ahead and found the proc - config.gz in the kernel and set it so it works now.

----------

## Hu

To elaborate on my point about LAN security: though the only humans authorized to use the LAN are you and your wife, it is increasingly common to buy "smart" devices that connect to the LAN (televisions are a major offender).  These devices typically have atrocious security and, if compromised, could be used as a springboard to attack the LAN.  If you have such a device, you might want to place it on a separate subnet or change the source rules so that only the specific devices you trust not to get compromised can match.

----------

## hunky

Thanks again Hu. I had that nagging notion about this. Good ideas. I suppose since my computer is the only one using kdeconnect I could specify just my ip address rather than the whole network. I assume that would work. Otherwise I'll have to do some googling on getting my particular router to do subnets.   /jim
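Added example, not part of anyone's post in this thread: a small shell helper that ties together the three points raised above. It checks a kernel config for the netfilter options behind the matches used in hunky's rules (Hu named CONFIG_NETFILTER_XT_MATCH_MULTIPORT; the other option names are my own mapping), falls back to /boot/config-$(uname -r) when /proc/config.gz is absent as in hunky's second post, and emits the simplified KDE Connect rules for one trusted source, so the source can be a single host as hunky suggests rather than the whole /24. The host 192.168.1.10 is a constructed sample value.

```shell
#!/bin/sh
# Kernel options behind the matches used in the rules above (my mapping;
# MULTIPORT is the one Hu named, the rest are assumptions for this example).
REQUIRED_OPTIONS="
CONFIG_NETFILTER_XT_MATCH_CONNTRACK
CONFIG_NETFILTER_XT_MATCH_MULTIPORT
CONFIG_NETFILTER_XT_MATCH_IPRANGE
CONFIG_IP_NF_TARGET_REJECT
"

# read_config FILE: print a kernel config as plain text (gzipped or not).
read_config() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# find_config: locate the running kernel's config; prints nothing if none is
# readable (e.g. CONFIG_IKCONFIG_PROC unset and no /boot/config-* installed).
find_config() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    fi
}

# missing_options FILE: print every required option that is neither =y nor =m,
# i.e. each match that would produce "No chain/target/match by that name".
missing_options() {
    cfg=$(read_config "$1")
    for opt in $REQUIRED_OPTIONS; do
        printf '%s\n' "$cfg" | grep -Eq "^${opt}=[ym]$" || echo "$opt"
    done
}

# kdeconnect_rules SRC: print the two INPUT rules for one trusted source,
# a single host (192.168.1.10/32) or a subnet (192.168.1.0/24).
kdeconnect_rules() {
    for proto in tcp udp; do
        echo "iptables -A INPUT -s $1 -p $proto -m multiport --dports 1714:1764 -j ACCEPT"
    done
}

cfg_file=$(find_config)
if [ -n "$cfg_file" ]; then
    missing=$(missing_options "$cfg_file")
    [ -z "$missing" ] && echo "ok: $cfg_file has all options" || echo "missing in $cfg_file: $missing"
else
    echo "no kernel config found; enable CONFIG_IKCONFIG_PROC or use /boot/config-$(uname -r)"
fi
kdeconnect_rules 192.168.1.10/32   # constructed sample host
```

Run the check before loading firewall.sh; any option it lists explains the "No chain/target/match by that name" error for the rule that uses it.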

----------

