# iTunes college subnet sharing + ANY firewall = no go

## mpeg4v3

After trying any firewall I could think of (iptables, shorewall, FreeBSD 5.3, m0n0wall 1.2b3, 1.2b5), I still can't get this working. 

NEW POST:

For people that need a bit more clear of a picture:

```
~~College Dorm Subnet~~ ----> |Gentoo Router/Firewall| ----> ~~Local Network Subnet~~
```

I'm trying to get iTunes shares from the college subnet to show up in the local network subnet.

iTunes broadcasts rendezvous communication to multicast IP address 224.0.0.251, port 5353, then, once communication is initiated, connections are made via port 3689. I can't get it to forward successfully. Any help would be GREATLY appreciated as I am at a complete and utter loss as to what I can do to get this working successfully.

ORIGINAL POST:

I'm currently in a dorm, and as such I'm on one big network. I can see about 40 people on my iTunes shared list at any given time.

However, I want to make my own network behind my own custom shorewall/iptables-based firewall/router. I've got it all setup, except for one little thing: I can't get iTunes sharing to work!

Now, I've gotten it working before with m0n0wall, such that I could see the 40 or so people that are sharing their music through that firewall, however, no matter what rule combinations I try, I can't get it to forward correctly.

Ports used:

tcp 3689 (for iTunes sharing)

udp 5353 sent to multicast address 224.0.0.251 (for Rendezvous, so iTunes clients can communicate)

The iTunes sharing portion of my shorewall config:

```
#ACTION SOURCE          DEST            PROTO   DEST    SOURCE
#                                               PORT(S) PORT(S)
ACCEPT  net             all             tcp     -       3689
ACCEPT  net             all             udp     -       3689
ACCEPT  net             all             udp     5353
ACCEPT  net             all             tcp     5353
ACCEPT  net             all             udp     -       5353
ACCEPT  net             all             tcp     -       5353
ACCEPT  net             fw:224.0.0.0/4
ACCEPT  net             fw:224.0.0.0/4  udp     5353
ACCEPT  net             loc:224.0.0.0/4
ACCEPT  net             loc:224.0.0.0/4 udp     5353
ACCEPT  fw              loc:224.0.0.0/4
ACCEPT  fw              loc:224.0.0.0/4 udp     5353
```

Yes, there's a lot of rules, and some are redundant. Right now I don't care about security, efficiency, or redundancy as much as I care about getting this working. For all intents and purposes, it seems like it should work.

Now, I believe the problem is the multicast broadcast iTunes sends out on port 5353. Seeing as how it is multicast, the router isn't supposed to forward it. But I thought I had configured this to allow these multicast broadcasts... but it still doesn't work.

Does anyone have any ideas? I don't want to go back to m0n0wall (for my own reasons), but I will if I have to.

Last edited by mpeg4v3 on Tue Mar 01, 2005 1:54 am; edited 2 times in total

----------

## mpeg4v3

I've spent a good 5 hours or so just trying to get this damned thing to work, and still no success. It seems like every single possible combination I put into shorewall or my own iptables file just doesn't work. 

Has anyone gotten any sort of iTunes forwarding working before?

----------

## mpeg4v3

Umm, anyone?

----------

## mpeg4v3

this'll be my last bump

as usual, seemingly no one on the entire internet has my problem. I can google for hours upon end and come up with nothing that for sure fixes my problems.

----------

## j-m

OK, the advice is really simple. Learn iptables and forget about shorewall. Most firewall-related problems other people have encountered on similar forums are caused by shorewall or other similar "semi-intelligent" netfilter front-ends.


----------

## rbr28

Shorewall is one solid product and if a user can't get that working, I certainly wouldn't suggest they learn Iptables instead.  The whole idea of the iptables front ends is to simplify things, and they do that very well.   I've used shorewall for years in an enterprise environment and at home, and never had problems.

As for your problem, your rules seem overly complex.  How did you begin to setup shorewall?  First make sure you have the latest version, 2.2.x.  You might have to get it from the unstable tree.

Second, get the sample configuration files from shorewall.net.  If you go into the documentation and look at the quickstart guide, you can find the link to the one-interface sample files.  Start with those basic config files they provide you with.  Then restart your firewall and try to share files.  It will obviously fail.  Check your logs to see what shorewall is blocking.  Typically I use metalog and sort all my shorewall stuff into a different log, to make this kind of thing easier.  If you watch your logs when you do stuff, it should make it very obvious what is being blocked and what you need to open up.  

If you have trouble, it often helps to start simple.  For example, you have ip addresses restricted for a particular zone.  Don't do that to start.   Just open those ports up to all IP's first and get that working, then narrow it down.

----------

## mpeg4v3

Don't let the rules I posted mislead you. I have tried forwarding to all IPs. I've tried it with a plain iptables script and with shorewall setups. I've tried forwarding ports 3689 and 5353 to all IPs, one specific IP, a range of IPs... I've tried forwarding the multicast address 224.0.0.251 to the same various IPs, I've tried ACCEPT, I've tried DNAT, I've tried everything I can think of. Every time, nothing.

An interesting tidbit, though, is that if I run tcpdump on my powerbook with iTunes open, it'll show, of course, its own DAAP info. However, if I leave that running and run mDNSBrowse _daap._tcp on my firewall, my fw will show all of the 40 or so people's DAAP responses... but the interesting thing is, on my powerbook behind the firewall, tcpdump will list a few of the mdns entries, but iTunes won't pick anything up, and it ONLY happens when I run mDNSBrowse on the firewall.

I'm completely at a loss. I don't know how to just simply get the damned thing forwarded, and trust me, I've tried pretty much every combination I can think of.

----------

## rbr28

You need to simplify things.  Opening things up in your firewall should never be a very difficult task.  Set up your rules so that everything is open.  You should just have one outgoing and one incoming rule allowing everything.  Then see if it works.  If it still doesn't work, then it's one of the options in your interfaces file.  If it still does not work after setting your rules to allow everything, post your log output, and post your /etc/shorewall/interfaces file and zone file too.

----------

## mattjgalloway

Thanks for the help I got from this post!

I simply opened up TCP port 3689 and UDP port 5353. My iptables commands are:

```
iptables -t filter -A INPUT --protocol tcp --destination-port 3689 -j ACCEPT
iptables -t filter -A INPUT --protocol udp --destination-port 5353 -j ACCEPT
```

I use kmyfirewall btw.

----------

## mpeg4v3

My script at the most basic, what I started with:

```
#!/bin/sh

IPT='/sbin/iptables'

# Set Interface Values
EXTIF='bond0'
INTIF='eth1'

# Enable IP Forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush rules and delete chains
$IPT -F
$IPT -X

# Log Accept/Drop/Reject
$IPT -N ACCEPT1 2> /dev/null
$IPT -A ACCEPT1 -j LOG --log-prefix 'ACCEPT1:'
$IPT -A ACCEPT1 -j ACCEPT
$IPT -N DROP1 2> /dev/null
$IPT -A DROP1 -j LOG --log-prefix 'DROP1:'
$IPT -A DROP1 -j DROP
$IPT -N REJECT1 2> /dev/null
$IPT -A REJECT1 -j LOG --log-prefix 'REJECT1:'
$IPT -A REJECT1 -j REJECT

# Enable masquerading to allow LAN internet access
$IPT -t nat -A POSTROUTING -o $EXTIF -s 192.168.0.0/24 -j MASQUERADE

# Forward LAN traffic from $INTIF to the Internet on $EXTIF
$IPT -A FORWARD -i $INTIF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $INTIF -m state --state NEW,ESTABLISHED -j ACCEPT

# SSH Server allow
$IPT -A INPUT -i $EXTIF --protocol tcp --dport 22 -j ACCEPT

# iTunes allow
$IPT -A FORWARD -p tcp --dport 3689 -j ACCEPT1
$IPT -A FORWARD -p udp --dport 5353 -j ACCEPT1

# Block out all other Internet access on $EXTIF
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```

I've tried everything I can think of for the iTunes section. As it is there, nothing, at all, shows up in logs. However, if I change the iTunes 5353 rule to -A INPUT, it will log the packets... but they still won't go to my internal network.

I've tried plenty of other scripts as well. I've tried shorewall, I've tried every permutation I can think of. I know I'm missing something but I just can't see what it is.

----------

## mpeg4v3

does anyone have any advice for how I can modify that simple script to work? I just simply can't get it working.

----------

## mpeg4v3

last bump I make... can anyone offer any advice? It would be greatly appreciated.

----------

## mpeg4v3

bump because after three weeks I've tried Gentoo, FreeBSD 5.3, and m0n0wall 1.2b3 & 1.2b5 and I still can't get iTunes shares to show up on the firewall'd subnet.

For people that need a bit more clear of a picture:

```
~~College Dorm Subnet~~ ----> |Gentoo Router/Firewall| ----> ~~Local Network Subnet~~
```

I'm trying to get iTunes shares from the college subnet to show up in the local network subnet.

iTunes broadcasts rendezvous communication to multicast IP address 224.0.0.251, port 5353, then, once communication is initiated, connections are made via port 3689. I can't get it to forward successfully.

----------

## yonosoytu

The problem with your approach is that you forget one thing: Rendezvous/Bonjour communication starts with a TTL (time-to-live) of 1, so any router will decrement this value and drop the packet without forwarding or routing it.

You will have to play with the TTL target of IPTables (not in standard IPTables, though) to re-increment the TTL of the Rendezvous/Bonjour packets back to 1.

I've heard that the new mDNSResponder (the one that comes with Mac OS X 10.4) will work across subnets, but I don't know how yet.

Anyway, if you can't make IPTables work you can try with this mDNS reflector, which I can say works, but I didn't like the idea of having a daemon running and I gave up (I haven't tried the IPTables way because my Debian install doesn't come with that patch applied).
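The reflector approach yonosoytu mentions, as an added Python example that is not from this thread or from any project named in it: it joins 224.0.0.251:5353 on both router interfaces and re-emits only packets that mention _daap._tcp.local, so the dorm side learns nothing else about the inner LAN. The subnets and router addresses in the last line are assumptions; TCP 3689 still has to be forwarded by the firewall, as the FORWARD rule in the script above does.

```python
import ipaddress, socket, struct
MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
ALLOWED = ("_daap._tcp.local",)   # only iTunes-sharing records may cross the boundary

def read_name(pkt, off):          # DNS name at `off`, following compression pointers -> (name, next offset)
    labels, end = [], None
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:      # pointer to a name earlier in the packet; remember where we left off
            end = off + 2 if end is None else end
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
        elif n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(pkt[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n

def mdns_names(pkt):              # owner names of every question and resource record in the message
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off, names = 12, []
    for i in range(qd + an + ns + ar):
        name, off = read_name(pkt, off)
        names.append(name)        # question: QTYPE+QCLASS; record: TYPE,CLASS,TTL,RDLENGTH then RDATA
        off += 4 if i < qd else 10 + struct.unpack("!H", pkt[off + 8:off + 10])[0]
    return names

def should_reflect(pkt, allowed=ALLOWED):   # malformed packets are dropped rather than reflected
    try:
        return any(n == s or n.endswith("." + s) for n in mdns_names(pkt) for s in allowed)
    except (IndexError, struct.error):
        return False

def reflect(sides):               # sides = {subnet: router address on that subnet}
    # mDNS leaves hosts with TTL 1, so a router never forwards it: re-send allowed packets
    # on the other subnet from the router's own address (multicast TTL defaults to 1 again).
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", MDNS_PORT))
    for addr in sides.values():   # join the group on both interfaces
        s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, socket.inet_aton(MDNS_GROUP) + socket.inet_aton(addr))
    while True:
        pkt, (src, _) = s.recvfrom(9000)
        if src in sides.values() or not should_reflect(pkt):   # our own loopback copy, or not iTunes
            continue
        for net, addr in sides.items():
            if ipaddress.ip_address(src) not in net:           # emit on the *other* side only
                s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(addr))
                s.sendto(pkt, (MDNS_GROUP, MDNS_PORT))

if __name__ == "__main__":        # assumed router addresses: dorm side (bond0) and LAN side (eth1)
    reflect({ipaddress.ip_network("10.0.0.0/16"): "10.0.1.2", ipaddress.ip_network("192.168.0.0/24"): "192.168.0.1"})
```

Run it on the router as root with the tcp/3689 FORWARD rule still in place; should_reflect is where you tighten what is allowed to cross.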

----------

