# BitTorrent issues / NAT forwarding problems in Shorewall

## Murel

I'm trying to configure my firewall to work with BitTorrent. Right now I'm just using btdownloadgui.py with the original bittorrent...I'm going to mess with azureus after I'm sure this works, because right now azureus takes about 3 minutes to start up and I think it's having issues with my firewall.

When I start btdownloadgui.py and open a torrent, it just hangs and doesn't download anything. I've tried five or so different torrents with the same results. 

I'm using shorewall and the generic "one machine" firewall that comes from the shorewall site. I can browse the web, check email etc with this configuration. I understand I'll have to add something (suggestions?) to allow for new incoming requests, but I don't understand why it's not even letting me send out to request new connections. Here are my shorewall files:

zones:

 *Quote:*   

> #ZONE	TYPE	OPTIONS			IN			OUT
> 
> #					OPTIONS			OPTIONS\
> 
> fw	firewall
> ...


rules (I added the last line for BitTorrent):

 *Quote:*   

> # Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
> 
> DropPing	net		$FW
> 
> # Permit all ICMP traffic FROM the firewall TO the net zone
> ...


policy:

 *Quote:*   

> #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
> 
> $FW		net		ACCEPT
> 
> net		all		DROP		info
> ...


I know this sort of question has been covered a lot, but honestly I'm a network idiot and nothing is working. The intention of the line in rules is to say "Allow all traffic on ports 6881:6999", but I don't think that's what I'm saying.

I've tried adding various DNAT lines, with little understanding and in desperation, copied from various websites but I always get errors when I restart shorewall. I do have a router but as far as I know the router doesn't do anything but forward requests to my computer, nothing else.

Any ideas at all?

edit: I was reading more about this here: http://dessent.net/btfaq/#ports. I went to the link mentioned

 *Quote:*   

> BitTorrent will usually work fine in a NAT (network address translation) environment, since it can function with only outbound connections. Such environments generally include all situations where multiple computers share one publicly-visible IP address, most commonly: computers on a home network sharing a cable or xDSL connection. If you are unsure of whether you have NAT or not, then try this link which will try to determine if you are behind a NAT gateway.


and discovered that I am using NAT (because of my router I'm sure). But regardless it says that BitTorrent should be able to work with only outbound connections, which I believe describes my situation perfectly. So I really don't understand why it's not working.

Last edited by Murel on Sun Nov 13, 2005 11:07 pm; edited 1 time in total

----------

## JPMRaptor

I've never used shorewall so I may be way off, but should

 *Quote:*   

> ACCEPT fw net tcp 6969,6881:6999
> 
> ACCEPT net fw tcp 6969,6881:6999 


actually be

 *Quote:*   

> ACCEPT $FW net tcp 6969,6881:6999
> 
> ACCEPT net $FW tcp 6969,6881:6999 


I say that because in everything else you posted it is "$FW" instead of just "fw".

----------

## Murel

I think they're the same thing. I just confirmed this by changing fw to $FW and restarting shorewall. It gives the same messages when it processes the rules file as it does with fw.

----------

## Murel

I don't think it's the firewall. I just took shorewall out of rc-update and rebooted, and I had the same problem.

However I did get some different torrents and try those, and those are downloading albeit super slowly. I even restarted shorewall, and it's still downloading. So now the questions to get through are

1) how to get bittorrent to work with nat

2) why is azureus so dog slow on bootup

edit: I'm trying to get the NAT set up. I add the following to rules (numbers of course instead of bracketed things):

DNAT net loc:<my local ip> tcp 6969

DNAT net loc:<my local ip> tcp 6881:6889

when I restarted shorewall I get

"Error: Undefined Server Zone in rule "DNAT net loc:<my local ip> tcp 6969""

and then the shorewall startup aborts. 

I think the problem is that it doesn't like the "loc:" statement. I'm not sure why though. I got the phrasing of it from various websites and even checked it against the documentation on the shorewall site. Maybe it's because I'm using the single machine configuration from shorewall? I don't know.

edit 2: I figured the NAT stuff out. I had to configure something in my router to forward stuff to my computer. Now I'm trying to get Azureus to work and it's giving me permissions denied problems when I run it as non-root and I start to download a torrent. Investigating...

edit 3: /sigh...NAT works when my firewall is off. When I turn the firewall on it chokes. Plus I still don't know about the permissions thing. 

If anyone has any ideas please let me know. But this has totally not been worth the 7 hours I've put into this today, so now it's way low priority.

----------

## hyperlite100

Have you tried firestarter as a firewall?

----------

## davidblewett

Is the firewall separate from the machine that is opening BitTorrent? If so, you need to use DNAT. I have an old machine as the firewall for my home network, and this is what I have:

```
#nano -w /etc/shorewall/rules
DNAT            net             loc:192.168.0.245       tcp     6881:6890,6894:6999
DNAT            net             loc:192.168.0.245       udp     6881:6990,6894:6999
```

Basically telling the firewall to transfer any connection attempts from the outside internet to the IP inside, for the port ranges listed.
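As an added sanity check (my own code, not Shorewall's and not from any post in this thread), here is a small validator run over constructed copies of a zones file and the rules above: with the one-interface zones file (no `loc` zone) it reports the same "undefined zone" condition Murel hit, and it also flags port specs whose ranges overlap. It assumes the default firewall zone name `fw` for `$FW`.

```python
import re

# Constructed sample inputs modelled on this thread (not real config files):
# the one-interface zones file has no "loc" zone, the two-interface one does.
ZONES_ONE_INTERFACE = "fw      firewall\nnet     ipv4\n"
ZONES_TWO_INTERFACE = ZONES_ONE_INTERFACE + "loc     ipv4\n"
RULES = """\
DNAT     net   loc:192.168.0.245   tcp   6881:6890,6894:6999
DNAT     net   loc:192.168.0.245   udp   6881:6990,6894:6999
ACCEPT   $FW   net                 tcp   6969,6881:6999
"""

def parse_zones(text):
    """Zone names defined in a shorewall zones file (first column of each non-comment line)."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return {fields[0] for fields in rows if fields}

def parse_ports(spec):
    """'6881:6890,6894:6999' -> [(6881, 6890), (6894, 6999)]; ValueError on bad syntax."""
    ranges = []
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?::(\d+))?", part)
        lo, hi = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (0, 0)
        if not 0 < lo <= hi <= 65535:
            raise ValueError("bad port spec %r" % part)
        ranges.append((lo, hi))
    return sorted(ranges)

def check_rules(rules_text, zones):
    """Return problem strings for a rules file; an empty list means it looks sane."""
    problems = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        for zone in fields[1:3]:                     # SOURCE and DEST columns
            name = zone.split(":", 1)[0]             # strip ":address" qualifiers
            name = "fw" if name == "$FW" else name   # assumes the default firewall zone name
            if name != "all" and name not in zones:
                problems.append("line %d: undefined zone %r" % (n, name))
        if len(fields) > 4 and fields[4] != "-":     # PORT column, "-" means empty
            try:
                r = parse_ports(fields[4])
                if any(b[0] <= a[1] for a, b in zip(r, r[1:])):
                    problems.append("line %d: overlapping port ranges %s" % (n, fields[4]))
            except ValueError as e:
                problems.append("line %d: %s" % (n, e))
    return problems
```

Run against the two-interface zones the only findings are the overlapping ranges (the udp line's 6881:6990 already covers 6894 upward, and 6969 is already inside 6881:6999).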

----------

## cfd

I have the same setup that davidblewett has. I have the same lines in my shorewall rules. My BitTorrent applications still fail to seed properly (if that is the correct term) due to NAT failures. The only other guess I have as to why is from the shorewall FAQ.

 *Quote:*   

> You have a more basic problem with your local system (the one that you are trying to forward to) such as an incorrect default gateway (it should be set to the IP address of your firewall's internal interface).
> 
> (http://www.shorewall.net/FAQ.htm#faq1a)


I don't know how to test that the gateway for the destination computer is set correctly. I can only assume it is b/c all other NATed traffic works fine.

Here is a recent post with a bit more detail of my issue (https://forums.gentoo.org/viewtopic-t-407197-start-0-postdays-0-postorder-asc-highlight-.html).

I really am losing my mind on this one.
