Gnutella (BearShare) behind a Linux firewall
10MR01, J.R. Buchanan
A while back, I tried Gnutella (as well as Newtella and BearShare, I presume that Gnotella, ToadNode, and LimeWire would be similar) on a machine behind a Linux ipchains firewall which also does IP Masquerading.
It did not work. I could initiate connections, but got no search results back. I checked with what was then still called DejaNews (it's Google as I write this) and found no help. A little research of my own showed that the problem occurred when the remote peer tried to connect back on port 6346. It could not, for two reasons. First, even though I was allowing all outgoing connections, that port was blocked by my firewall when the other peer tried to connect in. Second, the local peer was not running on the firewall machine; it was on a Windows machine hidden behind the IP Masquerading that the firewall machine was doing. Solving the first problem should be obvious to anyone who has successfully set up an ipchains firewall. The second is simple as well, but less obvious, so I'll document it here.
To make a service reachable on a machine that is hidden behind a Linux firewall doing IP Masquerading, you use a feature called "Port Forwarding". When port forwarding is enabled, any connection attempts made to a forwarded port on the external interface of your firewall machine are redirected to the specified IP address (and port) on your local network.
The first thing that you have to do is make sure that port forwarding is compiled into your kernel.
It looks like you can tell whether you already have port forwarding enabled by checking for this file:

    jbuchana@grimalkin$ ls -l /proc/net/ip_masq/portfw
    -r--r--r-- 1 root root 0 Mar 10 19:41 /proc/net/ip_masq/portfw
    jbuchana@grimalkin$
On my firewall, this file was not present; I already knew that port forwarding was not included in the kernel I had compiled a few months earlier. I recompiled and included it. I did not try it as a module; I compiled it directly into the kernel.
BTW, port forwarding is marked "Experimental" in my 2.2.15 kernel source; it works just fine though.
There is more information on port forwarding at http://www.monmouth.demon.co.uk/ipsubs/portforwarding.html
NOTE: 4 years later, this link is dead; don't you sometimes hate the WWW? OTOH, you shouldn't be using ipchains and a 2.2 kernel anymore as I update this in August 2005. I mostly leave this article here for historical reasons.
Once you have port forwarding compiled in, you enable it with the "ipmasqadm" command. This was already present on my machine; based on some articles I found with DejaGoogle, you might have to download and install/compile it on some distributions. There are download pointers at the above port forwarding URL.
At this point you are ready to add the forwarding command to the end of your firewall script. Here is the line I use:
    ipmasqadm portfw -a -P tcp -L $LOCAL_IP 6346 -R 192.168.0.4 6346

Obviously, the Windows machine with BearShare on it is at IP 192.168.0.4, and $LOCAL_IP is the IP address of the firewall's external interface.
At this point, BearShare and Newtella worked for me. I have not gone back and tried any of the others; they should probably work as well.
Don't forget to open up port 6346 for incoming connections on your external interface!
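As an added example (not the author's own firewall script), here is a small POSIX sh fragment that assembles both pieces of the setup described above: the ipchains input rule that lets incoming connections to 6346 through the external interface, and the ipmasqadm portfw line that redirects them to the peer. It defaults to dry-run so it can be read on a machine that has neither tool; eth0 and 203.0.113.10 are constructed placeholders, while 192.168.0.4 and port 6346 are the values from the article.

```shell
#!/bin/sh
# Added example, not the article's own firewall script: the two rules the
# article describes for one Gnutella peer behind an ipchains/IP Masquerade box.
# Assumed placeholders: EXT_IF=eth0 and LOCAL_IP=203.0.113.10 are constructed;
# PEER_IP=192.168.0.4 and port 6346 are the values from the article.
EXT_IF="${EXT_IF:-eth0}"
LOCAL_IP="${LOCAL_IP:-203.0.113.10}"
PEER_IP="${PEER_IP:-192.168.0.4}"
GNUTELLA_PORT="${GNUTELLA_PORT:-6346}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; 0 = execute them

# has_portfw_support: the check the article makes by hand. The /proc entry
# exists only when the kernel was built with IP masquerading port forwarding.
has_portfw_support() {
    [ -e /proc/net/ip_masq/portfw ]
}

# gnutella_rules prints one command per line:
#  1. the part the article calls obvious: accept inbound TCP connection
#     attempts (SYN only, -y) to 6346 arriving on the external interface,
#  2. the portfw entry that redirects that port to the masqueraded peer.
# Nothing else is opened; the rest of the input policy stays as it was.
gnutella_rules() {
    printf '%s\n' "ipchains -A input -i $EXT_IF -p tcp -y -d $LOCAL_IP $GNUTELLA_PORT -j ACCEPT"
    printf '%s\n' "ipmasqadm portfw -a -P tcp -L $LOCAL_IP $GNUTELLA_PORT -R $PEER_IP $GNUTELLA_PORT"
}

# rule_count: how many commands gnutella_rules produced (a cheap sanity check
# before turning DRY_RUN off).
rule_count() {
    gnutella_rules | wc -l | tr -d ' '
}

# apply_rules echoes each command and, unless DRY_RUN=1, runs it. After a real
# run, "ipmasqadm portfw -l" lists the forwarding entries that are in effect.
apply_rules() {
    if ! has_portfw_support; then
        echo "warning: /proc/net/ip_masq/portfw missing; kernel lacks port forwarding" >&2
    fi
    gnutella_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        [ "$DRY_RUN" = "1" ] || $cmd
    done
}

apply_rules
```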
Also make sure that you have (as much as is reasonable) faith in your firewall rules. I notice that when I run BearShare for a while, I start getting a lot of rejected packets that seem to have nothing to do with Gnutella-like operations; when I shut it off, they taper off to the usual 20 per day or so.