Difference between revisions of "Firewall Peer to Peer"

(Created page with "Category:Linux This page explains how to enable Peer 2 peer with iptables. =Concept= You need to: * open INPUT destination ports * allow OUTPUT TO/FROM particular ports...")
 
(No difference)

Latest revision as of 22:17, 29 November 2017


This page explains how to enable Peer 2 peer with iptables.

Concept

You need to:

  • open INPUT destination ports
  • allow OUTPUT TO/FROM particular ports


TODO: add schema


Mandatory output

All the clever things are done in the shell function.

# ------------------------------------------------------------------------------
# IPv4 ; IPv6 functions
# ------------------------------------------------------------------------------
IPTABLES=`which iptables`
IP6TABLES=`which ip6tables`
 
# These functions have been created by Dimitri Gribenko
function ipt4 {
    [ "$DO_IPV4" = "1" ] && $IPTABLES "$@"
}
function ipt6 {
    [ "$DO_IPV6" = "1" ] && $IP6TABLES "$@"
}
function ipt46 {
    ipt4 "$@"
    ipt6 "$@"
}

# ------------------------------------------------------------------------------
# INPUT / OUTPUT filtering functions 
# Author: Guillaume Diaz
# ------------------------------------------------------------------------------

# usage:   inputFiltering <String:protocol> <Int:port> <String:comment> <Boolean:limit[optional]>
#
#    ex:   inputFiltering tcp 22 SSH true
#          inputFiltering tcp 3306 MySQL
function inputFiltering {
    DEST_PROTOCOL=$1
    DEST_PORT=$2
    RULE_COMMENT=$3
     LIMIT=$4
 
    if [[ ! -z "$LIMIT" ]]
    then
        ipt46 -A INPUT -p $DEST_PROTOCOL --dport $DEST_PORT -m limit --limit 3/min --limit-burst 10 -m comment --comment "$RULE_COMMENT" -j ACCEPT
    else
        ipt46 -A INPUT -p $DEST_PROTOCOL --dport $DEST_PORT -m comment --comment "$RULE_COMMENT" -j ACCEPT
    fi
}

# To allow OUTPUT for both: TOWARDS a particular destination port + FROM a particular source port as well (same port as destination)
# usage:   outputFiltering <protocol> <port> <comment>
#
#    ex:   outputFiltering tcp 22 "SSH"
#          outputFiltering tcp 3306
function outputFilteringWithSource {
    DEST_PROTOCOL=$1
    DEST_PORT=$2
    RULE_COMMENT=$3
 
    log_progress_msg "Outside << Host | allow output: $DEST_PROTOCOL $DEST_PORT - $RULE_COMMENT"
    # Allow source port in case of NAT
    ipt46 -A OUTPUT -p $DEST_PROTOCOL --dport $DEST_PORT -m comment --comment "$RULE_COMMENT" -j ACCEPT
    ipt46 -A OUTPUT -p $DEST_PROTOCOL --sport $DEST_PORT -m comment --comment "$RULE_COMMENT" -j ACCEPT
}
 
# ------------------------------------------------------------------------------
# P2P
# ------------------------------------------------------------------------------

function peerToPeer {
    INCOMING_PORT=$1
    OUTGOING_PORT=$2
    RULE_COMMENT=$3

    # INPUT
    inputFiltering udp $INCOMING_PORT $RULE_COMMENT
    inputFiltering tcp $INCOMING_PORT $RULE_COMMENT

    # OUTPUT
    outputFilteringWithSource udp $OUTGOING_PORT $RULE_COMMENT
    outputFilteringWithSource tcp $OUTGOING_PORT $RULE_COMMENT
    
    # Trick to fix issues (it will slow the bandwidth) - NOT recommended!!
    #ipt4 -t raw -I PREROUTING -p udp --dport $OUTGOING_PORT -j NOTRACK
    #ipt4 -t raw -I OUTPUT -p udp --sport $OUTGOING_PORT -j NOTRACK
    #ipt4 -t raw -I PREROUTING -p tcp --dport $OUTGOING_PORT -j NOTRACK
    #ipt4 -t raw -I OUTPUT -p tcp --sport $OUTGOING_PORT -j NOTRACK
}   



#Usage
...

## Deluge Torrent client (ports must be open on both UDP + TCP)
# source: https://wiki.archlinux.org/index.php/deluge
# 56881-56889 for incoming connections 
# 56881-57200 for outgoing connections. 
peerToPeer 56881:56889 56881:57200 "Deluge (peer 2 peer)"



...