Firewall Peer to Peer
This page explains how to allow peer-to-peer traffic with iptables.
Concept
You need to:
- open INPUT destination ports
- allow OUTPUT TO/FROM particular ports
TODO: add diagram
Mandatory output
All the clever work is done in the shell functions below.
# ------------------------------------------------------------------------------
# IPv4 ; IPv6 functions
# ------------------------------------------------------------------------------
IPTABLES=`which iptables`
IP6TABLES=`which ip6tables`
# These functions have been created by Dimitri Gribenko
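# Run iptables with the given arguments, but only when IPv4 filtering is on.
# Globals:   DO_IPV4 (read) - "1" enables IPv4 rules
#            IPTABLES (read) - path of the iptables binary
# Arguments: iptables arguments, passed through verbatim
# Returns:   iptables' exit status; 0 when DO_IPV4 is not "1" (the call is a
#            no-op, so a caller running under `set -e` is not aborted by it);
#            1 when DO_IPV4=1 but no iptables binary was found.
ipt4() {
  if [ "${DO_IPV4:-}" != "1" ]; then
    return 0
  fi
  if [ -z "${IPTABLES:-}" ]; then
    printf 'ipt4: iptables binary not found (IPTABLES is empty)\n' >&2
    return 1
  fi
  "$IPTABLES" "$@"
}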
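# Run ip6tables with the given arguments, but only when IPv6 filtering is on.
# Globals:   DO_IPV6 (read) - "1" enables IPv6 rules
#            IP6TABLES (read) - path of the ip6tables binary
# Arguments: ip6tables arguments, passed through verbatim
# Returns:   ip6tables' exit status; 0 when DO_IPV6 is not "1" (the call is a
#            no-op, so a caller running under `set -e` is not aborted by it);
#            1 when DO_IPV6=1 but no ip6tables binary was found.
ipt6() {
  if [ "${DO_IPV6:-}" != "1" ]; then
    return 0
  fi
  if [ -z "${IP6TABLES:-}" ]; then
    printf 'ipt6: ip6tables binary not found (IP6TABLES is empty)\n' >&2
    return 1
  fi
  "$IP6TABLES" "$@"
}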
# Apply the same rule to IPv4 and IPv6; each wrapper decides on its own
# (DO_IPV4 / DO_IPV6) whether it actually runs anything.
# Arguments: iptables arguments, passed through verbatim to both wrappers
# Returns:   the status of the ipt6 call (the last one executed)
ipt46() {
  local wrapper
  for wrapper in ipt4 ipt6; do
    "$wrapper" "$@"
  done
}
# ------------------------------------------------------------------------------
# INPUT / OUTPUT filtering functions
# Author: Guillaume Diaz
# ------------------------------------------------------------------------------
# usage: inputFiltering <String:protocol> <Int:port> <String:comment> <Boolean:limit[optional]>
#
# ex: inputFiltering tcp 22 SSH true
# inputFiltering tcp 3306 MySQL
function inputFiltering {
DEST_PROTOCOL=$1
DEST_PORT=$2
RULE_COMMENT=$3
LIMIT=$4
if [[ ! -z "$LIMIT" ]]
then
ipt46 -A INPUT -p $DEST_PROTOCOL --dport $DEST_PORT -m limit --limit 3/min --limit-burst 10 -m comment --comment "$RULE_COMMENT" -j ACCEPT
else
ipt46 -A INPUT -p $DEST_PROTOCOL --dport $DEST_PORT -m comment --comment "$RULE_COMMENT" -j ACCEPT
fi
}
# Allow OUTPUT both TOWARDS a given destination port and FROM that same port used as the source port.
# usage: outputFilteringWithSource <protocol> <port> <comment>
#
# ex: outputFiltering tcp 22 "SSH"
# outputFilteringWithSource tcp 3306
function outputFilteringWithSource {
DEST_PROTOCOL=$1
DEST_PORT=$2
RULE_COMMENT=$3
log_progress_msg "Outside << Host | allow output: $DEST_PROTOCOL $DEST_PORT - $RULE_COMMENT"
# Allow source port in case of NAT
ipt46 -A OUTPUT -p $DEST_PROTOCOL --dport $DEST_PORT -m comment --comment "$RULE_COMMENT" -j ACCEPT
ipt46 -A OUTPUT -p $DEST_PROTOCOL --sport $DEST_PORT -m comment --comment "$RULE_COMMENT" -j ACCEPT
}
# ------------------------------------------------------------------------------
# P2P
# ------------------------------------------------------------------------------
function peerToPeer {
INCOMING_PORT=$1
OUTGOING_PORT=$2
RULE_COMMENT=$3
# INPUT
inputFiltering udp $INCOMING_PORT $RULE_COMMENT
inputFiltering tcp $INCOMING_PORT $RULE_COMMENT
# OUTPUT
outputFilteringWithSource udp $OUTGOING_PORT $RULE_COMMENT
outputFilteringWithSource tcp $OUTGOING_PORT $RULE_COMMENT
# Trick to fix issues (it will slow the bandwidth) - NOT recommended!!
#ipt4 -t raw -I PREROUTING -p udp --dport $OUTGOING_PORT -j NOTRACK
#ipt4 -t raw -I OUTPUT -p udp --sport $OUTGOING_PORT -j NOTRACK
#ipt4 -t raw -I PREROUTING -p tcp --dport $OUTGOING_PORT -j NOTRACK
#ipt4 -t raw -I OUTPUT -p tcp --sport $OUTGOING_PORT -j NOTRACK
}
#Usage
...
## Deluge Torrent client (ports must be open on both UDP + TCP)
# source: https://wiki.archlinux.org/index.php/deluge
# 56881-56889 for incoming connections
# 56881-57200 for outgoing connections.
deluge_incoming=56881:56889
deluge_outgoing=56881:57200
peerToPeer "$deluge_incoming" "$deluge_outgoing" "Deluge (peer 2 peer)"
...