Talk:Firewall
I think that think page should also contain basic Linksys and Dlink router information since you're also trying to attract windows users. -- Juan 21:28, 27 May 2005 (CEST)
Yap. fine now, who's gonna provide that info? ;-P
I'll add linksys information soon. Anyone with a DLink router should also contribute.. =) -- Juan 19:41, 28 May 2005 (CEST)
Um. I thought the == before and after a section automatically creates a menu for the page? Am I wrong?
You're not. But only if there are at least four == sections in the article. Otherwise no menu will be created
I just threw some D-Link info in there, based on what I did on my DI-624 to get aMule to show High ID. I have to admit though that I don't quite get how the Applications page settings relate to the port forwarding in Virtual Servers, unless you do an entry in Virtual Servers for each port in the 4662-4672 range for UDP. Any thoughts? -Sharakan
:-) Thanks for your tips!
The instructions do not work with my Dlink DI-604. When I try and add the Application rule I get a notice saying that there is a conflict with the Virtual Server rule I've just set up. HTH
Cleaning the iptables rules :
I think the basic rules (section 2 : IPTables Configuration) are not really good. If you use (as said in the wiki) :
iptables -A INPUT -p tcp --dport XX -j ACCEPT
it works but to my mind the other lign :
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
does nothing because the first lign accept all state packets (NEW,ESTABLISHED,RELATED,UNTRACKED and INVALID). So the first line accept more the second (but only for the amule ports).
I think we could increase the security by using :
iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport XX -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
The first line is the global policy : we drop all. The second line is the strategy for amule. The third line is the strategy for the other ports.
For aMule,we need the 'ESTABLISHED' and 'RELATED' states to allow the answer to our requests. We need the 'NEW' state to allow the request of the others p2p clients. If we don't allow 'NEW', we are on low ID. (that's the result of my test.)
Perhaps, it's even possible to delete ESTABLISHED or RELATED (only one). It depends on how the answer request are done. (? I don't know. Need further research.)
Of course, you need to add modified lines if XX+3 or UDP are needed.
I don't made direct change on the wiki because I think several persons should test my change to check if I have made an error.
stephane.
---
I use the following rules (well, iptables 1.2.7a):
iptables -A INPUT -p tcp -m tcp --dport 4662 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4665 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4672 -j ACCEPT
and aMule works great with them. I don't how much are these the same as yours, stephane. (Policy rule is not included intentionally)
---
My rule for aMule is (iptables v1.2.11) :
iptables -A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport 4662 -j ACCEPT
I have disabled the udp port in aMule so I don't need to open them. However, if I had keep them open, I would have these lines too :
iptables -A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport 4665 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport 4672 -j ACCEPT
I have tested with 'netstat -taupe' and the clients connected to me use the ESTABLISHED state so it seems that I could delete the RELATED state (further tests needed). If it's true, my rule becomes :
iptables -A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 4662 -j ACCEPT
Your rules check different thing than mine. Perhaps it could be interresting to mix them.
stephane.
AMule High ID from behind a BT Voyager 2100
Anyone know what settings I need to use to get a high ID?
