On Wednesday 02 April 2003 11:05 am, Carlos Ble wrote: > Hi all. Some users from my lan complains to me about emule. > They have a LOWID and can't use their machines as emule servers. > I had checked my firewall and i think all its ok. I went to > http://www.thedonkeynetwork.com/connection_test > from one computer of the lan to test my conection (using even port 80) > and i got a time out message "time out, this means that even did not > receibe a RESET signal; maybe due to a stealth firewal". But.... the > http port is open because iam browsing !!!. Needs emule a special > conntrack ?. I dont know so much about emule, can somebody help me > please? Thanks in advance. EDonkey2000 (emule is a 3rd-party replacement for EDonkey, as is MLDonkey) communicates primarily on TCP 4662. The problem you are facing is that when they connect to a server somewhere, that server will attempt to connect back to them at port 4662, initiating a NEW connection. This means connecting to the public IP they appear to be at, and if you are masquerading several emule/edonkey users then they all have the same public IP. Any attempt from outside to connect to one of these machines as a peer or a server will necessarily be a NEW connection, so conntrack cannot know which local machine is the destination. If only one machine is running, you could DNAT incoming connections from the internet for tcp dport 4662 to that specific client and they would get a HighID. (From a page I'm writing on IM and P2P netfilter issues) TCP 4661 - connect to server TCP 4662 - connect to client TCP 4663 - connect remote GUI to client UDP 4665 - connect to secondary server The only critical port here for incoming connections is 4662, unless they are /really/ running an EDonkey server, in which case they need 4661 incoming as well. For 'normal' p2p file sharing with EDonkey (emule) the client needs 4661 and 4662 outbound, and 4662 inbound. The upshot is that I believe you will only be able to have a single emule/edonkey machine behind a single public IP. Try adding: iptables -t nat -A PREROUTING -p tcp --dport 4662 -j DNAT --to {ip} for one of the emule users, and make sure you ACCEPT that traffic in FORWARD. That user should now get a HighID, and favorable searches and transfers. It is possible that this will allow the others to get HighID's as well, but only the one that is the target of the DNAT would be able to actually serve files, since external queries would never reach the others. I'm not certain if the extra machines would even be able to receive files, I don't know the EDonkey/Overnet (Overnet is a newer completely 'serverless' variant, communicating on TCP port 4662 and an additional random [or manually configured] UDP port) protocols well enough to know if that comes through as a NEW connection or simply a reply to one initiated by the internal client. I suspect that only the DNAT targetted machine would work properly. Finally, if you really want to accomodate these users, you can set up a specific machine as the EDonkey server, running the Linux EDonkey client software, DNAT outside connections to that machine, and allow each of them remote GUI access to that client. They would each have knowledge of and control over each other's transfers, however, which might be undesirable to them... ;^) j
