Re: Problems with firewall and emule

On Wednesday 02 April 2003 21:49, Joel Newkirk wrote:
> On Wednesday 02 April 2003 11:05 am, Carlos Ble wrote:
> > Hi all. Some users from my LAN complain to me about emule.
> > They have a LowID and can't use their machines as emule servers.
> > I had checked my firewall and I think it's all OK. I went to
> > http://www.thedonkeynetwork.com/connection_test
> > from one computer of the LAN to test my connection (using even port 80)
> > and I got a time out message "time out, this means that even did not
> > receive a RESET signal; maybe due to a stealth firewall". But.... the
> > http port is open because I am browsing !!!.  Does emule need a special
> > conntrack? I don't know so much about emule, can somebody help me
> > please? Thanks in advance.
>
> EDonkey2000 (emule is a 3rd-party replacement for EDonkey, as is
> MLDonkey) communicates primarily on TCP 4662.  The problem you are
> facing is that when they connect to a server somewhere, that server will
> attempt to connect back to them at port 4662, initiating a NEW
> connection.  This means connecting to the public IP they appear to be
> at, and if you are masquerading several emule/edonkey users then they
> all have the same public IP.  Any attempt from outside to connect to one
> of these machines as a peer or a server will necessarily be a NEW
> connection, so conntrack cannot know which local machine is the
> destination.  If only one machine is running, you could DNAT incoming
> connections from the internet for tcp dport 4662 to that specific client
> and they would get a HighID.
>
> (From a page I'm writing on IM and P2P netfilter issues)
>
> TCP 4661 - connect to server
> TCP 4662 - connect to client
> TCP 4663 - connect remote GUI to client
> UDP 4665 - connect to secondary server
>
> The only critical port here for incoming connections is 4662, unless they
> are /really/ running an EDonkey server, in which case they need 4661
> incoming as well.  For 'normal' p2p file sharing with EDonkey (emule)
> the client needs 4661 and 4662 outbound, and 4662 inbound.
>
> The upshot is that I believe you will only be able to have a single
> emule/edonkey machine behind a single public IP.  Try adding:
> iptables -t nat -A PREROUTING -p tcp --dport 4662 -j DNAT --to {ip}
> for one of the emule users, and make sure you ACCEPT that traffic in
> FORWARD.  That user should now get a HighID, and favorable searches and
> transfers.  It is possible that this will allow the others to get
> HighIDs as well, but only the one that is the target of the DNAT would
> be able to actually serve files, since external queries would never
> reach the others.  I'm not certain if the extra machines would even be
> able to receive files, I don't know the EDonkey/Overnet (Overnet is a
> newer completely 'serverless' variant, communicating on TCP port 4662
> and an additional random [or manually configured] UDP port) protocols
> well enough to know if that comes through as a NEW connection or simply
> a reply to one initiated by the internal client.  I suspect that only
> the DNAT targeted machine would work properly.
>
> Finally, if you really want to accommodate these users, you can set up a
> specific machine as the EDonkey server, running the Linux EDonkey client
> software, DNAT outside connections to that machine, and allow each of
> them remote GUI access to that client.  They would each have knowledge
> of and control over each other's transfers, however, which might be
> undesirable to them...  ;^)
>
> j

Thank you very very much. I'm very grateful for your answer.
I really had thought that there is only one public IP for all LAN users, but
I didn't know the way in which edonkey works.
I think the best solution is to install an edonkey server, but I have more
problems because from the LAN to the internet there are two Linux boxes
(double masquerade) that do different things. One for RADIUS and other
things and the other for load balancing, DNS server, squid ...
Finally, I think LAN users are gonna keep their LowID status :(
I'll try to use only one Linux box but it's so difficult and maybe so heavy for
the kernel to support all the jobs.

-- 
             \ /
___.nn(00)nn.___  
Carlos Ble    
email: 
 carlosble@xxxxxxxx , 
 alu2388@xxxxxxxxxx,
 tecnico@xxxxxxxxxxxxxxxxxxxxx
Tlf: +34 660872440. 
irc: kharly_ 
jabber id: kharly@xxxxxxxxxx
------
Powered by Debian GNU/Linux
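The DNAT plus FORWARD setup from Joel's reply, written out as an added example (not code from either poster): it forwards inbound TCP 4662 from the public interface to one chosen LAN host and opens FORWARD only for that port to that host, rather than a blanket ACCEPT. The interface name `eth0` and address `192.168.1.10` are assumptions; the function prints the rules so they can be reviewed before being piped into a root shell.

```shell
#!/bin/sh
# Added example, not from the original thread: generate the iptables rules
# that give a single eMule/eDonkey client behind a masquerading gateway a
# HighID. Interface and address values are assumptions for illustration.

# emule_dnat_rules WAN_IF CLIENT_IP [PORT]
# Prints the iptables commands; pipe the output into sh as root to apply.
emule_dnat_rules() {
    wan_if=$1
    client_ip=$2
    port=${3:-4662}   # eDonkey "connect to client" port from the thread

    # Refuse anything that is not a dotted-quad address: a typo here would
    # forward the port to the wrong host or produce a malformed rule.
    case $client_ip in
        ""|*[!0-9.]*) echo "bad client ip: $client_ip" >&2; return 1 ;;
    esac

    # NAT table: rewrite the destination of NEW inbound connections arriving
    # on the public interface so conntrack maps them to the chosen LAN host.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $port -j DNAT --to-destination $client_ip"
    # Filter table: let only that forwarded port reach that one host ...
    echo "iptables -A FORWARD -i $wan_if -p tcp -d $client_ip --dport $port -m state --state NEW -j ACCEPT"
    # ... and let replies and established flows pass in both directions.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Dry run: review the rules before applying them.
emule_dnat_rules eth0 192.168.1.10
```

Apply with `emule_dnat_rules eth0 192.168.1.10 | sh` as root once the printed rules look right; only the DNAT target host will be reachable from outside on 4662, as the reply explains.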

