Difference between revisions of "Firewall"
(=IPTables Configuration=)
GonoszTopi (Talk | contribs) (Restored accidentally lost chapter)
(53 intermediate revisions by 23 users not shown)
Line 1: | Line 1: | ||
− | <center>'''English''' | [[Firewall-es| | + | <center> |
+ | '''English''' | | ||
+ | [[Firewall-de|Deutsch]] | | ||
+ | [[Firewall-es|Español]] | | ||
+ | [[Firewall-cn|简体中文]] | ||
+ | </center> | ||
− | == | + | == Firewalls == |
+ | By default, firewalls and routers block incoming ports. To achieve the best results with aMule, you need to configure your firewall or router to open certain ports which aMule uses. (The port numbers are configurable in preferences). See [[FAQ eD2k-Kademlia#Which ports do I have to configure in a firewall or router to run aMule?|the FAQ]]. | ||
− | + | In particular, to be given an [[FAQ eD2k-Kademlia#What is LowID and HighID?|eD2k HighID]], port 4662 TCP must be listening (i.e. opened in your firewall and forwarded in your router). To have an optimal ED2K experience, two more port should be enabled for listening as well: UDP ports 4672 and 4665. If you are using Kad and your router is doing NAT (Network Address Translation), you should prevent your router from remapping the port of outgoing UDP port 4672 packets. This might help if you have a high ID but Kad status is 'firewalled'. | |
+ | :'''Note''' As of mid-December 2006, aMule (CVS) has [[Universal Plug and Play]] (uPnP) capabilities which you can use to automatically configure the ports on your router, provided your router supports uPnP. This functionality is still being tested and should appear soon in an official release. | ||
+ | |||
+ | === SuSE === | ||
+ | '''[http://www.suse.com SuSE Linux]''' users try [[Firewall_SuSE|this HowTo]]. | ||
+ | |||
+ | === RedHat / Fedora Core === | ||
+ | '''[http://fedora.redhat.com RedHat / Fedora Core]''' users try [[Firewall_Fedora|this HowTo]]. | ||
+ | |||
+ | === IPTables Configuration === | ||
If you set [http://www.ietf.org/rfc/rfc793.txt TCP] port in [[aMule]] to XX and [http://www.faqs.org/rfcs/rfc768.html UDP] port to YY then you have to set your firewall like this: | If you set [http://www.ietf.org/rfc/rfc793.txt TCP] port in [[aMule]] to XX and [http://www.faqs.org/rfcs/rfc768.html UDP] port to YY then you have to set your firewall like this: | ||
Line 19: | Line 34: | ||
''iptables -P OUTPUT ACCEPT'' | ''iptables -P OUTPUT ACCEPT'' | ||
− | or specifying special rules. | + | or specifying special rules: |
+ | |||
+ | If your OUTPUT rules is DROP(iptables -P OUTPUT DROP) you have to allow the 2 UDP port.<br> | ||
+ | iptables -A OUTPUT -p udp --sport '''XX+3''' -j ACCEPT<br> | ||
+ | iptables -A OUTPUT -p udp --sport '''YY''' -j ACCEPT<br> | ||
+ | |||
+ | There is also some random source port [http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html ephemeral_ports] that you have to allow in your output rules. | ||
'''NOTE:''' for [http://www.mandrake.com Mandrake] 10.0 Official and [http://www.iptables.org iptables] you may have to change the multi-port entry to ''iptables -A INPUT -p udp --dport '''XX:ZZ''' -j ACCEPT'' where ''XX'' is the same [http://www.ietf.org/rfc/rfc793.txt TCP] port number used in first line and ''ZZ'' is that number plus 3 (eg: ''4662:4665'') | '''NOTE:''' for [http://www.mandrake.com Mandrake] 10.0 Official and [http://www.iptables.org iptables] you may have to change the multi-port entry to ''iptables -A INPUT -p udp --dport '''XX:ZZ''' -j ACCEPT'' where ''XX'' is the same [http://www.ietf.org/rfc/rfc793.txt TCP] port number used in first line and ''ZZ'' is that number plus 3 (eg: ''4662:4665'') | ||
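Review bot: the OUTPUT DROP rules added in this hunk (`iptables -A OUTPUT -p udp --sport XX+3 -j ACCEPT` and `iptables -A OUTPUT -p udp --sport YY -j ACCEPT`) cover only aMule's two UDP sockets; every TCP connection aMule opens to a server or peer leaves from an ephemeral source port, which the last line acknowledges but gives no rule for, so a DROP policy as written blocks eD2k entirely. Suggest a stateful pair instead of opening the whole ephemeral range: `iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` plus a `-p tcp -m state --state NEW` rule, optionally scoped with `-m owner --uid-owner <user>` so only the account running aMule gets it. "If your OUTPUT rules is DROP" should read "If your OUTPUT policy is DROP".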
Line 33: | Line 54: | ||
''iptables -t nat -A PREROUTING -i $EXTIF -p tcp --destination-port $EMULEPORT -j DNAT --to-destination $EMULEHOST:$EMULEPORT''<br> | ''iptables -t nat -A PREROUTING -i $EXTIF -p tcp --destination-port $EMULEPORT -j DNAT --to-destination $EMULEHOST:$EMULEPORT''<br> | ||
''iptables -t nat -A PREROUTING -i $EXTIF -p udp --destination-port $EMULEUDP -j DNAT --to-destination $EMULEHOST:$EMULEUDP''<br> | ''iptables -t nat -A PREROUTING -i $EXTIF -p udp --destination-port $EMULEUDP -j DNAT --to-destination $EMULEHOST:$EMULEUDP''<br> | ||
− | ''iptables -t nat -A PREROUTING -i $EXTIF -p udp --destination-port $EMULEUDP2 -j DNAT --to-destination $EMULEHOST:$EMULEUDP2'' | + | ''iptables -t nat -A PREROUTING -i $EXTIF -p udp --destination-port $EMULEUDP2 -j DNAT --to-destination $EMULEHOST:$EMULEUDP2'' |
− | + | ||
You also should make sure that your FORWARD-string is set up correctly. Usually, you will have an entry like this: | You also should make sure that your FORWARD-string is set up correctly. Usually, you will have an entry like this: | ||
Line 50: | Line 70: | ||
Once everything is set, you can check [http://www.amule.org/testport.php here] if your ports are now open. | Once everything is set, you can check [http://www.amule.org/testport.php here] if your ports are now open. | ||
− | + | See also [[FAQ eD2k-Kademlia#Why does Kademlia still say it is firewalled?|the FAQ]] on "Why does Kademlia still say it is firewalled?" | |
− | + | == Routers == | |
+ | Here is a list of routers and how to set them up to forward their ports to [[aMule]]. | ||
− | At this point, you should see a table with 6 columns. The columns are: Application, Start | + | In the descriptions below, examples are using the default ports (that is, ''4662'' for the [[Standard client TCP port]], ''4672'' for the [[Extended client UDP port]] and ''4665'' for the [[Extended server requests UDP port]]. |
+ | |||
+ | === Linksys WRT54GSV4 === | ||
+ | #Open your web browser, ''http://192.168.1.1'' and log into it | ||
+ | #Go under ''Gaming applications'' | ||
+ | #Now forward the ports to your computer: | ||
+ | ##[[Standard client TCP port]] | ||
+ | ###Change both ''Ports start'' and ''End'' to ''4662'' | ||
+ | ###In the next field set ''TCP'' | ||
+ | ###In the field, the last 3 digits of your LAN [[IP address|IP]] | ||
+ | ##[[Extended client UDP port]] | ||
+ | ###Change both ''Ports start'' and ''End'' to ''4672'' | ||
+ | ###In the next field set ''UDP'' | ||
+ | ###In the field, the last 3 digits of your LAN [[IP address|IP]] | ||
+ | ##[[Extended server requests UDP port]] | ||
+ | ###Change both ''Ports start'' and ''End'' to ''4665'' | ||
+ | ###In the next field set ''UDP'' | ||
+ | ###In the field, the last 3 digits of your LAN [[IP address|IP]] | ||
+ | #Now check ''Enable'' | ||
+ | #And click ''Save settings'' | ||
+ | #Then restart aMule :) | ||
+ | |||
+ | === [http://www.linksys.com Linksys] Router configuration === | ||
+ | This portion of the wiki applies only to stock versions of the [http://www.linksys.com Linksys] firmware. If you are using a [http://www.linksys.com Linksys] router running a variant of the [[GPL]] code, please follow the guides directly above as you are most likely using iptables. | ||
+ | |||
+ | Log into your [http://www.linksys.com Linksys] router. After successfully logging in, click on the main menu link labeled '''Applications & Gaming''' after which you should see an additional submenu list for this section. Make sure you are under the correct submenu by clicking '''Port Range Forwarding'''. | ||
+ | |||
+ | At this point, you should see a table with 6 columns. The columns are: ''Application'', ''Start to'', ''End'', ''Protocol'', ''IP Address'', ''Enable''. | ||
'''The Application column'''<br> | '''The Application column'''<br> | ||
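Review bot: the WRT54GSV4 steps say "the last 3 digits of your LAN IP" three times; the field takes the final octet of the address, which can be one to three digits (192.168.1.5 needs "5"), so "the last octet" is the clearer wording. That octet is normally handed out by DHCP, so the forwarding entry silently stops working when the lease changes; the D-Link section later in this revision reserves a static DHCP address before forwarding, and the same step belongs here.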
Line 60: | Line 108: | ||
'''The Start to -> End column'''<br> | '''The Start to -> End column'''<br> | ||
− | Start and end ports. '''Start to''' should be 4662 but, in the end, this should reflect whatever port you have defined in [[aMule]] Preferences -> Connection -> Client TCP Port. '''End''' should be 4672 but, in the end, this should reflect whatever port you have defined in [[aMule]] Preferences -> Connection -> eMule extended UDP Port. | + | Start and end ports. '''Start to''' should be ''4662'' but, in the end, this should reflect whatever port you have defined in [[aMule]] ''Preferences'' -> ''Connection'' -> ''Client TCP Port''. '''End''' should be ''4672'' but, in the end, this should reflect whatever port you have defined in [[aMule]] ''Preferences'' -> ''Connection'' -> ''eMule extended UDP Port''. |
− | + | ||
I suggest using 2 separate entries for each port unless this is not possible. | I suggest using 2 separate entries for each port unless this is not possible. | ||
'''The Protocol column'''<br> | '''The Protocol column'''<br> | ||
− | Protocol to listen for. If you use one line to open your [[aMule]] ports, set this option to '''Both'''. If you use a separate entry line for each, select option '''TCP''' for Client TCP Port and option '''UDP''' for eMule extended UDP Port. | + | Protocol to listen for. If you use one line to open your [[aMule]] ports, set this option to '''Both'''. If you use a separate entry line for each, select option '''TCP''' for [[FAQ_eD2k-Kademlia#What_does_each_port_do?|Client TCP Port]] and option '''UDP''' for [[eMule]] [[FAQ_eD2k-Kademlia#What_does_each_port_do?|extended UDP Port]]. |
'''The IP Address column'''<br> | '''The IP Address column'''<br> | ||
− | Internal IP | + | Internal [[IP address]] to forward requests to. This is typically the internal (private) [[IP address]] of the computer that will use [[aMule]]. |
'''The Enable column'''<br> | '''The Enable column'''<br> | ||
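Review bot: the "Start to -> End" text in this hunk gives 4662 to 4672 as one entry, which forwards eleven ports for both protocols while aMule listens only on 4662/tcp, 4665/udp and 4672/udp, and the separate-entry variant on the Protocol line omits 4665 altogether. Suggest making separate entries the primary advice (TCP 4662-4662, UDP 4672-4672, UDP 4665-4665), as the sentence "I suggest using 2 separate entries" already implies, and keeping the single range only as a fallback for firmware with too few rows.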
Line 75: | Line 123: | ||
After adding your rule, make sure you save your settings. You can verify whether your rules work by [http://www.amule.org/testport.php testing your ports]. | After adding your rule, make sure you save your settings. You can verify whether your rules work by [http://www.amule.org/testport.php testing your ports]. | ||
− | == DLink Router configuration == | + | === [http://www.dlink.com DLink] Router configuration === |
− | + | Log in to your [http://www.dlink.com DLink] router. There are three steps to take to enable your [[aMule]] [[port]]s. | |
+ | |||
+ | '''IP Address setup''' | ||
+ | |||
+ | In the Home tab, click the DHCP button. This page displays the current [[IP address]]es assigned by the router, both static and dynamic. Look for the name or MAC address of the computer you'll be running [[aMule]] on. If your computer is receiving dynamically assigned [[IP address]]es, you will have to change your settings every so often if your [[IP address]] changes. To avoid this, use the Static DHCP section, and perform the following steps: | ||
+ | |||
+ | *'''Name''': Type in the name of your computer here, could be anything | ||
+ | *'''IP''': The [[IP address]] you want the router to always assign to your computer | ||
+ | *'''MAC Address''': The MAC address of your computer. You should be already connected to the router, so you can find your computer in the ''DHCP Client'' drop-down menu, and click clone, to populate this number | ||
+ | *Click ''Apply'' | ||
+ | |||
+ | Now your computer will always receive the same [[IP address]]. | ||
+ | |||
+ | Now click on the ''Advanced'' tab, and there are two areas that need to be updated: | ||
+ | |||
+ | '''Virtual Server''' | ||
+ | *Click the ''Virtual Server'' button. This page forwards external requests to a specific internal [[IP address]] in your network | ||
+ | *Click ''Enabled'' | ||
+ | *Enter a name in the ''Name'' entry box, eg ''aMule TCP'' | ||
+ | *Enter your static [[IP address]] in the ''Private IP'' box | ||
+ | *Select [http://www.ietf.org/rfc/rfc793.txt TCP] in ''Protocol type'' | ||
+ | *Private [[port]] is the [[port]] that the router will forward the requests to on your computer. This can be anything, a good value is the default [[aMule]] [http://www.ietf.org/rfc/rfc793.txt TCP] [[port]], ''4662'' | ||
+ | *Public [[port]] is the [[port]] that the router will receive requests on. Again, a good value is the [[aMule]] [http://www.ietf.org/rfc/rfc793.txt TCP] [[port]] of ''4662'' | ||
+ | *Schedule is the times at which the port is open. Select ''Always'', or whatever times you wish | ||
+ | *Click ''Apply'' | ||
+ | |||
+ | '''Applications''' | ||
+ | *Click the ''Applications'' button. This page allows you to enter a range of [[port]]s to open for application usage | ||
+ | *Click ''Enabled'' | ||
+ | *Enter the [http://www.ietf.org/rfc/rfc793.txt TCP] [[port]] in the first ''Trigger Port'' box, a good value being ''4662'' | ||
+ | *Select ''Trigger Type'' as [http://www.ietf.org/rfc/rfc793.txt TCP] | ||
+ | *In ''Public Port'', enter the range from your [[aMule]] [http://www.ietf.org/rfc/rfc793.txt TCP] [[port]] to your [[aMule]] [http://www.faqs.org/rfcs/rfc768.html UDP] [[port]], usually ''4662''-''4672'' | ||
+ | *Select ''UDP'' as the ''Public Type'' | ||
+ | *Click ''Apply'' | ||
+ | |||
+ | You should now be all set, assuming that your computer firewall is setup to allow access on the selected [[port]]s. | ||
+ | |||
+ | '''Alternate Configuration (ie instead of Applications) for D-Link ''' | ||
+ | *Go back to virtual server and set 2 other virtual servers for the UDP ports | ||
+ | (It works only that way on my D-Link DI-804HV) | ||
+ | |||
+ | *Virtual server aMuleUDP4665 - select your IP address and UDP and 4665 (port) | ||
+ | |||
+ | *Virtual Server aMuleUDP4672 - select your ip address and UDP and 4672 (port) | ||
+ | |||
+ | (disable the above amule applications if you did try and it do not work). | ||
+ | Then you shoudl have all arrows green ( and 3 virtual servers running for amule, 1 for TCP and 2 for UDP). | ||
+ | |||
+ | '''Another Alternate Configuration (using Firewall rules) for D-Link (tested on D-Link DI-624) ''' | ||
+ | *Click on ''Advanced'' tab then click on ''Firewall''. This page can be used to setup firewall rules directly '''Without ANY further settings in ''Virtual server'' or ''Applications'' tabs''' | ||
+ | |||
+ | *Click ''Enabled'' | ||
+ | |||
+ | *Enter your preferred name for the rule (must be unique) | ||
+ | |||
+ | *Select ''WAN'' as source interface and ''*'' for source IP Range Start (IP Range End can be left blank) | ||
+ | |||
+ | *Select ''LAN'' as destination interface and enter the static IP of your PC running aMule for destination IP Range Start (IP Range End can be left blank) | ||
+ | |||
+ | *Select ''*'' as destination protocol | ||
+ | |||
+ | *Enter ''4662-4672'' as destination port range | ||
+ | |||
+ | *Select your preferred scheduling | ||
+ | |||
+ | *Click apply | ||
+ | |||
+ | '''IMPORTANT NOTE''': disable all existing entries for aMule you may have specified in ''Virtual server'' or ''Applications'' tabs. | ||
+ | |||
+ | *Reboot your router to be sure new configuration is applied (''Tools'' -> ''Misc''). | ||
+ | |||
+ | |||
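Review bot: the "Another Alternate Configuration" firewall rule above (source `*`, destination protocol `*`, destination port range 4662-4672) admits every protocol to eleven ports on the aMule host, far wider than the three listening sockets, so anything else bound in 4663-4671 becomes reachable from the WAN. Suggest three rules with an explicit protocol (TCP 4662, UDP 4665, UDP 4672), which is also what the two Virtual Server variants above configure; if the firmware only accepts a range, the note should say what that exposes.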
+ | === [http://www.belkin.com Belkin] Router configuration === | ||
+ | Log in to your Belkin router: [http://192.168.2.1 192.168.2.1]. You will be following these steps twice: once to create a [http://www.ietf.org/rfc/rfc793.txt TCP] record, and again to create a UDP record. | ||
+ | |||
+ | *Click the ''Virtual Servers'' link in the ''Firewall'' section on the left. This page forwards external requests to a specific internal [[IP address]] in your network | ||
+ | *Pick the first empty row | ||
+ | *Check ''Enabled'' | ||
+ | *Enter any name you like in the ''Description'' entry box, eg: ''aMule TCP/UDP'' | ||
+ | *For the ''Inbound port'' entry boxes, enter ''4660'' and ''4712''. | ||
+ | *Select ''TCP'' or ''UDP'' out of the ''Type'' dropdown. If you already have one set up, pick the other. | ||
+ | *For ''Private IP address'' enter the IP address the router assigned your machine. There are many ways to find this. Ubuntu users might want to use gnome-nettool (Network Tools) and look at the IPv4 entry under the appropriate network interface. If you like the terminal, type ifconfig and look for the inet addr entry. If you're in Windows, you can type ipconfig from the command line. No matter how you do it, the number should look like 192.168.2.x where x is the number you will be entering. | ||
+ | *''Private port'' is the [[port]] that the router will forward the requests to on your computer. Though this can be anything, the default [[aMule]] port is 4662 for TCP and 4672 for UDP. Entering ''4660'' and ''4712'', same as the inbound port range above, will cover other possible ports. | ||
+ | *Repeat the steps above to make sure you have an entry for both TCP and another entry for UDP. | ||
+ | *Click ''Apply'' | ||
+ | *If you have aMule open, go to it click ''Disconnect''. When the button changes, click ''Connect''. Kad should no longer be firewalled and you should not get another Low ID error. If you do still have issues, make sure you completed all the steps correctly by testing your ports: [http://www.amule.org/testport.php http://www.amule.org/testport.php] | ||
+ | |||
+ | Keep in mind that the ''Private IP address'' number could change if you're ever disconnected from the router, because it is dynamically assigned by default. | ||
+ | |||
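Review bot: the Belkin steps forward inbound 4660-4712 to private 4660-4712 for both TCP and UDP, 53 ports per protocol, to "cover other possible ports". A forwarded port with no listener still reaches the host, so this exposes every other service bound in that range; suggest forwarding exactly the ports set in aMule's preferences (4662/tcp, 4672/udp and 4665/udp by default) and widening only when the user has actually changed them. The closing remark that the private IP "could change" is the reason to reserve the address in the router's DHCP settings first, as the D-Link section does, rather than re-entering it after each lease change.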
+ | === Netgear router === | ||
+ | First, go to your router control page, locate at [http://routerlogin.net/start.htm http://routerlogin.net/start.htm]. Then, on the left side of the screen, under the Advanced group of options, click "Port Forwarding/Port Triggering." Click the "Add Custom Service" button, name it aMule1 (or whatever), set it as a TCP-only forwarding, with the starting and ending port being 4662 and the server IP address being whatever local address you're using (probably 192.168.1.2, if you're the only one connected to the router, but check), and click Apply. Repeat the process with aMule2 and aMule 3, using UDP-only ports for both and starting and ending ports of 4665 and 4672, respectively. (That is, the same starting and ending port within aMule2 and aMule3, but aMule2=4665 and aMule3=4672.) Make sure that iptables is properly set up on the machine which will run aMule (as above), and you're done. | ||
+ | |||
+ | Not all Netgear routers are the same, evidently, because on the DG834G it's more complicated. Go to the router's configuration page: | ||
+ | # Select '''Services''' from the '''''Content Filtering''''' menu | ||
+ | # Add your three rules (1 x TCP, 2 x UDP) based on your aMule Connection preferences | ||
+ | # Select '''Firewall Rules''' from the same menu | ||
+ | # Add all three rules as ''Inbound Services'' | ||
+ | # Add both UDP rules as ''Outbound Services'' (only one of these is crucial but I add the other just in case) | ||
+ | |||
+ | === TRENDnet router TW100 === | ||
+ | First connect to your router: usually open a browser and type directly the router IP address: such as 192.168.0.1 (or 192.168.1.1), then the login box should appear ( depending on your router config) - if so answer the message log message with ‘admin’ as username and nothing as password (or you password if | ||
+ | you did set one). | ||
+ | |||
+ | Then On the left side Menu, Select Internet and thenselect Advanced Setup (Advanced Internet). Then click/select, [Special Applications]: | ||
+ | |||
+ | Add or replace 2 lines in the Special Applications list: | ||
+ | (Try not to remove something which you are using and which is already enabled) | ||
+ | (just add the new application for amule at the end in position Nr. 5 or Nr.6 in the list for example): | ||
+ | |||
+ | Create the entries as follows: | ||
+ | |||
+ | amuleU4665 TCP-4665-4665 UDP-4665-4665 | ||
+ | |||
+ | amuleU4672 TCP-4672-4672 UDP-4672-4672 ) | ||
+ | |||
+ | (In my Application List the “amuleU4665” and “amule4672” are in Nr1 and Nr2 but it can be in any position in your list). | ||
+ | |||
+ | ->Click on the small box [ ] on the left for both lines of your amuleUxxxx applications to enable the special applications to work! | ||
+ | |||
+ | Then click on [Save], then click on [Close] | ||
+ | |||
+ | Then click on [Save] again on the page – Advanced Internet . | ||
+ | |||
+ | The next and last step is to click on the “Virtual Servers” menu on the left side, then the “Virtual Server page will appear”: | ||
+ | |||
+ | Add a new virtual server named like: AmuleTCP | ||
+ | |||
+ | Select your computer* IP Address: in the DropDown Menu | ||
+ | |||
+ | Select: TCP | ||
+ | |||
+ | Write the 4662 Port and 4662 port (both fields the same port) | ||
+ | |||
+ | Then [Add as new server] | ||
+ | |||
+ | Then you are set to have High ID and Kad ON. Finished with the Low-ID, yellow arrows and Kad Firewalled. Now all you arrows should be green and you should have access to Kad and ed2K. | ||
+ | |||
+ | ''Important Note:'' | ||
+ | *Be careful in the case that your computer is using the DHCP protocol (ie to obtain IP address from the router). | ||
+ | The router might not give all the time the same IP address to your computer. | ||
+ | (normally it does so... but sometimes it can change). | ||
+ | You have two solutions if you see that you have a low- ID then: (2 solutions) | ||
+ | |||
+ | 1) log back to the router go back to the virtual server, select the amuleTCP virtual server that you created and just reselect you computer in the “PC(server)” entry box. And select [Update this server] and log out. It should do the job. | ||
+ | |||
+ | Or an alternative solution : | ||
+ | |||
+ | 2)You can Set-up your computer with a fixed IP address if you want. If this problem of low-ID happens too often because you DHCP router gives different IP address to your computer, then you can put your computer in static mode or DHCP reserved address. But you need to know your DNS server(s) before to do that – so check with your ISP which are your DNS servers. Then configure your computer to run with a fixed DHCP/ Static address / Manual Address (name depends what OS you are running). For that go to your network settings and put the P address you want, and the gateway (you router IP address) and the DNS from your ISP – All this to be done ion the Other / PC Database (Admin) page of the router. | ||
+ | |||
+ | '''In the case that your TRENDNet router crashes or stop forwarding any''' traffic from/to your aMule computer . (it happened to me), then : | ||
+ | |||
+ | - reduce the Connection limit (in Preferences->Connection) to 100 (or to 50) | ||
+ | - reduce the "Max new connections / 5 secs" (in Preferences->Core Tweaks) to 10 (or to 5) | ||
+ | Stop amule and restart aMule so that configuration will be validated. | ||
+ | |||
+ | Make some tests to find your best config. It should give more stability to your router and avoid your router to crash ( ie you would have to reset and/or turn it on and off). This might be true for other routers as well(?). | ||
+ | |||
+ | ''(TRENDnet Firewall from RFV - --[[User:Robert364|Robert364]] 17:05, 5 Nov 2006 (CET)) | ||
+ | '' | ||
+ | |||
+ | === OpenBSD === | ||
+ | The firewall that comes with OpenBSD is called packetfilter (pf). To get aMule running, you must add the following rules to your pf.conf (/etc/pf.conf): | ||
+ | |||
+ | # aMule TCP and UDP | ||
+ | rdr pass on egress proto tcp to port 4662 -> IPADDR | ||
+ | rdr pass on egress proto udp to port 4672 -> IPADDR | ||
+ | rdr pass on egress proto udp to port 4665 -> IPADDR | ||
+ | |||
+ | IPADDR is the internal ip-address of the computer in your network that runs aMule. | ||
+ | Pf guesses automatically the name of the outter interface (connected with the internet), thanks to the keyword "egress" (this means: "the interface where goes the default route", and it's updated dynamicaly in case of change).<br> | ||
+ | |||
+ | Example (IP of computer running aMule is '''192.168.1.10'''): | ||
+ | |||
+ | # aMule TCP and UDP | ||
+ | rdr pass on egress proto tcp to port 4662 -> '''192.168.1.10''' | ||
+ | rdr pass on egress proto udp to port 4672 -> '''192.168.1.10''' | ||
+ | rdr pass on egress proto udp to port 4665 -> '''192.168.1.10''' | ||
+ | |||
+ | Of course, the computer running aMule must also have access to the internet so add the following rules too: | ||
+ | |||
+ | nat on egress from IPADDR to any -> (egress) | ||
+ | |||
+ | IPADDR is the internal ip-address of the computer in your network that runs aMule. | ||
+ | |||
+ | Example (like above): | ||
+ | |||
+ | nat on egress from '''192.168.1.10''' to any -> (egress) | ||
+ | |||
+ | To activate the changed configuration, reboot or execute the following command:<br> | ||
+ | |||
+ | pfctl -f /etc/pf.conf | ||
+ | |||
+ | In order to have the firewall automatically loaded at boot : | ||
+ | |||
+ | echo PF=yes >> /etc/rc.conf.local | ||
+ | |||
+ | To give KAD a better connection than "firewalled" put the following at the beginning of the NAT section of pf.conf (because NAT rules work on the first matching rule in the list, unlike the rest of pf.conf): | ||
+ | |||
+ | no nat on egress proto udp from '''192.168.1.10''' port 4672 to any | ||
+ | |||
+ | See [[FAQ eD2k-Kademlia#Why does Kademlia still say it is firewalled?|the FAQ]] on "Why does Kademlia still say it is firewalled?" | ||
+ | |||
+ | |||
+ | |||
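Review bot: `no nat on egress proto udp from 192.168.1.10 port 4672 to any` exempts Kad's packets from translation altogether, so they leave the gateway with the private source address 192.168.1.10 and no reply can return. What the Kad advice needs is translation that keeps the source port, which pf expresses with the `static-port` option on the nat rule, e.g. `nat on egress proto udp from 192.168.1.10 port 4672 to any -> (egress) static-port`, placed before the general nat rule since, as the text says, nat rules are first-match. The `rdr`/`nat` grammar shown is the pre-4.7 pf syntax; on OpenBSD 4.7 and later the same rules are written `pass in on egress proto tcp to port 4662 rdr-to 192.168.1.10` and `match out on egress from 192.168.1.10 nat-to (egress)`.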
+ | === iptables === | ||
+ | This is the default firewall for many linux distributions. | ||
+ | |||
+ | /sbin/iptables -t filter -A INPUT -m state --state NEW -m tcp -p tcp --dport 4662 -j ACCEPT | ||
+ | /sbin/iptables -t filter -A INPUT -m state --state NEW -m udp -p udp --dport 4665 -j ACCEPT | ||
+ | /sbin/iptables -t filter -A INPUT -m state --state NEW -m udp -p udp --dport 4672 -j ACCEPT | ||
+ | |||
+ | == My router is not here? == | ||
+ | |||
+ | |||
+ | If You have another type of router, check the correct A-Mule (or E-Mule) NAT-settings for Your modell on this site: http://www.portforward.com/ | ||
+ | |||
+ | |||
+ | |||
+ | == Enable UPnP through the firewall == | ||
+ | |||
+ | |||
+ | If you use UPnP on aMule and your PC uses a personal firewall, then you should allow incoming connections on UPnP port (default TCP 50000, but configurable on aMule) and incoming UDP connections on any port, but coming from your default gateway's port 1900 (that is, connections have source port 1900 but can be directed to any port on your PC). Here's the line I used to do this on iptables (192.168.0.1 is my UPnP-enabled router): | ||
+ | |||
+ | /sbin/iptables -t filter -A INPUT -m state --state NEW -m tcp -p tcp --dport 50000 -j ACCEPT | ||
+ | /sbin/iptables -t filter -A INPUT -p udp -s 192.168.0.1 --sport 1900 -j ACCEPT |
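Review bot: both UPnP rules accept on every interface, and the UDP rule is keyed only on a source address and source port 1900, values any sender on the link chooses, so a host on the LAN can reach every UDP port on the PC just by setting them. Suggest adding `-i <LAN interface>` (name depends on the host) to both rules and restricting the TCP 50000 listener to `-s 192.168.0.1` as well, since only the router's UPnP eventing should ever reach it. The UDP rule also lacks the `-m state --state NEW` match the TCP rule uses; that is harmless here, but worth making consistent.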
Latest revision as of 15:17, 26 December 2013
Firewalls
By default, firewalls and routers block incoming ports. To achieve the best results with aMule, you need to configure your firewall or router to open certain ports which aMule uses (the port numbers are configurable in preferences). See the FAQ.
In particular, to be given an eD2k HighID, port 4662 TCP must be listening (i.e. opened in your firewall and forwarded in your router). To have an optimal eD2k experience, two more ports should be enabled for listening as well: UDP ports 4672 and 4665. If you are using Kad and your router is doing NAT (Network Address Translation), you should prevent your router from remapping the source port of outgoing UDP packets sent from port 4672. This might help if you have a HighID but Kad status is 'firewalled'.
Note: As of mid-December 2006, aMule (CVS) has Universal Plug and Play (uPnP) capabilities which you can use to automatically configure the ports on your router, provided your router supports uPnP. This functionality is still being tested and should appear soon in an official release.
SuSE
SuSE Linux users try this HowTo.
RedHat / Fedora Core
RedHat / Fedora Core users try this HowTo.
IPTables Configuration
If you set the TCP port in aMule to XX and the UDP port to YY, then you have to set up your firewall like this:
    iptables -A INPUT -p tcp --dport XX -j ACCEPT
    iptables -A INPUT -p udp --dport XX+3 -j ACCEPT
    iptables -A INPUT -p udp --dport YY -j ACCEPT
(XX+3 stands for the resulting number, e.g. 4665 when XX is 4662; iptables does not do the arithmetic for you.)
If you are building your iptables rules from scratch, you also need to allow ESTABLISHED and RELATED traffic to come through your firewall:
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
And you must enable traffic to leave your machine as well, either by allowing all outgoing traffic:
    iptables -P OUTPUT ACCEPT
or by specifying special rules. If your OUTPUT policy is DROP (iptables -P OUTPUT DROP), you have to allow the two UDP ports:
    iptables -A OUTPUT -p udp --sport XX+3 -j ACCEPT
    iptables -A OUTPUT -p udp --sport YY -j ACCEPT
aMule also sends from random (ephemeral) source ports, which your OUTPUT rules have to allow as well.
NOTE: for Mandrake 10.0 Official and iptables you may have to change the multi-port entry to iptables -A INPUT -p udp --dport XX:ZZ -j ACCEPT, where XX is the same TCP port number used in the first line and ZZ is that number plus 3 (e.g. 4662:4665).
If you want to set up aMule behind a NAT gateway, you should add these lines to your iptables configuration script on the gateway, where EXTIF is your external interface:
    EMULEPORT=4662
    EMULEUDP=4672
    EMULEUDP2=`expr $EMULEPORT + 3`
    EMULEHOST=10.0.0.2
    iptables -t nat -A PREROUTING -i $EXTIF -p tcp --destination-port $EMULEPORT -j DNAT --to-destination $EMULEHOST:$EMULEPORT
    iptables -t nat -A PREROUTING -i $EXTIF -p udp --destination-port $EMULEUDP -j DNAT --to-destination $EMULEHOST:$EMULEUDP
    iptables -t nat -A PREROUTING -i $EXTIF -p udp --destination-port $EMULEUDP2 -j DNAT --to-destination $EMULEHOST:$EMULEUDP2
You should also make sure that your FORWARD chain is set up correctly. Usually, you will have an entry like this:
    iptables -A FORWARD -i $EXTIF -o $INTIF -d $EMULEHOST -m state --state ESTABLISHED,RELATED -j ACCEPT
where INTIF is your internal interface and EMULEHOST is the host on your internal network that runs aMule.
That rule alone only lets replies through and blocks new incoming connections. So, you should allow forwarding for the aMule-related ports:
    iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport $EMULEPORT -d $EMULEHOST -j ACCEPT
    iptables -A FORWARD -i $EXTIF -o $INTIF -p udp --dport $EMULEUDP -d $EMULEHOST -j ACCEPT
    iptables -A FORWARD -i $EXTIF -o $INTIF -p udp --dport $EMULEUDP2 -d $EMULEHOST -j ACCEPT
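The host rules and the gateway rules above are usually typed one by one; a safer way to deploy them is to generate the whole ruleset, read it, and load it atomically. The script below is an added example, not code from the aMule wiki or the aMule project. It emits both rulesets in iptables-restore format using the page's XX / XX+3 / YY port scheme and the gateway's DNAT and FORWARD rules, and adds what the page leaves implicit: a stateful rule on OUTPUT and, in place of "allow the ephemeral ports", an owner match that lets only the account running aMule open new TCP connections. Assumptions (not from the page): aMule runs under a dedicated user named "amule", the gateway's interfaces are called eth0 and eth1, and the newer conntrack match is used where the page writes -m state.

```shell
#!/bin/sh
# Added example, not code from the aMule wiki: emit the host ruleset and the
# NAT-gateway ruleset described above in iptables-restore format, so they can
# be reviewed in full and then loaded atomically instead of typed rule by rule.
# Assumption: aMule runs under a dedicated account (the hypothetical user
# "amule" below), which lets a DROP policy on OUTPUT be relaxed for that
# account only instead of for every ephemeral source port.

# amule_host_rules TCPPORT UDPPORT [USER]
# Rules for the machine running aMule: XX/tcp, XX+3/udp and YY/udp inbound,
# replies via conntrack, and outbound traffic limited to aMule's own sockets.
amule_host_rules() {
    tcp=$1; udp=$2; user=${3:-amule}
    srv_udp=$((tcp + 3))        # the "XX+3" extended server requests UDP port
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $tcp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport $srv_udp -j ACCEPT
-A INPUT -p udp --dport $udp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --sport $srv_udp -j ACCEPT
-A OUTPUT -p udp --sport $udp -j ACCEPT
-A OUTPUT -p udp --dport 53 -m owner --uid-owner $user -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate NEW -m owner --uid-owner $user -j ACCEPT
COMMIT
EOF
}

# amule_gateway_rules EXTIF INTIF HOST TCPPORT UDPPORT
# Rules for a NAT gateway in front of the aMule host: DNAT the three ports to
# HOST, accept exactly those flows in FORWARD, and masquerade outbound traffic.
# The first POSTROUTING rule keeps HOST's UDP source port YY unchanged on the
# way out (MASQUERADE --to-ports), which is the "do not remap 4672" advice.
# Load with `iptables-restore --noflush` so the gateway's existing INPUT and
# OUTPUT rules are kept; no chain policies are set here for that reason.
amule_gateway_rules() {
    extif=$1; intif=$2; host=$3; tcp=$4; udp=$5
    srv_udp=$((tcp + 3))
    cat <<EOF
*nat
-A PREROUTING -i $extif -p tcp --dport $tcp -j DNAT --to-destination $host:$tcp
-A PREROUTING -i $extif -p udp --dport $udp -j DNAT --to-destination $host:$udp
-A PREROUTING -i $extif -p udp --dport $srv_udp -j DNAT --to-destination $host:$srv_udp
-A POSTROUTING -o $extif -p udp -s $host --sport $udp -j MASQUERADE --to-ports $udp
-A POSTROUTING -o $extif -j MASQUERADE
COMMIT
*filter
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $extif -o $intif -d $host -p tcp --dport $tcp -j ACCEPT
-A FORWARD -i $extif -o $intif -d $host -p udp --dport $udp -j ACCEPT
-A FORWARD -i $extif -o $intif -d $host -p udp --dport $srv_udp -j ACCEPT
-A FORWARD -i $intif -o $extif -j ACCEPT
COMMIT
EOF
}

# Stand-alone use: print both rulesets for the page's example values
# (interface names eth0/eth1 are assumed, not taken from the page).
amule_host_rules 4662 4672
amule_gateway_rules eth0 eth1 10.0.0.2 4662 4672
```

Redirect the output of either function to a file, read it, then load it with iptables-restore (with --noflush on a gateway that already has INPUT/OUTPUT rules). The DNS rule exists because a DROP policy on OUTPUT would otherwise stop the aMule account resolving server names; the owner match requires that the named user actually exists, or iptables-restore rejects the file.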
Once everything is set, you can check here if your ports are now open.
See also the FAQ on "Why does Kademlia still say it is firewalled?"
Routers
Here is a list of routers and how to set them up to forward their ports to aMule.
In the descriptions below, the examples use the default ports (that is, 4662 for the Standard client TCP port, 4672 for the Extended client UDP port and 4665 for the Extended server requests UDP port).
Linksys WRT54GSV4
1. Open your web browser, http://192.168.1.1 and log into it
2. Go under Gaming applications
3. Now forward the ports to your computer:
   1. Standard client TCP port
      1. Change both Ports start and End to 4662
      2. In the next field set TCP
      3. In the field, the last 3 digits of your LAN IP
   2. Extended client UDP port
      1. Change both Ports start and End to 4672
      2. In the next field set UDP
      3. In the field, the last 3 digits of your LAN IP
   3. Extended server requests UDP port
      1. Change both Ports start and End to 4665
      2. In the next field set UDP
      3. In the field, the last 3 digits of your LAN IP
4. Now check Enable
5. And click Save settings
6. Then restart aMule :)
Linksys Router configuration
This portion of the wiki applies only to stock versions of the Linksys firmware. If you are using a Linksys router running a variant of the GPL code, please follow the guides directly above as you are most likely using iptables.
Log into your Linksys router. After successfully logging in, click on the main menu link labeled Applications & Gaming after which you should see an additional submenu list for this section. Make sure you are under the correct submenu by clicking Port Range Forwarding.
At this point, you should see a table with 6 columns. The columns are: Application, Start to, End, Protocol, IP Address, Enable.
The Application column
Friendly name for the service. Put anything you want here, aMule being suggested.
The Start to -> End column
Start and end ports. Start to should be 4662 but, in the end, this should reflect whatever port you have defined in aMule Preferences -> Connection -> Client TCP Port. End should be 4672 but, in the end, this should reflect whatever port you have defined in aMule Preferences -> Connection -> eMule extended UDP Port.
I suggest using 2 separate entries for each port unless this is not possible.
The Protocol column
Protocol to listen for. If you use one line to open your aMule ports, set this option to Both. If you use a separate entry line for each, select option TCP for Client TCP Port and option UDP for eMule extended UDP Port.
The IP Address column
Internal IP address to forward requests to. This is typically the internal (private) IP address of the computer that will use aMule.
The Enable column
Enable rule. You'll need to check this in order to enable your aMule rules.
After adding your rule, make sure you save your settings. You can verify whether your rules work by testing your ports.
DLink Router configuration
Log in to your DLink router. There are three steps to take to enable your aMule ports.
IP Address setup
In the Home tab, click the DHCP button. This page displays the current IP addresses assigned by the router, both static and dynamic. Look for the name or MAC address of the computer you'll be running aMule on. If your computer is receiving dynamically assigned IP addresses, you will have to change your settings every so often if your IP address changes. To avoid this, use the Static DHCP section, and perform the following steps:
- Name: Type in the name of your computer here, could be anything
- IP: The IP address you want the router to always assign to your computer
- MAC Address: The MAC address of your computer. You should already be connected to the router, so you can find your computer in the DHCP Client drop-down menu and click Clone to populate this field
- Click Apply
Now your computer will always receive the same IP address.
Now click on the Advanced tab, and there are two areas that need to be updated:
Virtual Server
- Click the Virtual Server button. This page forwards external requests to a specific internal IP address in your network
- Click Enabled
- Enter a name in the Name entry box, e.g. aMule TCP
- Enter your static IP address in the Private IP box
- Select TCP in Protocol type
- Private port is the port that the router will forward the requests to on your computer. This can be anything, a good value is the default aMule TCP port, 4662
- Public port is the port that the router will receive requests on. Again, a good value is the aMule TCP port of 4662
- Schedule is the times at which the port is open. Select Always, or whatever times you wish
- Click Apply
Applications
- Click the Applications button. This page allows you to enter a range of ports to open for application usage
- Click Enabled
- Enter the TCP port in the first Trigger Port box, a good value being 4662
- Select Trigger Type as TCP
- In Public Port, enter the range from your aMule TCP port to your aMule UDP port, usually 4662-4672
- Select UDP as the Public Type
- Click Apply
You should now be all set, assuming that your computer firewall is setup to allow access on the selected ports.
Alternate Configuration (i.e. instead of Applications) for D-Link
- Go back to Virtual Server and set up 2 other virtual servers for the UDP ports
(It works only that way on my D-Link DI-804HV)
- Virtual server aMuleUDP4665: select your IP address, UDP and port 4665
- Virtual server aMuleUDP4672: select your IP address, UDP and port 4672
(Disable the above aMule Applications entries if you tried them and they did not work.) Then you should have all arrows green (and 3 virtual servers running for aMule, 1 for TCP and 2 for UDP).
Another Alternate Configuration (using Firewall rules) for D-Link (tested on D-Link DI-624)
- Click on the Advanced tab, then click on Firewall. This page can be used to set up firewall rules directly, without any further settings in the Virtual Server or Applications tabs
- Click Enabled
- Enter your preferred name for the rule (must be unique)
- Select WAN as source interface and * for source IP Range Start (IP Range End can be left blank)
- Select LAN as destination interface and enter the static IP of your PC running aMule for destination IP Range Start (IP Range End can be left blank)
- Select * as destination protocol
- Enter 4662-4672 as destination port range
- Select your preferred scheduling
- Click Apply
IMPORTANT NOTE: disable all existing entries for aMule you may have specified in Virtual server or Applications tabs.
- Reboot your router to be sure new configuration is applied (Tools -> Misc).
Belkin Router configuration
Log in to your Belkin router: 192.168.2.1. You will be following these steps twice: once to create a TCP record, and again to create a UDP record.
- Click the Virtual Servers link in the Firewall section on the left. This page forwards external requests to a specific internal IP address in your network
- Pick the first empty row
- Check Enabled
- Enter any name you like in the Description entry box, e.g. aMule TCP/UDP
- For the Inbound port entry boxes, enter 4660 and 4712.
- Select TCP or UDP out of the Type dropdown. If you already have one set up, pick the other.
- For Private IP address enter the IP address the router assigned your machine. There are many ways to find this. Ubuntu users might want to use gnome-nettool (Network Tools) and look at the IPv4 entry under the appropriate network interface. If you like the terminal, type ifconfig and look for the inet addr entry. If you're in Windows, you can type ipconfig from the command line. No matter how you do it, the number should look like 192.168.2.x where x is the number you will be entering.
- Private port is the port that the router will forward the requests to on your computer. Though this can be anything, the default aMule port is 4662 for TCP and 4672 for UDP. Entering 4660 and 4712, same as the inbound port range above, will cover other possible ports.
- Repeat the steps above to make sure you have an entry for both TCP and another entry for UDP.
- Click Apply
- If you have aMule open, go to it and click Disconnect. When the button changes, click Connect. Kad should no longer be firewalled and you should not get another Low ID error. If you still have issues, make sure you completed all the steps correctly by testing your ports: http://www.amule.org/testport.php
Keep in mind that the Private IP address number could change if you're ever disconnected from the router, because it is dynamically assigned by default.
Netgear router
First, go to your router control page, located at http://routerlogin.net/start.htm. Then, on the left side of the screen, under the Advanced group of options, click "Port Forwarding/Port Triggering." Click the "Add Custom Service" button, name it aMule1 (or whatever), set it as a TCP-only forwarding, with the starting and ending port being 4662 and the server IP address being whatever local address you're using (probably 192.168.1.2, if you're the only one connected to the router, but check), and click Apply. Repeat the process with aMule2 and aMule3, using UDP-only ports for both and starting and ending ports of 4665 and 4672, respectively. (That is, the same starting and ending port within aMule2 and aMule3, but aMule2=4665 and aMule3=4672.) Make sure that iptables is properly set up on the machine which will run aMule (as above), and you're done.
Not all Netgear routers are the same, evidently, because on the DG834G it's more complicated. Go to the router's configuration page:
- Select Services from the Content Filtering menu
- Add your three rules (1 x TCP, 2 x UDP) based on your aMule Connection preferences
- Select Firewall Rules from the same menu
- Add all three rules as Inbound Services
- Add both UDP rules as Outbound Services (only one of these is crucial but I add the other just in case)
TRENDnet router TW100
First connect to your router: usually, open a browser and type the router IP address directly, such as 192.168.0.1 (or 192.168.1.1); then the login box should appear (depending on your router config). If so, answer the login prompt with 'admin' as username and nothing as password (or your password if you set one).
Then, on the left side menu, select Internet and then select Advanced Setup (Advanced Internet). Then click/select [Special Applications]:
Add or replace 2 lines in the Special Applications list (try not to remove something which you are using and which is already enabled; just add the new applications for aMule at the end, in position Nr. 5 or Nr. 6 in the list, for example):
Create the entries as follows:
amuleU4665 TCP-4665-4665 UDP-4665-4665
amuleU4672 TCP-4672-4672 UDP-4672-4672
(In my Application List the "amuleU4665" and "amuleU4672" are in Nr. 1 and Nr. 2, but they can be in any position in your list.)
-> Click on the small box [ ] on the left for both lines of your amuleUxxxx applications to enable the special applications to work!
Then click on [Save], then click on [Close].
Then click on [Save] again on the Advanced Internet page.
The next and last step is to click on the "Virtual Servers" menu on the left side; then the Virtual Server page will appear:
Add a new virtual server named, for example, AmuleTCP
Select your computer's IP address in the drop-down menu
Select: TCP
Enter port 4662 in both port fields (both fields the same port)
Then [Add as new server]
Then you are set to have High ID and Kad ON. Finished with the Low-ID, yellow arrows and Kad Firewalled. Now all your arrows should be green and you should have access to Kad and ed2k.
Important Note:
- Be careful if your computer is using the DHCP protocol (i.e. it obtains its IP address from the router).
The router might not always give the same IP address to your computer (normally it does, but sometimes it can change). You have two solutions if you see that you have a Low ID:
1) Log back into the router, go back to the virtual server, select the amuleTCP virtual server that you created and just reselect your computer in the "PC(server)" entry box. Then select [Update this server] and log out. It should do the job.
Or an alternative solution:
2) You can set up your computer with a fixed IP address if you want. If this Low-ID problem happens too often because your DHCP router gives a different IP address to your computer, then you can put your computer in static mode or give it a DHCP reserved address. But you need to know your DNS server(s) before doing that, so check with your ISP which are your DNS servers. Then configure your computer to run with a fixed DHCP / static address / manual address (the name depends on what OS you are running). For that, go to your network settings and put in the IP address you want, the gateway (your router's IP address) and the DNS from your ISP. All this is to be done in the Other / PC Database (Admin) page of the router.
In case your TRENDnet router crashes or stops forwarding any traffic from/to your aMule computer (it happened to me), then:
- reduce the Connection limit (in Preferences -> Connection) to 100 (or to 50)
- reduce the "Max new connections / 5 secs" (in Preferences -> Core Tweaks) to 10 (or to 5)
Stop and restart aMule so that the configuration is validated.
Make some tests to find your best config. It should give more stability to your router and keep it from crashing (i.e. having to reset it and/or turn it off and on). This might be true for other routers as well(?).
(TRENDnet Firewall from RFV - --Robert364 17:05, 5 Nov 2006 (CET))
OpenBSD
The firewall that comes with OpenBSD is called packetfilter (pf). To get aMule running, you must add the following rules to your pf.conf (/etc/pf.conf):
# aMule TCP and UDP
rdr pass on egress proto tcp to port 4662 -> IPADDR
rdr pass on egress proto udp to port 4672 -> IPADDR
rdr pass on egress proto udp to port 4665 -> IPADDR
IPADDR is the internal ip-address of the computer in your network that runs aMule.
pf works out the name of the outer interface (the one connected to the internet) automatically, thanks to the keyword "egress" (this means "the interface the default route goes through", and it is updated dynamically in case of change).
Example (IP of computer running aMule is 192.168.1.10):
# aMule TCP and UDP
rdr pass on egress proto tcp to port 4662 -> 192.168.1.10
rdr pass on egress proto udp to port 4672 -> 192.168.1.10
rdr pass on egress proto udp to port 4665 -> 192.168.1.10
Of course, the computer running aMule must also have access to the internet so add the following rules too:
nat on egress from IPADDR to any -> (egress)
IPADDR is the internal ip-address of the computer in your network that runs aMule.
Example (like above):
nat on egress from 192.168.1.10 to any -> (egress)
To activate the changed configuration, reboot or execute the following command:
pfctl -f /etc/pf.conf
In order to have the firewall automatically loaded at boot:
echo PF=yes >> /etc/rc.conf.local
To give KAD a better connection than "firewalled" put the following at the beginning of the NAT section of pf.conf (because NAT rules work on the first matching rule in the list, unlike the rest of pf.conf):
no nat on egress proto udp from 192.168.1.10 port 4672 to any
See the FAQ on "Why does Kademlia still say it is firewalled?"
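The ordering point above is easy to get wrong when editing pf.conf by hand. The following script, an added example and not part of the aMule wiki or of pf, checks a pf.conf fragment in the old rdr/nat syntax used on this page: it verifies that all three rdr rules exist and forward to the same host, that the "no nat" exemption for the Kad UDP port is present, and that it comes before the first nat rule (first match wins). The sample pf.conf and the host 192.168.1.10 are constructed for the example.

```python
import re

# Constructed pf.conf fragment in the old rdr/nat syntax the page uses. The
# "no nat" exemption for UDP 4672 is placed before the nat rule, as the page
# requires, and the three rdr rules forward aMule's default ports.
SAMPLE_PF_CONF = """\
ext_if = "egress"
# aMule: keep source port 4672 untouched so Kad does not report "firewalled"
no nat on egress proto udp from 192.168.1.10 port 4672 to any
nat on egress from 192.168.1.10 to any -> (egress)
# aMule TCP and UDP
rdr pass on egress proto tcp to port 4662 -> 192.168.1.10
rdr pass on egress proto udp to port 4672 -> 192.168.1.10
rdr pass on egress proto udp to port 4665 -> 192.168.1.10
"""

RDR_RE = re.compile(r"^rdr\s+pass\s+on\s+\S+\s+proto\s+(tcp|udp)\s+to\s+port\s+(\d+)\s+->\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+on\s+")
NO_NAT_RE = re.compile(r"^no\s+nat\s+on\s+\S+\s+proto\s+udp\s+from\s+\S+\s+port\s+(\d+)")

def check_pf_conf(conf, tcp_port=4662, udp_ports=(4672, 4665), kad_port=4672):
    """Return a list of problems; an empty list means the aMule rules look right."""
    problems, rdr = [], {}
    first_nat = no_nat_line = None
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        m = RDR_RE.match(line)
        if m:
            rdr[(m.group(1), int(m.group(2)))] = m.group(3)
        elif NAT_RE.match(line) and first_nat is None:
            first_nat = lineno
        else:
            m = NO_NAT_RE.match(line)
            if m and int(m.group(1)) == kad_port:
                no_nat_line = lineno
    required = [("tcp", tcp_port)] + [("udp", p) for p in udp_ports]
    for key in required:
        if key not in rdr:
            problems.append("missing rdr rule for %s/%d" % key)
    targets = {rdr[k] for k in required if k in rdr}
    if len(targets) > 1:
        problems.append("rdr rules forward to different hosts: %s" % sorted(targets))
    if no_nat_line is None:
        problems.append("no 'no nat' exemption for UDP port %d" % kad_port)
    elif first_nat is not None and no_nat_line > first_nat:
        problems.append("'no nat' for UDP %d is on line %d, after the nat rule on line %d; "
                        "first match wins, so it never applies" % (kad_port, no_nat_line, first_nat))
    return problems
```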
iptables
This is the default firewall for many Linux distributions.
/sbin/iptables -t filter -A INPUT -m state --state NEW -m tcp -p tcp --dport 4662 -j ACCEPT
/sbin/iptables -t filter -A INPUT -m state --state NEW -m udp -p udp --dport 4665 -j ACCEPT
/sbin/iptables -t filter -A INPUT -m state --state NEW -m udp -p udp --dport 4672 -j ACCEPT
My router is not here?
If you have another type of router, check the correct aMule (or eMule) NAT settings for your model on this site: http://www.portforward.com/
Enable UPnP through the firewall
If you use UPnP in aMule and your PC runs a personal firewall, then you should allow incoming connections on the UPnP port (default TCP 50000, but configurable in aMule) and incoming UDP connections on any port coming from your default gateway's port 1900 (that is, connections have source port 1900 but can be directed to any port on your PC). Here are the lines I used to do this on iptables (192.168.0.1 is my UPnP-enabled router):
/sbin/iptables -t filter -A INPUT -m state --state NEW -m tcp -p tcp --dport 50000 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p udp -s 192.168.0.1 --sport 1900 -j ACCEPT
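Appending rules with -A only helps if nothing earlier in the INPUT chain drops the traffic first. The script below, an added example that is not part of the aMule wiki or of iptables, reads an iptables-save style dump of the INPUT chain and checks both the three aMule rules from the iptables section and the UPnP rules above: every wanted port must have an ACCEPT, the gateway's UDP source port 1900 must be accepted, and none of those ACCEPTs may sit after an unconditional DROP/REJECT, where it never matches. The dump, the router address 192.168.0.1 and the UPnP port 50000 are constructed to mirror the page.

```python
# Constructed iptables-save style INPUT chain: the page's aMule rules plus the UPnP lines.
SAMPLE_RULES = """\
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4662 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4665 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4672 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50000 -j ACCEPT
-A INPUT -s 192.168.0.1/32 -p udp -m udp --sport 1900 -j ACCEPT
-A INPUT -j DROP
"""

def parse_rule(line):
    # Keep only the options the check needs, e.g. {"-p": "udp", "--dport": "4672", "-j": "ACCEPT"}
    toks = line.split()
    return {t: toks[i + 1] for i, t in enumerate(toks[:-1])
            if t in ("-p", "-s", "--dport", "--sport", "-j")}

def check_input_chain(dump, tcp_ports=(4662,), udp_ports=(4665, 4672), gateway=None):
    """Return problems with the INPUT chain; an empty list means every wanted port is reachable."""
    wanted = {("tcp", str(p)) for p in tcp_ports} | {("udp", str(p)) for p in udp_ports}
    want_ssdp = gateway is not None      # UDP replies from the router's port 1900 (UPnP)
    shadowed, problems = False, []
    for line in dump.splitlines():
        if not line.startswith("-A INPUT "):
            continue
        r = parse_rule(line)
        # A DROP/REJECT with no protocol or source match ends evaluation for every rule after it.
        if r.get("-j") in ("DROP", "REJECT") and "-p" not in r and "-s" not in r:
            shadowed = True
            continue
        if r.get("-j") != "ACCEPT":
            continue
        matched = None
        key = (r.get("-p"), r.get("--dport"))
        if key in wanted:
            wanted.discard(key)
            matched = "%s dport %s" % key
        elif want_ssdp and r.get("-p") == "udp" and r.get("--sport") == "1900" \
                and r.get("-s", "").split("/")[0] == gateway:
            want_ssdp = False
            matched = "udp from %s sport 1900" % gateway
        if matched and shadowed:
            problems.append("ACCEPT for %s sits after an unconditional DROP/REJECT and never matches" % matched)
    for proto, port in sorted(wanted):
        problems.append("no ACCEPT for %s dport %s" % (proto, port))
    if want_ssdp:
        problems.append("no ACCEPT for UDP from %s sport 1900 (UPnP replies)" % gateway)
    return problems
```

On a live system, feed it the output of iptables-save (as root) and pass the UPnP port in tcp_ports together with your router's address as gateway.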