MiniUpNp & iptables

[nickjf20]

Hi,

So I am trying to get the MiniUpNp project to work with TCL in the hope that it can be used with the fork 'Mine OS+' which I am developing. I was going to post this in the extensions section, but my problem is allowing Miniupnp through the TCL firewall. I had a long talk with the creator of Miniupnp, and it seems that my iptables file isn't to blame, and I compiled the Miniupnp project from source using the recommended flags given in the wiki. I even disabled the firewall tcz from loading on boot to see if that was the problem. TCL is connected to the network through a bridged connection in virtual box.

Here is what we should see when the upnpc client is run; (192.168.10.254 is the upnp router)

  $ sudo tshark -i eth0 port 1900
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000 192.168.10.35 -> 239.255.255.250 SSDP M-SEARCH * HTTP/1.1
  0.001934 192.168.10.254 -> 192.168.10.35 SSDP HTTP/1.1 200 OK
  1.620583 192.168.10.254 -> 239.255.255.250 SSDP NOTIFY * HTTP/1.1
  1.621632 192.168.10.254 -> 239.255.255.250 SSDP NOTIFY * HTTP/1.1
  1.623239 192.168.10.254 -> 239.255.255.250 SSDP NOTIFY * HTTP/1.1
  1.625945 192.168.10.254 -> 239.255.255.250 SSDP NOTIFY * HTTP/1.1
  1.626944 192.168.10.254 -> 239.255.255.250 SSDP NOTIFY * HTTP/1.1
  1.627918 192.168.10.254 -> 239.255.255.250 SSDP NOTIFY * HTTP/1.1
  1.628919 192.168.10.254 -> 239.255.255.250 SSDP NOTIFY * HTTP/1.1
  1.630063 192.168.10.254 -> 239.255.255.250 SSDP NOTIFY * HTTP/1.1
  1.631068 192.168.10.254 -> 239.255.255.250 SSDP NOTIFY * HTTP/1.1
  1.632176 192.168.10.254 -> 239.255.255.250 SSDP NOTIFY * HTTP/1.1

Whereas I am receiving this;

Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000 192.168.1.109 -> 239.255.255.250 SSDP M-SEARCH * HTTP/1.1
  2.002259 192.168.1.109 -> 239.255.255.250 SSDP M-SEARCH * HTTP/1.1
  4.004569 192.168.1.109 -> 239.255.255.250 SSDP M-SEARCH * HTTP/1.1
  6.006929 192.168.1.109 -> 239.255.255.250 SSDP M-SEARCH * HTTP/1.1

As you can see the SSDP M-SEARCH packets do seem to be getting past the TCL iptables, but no response gets back into TCL which is the strange part.

This is my iptabes config file which I *think* is the culprit.

:POSTROUTING ACCEPT [1:72]
:OUTPUT ACCEPT [1:72]
COMMIT
# Completed on Wed Jan 12 08:47:59 2011
# Generated by iptables-save v1.4.10 on Wed Jan 12 08:47:59 2011
*filter
:INPUT DROP [1:28]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [185:18724]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT
-A INPUT -p udp -m udp --dport 1900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1900 -j ACCEPT
COMMIT


I did see the extension Gupnp in the repo, however I need a cli client which can portforward any upnp compatible router, and miniupnp it seems is the only way I can do this.

Thanks for a great OS,

Nick

[tinypoodle]

I was going to post this in the extensions section, but my problem is allowing Miniupnp through the TCL firewall.

I can't understand where the "but" would come in...

[nickjf20]

The discovery process of UPnP uses the SSDP protocol, which is UDP on port 1900, multicast group 239.255.255.250.

My problem is that these packets are somewhere getting blocked, and I believe it lies with iptables. Not *primarily* to do with miniupnp.

If someone wants to move this topic though, they're more than welcome !

[curaga]

We have multicast currently disabled. It will be enabled for 4.x.

[nickjf20]

Thanks, I look forward to it.