Gentoo Wiki

HOWTO_Setup_UPnP_with_IPTables

This article is part of the HOWTO series.

Requirements

Kernel 2.4 or higher, with netfilter support

iptables

A route for the multicast range 239.0.0.0/8 via the internal (LAN) interface. The daemon announces itself and answers discovery requests on the SSDP multicast group 239.255.255.250; without this route that traffic follows the default route out of the external interface instead of reaching your LAN clients:

 route add -net 239.0.0.0 netmask 255.0.0.0 dev <int_if>
or
 ip route add 239.0.0.0/8 dev <int_if>

Instruction

UPnP (Universal Plug and Play) lets applications on the LAN, such as Azureus and MSN Messenger, ask the gateway to open and forward ports for them. Keep in mind that the IGD protocol has no authentication: any host on the internal network can request a port mapping, so run linux-igd only on a LAN you trust, and make sure the daemon's own ports (SSDP on 1900/udp and its HTTP control port) are reachable from the internal interface only.

At the present time, all required packages are in Portage and are up to date there. This may or may not change in the future. First do a pretend emerge of linux-igd to make sure everything it would pull in is acceptable to you, then emerge it; libupnp is pulled in as a dependency. The -a (ask) and -v (verbose) flags below show the full package list and wait for confirmation before building anything:

 emerge -av linux-igd

After that, edit /etc/conf.d/upnpd and set your internal and external interfaces. You also need to edit the daemon's own config file, /etc/linuxigd/upnpd.conf. YOU MUST remove the spaces around the equals signs: the config parser does not handle them, the settings are read wrong without any useful error, and the resulting headaches are hard to trace back to the file. If you don't remove the spaces around the equals signs in /etc/linuxigd/upnpd.conf, we will taunt you again.

 nano /etc/conf.d/upnpd
 nano /etc/linuxigd/upnpd.conf

You may now start the service (as root):

su
/etc/init.d/upnpd start

If you find that it is not working, first check whether the daemon is still running. If it is not, check your log files for the errors it printed on the way out. Then check all your config files. Again, it has been proven necessary to taunt: check your configuration files. If there are spaces around the equals signs in the linux-igd config file, you WILL look stupid at parties. If you get error -204, the problem is in your firewall script rather than in the daemon. Arno's IPTABLES Firewall Script worked for the original author of this how-to. Remember that iptables setups differ from box to box, so treat the example further down as a starting point, not a drop-in.
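As an added example (not from this page or from the linux-igd project), a small shell helper for the config step above: it strips the whitespace around "=" in upnpd.conf the way the text demands, leaves comment lines alone, reads back the chain names, and refuses a file that still has spaced assignments. It runs here against a constructed sample config; the real file is /etc/linuxigd/upnpd.conf, and everything beyond the forward_chain_name and prerouting_chain_name keys, including the optional chain-existence check, is an assumption.

```shell
#!/bin/bash
# Added example, not code from the page or from linux-igd: normalise
# "key = value" to "key=value" in upnpd.conf and sanity-check the result.
# Path, sample contents and the chain-existence check are assumptions.
set -u

# Rewrite only assignment lines; comments and blank lines are left untouched.
normalize_upnpd_conf() {            # $1 = config file (edited in place)
    sed -i -e '/^[[:space:]]*#/!s/^\([[:space:]]*[A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=[[:space:]]*/\1=/' "$1"
}

# Print the value of a key (first occurrence), or nothing if it is absent.
# Only works once the file is normalised, which is exactly the daemon's problem.
upnpd_conf_get() {                  # $1 = key, $2 = config file
    sed -n "s/^[[:space:]]*$1=\(.*\)$/\1/p" "$2" | head -n 1
}

# Count assignment lines that still have whitespace next to '=' (want 0).
upnpd_conf_bad_assignments() {      # $1 = config file
    grep -c -E '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]+=|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=[[:space:]]+' "$1" || true
}

# Constructed sample mirroring the "key = value" layout the text warns about
# (this is not the stock file, which carries more keys).
write_sample_conf() {               # $1 = destination path
    cat > "$1" <<'EOF'
# linux-igd configuration (constructed sample)
# note: comments with spaces = untouched by the normaliser
forward_chain_name = UPNP_FORWARD
  prerouting_chain_name =  UPNP_PREROUTING
EOF
}

# Check a normalised file: no spaced assignments, both chain names set, and
# (only when CHECK_CHAINS=1 and running as root) the chains actually exist.
check_upnpd_conf() {                # $1 = config file
    local f=$1 fwd pre
    [ "$(upnpd_conf_bad_assignments "$f")" -eq 0 ] || { echo "spaces around '=' in $f"; return 1; }
    fwd=$(upnpd_conf_get forward_chain_name "$f")
    pre=$(upnpd_conf_get prerouting_chain_name "$f")
    [ -n "$fwd" ] && [ -n "$pre" ] || { echo "chain names missing in $f"; return 1; }
    if [ "${CHECK_CHAINS:-0}" = 1 ] && [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null; then
        iptables -t filter -L "$fwd" -n >/dev/null 2>&1 || { echo "filter chain $fwd does not exist"; return 1; }
        iptables -t nat -L "$pre" -n >/dev/null 2>&1 || { echo "nat chain $pre does not exist"; return 1; }
    fi
    echo "$f: ok (forward=$fwd prerouting=$pre)"
}

# Usage on a real box: normalize_upnpd_conf /etc/linuxigd/upnpd.conf
#                      CHECK_CHAINS=1 check_upnpd_conf /etc/linuxigd/upnpd.conf
```

Run the check with CHECK_CHAINS=1 after your firewall script has created the chains; before that it only validates the file itself.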

Finally, linux-igd appends its forwarding rules to the chain named in forward_chain_name (FORWARD by default). If your firewall script ends that chain with an explicit catch-all DROP or REJECT rule, the daemon's rules land below it and are never reached. In that case remove the catch-all rule and make DROP (or REJECT) the default policy of the FORWARD chain instead (iptables -P FORWARD DROP), which drops unmatched traffic without shadowing anything appended later.

Another way to keep the daemon's rules from ending up after a DROP/REJECT is to give them a chain of their own (a chain, not a table: the tables are filter, nat and mangle, and chains live inside them):

 iptables -N UPNP

and then jump to it at the beginning of the FORWARD chain (or somewhere else suitable; the jump only has to come before any rule that would drop the traffic, so use -I FORWARD 1 instead of -A if FORWARD already has rules):

 iptables -A FORWARD -j UPNP

Then put this chain name in /etc/linuxigd/upnpd.conf under forward_chain_name. If the UPNP chain is empty, or none of its rules match a packet, iptables simply returns to the calling chain (FORWARD in this case) and continues with the next rule there, so the rest of your rule set behaves as before.

Iptables config example

This is how I got UPnP working.

In /etc/linuxigd/upnpd.conf set:

 forward_chain_name=UPNP_FORWARD
 prerouting_chain_name=UPNP_PREROUTING


And configure iptables like this (eth0 is the internal interface here; none of the INPUT rules should ever be applied to the external one):

 # Good firewalls drop everything that has not been explicitly allowed,
 # so first create rules to allow other LAN computers to reach the upnp daemon:
 # SSDP discovery on the multicast group (UDP 1900) and the HTTP/SOAP control
 # port that libupnp opens (49152 by default).
 iptables -t filter -A INPUT -i eth0 -d 239.0.0.0/8 -j ACCEPT
 iptables -t filter -A INPUT -i eth0 -p tcp --dport 49152 -j ACCEPT
 iptables -t filter -A INPUT -i eth0 -p udp --dport 1900 -j ACCEPT
 
 # Create the chains the upnp daemon will add its rules to, and jump to them.
 # The jumps must come before any catch-all DROP/REJECT rule in FORWARD,
 # otherwise the daemon's rules are never reached (use -I FORWARD 1 instead
 # of -A if FORWARD already has rules).
 iptables -t filter -N UPNP_FORWARD
 iptables -t filter -A FORWARD -j UPNP_FORWARD
 iptables -t nat -N UPNP_PREROUTING
 iptables -t nat -A PREROUTING -j UPNP_PREROUTING
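As an added example (not code from this page or from linux-igd) that ties the chain-ordering advice above to this config: a skeleton firewall script that creates UPNP_FORWARD and UPNP_PREROUTING, inserts the jumps to them at position 1 so nothing appended later can shadow the daemon's rules, uses a DROP policy on FORWARD instead of a trailing DROP rule, and adds the 239.0.0.0/8 route. It also carries a checker that reads `iptables -S FORWARD` output and reports whether the UPNP_FORWARD jump sits above any terminal DROP/REJECT rule; the script runs that checker over a constructed chain listing so it can be tried without touching a live firewall. Interface names (eth0 inside, eth1 outside), the LAN prefix and the sample listing are assumptions; the script is a skeleton, not a complete firewall.

```shell
#!/bin/bash
# Added example, not code from the page or from linux-igd: a skeleton gateway
# rule set for upnpd plus a check for the FORWARD-chain ordering problem.
# Interface names, LAN prefix and the sample listing below are assumptions.
set -u

INT_IF=${INT_IF:-eth0}              # LAN side, where clients talk to the daemon (assumed)
EXT_IF=${EXT_IF:-eth1}              # Internet side, where DNAT'd traffic arrives (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumed LAN prefix

# Read `iptables -S FORWARD` output on stdin. Return 0 only if the jump to the
# UPnP chain comes before the first terminal DROP/REJECT rule (a policy line
# does not count: it is evaluated last by definition). Return 2 if there is
# no jump at all, because then the daemon's rules never run either.
upnp_jump_precedes_drop() {         # $1 = chain the daemon fills (default UPNP_FORWARD)
    local chain=${1:-UPNP_FORWARD} n=0 jump=0 drop=0 line
    while IFS= read -r line; do
        case "$line" in -P*) continue ;; esac
        n=$((n + 1))
        case "$line" in
            "-A FORWARD"*" -j $chain") [ "$jump" -eq 0 ] && jump=$n ;;
            "-A FORWARD"*" -j DROP"|"-A FORWARD"*" -j REJECT"*) [ "$drop" -eq 0 ] && drop=$n ;;
        esac
    done
    [ "$jump" -ne 0 ] || return 2
    [ "$drop" -eq 0 ] || [ "$jump" -lt "$drop" ]
}

# Install the rule set (run as root). FORWARD and nat PREROUTING are flushed
# first so re-running does not stack duplicate jumps.
apply_upnp_firewall() {
    iptables -P FORWARD DROP                     # policy drops; no trailing DROP rule to shadow upnpd's rules
    iptables -F FORWARD
    iptables -t nat -F PREROUTING
    iptables -t filter -N UPNP_FORWARD 2>/dev/null || iptables -t filter -F UPNP_FORWARD
    iptables -t nat -N UPNP_PREROUTING 2>/dev/null || iptables -t nat -F UPNP_PREROUTING

    # LAN hosts may reach the daemon: SSDP (UDP 1900, multicast) and libupnp's
    # HTTP/SOAP control port (49152 by default). Never on EXT_IF.
    iptables -A INPUT -i "$INT_IF" -d 239.0.0.0/8 -j ACCEPT
    iptables -A INPUT -i "$INT_IF" -p udp --dport 1900 -j ACCEPT
    iptables -A INPUT -i "$INT_IF" -p tcp --dport 49152 -j ACCEPT

    # Jumps at position 1: whatever upnpd appends to its chains is seen first.
    iptables -I FORWARD 1 -j UPNP_FORWARD
    iptables -t nat -I PREROUTING 1 -j UPNP_PREROUTING

    # Ordinary stateful gateway rules go after the jumps.
    iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

    # Multicast route so SSDP announcements leave via the LAN interface.
    ip route replace 239.0.0.0/8 dev "$INT_IF"
}

# Constructed `iptables -S FORWARD` listings (not captured from a real box).
# The first shows the failure mode: a catch-all DROP above the jump.
SAMPLE_SHADOWED='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -j DROP
-A FORWARD -j UPNP_FORWARD'
# The second is what apply_upnp_firewall produces: jump first, policy drops.
SAMPLE_FIXED='-P FORWARD DROP
-A FORWARD -j UPNP_FORWARD
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT'

# Returns 0 if the checker flags the shadowed layout and passes the fixed one.
demo_ordering_check() {
    ! printf '%s\n' "$SAMPLE_SHADOWED" | upnp_jump_precedes_drop UPNP_FORWARD || return 1
    printf '%s\n' "$SAMPLE_FIXED" | upnp_jump_precedes_drop UPNP_FORWARD
}

# Live check on a running gateway: chain ordering and the multicast route.
check_live() {
    iptables -S FORWARD | upnp_jump_precedes_drop UPNP_FORWARD \
        && echo "ok: jump to UPNP_FORWARD is above any DROP/REJECT in FORWARD" \
        || echo "problem: upnpd rules would be shadowed, or there is no jump to UPNP_FORWARD"
    ip route get 239.255.255.250 2>/dev/null | grep -q "dev $INT_IF" \
        && echo "ok: multicast leaves via $INT_IF" \
        || echo "problem: no 239.0.0.0/8 route via $INT_IF"
}

case "${1:-}" in
    apply) apply_upnp_firewall ;;
    check) check_live ;;
    demo)  demo_ordering_check && echo "ordering check behaves as expected" ;;
esac
```

Run it as `./upnp-fw.sh apply` once, then `./upnp-fw.sh check` after upnpd has been restarted; `demo` exercises the checker on the constructed listings only. The checker deliberately ignores the -P policy line: a DROP policy is the recommended way to drop unmatched traffic precisely because it can never sit above the daemon's rules.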
Retrieved from "http://www.gentoo-wiki.info/HOWTO_Setup_UPnP_with_IPTables"

Last modified: Sat, 16 Feb 2008 13:13:00 +0000