[Firewall] miniupnpd and arno firewall

Daniel Rune Jensen danielrj at turbopost.dk
Tue Jan 31 00:23:56 CET 2012


I have been using linux-igd 1.0 together with the linux-upnp-igd.plugin 
included in arno iptables. This has been working nicely but linux-igd is 
to be removed from my distribution (gentoo) as it no longer seems to be 
maintained. So i need to migrate to miniupnpd. Miniupnpd has two bash 
scripts for iptables initialization:

iptables_init.sh
#! /bin/sh
# $Id: iptables_init.sh,v 1.5 2011/05/16 12:11:37 nanard Exp $
IPTABLES=/sbin/iptables

# change these parameters:
EXTIF=eth0
EXTIP="`LC_ALL=C /sbin/ifconfig $EXTIF | grep 'inet ' | awk '{print $2}' | sed -e 's/.*://'`"
echo "External IP = $EXTIP"

# adding the MINIUPNPD chain for nat
$IPTABLES -t nat -N MINIUPNPD
# adding the rule to MINIUPNPD (the variant restricted to EXTIP is left commented out)
#$IPTABLES -t nat -A PREROUTING -d $EXTIP -i $EXTIF -j MINIUPNPD
$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD

# adding the MINIUPNPD chain for filter
$IPTABLES -t filter -N MINIUPNPD
# adding the rule to MINIUPNPD
$IPTABLES -t filter -A FORWARD -i $EXTIF ! -o $EXTIF -j MINIUPNPD

and

iptables_removeall.sh
#! /bin/sh
# $Id: iptables_removeall.sh,v 1.5 2011/05/16 12:11:37 nanard Exp $
IPTABLES=/sbin/iptables

# change these parameters:
EXTIF=eth0
EXTIP="`LC_ALL=C /sbin/ifconfig $EXTIF | grep 'inet ' | awk '{print $2}' | sed -e 's/.*://'`"

# removing the MINIUPNPD chain for nat
$IPTABLES -t nat -F MINIUPNPD
# removing the rule to MINIUPNPD (the variant restricted to EXTIP is left commented out)
#$IPTABLES -t nat -D PREROUTING -d $EXTIP -i $EXTIF -j MINIUPNPD
$IPTABLES -t nat -D PREROUTING -i $EXTIF -j MINIUPNPD
$IPTABLES -t nat -X MINIUPNPD

# removing the MINIUPNPD chain for filter
$IPTABLES -t filter -F MINIUPNPD
# removing the rule to MINIUPNPD
$IPTABLES -t filter -D FORWARD -i $EXTIF ! -o $EXTIF -j MINIUPNPD
$IPTABLES -t filter -X MINIUPNPD

In miniupnpd.conf the chain names mentioned are:
# chain names for netfilter (not used for pf or ipf).
# default is MINIUPNPD for both
#upnp_forward_chain=forwardUPnP
#upnp_nat_chain=UPnP

All rather confusing to me. Looking at the linux-igd plugin included in 
arno:

plugin_start()
{
   # Create new UPNP_FORWARD chain to be used by linuxigd (aka upnpd):
   iptables -N UPNP_FORWARD 2>/dev/null
   iptables -F UPNP_FORWARD
   iptables -N UPNP_FORWARD_HOOK 2>/dev/null
   iptables -F UPNP_FORWARD_HOOK

   # Insert rule into the FORWARD chain:
   IFS=' ,'
   for eif in $EXT_IF; do
     iptables -A UPNP_FORWARD_HOOK -i $eif ! -o $eif -j UPNP_FORWARD
   done

   iptables -A FORWARD -j UPNP_FORWARD_HOOK

   return 0
}

I guess that the upnp_forward_chain must be the UPNP_FORWARD. But I 
can't seem to find a match for upnp_nat_chain used in miniupnpd. Has 
anyone successfully modified 50linux-upnp-igd.plugin so it will match 
miniupnpd or can anyone point me in the right direction?

(my very first mailing list post, bear with me if I have made any errors)

Regards
Daniel
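An Arno-style plugin for miniupnpd's two chains, written here as an added example (it is not the poster's code, nor Arno's plugin, nor miniupnpd's own scripts). It assumes Arno's EXT_IF variable (external interfaces, space or comma separated) and that the chain names equal upnp_nat_chain / upnp_forward_chain in miniupnpd.conf (both default to MINIUPNPD). The nat chain is hooked from PREROUTING and the filter chain from FORWARD, one hook rule per external interface, the way iptables_init.sh does for a single EXTIF; rule generation is kept apart from execution so the whole rule set can be dry-run with IPTABLES="echo iptables" before the live firewall is touched.

```shell
#!/bin/sh
# Added example, not code from the thread, from Arno's plugin or from miniupnpd.
# Assumed environment: EXT_IF as Arno sets it; chain names matching miniupnpd.conf.

IPTABLES="${IPTABLES:-/sbin/iptables}"
EXT_IF="${EXT_IF:-eth0}"
UPNP_NAT_CHAIN="${UPNP_NAT_CHAIN:-MINIUPNPD}"   # upnp_nat_chain in miniupnpd.conf
UPNP_FWD_CHAIN="${UPNP_FWD_CHAIN:-MINIUPNPD}"   # upnp_forward_chain in miniupnpd.conf

# Call function "$1" once per interface in EXT_IF, splitting on space and comma
# as Arno does. The subshell keeps the IFS change from leaking to the caller.
for_each_ext_if() {
  ( IFS=' ,'; for _eif in $EXT_IF; do "$1" "$_eif"; done )
}

# Print one iptables argument list per line needed to set the chains up.
miniupnpd_rules_start() {
  echo "-t nat -N $UPNP_NAT_CHAIN"
  echo "-t nat -F $UPNP_NAT_CHAIN"
  echo "-t filter -N $UPNP_FWD_CHAIN"
  echo "-t filter -F $UPNP_FWD_CHAIN"
  for_each_ext_if _hook_rules
}
_hook_rules() {
  # Only packets arriving on an external interface reach the UPnP chains;
  # "! -o $1" keeps them from being forwarded back out the same interface.
  echo "-t nat -A PREROUTING -i $1 -j $UPNP_NAT_CHAIN"
  echo "-t filter -A FORWARD -i $1 ! -o $1 -j $UPNP_FWD_CHAIN"
}

# Tear down in reverse order: unhook first, then flush and delete, so no
# packet can jump into a chain while it is being emptied.
miniupnpd_rules_stop() {
  for_each_ext_if _unhook_rules
  echo "-t nat -F $UPNP_NAT_CHAIN"
  echo "-t nat -X $UPNP_NAT_CHAIN"
  echo "-t filter -F $UPNP_FWD_CHAIN"
  echo "-t filter -X $UPNP_FWD_CHAIN"
}
_unhook_rules() {
  echo "-t nat -D PREROUTING -i $1 -j $UPNP_NAT_CHAIN"
  echo "-t filter -D FORWARD -i $1 ! -o $1 -j $UPNP_FWD_CHAIN"
}

# Feed every line produced by generator "$1" to $IPTABLES. Creating a chain
# that already exists is tolerated (Arno's "-N ... 2>/dev/null"); any other
# failure makes the function return 1.
apply_rules() {
  "$1" | while read -r _args; do
    case " $_args " in
      *" -N "*) $IPTABLES $_args 2>/dev/null || true ;;
      *)        $IPTABLES $_args || exit 1 ;;
    esac
  done
}

# Entry points in the shape Arno's plugins use.
plugin_start() { apply_rules miniupnpd_rules_start; }
plugin_stop()  { apply_rules miniupnpd_rules_stop; }
```

Source the file and run plugin_start / plugin_stop as root; with IPTABLES="echo iptables" exported first, the same calls only print the commands, which is a cheap way to check that the PREROUTING and FORWARD hooks appear for every interface in EXT_IF and that the chain names match miniupnpd.conf before any rule is loaded.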


