miniupnp.tuxfamily.org Forum Index miniupnp.tuxfamily.org
The forum about miniupnp and libnatpmp
iptables rules are created without interface (SOLVED)

arokh



Joined: 06 Mar 2011
Posts: 5

Posted: Sun Jun 22, 2014 10:29 am    Post subject: iptables rules are created without interface (SOLVED)

So I just fired up Call of Duty Ghosts on my PS4 after a long break and noticed I couldn't play online anymore; it would just hang at "Connecting to Online Services".

Ghosts uses UPnP to forward UDP port 3074, so I fire up tcpdump on my router and see this:

Code:

11:18:10.093380 IP 10.1.1.5.3074 > 209.170.124.117.3074: UDP, length 3
11:18:10.093464 IP 10.1.1.5.3074 > 10.1.1.5.3074: UDP, length 3


My PS4 is 10.1.1.5; as you can see, it tries connecting to 209.170.124.117:3074, but the router is redirecting the traffic right back!

So I look at the MINIUPNPD chain to see what it's actually done:

Code:

Chain MINIUPNPD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3704 to:10.1.1.5:3704


As you can see there is no input interface specified. There's just "*" under "in". This makes the router use DNAT on ANY connection to port 3704, even if it comes from the PS4 itself. It should be done only if the input interface is eth1/wan.

So, what's going on here? I'm pretty sure this worked correctly before. I noticed there was a miniupnpd version bump in OpenWRT just under a month ago; did something change upstream?

I'll be digging to find the cause; in the meantime, doing a manual port forward for port 3704 and denying that port in miniupnpd works great. It connects to multiplayer with "NAT Type: Open" just like it should.

This would be a problem not only for Call of Duty, but any application that tries connecting to the same port that it's forwarding through UPnP.

My /var/etc/miniupnpd.conf for reference:
Code:

ext_ifname=eth1
listening_ip=br-lan
port=5000
enable_natpmp=yes
enable_upnp=yes
secure_mode=yes
pcp_allow_thirdparty=no
system_uptime=yes
lease_file=/var/upnp.leases
bitrate_down=409600000
bitrate_up=409600000
uuid=8ff476e1-b95e-4761-ba4d-d433486998bf
deny 3074 0.0.0.0/0 0-65535
allow 1024-65535 0.0.0.0/0 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
arokh



Joined: 06 Mar 2011
Posts: 5

Posted: Sun Jun 22, 2014 5:49 pm

OK, solved it. The rules themselves are not supposed to use an interface, but the pointer to MINIUPNPD should. I'm using OpenWRT, and there it's created by /usr/share/miniupnpd/firewall.include; it looks like they rewrote it in the latest version and forgot about it. Here's my quickfix:

Code:
--- firewall.include.orig       2014-06-22 19:18:02.000000000 +0200
+++ firewall.include    2014-06-22 20:07:11.000000000 +0200
@@ -16,11 +16,13 @@

 [ -x $IP6TABLES ] && $IP6TABLES -t filter -N MINIUPNPD 2>/dev/null

+ext_iface=$(uci -q get upnpd.config.external_iface)
+
 # IPv4 - due to NAT, need to add both to nat and filter table
-iptables -t filter -I delegate_forward 2 -j MINIUPNPD
-iptables -t nat -I delegate_prerouting 2 -j MINIUPNPD
+iptables -t filter -I zone_"$ext_iface"_forward -j MINIUPNPD
+iptables -t nat -I zone_"$ext_iface"_prerouting -j MINIUPNPD

 # IPv6 if available - filter only
 [ -x $IP6TABLES ] && {
-    $IP6TABLES -t filter -I delegate_forward 2 -j MINIUPNPD
+    $IP6TABLES -t filter -I zone_"$ext_iface"_forward -j MINIUPNPD
 }
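Review bot: the new `ext_iface=$(uci -q get upnpd.config.external_iface)` has no guard for an empty result; with `-q` uci prints nothing on a missing option, so the jumps degrade to `iptables -t filter -I zone__forward -j MINIUPNPD`, which fails and leaves the MINIUPNPD chain unreachable with no message. Add `[ -n "$ext_iface" ] || { echo "upnpd.config.external_iface not set" >&2; exit 1; }` right after the assignment (or fall back to the old delegate_* jumps). Two smaller points: the removed lines inserted at position 2 (`-I delegate_forward 2`) while the new ones insert at position 1 of the zone chain, so MINIUPNPD now runs ahead of every other rule in zone_<ext>_forward/prerouting, and that ordering change deserves a comment; and because the value is spliced into the chain name, this only works if external_iface holds the firewall zone name used by those chains rather than the device name from ext_ifname (eth1 in the config above), which is worth stating in the comment as well.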
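A defender-side check for the misconfiguration this thread describes, added here as an example (not code from the thread, from OpenWRT or from the miniupnpd project): it scans an iptables-save dump and reports every jump into MINIUPNPD that is neither restricted with `-i <iface>` nor placed in an OpenWRT zone chain, so the DNAT rules would also apply to LAN-originated traffic. The chain, zone and interface names in the constructed sample dumps are assumptions.

```shell
# Added example, not code from the forum thread or the miniupnpd project.
# Heuristic: a "-j MINIUPNPD" rule counts as WAN-scoped when it carries
# "-i <iface>" or sits in an OpenWRT zone chain (zone_<name>_prerouting or
# zone_<name>_forward), which the firewall itself enters with "-i <iface>".
# Everything else is printed as UNSCOPED and the function returns 1.
check_miniupnpd_jumps() {
    awk '
        /^-A / && / -j MINIUPNPD( |$)/ {
            scoped = ($2 ~ /^zone_[A-Za-z0-9_]+_(prerouting|forward)$/)
            for (i = 3; i < NF; i++) if ($i == "-i") scoped = 1
            if (!scoped) { print "UNSCOPED: " $0; bad++ }
        }
        END { exit (bad > 0) }
    '
}

# Constructed dump mirroring the thread: MINIUPNPD reached from the generic
# delegate_* chains, so the DNAT also catches traffic coming from the LAN.
BROKEN_RULES='*nat
:delegate_prerouting - [0:0]
:MINIUPNPD - [0:0]
-A PREROUTING -j delegate_prerouting
-A delegate_prerouting -j MINIUPNPD
-A MINIUPNPD -p udp -m udp --dport 3074 -j DNAT --to-destination 10.1.1.5:3074
COMMIT
*filter
-A delegate_forward -j MINIUPNPD
COMMIT'

# Constructed dump after a fix: the nat jump lives in the WAN zone chain and
# the filter jump carries an explicit input interface (assumed eth1).
FIXED_RULES='*nat
:zone_wan_prerouting - [0:0]
-A delegate_prerouting -i eth1 -j zone_wan_prerouting
-A zone_wan_prerouting -j MINIUPNPD
-A MINIUPNPD -p udp -m udp --dport 3074 -j DNAT --to-destination 10.1.1.5:3074
COMMIT
*filter
-A FORWARD -i eth1 -j MINIUPNPD
COMMIT'

# On a live router: iptables-save | check_miniupnpd_jumps
for dump in "$BROKEN_RULES" "$FIXED_RULES"; do
    printf '%s\n' "$dump" | check_miniupnpd_jumps && echo "OK: every MINIUPNPD jump is WAN-scoped"
done
```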