arokh
Joined: 06 Mar 2011 Posts: 5
Posted: Sun Jun 22, 2014 10:29 am Post subject: iptables rules are created without interface (SOLVED) |
So I just fired up Call of Duty Ghosts on my PS4 after a long break and noticed I couldn't play online anymore; it would just hang at "Connecting to Online Services".
Ghosts uses UPnP to forward UDP port 3074, so I fire up tcpdump on my router and see this:
Code:
11:18:10.093380 IP 10.1.1.5.3074 > 209.170.124.117.3074: UDP, length 3
11:18:10.093464 IP 10.1.1.5.3074 > 10.1.1.5.3074: UDP, length 3
My PS4 is 10.1.1.5; as you can see, it tries connecting to 209.170.124.117:3074, but the router is redirecting the traffic right back!
So I look at the MINIUPNPD chain to see what it's actually done:
Code:
Chain MINIUPNPD (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3704 to:10.1.1.5:3704
As you can see, there is no input interface specified; there's just "*" under "in". This makes the router use DNAT on ANY connection to port 3704, even if it comes from the PS4 itself. It should be done only if the input interface is eth1/wan.
So, what's going on here? I'm pretty sure this worked correctly before. I noticed there was a miniupnpd version bump in OpenWRT just under a month ago; did something change upstream?
I'll be digging to find the cause; in the meantime, doing a manual port forward for port 3704 and denying that port in miniupnpd works great. It connects to multiplayer with "NAT Type: Open" just like it should.
This would be a problem not only for Call of Duty, but for any application that tries connecting to the same port that it's forwarding through UPnP.
My /var/etc/miniupnpd.conf for reference:
Code:
ext_ifname=eth1
listening_ip=br-lan
port=5000
enable_natpmp=yes
enable_upnp=yes
secure_mode=yes
pcp_allow_thirdparty=no
system_uptime=yes
lease_file=/var/upnp.leases
bitrate_down=409600000
bitrate_up=409600000
uuid=8ff476e1-b95e-4761-ba4d-d433486998bf
deny 3074 0.0.0.0/0 0-65535
allow 1024-65535 0.0.0.0/0 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
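The hairpin described above, as an added example that is not the poster's code or OpenWrt's: a toy Python model of nat PREROUTING traversal over a constructed iptables-save-style ruleset. The chain names (zone_wan_prerouting) and the eth1/br-lan interfaces are assumed to mirror an OpenWrt zone layout; BROKEN is the unconditional jump into MINIUPNPD from this post, and FIXED is the zone-chain jump the follow-up post arrives at.

```python
# Added example, not code from the thread: a toy model of nat PREROUTING traversal
# showing why a MINIUPNPD DNAT rule with in-interface "*" also rewrites the PS4's own
# outbound packet, and why reaching MINIUPNPD only from the WAN zone chain fixes it.
import shlex

def parse_rules(text):
    """Map chain name -> rules from '-A CHAIN ...' lines (constructed iptables-save subset)."""
    chains = {}
    for line in text.splitlines():
        t = shlex.split(line)
        if len(t) < 2 or t[0] != "-A":
            continue
        rule, i = {"match": {}, "target": None, "to": None}, 2
        while i < len(t):
            if t[i] in ("-i", "--dport"):
                rule["match"][t[i]] = t[i + 1]
            elif t[i] == "-j":
                rule["target"] = t[i + 1]
            elif t[i] == "--to-destination":
                rule["to"] = t[i + 1]
            else:                      # flag we do not model: skip one token
                i += 1; continue
            i += 2
        chains.setdefault(t[1], []).append(rule)
    return chains

def dnat_target(chains, pkt, chain="PREROUTING"):
    """Walk the nat table as netfilter would; return the DNAT destination or None."""
    for r in chains.get(chain, []):
        m = r["match"]
        if m.get("-i", pkt["in_iface"]) != pkt["in_iface"]:
            continue                   # rule bound to a different input interface
        if "--dport" in m and int(m["--dport"]) != pkt["dport"]:
            continue
        if r["target"] == "DNAT":
            return r["to"]
        if r["target"] in chains:      # user chain: descend; fall through if no hit
            hit = dnat_target(chains, pkt, r["target"])
            if hit is not None:
                return hit
    return None

# Constructed rulesets. BROKEN: unconditional jump into MINIUPNPD, whose DNAT has no "-i".
BROKEN = ("-A PREROUTING -j MINIUPNPD\n"
          "-A MINIUPNPD -p udp -m udp --dport 3074 -j DNAT --to-destination 10.1.1.5:3074")
# FIXED (the patch): MINIUPNPD is reached only through the zone chain entered for -i eth1.
FIXED = ("-A PREROUTING -i eth1 -j zone_wan_prerouting\n"
         "-A zone_wan_prerouting -j MINIUPNPD\n"
         "-A MINIUPNPD -p udp -m udp --dport 3074 -j DNAT --to-destination 10.1.1.5:3074")
PS4_OUT, WAN_IN = {"in_iface": "br-lan", "dport": 3074}, {"in_iface": "eth1", "dport": 3074}
```

With BROKEN, the PS4's packet arriving on br-lan is rewritten to 10.1.1.5:3074, which is exactly the second tcpdump line in the post; with FIXED only the packet arriving on eth1 is.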
arokh
Joined: 06 Mar 2011 Posts: 5
Posted: Sun Jun 22, 2014 5:49 pm Post subject: |
OK, solved it. The rules themselves are not supposed to use an interface, but the pointer to MINIUPNPD should. I'm using OpenWRT, and there it's created by /usr/share/miniupnpd/firewall.include; it looks like they rewrote it in the latest version and forgot about it. Here's my quick fix:
Code:
--- firewall.include.orig 2014-06-22 19:18:02.000000000 +0200
+++ firewall.include 2014-06-22 20:07:11.000000000 +0200
@@ -16,11 +16,13 @@
[ -x $IP6TABLES ] && $IP6TABLES -t filter -N MINIUPNPD 2>/dev/null
+ext_iface=$(uci -q get upnpd.config.external_iface)
+
# IPv4 - due to NAT, need to add both to nat and filter table
-iptables -t filter -I delegate_forward 2 -j MINIUPNPD
-iptables -t nat -I delegate_prerouting 2 -j MINIUPNPD
+iptables -t filter -I zone_"$ext_iface"_forward -j MINIUPNPD
+iptables -t nat -I zone_"$ext_iface"_prerouting -j MINIUPNPD
# IPv6 if available - filter only
[ -x $IP6TABLES ] && {
- $IP6TABLES -t filter -I delegate_forward 2 -j MINIUPNPD
+ $IP6TABLES -t filter -I zone_"$ext_iface"_forward -j MINIUPNPD
} |
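Review bot: `ext_iface=$(uci -q get upnpd.config.external_iface)` is used unchecked; because of `-q`, a missing option yields an empty string, so the three inserts target `zone__forward` / `zone__prerouting`, iptables rejects them, and the script carries on with no jump into MINIUPNPD at all, which reproduces the original symptom (no forwarding) with only a stderr message to show for it. Suggest guarding it right after the assignment, e.g. `[ -n "$ext_iface" ] || { echo "upnpd.config.external_iface not set" >&2; exit 1; }`, and keeping in mind that the chain name requires the uci value to be a firewall zone name (such as `wan`), not the device name `eth1` seen in miniupnpd.conf. Dropping the position argument (`-I delegate_forward 2` becomes `-I zone_"$ext_iface"_forward`) also moves the jump from second place to the top of the zone chain; if that ordering is intended, a one-line comment saying so would help the next reader.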
© 2007 Thomas Bernard, author of MiniUPNP.