
Thread: post-firewall port triggering

  1. #1

    post-firewall port triggering

    Question: How do you use port triggering in post-firewall?

    I know I'm answering my own question but I thought some people may be curious. I got the information by experimenting with iptables. After enabling port triggering, I noticed the following entry when I typed iptables -L -v -t nat:
    Code:
        0     0 autofw     tcp  --  br0    any     anywhere             anywhere           tcp dpt:6881 autofw tcp dpt:6881-6999 to:6881-6999
    Answer:
    iptables -t nat -A PREROUTING -i br0 -p INCOMING_PROTOCOL --dport TRIGGER_PORT_FROM(-TRIGGER_PORT_TO) -j autofw --related-proto TRIGGER_PROTOCOL --related-dport INCOMING_PORT_FROM(-INCOMING_PORT_TO) --related-to INCOMING_PORT_FROM(-INCOMING_PORT_TO)

    For example, to set up a trigger for BitTorrent, you'd use this:
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 6881 -j autofw --related-proto tcp --related-dport 6881-6999 --related-to 6881-6999
    Last edited by tomilius; 28-02-2005 at 00:54. Reason: Cosmetic

  2. #2
    Shouldn't you use port forwarding for BitTorrent instead?

  3. #3
    Eh. Probably. Random example--some site said it was better to use port triggering for multiple computer support, plus it was more secure or something.

    Quote Originally Posted by George Hotelling (http://p2p.weblogsinc.com/entry/0401842428674831/)
    Port Triggering

    Excellent guide, this is something that more people need to be aware of. However I do have one suggestion.

    This only works if you only have one computer behind your router downloading BitTorrents. A better way would be to turn on Port Triggering (in Advanced?) telling it to forward the ports you list above with the trigger port set to 6881 and the protocol to TCP.

    When this is set up you don't need to know the internal IP of your computer, because the router will forward BitTorrent traffic to whatever system is running BitTorrent at the time. It knows which computer to use because BitTorrent will send traffic out on port 6881, the router sees this and starts forwarding traffic to your computer.

  4. #4
    Quote Originally Posted by tomilius
    Eh. Probably. Random example--some site said it was better to use port triggering for multiple computer support, plus it was more secure or something.
    In case of multiple computers that is true...

  5. #5
    Quote Originally Posted by tomilius
    Question: How do you use port triggering in post-firewall?
    I do realize this thread is a few years old, but I wanted to update it since it was the most helpful information that I got. It relates to port triggering, and I wanted to do it via the post-firewall script while using ranges. Here is a new, updated command-line format.

    iptables -t nat -A PREROUTING -i br0 -p INCOMING_PROTOCOL --dport TRIGGER_PORT_FROM(:TRIGGER_PORT_TO) -j autofw --related-proto TRIGGER_PROTOCOL --related-dport INCOMING_PORT_FROM(:INCOMING_PORT_TO) --related-to INCOMING_PORT_FROM(:INCOMING_PORT_TO)

    The only real change is replacing the hyphen ( - ) with a colon ( : ) to indicate a range. Here is an example which is the actual line I inserted into my post-firewall file. It is for forwarding ident port 113 as needed when connecting to irc rooms.

    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 6660:6669 -j autofw --related-proto tcp --related-dport 113 --related-to 113

    I did not figure out how to get multiple ports in there without doing ranges. Online documentation indicates to use -m multiport right before the first --dport; however, I got a "file not found" error from iptables when I tried to do that. Oh well. I'll research it some more when I get a chance. In the meantime it works well. I added port 7000 as a separate entry.
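A post-firewall snippet, added here as an example (it is not code from either poster's script), that builds autofw rules in the colon range syntax the previous post reports working, for both the IRC/ident trigger above and the BitTorrent trigger from post #1. It assumes the LAN bridge is br0 and that the firmware's iptables has the autofw target; the trigger table and the APPLY switch are constructed for this example. Because a trigger opens its related ports to whichever LAN host last sent traffic to the trigger port, the script validates every protocol, port and range before a rule is emitted, and stops at the first bad line rather than installing half the triggers.

```shell
#!/bin/sh
# Added example (not from the thread): generate autofw port-triggering rules for the
# WL-500g post-firewall script. Plain POSIX sh, so it runs under the router's busybox ash.
# Assumptions: LAN bridge is br0; the firmware's iptables has the autofw target.

# Return 0 if $1 is an integer in 1..65535.
port_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if $1 is a single port or a FROM:TO range with FROM <= TO
# (the colon form is what iptables expects; the hyphen form from post #1 is rejected).
range_ok() {
    case "$1" in
        *:*)
            r_from="${1%%:*}"; r_to="${1#*:}"
            port_ok "$r_from" && port_ok "$r_to" && [ "$r_from" -le "$r_to" ]
            ;;
        *)  port_ok "$1" ;;
    esac
}

# trigger_rule IFACE TRIGGER_PROTO TRIGGER_PORTS RELATED_PROTO RELATED_PORTS
# Print the iptables command for one trigger, or print nothing and return 1.
# --related-to is set equal to --related-dport, as in the thread's examples.
trigger_rule() {
    iface="$1"; tproto="$2"; tports="$3"; rproto="$4"; rports="$5"
    case "$tproto:$rproto" in
        tcp:tcp|tcp:udp|udp:tcp|udp:udp) ;;
        *) echo "bad protocol: $tproto/$rproto" >&2; return 1 ;;
    esac
    range_ok "$tports" || { echo "bad trigger ports: $tports" >&2; return 1; }
    range_ok "$rports" || { echo "bad related ports: $rports" >&2; return 1; }
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j autofw --related-proto %s --related-dport %s --related-to %s\n' \
        "$iface" "$tproto" "$tports" "$rproto" "$rports" "$rports"
}

# Constructed trigger table: TRIGGER_PROTO TRIGGER_PORTS RELATED_PROTO RELATED_PORTS.
# IRC servers (6660-6669 and 7000) trigger ident/113; BitTorrent 6881 triggers 6881-6999.
# Keep trigger ranges narrow: any LAN host hitting a trigger port gets the related ports.
TRIGGERS='tcp 6660:6669 tcp 113
tcp 7000 tcp 113
tcp 6881 tcp 6881:6999'

# Print every rule (default) or execute it when APPLY=1. Returns 1 on the first
# invalid table line, before anything is installed.
install_triggers() {
    while read -r tproto tports rproto rports; do
        [ -n "$tproto" ] || continue
        rule=$(trigger_rule br0 "$tproto" "$tports" "$rproto" "$rports") || return 1
        if [ "${APPLY:-0}" = 1 ]; then
            $rule          # fields were validated above, so word-splitting is safe here
        else
            echo "$rule"
        fi
    done <<EOF
$TRIGGERS
EOF
}

# Usage: `sh triggers.sh` previews the rules; `APPLY=1 sh triggers.sh` from post-firewall applies them.
install_triggers
```

Preview the output first and compare it against `iptables -L -v -t nat` after applying, as post #1 did; the listing should show one autofw line per table entry with the expected dpt and to: ranges.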
