Hello,
unfortunately I do not have much time to play with the device :-(. As I am also a self-learner in the area of linux, scripting, routing, etc. I do not have the patterns to do this right - therefore what I did was just applying "brute force" approach to make it do what I want - I am aware of the fact that it is not a "clean" solution and that it has some drawbacks, but...
Findings (learned by experimenting and some reading - so reality may be different)
- Any "apply" to any network configuration (including firewall) forces the box to reset configuration and restart some network services (e.g. also gift, http, etc.)
- To set the iptables, the scripts create config files in /tmp/ (filter_rules, nat_tules, nat_forward_rules) and probably use iptables-restore
Current set-up:
following script takes care of iptable check and setup:
/opt/bin/netupdate
Code:
#!/opt/bin/bash
# Check whether the INPUT chain still contains the rule that opens ssh.
# iptables -L pads its columns with several spaces, so match with a regex
# instead of a literal single-spaced string (which would never match).
if iptables -L INPUT | grep -E 'ACCEPT +tcp .*dpt:ssh' &>/dev/null
then
# logger `date` "iptables INPUT rule opening ssh found, assuming no change in network configuration"
# this line should be uncommented if you want to see that nothing is happening in your syslog
: # no-op: bash requires at least one command between then and else
else
logger `date` "iptables INPUT does not contain rule for opening ssh, assuming reset of network configuration"
iptables -D INPUT -j DROP # Remove the default last rule to drop everything else
# Close the ftp from outside
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # Open port 22 (ssh)
# Additional rules go here (transmission 9090, enh-ctr 2706)
iptables -A INPUT -j DROP # Close the hole and filter everything not matching rules
killall giftd # Kill the giftd
# Additional daemons (httpd, thttpd) can be killed here
fi
and /etc/crontab
Code:
SHELL=/bin/sh
PATH=/opt/bin:/opt/sbin:/sbin:/bin:/usr/sbin:/apps/bin:/usr/bin
MAILTO=""
HOME=/
# ---------- ---------- Default is Empty ---------- ---------- #
# m h dom mon dow user command
*/10 * * * * root /opt/bin/netupdate
Outstanding issues & possible conflicts:
- if the box firewall is set to off (iptable INPUT clear, default ACCEPT), above configuration effectively blocks everything except ssh by setting the iptable rules
- torrent performance (which is still very slow compared to utorrent) not better after opening ports on which the client listens :-( (thought it would help). transmission still way faster than enhanced-ctorrent, but 1/5 to utorrent (which may benefit from DHT?). Still it (transmissioncli) gets to 1/30 of the line capacity
- GUI for torrent: not yet played with (why?), there is ctcs for enhanced-ctorrent and native client for transmission, both require some attention (e.g. perl, which is not available). CTCS available in unstable ipkd resource
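As an added example (this is not code from the post above), the check that netupdate does can be made tolerant of iptables' column padding and can also cover the first outstanding issue: when the box firewall is off (INPUT chain empty, policy ACCEPT) the script should notice that there is no catch-all DROP and leave the chain alone instead of appending one. The decision logic is split into functions that read an `iptables -L INPUT -n` listing on stdin, so it can be tested offline against the constructed sample listings below; `apply_action` and the `NETUPDATE_RUN` guard are assumptions for wiring it into cron, and `apply_action` is the only part that touches iptables.

```shell
#!/bin/sh
# Constructed sample listings in the format of `iptables -L INPUT -n`
# (not captured from the device). Used only for offline testing.
SAMPLE_WITH_SSH='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       all  --  0.0.0.0/0            0.0.0.0/0'

SAMPLE_RESET='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0'

SAMPLE_FW_OFF='Chain INPUT (policy ACCEPT)
target     prot opt source               destination'

# has_ssh_rule: reads a listing on stdin; succeeds if an ACCEPT rule for
# tcp destination port 22 exists. ' +' absorbs the variable column padding.
has_ssh_rule() {
  grep -Eq '^ACCEPT +tcp .*dpt:22( |$)'
}

# has_final_drop: reads a listing on stdin; succeeds if the last rule is
# the catch-all DROP that netupdate expects to find after a config reset.
has_final_drop() {
  tail -n 1 | grep -Eq '^DROP +all '
}

# decide_action: reads a listing on stdin and prints one word:
#   keep      ssh rule present, nothing to do
#   reinsert  ssh rule missing but the catch-all DROP is there (config reset)
#   skip      neither rule present: firewall is off, so adding a DROP
#             would lock out everything except ssh
decide_action() {
  listing=$(cat)
  if printf '%s\n' "$listing" | has_ssh_rule; then
    echo keep
  elif printf '%s\n' "$listing" | has_final_drop; then
    echo reinsert
  else
    echo skip
  fi
}

# apply_action (assumed helper): acts on the decision. Inserting the ACCEPT at
# position 1 places it before the catch-all DROP, so the DROP does not have to
# be deleted and re-added as in the original netupdate.
apply_action() {
  case "$1" in
    reinsert)
      iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
      logger "netupdate: ssh rule re-inserted after network configuration reset" ;;
    skip)
      logger "netupdate: firewall appears to be off, leaving INPUT chain untouched" ;;
    keep)
      : ;;
  esac
}

# Only touch the live firewall when explicitly asked (e.g. from cron with
# NETUPDATE_RUN=1); otherwise the functions are just defined for testing.
if [ "${NETUPDATE_RUN:-0}" = 1 ]; then
  apply_action "$(iptables -L INPUT -n | decide_action)"
fi
```

Run from cron as `NETUPDATE_RUN=1 /opt/bin/netupdate`; `-n` on the listing avoids hostname lookups, which is why the regex matches `dpt:22` rather than `dpt:ssh`.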