Iptables – Allow UPnP and NAT-PMP request in iptables


I have an OpenVPN gateway setup with forwarding which works great. My other machine connects through it and reaches the internet. Done an external port scan and no ports are visible on the external VPN address. Installed linux-igd (upnpd) on the gateway machine. If I set iptables -P INPUT ACCEPT it works like charm the port is opened and forwarded into the client. But I want to create actual rules for the UPnP request instead.

This is what my iptables look like:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

So I add a log rule to se what gets dropped from the client (

sudo iptables -A INPUT -i eth0 -s -j LOG --log-prefix "DROPPED: "

Restart the openvpn service and client, then the log outputs this:

Mar 19 07:32:55 raspberrypi kernel: [ 6954.935598] DROPPED: IN=eth0 OUT= MAC=b8:27:eb:b0:98:45:b8:27:eb:6b:f9:a6:08:00:45:00:00:1e:b0:b0:40:00:40:11:08:1c SRC= DST= LEN=30 TOS=0x00 PREC=0x00 TTL=64 ID=45232 DF PROTO=UDP SPT=51251 DPT=5351 LEN=10
Mar 19 07:32:55 raspberrypi kernel: [ 6954.939366] DROPPED: IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:b8:27:eb:6b:f9:a6:08:00:45:00:00:a5:b9:6a:40:00:01:11:0f:35 SRC= DST= LEN=165 TOS=0x00 PREC=0x00 TTL=1 ID=47466 DF PROTO=UDP SPT=54192 DPT=1900 LEN=145
Mar 19 07:33:03 raspberrypi kernel: [ 6962.293068] DROPPED: IN=eth0 OUT= MAC=b8:27:eb:b0:98:45:b8:27:eb:6b:f9:a6:08:00:45:00:00:1e:b2:a0:40:00:40:11:06:2c SRC= DST= LEN=30 TOS=0x00 PREC=0x00 TTL=64 ID=45728 DF PROTO=UDP SPT=51251 DPT=5351 LEN=10
Mar 19 07:33:03 raspberrypi kernel: [ 6962.626402] DROPPED: IN=eth0 OUT= MAC=b8:27:eb:b0:98:45:b8:27:eb:6b:f9:a6:08:00:45:00:00:1e:b2:b6:40:00:40:11:06:16 SRC= DST= LEN=30 TOS=0x00 PREC=0x00 TTL=64 ID=45750 DF PROTO=UDP SPT=51251 DPT=5351 LEN=10
Mar 19 07:33:03 raspberrypi kernel: [ 6962.959560] DROPPED: IN=eth0 OUT= MAC=b8:27:eb:b0:98:45:b8:27:eb:6b:f9:a6:08:00:45:00:00:1e:b2:be:40:00:40:11:06:0e SRC= DST= LEN=30 TOS=0x00 PREC=0x00 TTL=64 ID=45758 DF PROTO=UDP SPT=51251 DPT=5351 LEN=10
Mar 19 07:33:04 raspberrypi kernel: [ 6963.293411] DROPPED: IN=eth0 OUT= MAC=b8:27:eb:b0:98:45:b8:27:eb:6b:f9:a6:08:00:45:00:00:1e:b2:d5:40:00:40:11:05:f7 SRC= DST= LEN=30 TOS=0x00 PREC=0x00 TTL=64 ID=45781 DF PROTO=UDP SPT=51251 DPT=5351 LEN=10
Mar 19 07:33:04 raspberrypi kernel: [ 6963.627138] DROPPED: IN=eth0 OUT= MAC=b8:27:eb:b0:98:45:b8:27:eb:6b:f9:a6:08:00:45:00:00:1e:b2:d6:40:00:40:11:05:f6 SRC= DST= LEN=30 TOS=0x00 PREC=0x00 TTL=64 ID=45782 DF PROTO=UDP SPT=51251 DPT=5351 LEN=10
Mar 19 07:33:11 raspberrypi kernel: [ 6970.968277] DROPPED: IN=eth0 OUT= MAC=b8:27:eb:b0:98:45:b8:27:eb:6b:f9:a6:08:00:45:00:00:1e:b3:5f:40:00:40:11:05:6d SRC= DST= LEN=30 TOS=0x00 PREC=0x00 TTL=64 ID=45919 DF PROTO=UDP SPT=51251 DPT=5351 LEN=10

So I see that it does a broadcast on UDP 1900 and then tries to connect to UDP 5351. So I insert these two rules before the log rule:

sudo iptables -I INPUT 4 -i eth0 -p udp --dport 1900 -j ACCEPT
sudo iptables -I INPUT 4 -i eth0 -p udp --dport 5351 -j ACCEPT

Nothing fals through down to the log rule so as far as I can see nothing is blocked but the UPnP isn't working. If i just do:

sudo iptables -P INPUT ACCEPT

It all works great! I have also tried this, more or less all port numbers related to this I could find in any and all documentation…

sudo route add -net netmask eth0

sudo iptables -A INPUT -i eth0 -p tcp --dport 2869 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 5000 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 49152:49154 -j ACCEPT

sudo iptables -A INPUT -i eth0 -p udp --dport 1900 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p udp --dport 5351 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p udp --dport 5353 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 2869 -j ACCEPT

Any ideas or suggestions?

Best Answer

So I finally figured out what was wrong! I set the default policy of the input chain to accept.

sudo iptables -P INPUT ACCEPT

Then added these two lines at the bottom of my INPUT chain:

iptables -A INPUT -j LOG --log-prefix "INPUT:DROP:" --log-level 6
iptables -A INPUT -j DROP

Then I opened a second SSH window and did a tail on the log:

tail -f /var/log/messages

First thing I noticed was that traffic from originating on the lo interface was blocked, totally missed to add that. So I added this:

iptables -I INPUT 1 -i lo -j ACCEPT

Then I just ran the UPnP request over and over again from the inside to see what was being blocked. Ended up with these two rules:

sudo iptables -A INPUT -i eth0 -p udp -m multiport --dports 1900,5351,5353 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp -m multiport --dports 49152 -j ACCEPT

Hope it helps someone!

Related Topic