UPnP

From Gentoo Linux Wiki

This article explains how to set up linux-igd on Gentoo, so that UPnP aware devices can configure your firewall to gain access to the Internet and to set up port forwardings.

What is UPnP?

The Universal Plug and Play (UPnP) protocol is a standard developed by the UPnP Forum. It defines several protocols for discovering and controlling devices, so that they integrate seamlessly and easily into a network. The most prominent of these is the IGD (Internet Gateway Device) protocol, which allows devices to configure an existing router or firewall to gain access to the Internet.

linux-igd

linux-igd is an implementation of the IGD for Linux. It allows UPnP aware devices to configure an iptables firewall to their needs. Several applications make use of IGD, for example Azureus or the instant messenger Miranda (which uses UPnP to make direct file transfers possible, even from behind a firewall).

A note on security

The UPnP standard defines no access control whatsoever for UPnP aware devices: any host on the local network that can reach the daemon may request port mappings. Because of this, several security concerns arise. Malicious software could, with the help of UPnP, open up your network to attacks from the Internet.

Setting up linux-igd

First you need to merge linux-igd. It has no USE flags, so a simple emerge is enough:

emerge -av linux-igd

There are two configuration files you need to edit. Both are very well commented, and editing them is no big deal.

File: /etc/upnpd.conf
# To change the interfaces used edit:
#   /etc/sysconfig/upnpd

#
# The full path and name of the iptables executable,
# (enclosed in quotes).
#
iptables_location = "/sbin/iptables"

#
# Daemon debug level. Messages are logged via syslog to debug.
# 0 - no debug messages
# 1 - log errors
# 2 - log errors and basic info
# 3 - log errors and verbose info
# default = 0
debug_mode = 2

#
# Should the daemon insert rules in the forward chain
# This is necessary if your firewall has a drop or reject
# policy in your forward chain.
# allowed values: yes,no
# default = no
insert_forward_rules = yes

#
# The name of the chain to put the forward rules in.
# This directive is only active if "insert_forward_rules = yes"
# above.
# allowed values: a-z, A-Z, _, -
# default = FORWARD
#
forward_chain_name = FORWARD

#
# The name of the chain to put prerouting rules in.
# allowed values: a-z, A-Z, _, -
# default = PREROUTING
prerouting_chain_name = PREROUTING

#
# The internet line upstream bit rate reported from
# the daemon. Value in bits per second
# default = 0
upstream_bitrate = 512000

#
# The internet line downstream bit rate reported from
# the daemon. Value in bits per second
# default = 0
downstream_bitrate = 512000

#
# The default duration of port mappings, used when the client
# doesn't specify a duration.
# Can have the following values:
# 0 - no default duration specified
# seconds | HH:MM - duration from the time of addition
# @seconds | @HH:MM - expire mapping at the specified time of day
# default = 0
duration = 86400 # One day

# The name of the igd device xml description document
# default = gatedesc.xml
description_document_name = gatedesc.xml

# The path to the xml documents
# Do not include the trailing "/"
# default = /etc/linuxigd
# WARNING! The make install does put the xml files
# in /etc/linuxigd, if you change this variable
# you have to make sure the xml docs are in the
# right place
xml_document_path = /etc/linuxigd

You should also edit

File: /etc/conf.d/upnpd
# /etc/conf.d/upnpd: config file for /etc/init.d/upnpd

# Internal (local network) interface
INTERNAL_INTERFACE=""

# External (outward facing) interface
EXTERNAL_INTERFACE=""

# If set to "no" the multicast route will not be created
ALLOW_MULTICAST="yes"

UPnP uses multicast to make network-wide announcements, so that other UPnP aware devices become aware of its existence. For this to work, you have to make sure your firewall allows multicast packets to be sent and received by the machine linux-igd is running on. A multicast route also has to be added to the routing table; luckily, the init script of linux-igd takes care of that.

After you have finished editing all the config files, you can start linux-igd by typing

/etc/init.d/upnpd start

To load linux-igd on system start, you should also run

rc-update add upnpd default

Embedding linux-igd into iptables

linux-igd has the option to automatically add and remove forwarding rules in iptables. For this you have to provide the name of your PREROUTING chain. This is where linux-igd inserts the port forwarding rules for the device setting up the Internet access. Another option lets you specify the FORWARD chain to use. Here linux-igd inserts the rules that accept the traffic matched by the port forwarding rules mentioned before. With these rules linux-igd opens a hole in your firewall for the port(s) requested by the device using the IGD service. Most firewalls have a default policy that either drops or rejects packets not covered by any firewall rule. As linux-igd just appends its rules at the end of the given chain, chances are that a new rule gets added behind a DROP or REJECT target and is thus never reached. To prevent this, you can create a chain that is used only for UPnP and add a jump from your FORWARD chain to it, like so:

iptables -N UPNP
iptables -A FORWARD -j UPNP

In /etc/upnpd.conf you change forward_chain_name to UPNP and set insert_forward_rules = yes. With these changes all rules added by linux-igd will go into the newly created chain and will therefore always be evaluated. Make sure the jump to UPNP itself sits before any DROP or REJECT rule in your FORWARD chain, otherwise the same problem applies to the jump.
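As an added example (not from the wiki article and not part of linux-igd), a small audit script that checks exactly this ordering problem from the output of "iptables -S FORWARD" and lists the DNAT port forwardings currently present in the nat PREROUTING chain, i.e. the holes UPnP has opened. The sample rule output embedded in it is constructed; the parsing assumes the standard "iptables -S" layout.

```shell
#!/bin/sh
# Audit helper for a linux-igd host (added example, not part of the article
# or of linux-igd). Both checks parse "iptables -S" output read from stdin,
# so they also work on saved output without root.

# Exit 0 if FORWARD jumps to the UPnP chain (default UPNP) before any
# DROP/REJECT rule, 1 if the jump is missing or shadowed: rules linux-igd
# appends to a shadowed chain are never reached.
upnp_jump_reachable() {
    awk -v chain="${1:-UPNP}" '
        $1 == "-A" && / -j (DROP|REJECT)( |$)/ { drop = 1 }
        $1 == "-A" && $(NF-1) == "-j" && $NF == chain { found = 1; exit }
        END { exit (found && !drop) ? 0 : 1 }'
}

# Print the DNAT rules in the nat PREROUTING chain as
# "proto ext_port -> int_ip:int_port": the holes UPnP has opened so far.
list_upnp_mappings() {
    awk '$1 == "-A" && / -j DNAT / {
        proto = "any"; dport = "?"; dest = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "--to-destination") dest = $(i + 1)
        }
        printf "%s %s -> %s\n", proto, dport, dest
    }'
}

# Constructed sample output (not captured from a real system).
SAMPLE_FORWARD_OK='-P FORWARD DROP
-A FORWARD -i eth1 -j UPNP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable'
SAMPLE_FORWARD_BAD='-P FORWARD DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j UPNP'
SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 6881 -j DNAT --to-destination 192.168.1.10:6881
-A PREROUTING -i eth0 -p udp -m udp --dport 6881 -j DNAT --to-destination 192.168.1.10:6881'

# Stand-alone run: audit the live rules when root, otherwise the samples.
fwd=$SAMPLE_FORWARD_BAD; nat=$SAMPLE_NAT
if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    fwd=$(iptables -S FORWARD 2>/dev/null) || fwd=$SAMPLE_FORWARD_BAD
    nat=$(iptables -t nat -S PREROUTING 2>/dev/null) || nat=$SAMPLE_NAT
fi
printf '%s\n' "$fwd" | upnp_jump_reachable && echo "OK: UPNP jump reachable" \
    || echo "WARNING: UPNP jump missing or shadowed by DROP/REJECT in FORWARD"
echo "Current UPnP port mappings:"
printf '%s\n' "$nat" | list_upnp_mappings
```

Run it periodically (or from cron) on the gateway to notice mappings you did not expect a device to request.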

Originally written by: Urd - 2008-12-08
