
UPnP on your Linux 2.4 firewall how-to

Published: 2007-5-26 11:32 | Author: unknown | Source: Blog.ChinaUnix.net | Views: 26

author: bijl, published: 2002-10-18, last update: 2004-02-25, popularity: 16385 page requests


Note: we still haven't got audio/video working in MSN Messenger, but we are very close. Input is welcome! Use the E-mail link (remove the spam words) or the webmaster form!


To use the audio/video functionality of MSN Messenger (or Windows Messenger, but I will use the former term in the rest of this article) through a firewall, you need UPnP on your firewall. This article explains how to add UPnP to your Linux kernel 2.4 based firewall (for example SmoothWall 2).

It took us some beers and a substantial amount of frustrating hours to collect the proper information and set it up. This article will turn frustrating hours into a handful of happy minutes... Well, if you like beer.

Some knowledge about networking and Linux is required. We used WindowsXP and MSN Messenger beta-5, build 527, but it should also work with other Messenger versions. We're not sure if UPnP will work with other Windows versions (probably not, maybe there is a UPnP update available).


What is UPnP?
UPnP stands for Universal Plug 'n Play. It allows some clients within the internal network to open up your firewall, when needed. Note that this is a security issue. Refer to http://www.microsoft.com/windowsxp/pro/techinfo/planning/upnp/default.asp for info about UPnP under WindowsXP.

Collecting the correct software
To install UPnP on your firewall, you need LinuxIGD (http://linux-igd.sourceforge.net). As the site explains: This project is a daemon that emulates Microsoft's Internet Connection Service (ICS). It implements the UPnP Internet Gateway Device specification (IGD) and allows UPnP aware clients, such as MSN Messenger, to work properly from behind a NAT firewall.

Download gateway-0.75.tgz or a newer version. LinuxIGD only works with kernel 2.4 (iptables). If you are looking for something for kernel 2.2 (ipchains), check out http://pseudoicsd.sourceforge.net/.

LinuxIGD needs the UPnP SDK (http://upnp.sourceforge.net). Download upnpsdk-1.0.4.tar.gz or a newer version. Do not download the rpm, because you need to make some changes in the code.

Follow the instructions in the INSTALL document of LinuxIGD. You have to change something in the code of the UPnP SDK, compile it, and then compile the LinuxIGD UPnP daemon... or...

... or forget the above and download our files already compiled by RuweBit! They are compiled for kernel 2.4.17.

Move the files to the correct places
If you downloaded the RuweBit package above, or compiled it on another machine, follow the next steps to move the files to the correct places:

Copy the *.xml and *.skl files to /etc/linuxigd

mkdir /etc/linuxigd
cp gateconnSCPD.xml /etc/linuxigd
cp gatedesc.skl /etc/linuxigd
cp gatedesc.xml /etc/linuxigd
cp gateicfgSCPD.xml /etc/linuxigd
cp gateinfoSCPD.xml /etc/linuxigd

Copy the upnpd file to /usr/bin
cp upnpd /usr/bin

Copy the *.so* files to /usr/lib
cp libupnp.so /usr/lib
cp libstdc++-libc6.2-2.so.3 /usr/lib

Preparing for the UPnP daemon
To start the UPnP daemon, first some preparations must be made:

Create a symbolic link from /usr/sbin/iptables to the iptables program, for example:
ln -s /sbin/iptables /usr/sbin/iptables

This is a very important step, because upnpd expects the iptables program in /usr/sbin.

Add a route, as explained in the INSTALL of LinuxIGD. For example:
route add -net 239.0.0.0 netmask 255.0.0.0 int_if

Where int_if is the internal interface of your firewall, for example eth0 or eth1.
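
The copy, symlink and route steps above can be verified before upnpd is started. This is an added example, not part of the original how-to or of LinuxIGD; the function names are made up here, and the route check assumes the column layout printed by `route -n`.

```shell
#!/bin/sh
# Added example, not from the original how-to or from LinuxIGD.
# check_install ROOT    prints each file from the steps above that is missing
#                       under ROOT (use / on the firewall); returns 1 if any is.
# has_mcast_route IF    reads `route -n` output on stdin; succeeds only if the
#                       239.0.0.0 / 255.0.0.0 route is bound to interface IF.
check_install() {
    root=${1%/}; missing=0
    for f in /etc/linuxigd/gateconnSCPD.xml /etc/linuxigd/gatedesc.skl \
             /etc/linuxigd/gatedesc.xml /etc/linuxigd/gateicfgSCPD.xml \
             /etc/linuxigd/gateinfoSCPD.xml /usr/bin/upnpd \
             /usr/lib/libupnp.so /usr/lib/libstdc++-libc6.2-2.so.3; do
        [ -f "$root$f" ] || { echo "missing: $f"; missing=1; }
    done
    # upnpd expects iptables in /usr/sbin; -x follows the symlink, so a
    # dangling link is reported just like an absent one.
    [ -x "$root/usr/sbin/iptables" ] || { echo "missing: /usr/sbin/iptables"; missing=1; }
    return $missing
}

has_mcast_route() {
    # route -n columns: Destination Gateway Genmask ... Iface (last column)
    awk -v ifc="$1" '$1 == "239.0.0.0" && $3 == "255.0.0.0" && $NF == ifc { ok = 1 }
                     END { exit !ok }'
}

# Run as: sh thisfile int_if   (int_if is the internal interface, as above)
if [ "$#" -eq 1 ]; then
    check_install /
    route -n | has_mcast_route "$1" || echo "no 239.0.0.0 route on $1"
fi
```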

Starting UPnP
To start upnp, do:
upnpd ext_if int_if

For example: upnpd eth0 eth1

To stop upnp, do:
killall upnpd


To check if upnp is running, do:
ps -x | grep upnpd

It's normal to see multiple processes.

Diagnostics
To see log messages:
cat /var/log/messages | grep upnp


Configuring Windows XP for UPnP
At this point an icon should be visible in the Network Connections dialog (My Network Places->Right-click->Properties).

An Internet Gateway appears if the UPnP Daemon is running!


To use the UPnP features of WindowsXP, it has to be enabled first:

In the same Network Connections dialog, go to the 'Advanced' menu and select 'Optional Networking Components'.



Select 'Networking Services' and press the 'Details' button.



Enable 'Universal Plug and Play' and press the 'Ok' button.



The previous dialog appears again; press the 'Next' button.

And now you have your personal Shu-shit-sju router. Or something.

Your personal shu-shit-something ;-)


Open issues
At this point we still haven't got audio/video working in MSN Messenger. Input is very welcome! Use the E-mail link (remove the spam words) or the webmaster form!

Is the route add necessary on each reboot?
What is a nice location to start upnp after a reboot?

Links
http://linux-igd.sourceforge.net
http://upnp.sourceforge.net
http://www.microsoft.com/windowsxp/pro/techinfo/planning/upnp/default.asp
http://www6.tomshardware.com/network/02q3/020828/upnp-06.html

Thanks to Bart for his help and compilation of upnpd.

Dutch E-mail from Maxim Baars

The setup described in your HOWTO is good. I doubt whether the Optional Network Components need to be changed in XP. I think the default setting, in which Internet Gateway Device Discovery and Control Client is enabled, is sufficient. But I have not tested this further.

My environment is RH7.1 and I have tested with both Windows Messenger 4.7 and MSN Messenger 6.1. What you are still missing are the rules for the packet filter. You could use the following script as a test. You may still get some messages (if you log), probably for packets that do not have RELATED or ESTABLISHED state. (This assumes the presence of rules such as "... INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" and "... FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT".)

## Test script

# Check if UPnP daemon is already running
# Note: daemon only inserts DNAT rules to client
# Note: "/usr/bin/upnpd extif intif" can be added to /etc/rc.d/rc.local
#if ! (pidof upnpd); then
if ! ( ps -ef | grep upnpd | grep -v grep >/dev/null ) ; then
upnpd extif intif
fi

# Allow forwarding of UPnP packets (if policy is DROP)
iptables -A FORWARD -p udp -i extif -o intif -j ACCEPT
iptables -A FORWARD -p tcp -i extif -o intif -j ACCEPT

# Allow multicast for UPnP
# Note: "intif net 239.0.0.0 netmask 255.0.0.0" can be added to
# /etc/sysconfig/static-routes
route add -net 239.0.0.0 netmask 255.0.0.0 intif 2> /dev/null
iptables -A INPUT -i intif -s intnet -d 239.255.255.250 -j ACCEPT

# SSDP Discovery Service (SSDP protocol)
iptables -A INPUT -i intif -p udp --dport 1900 -j ACCEPT

# SSDP Discovery Service (SSDP event notification protocol)
# Universal Plug and Play Device Host (UPNP protocol)
iptables -A INPUT -i intif -p tcp --dport 2869 -j ACCEPT

## EOF

I am still considering whether to modify the upnpd code, because I find the forward rules in particular too "open".

Kind regards,

Maxim
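
The two FORWARD rules in the test script above accept all UDP and TCP traffic from the external to the internal interface. The following added example (not part of the e-mail, the how-to or LinuxIGD) reads `iptables-save` output, flags FORWARD rules of that unrestricted kind, and lists the DNAT port mappings present; the sample ruleset, interface names and addresses are constructed.

```shell
#!/bin/sh
# Added example: audit `iptables-save` output (stdin) on a upnpd firewall.
# Usage on the firewall: iptables-save | audit_rules EXTIF INTIF
#   OPEN  FORWARD rule accepting EXTIF->INTIF traffic with no destination
#         address, destination port or connection-state restriction
#   DNAT  PREROUTING port mapping of the kind upnpd inserts for a client
audit_rules() {
    awk -v extif="$1" -v intif="$2" '
    function opt(name,   i) {   # value that follows option "name", else ""
        for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
        return ""
    }
    $1 == "-A" && $2 == "FORWARD" && opt("-j") == "ACCEPT" &&
    opt("-i") == extif && opt("-o") == intif {
        if (opt("-d") == "" && opt("--dport") == "" &&
            opt("--state") == "" && opt("--ctstate") == "")
            print "OPEN " $0
    }
    $1 == "-A" && $2 == "PREROUTING" && opt("-j") == "DNAT" {
        print "DNAT " opt("-p") " " opt("--dport") " -> " opt("--to-destination")
    }'
}

# Constructed sample ruleset: eth0 external, eth1 internal, made-up addresses.
sample_rules() {
    cat <<'EOF'
*nat
-A PREROUTING -i eth0 -p udp -m udp --dport 5004 -j DNAT --to-destination 192.168.1.20:5004
COMMIT
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.1.20 -p udp -m udp --dport 5004 -j ACCEPT
COMMIT
EOF
}

sample_rules | audit_rules eth0 eth1
```

Each OPEN line is a candidate for replacement by a rule limited to the destination address and port of an existing DNAT mapping, like the last FORWARD rule in the sample.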

Last update notes
Update: Added a Dutch E-mail of Maxim Baars.

Copyright © 1999-2005 RUWEBIT.net
This article was first published on 2002-10-18
The last update was done on 2004-02-25
