Original poster
Posted on 2006-4-7 08:42:21
There is a wiki page written in French that describes this problem; the Google Translate output follows, for reference:
The theory: what is the problem?
The scenario
Let us take the following topology: at home you use your PC under Windows, with MSN Messenger to chat with your friends, and more particularly its file transfer, voice and video chat functions. We will call this PC XP1.
Another PC in the house is used the same way, under Windows, and is used occasionally for Messenger: we will call it XP2.
Lastly, all of this is connected to the Internet via a Linux firewall/router which shares its ADSL connection: we will call it Nunux.
Simple case
When you chat on XP1 (MSN text chat), MSN connects on port 1863/TCP to a Microsoft server. Nunux thus knows that it is XP1 which initiated the connection to the Microsoft server, and so knows how to route the packets that the server returns in reply.
Likewise, if XP2 connects in the same way, Nunux is able to track the connection (connection tracking) so as not to mix up the flows. All of this works perfectly well: it is traditional NAT (Network Address Translation).
Problems encountered
The problems arrive when you ask for a voice/video connection. In this case, MSN asks the server to choose another port through which to pass the video flow. And the problem is that this port is selected randomly between TCP/9000 and TCP/65535!
Then comes the moment of the connection itself, and that is where the firewall loses its footing, no longer knowing where to route the requests that arrive at it, on ports that lead nowhere, etc.
Presentation of the solution
The solution adopted by industry is UPnP: it is the application itself which dynamically asks the firewall to open the selected port (selected randomly, I remind you) and to forward the video/audio flow to the MSN machine (XP1 in this example). Then the connection goes through. However, iptables cannot manage that out of the box.
One of the solutions consists of forwarding everything directly to the MSN PC. In this case it works, no need for UPnP... on condition, however, that you have only one MSN client behind the firewall! Otherwise the firewall will not know which machine to forward the flow to.
The only clean and elegant solution: install UPnP. Many are those who regard UPnP as an aberration in terms of security. For my part I find the system rather elegant: requests to open a port can come only from inside the local network. Thus, opening a breach to allow an attack would require having an accomplice inside and agreeing in advance on the port on which to attack, which in my case is unlikely, and the comfort brought by the use of UPnP largely exceeds this risk, which I consider tiny.
With that said, follow the guide!
My network configuration
My Gentoo box is my gateway/firewall. It is configured with a Speedtouch USB modem. My public IP thus corresponds to the ppp0 interface. My internal network, for its part, is configured on eth0.
My test PC is under Windows, classically.
As for the firewall, I have few things: I activated NAT in the file /etc/conf.d/iptables by enabling the following line:
File:
ENABLE_FORWARDING_IPv4="yes"
And here is the code of my firewall, which in fact filters only NETBIOS:
Code: rudimentary filtering
# flush the firewall (filter and nat tables):
iptables -F
iptables -F -t nat
# activate NAT on the external interface:
iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0
# DROP NETBIOS packets arriving from the Internet side
iptables -A INPUT -i ppp0 -p udp --dport 137:139 -j DROP
iptables -A INPUT -i ppp0 -p tcp --dport 137:139 -j DROP
As I told you: rudimentary filtering; I want a minimum of obstacles when I work.
Installing the UPnP tools for GNU/Linux
The UPnP daemon for Linux is called... upnpd. Much debated, it nevertheless has the merit of existing, and I will thus quote what the developers say on this page:
The developers of upnpd wrote:
There are many opponents against UPnP. However, we feel that Open Source is all about giving people choices, and letting intelligent people make intelligent decisions about its uses. A lot of users really NEED this daemon, and can live with the consequences because we are simply connecting a home network to the Internet through one IP, and we would have had the Windows machines (or whatever Internet device) connected directly in the first place.
As of today (July 18, 2005), development of linux-igd (Internet Gateway Device, the package which contains upnpd) has almost stopped. According to its author, moreover, one should not use the latest version of the upnp package (1.2.1a) but an older version (1.0.4). It is therefore necessary to mask the new version (only if you are on ~x86; if you are on x86 it is not worth the trouble since upnp-1.2.1a is marked unstable).
Code: Masking the new version of upnp
echo "=net-misc/upnp-1.2.1a" >> /etc/portage/package.mask
On the other hand, it is better to use the very latest version of linux-igd:
Code: Using the unstable version of linux-igd
echo "net-misc/linux-igd ~x86" >> /etc/portage/package.keywords
Then launch the installation:
Code: Installing linux-igd
emerge linux-igd
Then, do not forget to configure your interfaces in the file /etc/linuxigd/upnpd.conf. For my configuration, that gives:
File:
# configuration file for upnpd
INTERFACE="eth0"
OUTERFACE="ppp0"
Lastly, before launching the daemon, one last step: add the following line to your file /etc/conf.d/local.start, then run it directly on the command line. Do not forget to adapt it to your configuration (eth0 is not necessarily your internal interface)!
File:
route add -net 239.0.0.0 netmask 255.0.0.0 eth0
If you configured iptables as a firewall, you must allow access to the UPnP daemon, otherwise it will serve no purpose since nobody will be able to ask it anything :-)
This access is done over HTTP on port TCP/2869 (listed in /etc/linux-igd/gatedesc.xml in the URLBase tag). It is thus necessary to open this port for access from the local interface (here eth0):
Code: Firewall configuration
iptables -A INPUT -i eth0 -p tcp --dport 2869 -j ACCEPT
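As an added example (not code from the wiki or from linux-igd), here is the firewall from this page written as a script that opens the UPnP control port on the LAN side only, explicitly drops it on the Internet side, and audits an "iptables -S INPUT" listing for a rule that would expose that port; it assumes eth0 is the internal interface and ppp0 the external one, as on this page.

```sh
#!/bin/sh
# Added example, not code from the wiki or from linux-igd. Emits the page's
# firewall as iptables commands, but lets the UPnP control port (TCP/2869)
# be reached only from the LAN side, and audits an "iptables -S INPUT"
# listing for a rule that would expose that port on the Internet side.
# Assumptions: eth0 is the internal and ppp0 the external interface.
INT_IF="${INT_IF:-eth0}"
EXT_IF="${EXT_IF:-ppp0}"
UPNP_PORT=2869

# Print the rule set; review it, then pipe it into "sh" as root to apply it.
upnp_firewall_rules() {
  cat <<EOF
iptables -F
iptables -F -t nat
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
iptables -A INPUT -i $EXT_IF -p udp --dport 137:139 -j DROP
iptables -A INPUT -i $EXT_IF -p tcp --dport 137:139 -j DROP
iptables -A INPUT -i $INT_IF -p tcp --dport $UPNP_PORT -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp --dport $UPNP_PORT -j DROP
EOF
}

# Audit: reads "iptables -S INPUT" lines on stdin; returns 1 if any rule
# ACCEPTs the control port on the external interface, 0 otherwise.
upnp_control_port_audit() {
  if grep -E -- "-i $EXT_IF .*--dport $UPNP_PORT .*-j ACCEPT" >/dev/null; then
    return 1
  fi
  return 0
}

# Constructed sample listings (not captured from a real host).
SAMPLE_GOOD='-A INPUT -i eth0 -p tcp -m tcp --dport 2869 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 137:139 -j DROP'
SAMPLE_BAD='-A INPUT -i ppp0 -p tcp -m tcp --dport 2869 -j ACCEPT'

upnp_firewall_rules
printf '%s\n' "$SAMPLE_GOOD" | upnp_control_port_audit && echo "audit: ok"
printf '%s\n' "$SAMPLE_BAD" | upnp_control_port_audit || echo "audit: control port exposed on $EXT_IF"
```

On a live box, run "iptables -S INPUT | upnp_control_port_audit" after applying the rules to confirm the control port is not reachable from ppp0.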
There, it is finished: you can now start the daemon:
Code: Starting the daemon
/etc/init.d/upnpd start
And even schedule it to start at every boot (useful if you plan to use it regularly, so as not to have to launch it for each MSN conversation):
Code: Automating the launch of the daemon
rc-update add upnpd default
Test!
There, in theory at this stage you can use the webcam function and file transfer from a workstation behind your Linux router/firewall.
If you use peer-to-peer software that is UPnP compatible (like Azureus or eMule MorphXT), remember to enable this feature: it will do you great service (for example to get a HighID with eMule).
Friendly regards.