Topic: port triggering?

I've got the openwrt experimental build running on my wrt54gs v1.1.  I've tweaked the firewall and QoS settings and it's now supporting all of my "must have" requirements.  Now I'm wondering how to do port triggering.  A lot of the home-market routers support this via their web interfaces.  Basically, when an application makes an outbound connection using a certain port, that triggers the router to enable an inbound port forward to the internal IP that made the outbound connection.  This is useful for online gaming, bittorrent, you name it.  Obviously, only one internal host can be grabbing the triggered inbound ports at a time.  But that's the nice thing about it: no firewall config is needed when the game is started on a different box the next day.

Any help is appreciated.  Thanks.

Re: port triggering?

Isn't iptables capable of doing this kind of job? You can also use a port knocking daemon, for instance:

http://openwrt.alphacore.net/knockd_0.4_mipsel.ipk

Re: port triggering?

I have been thinking it's possible a port knocker may have that function included, but I don't know.  My understanding of port knocking is that it is not the same as port triggering.

The closest thing I've found with "raw" iptables is using the "recent" module to store an IP address and somehow fire a rule.  However, I'm not sure that the functionality I want is easily done with straight iptables rules.  Maybe there is a way to have iptables send the outbound "trigger" packet to userspace, and a daemon there inspects it and adds the appropriate rules for the inbound port forward.  With enough goofing around I could probably write that code myself.

I'm just surprised I haven't found a simple way to do it with iptables, when all the routers do it out of the box.
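The mechanism the first post describes, built the way the previous paragraph sketches: netfilter on its own cannot DNAT "to whichever LAN host sent the trigger", so the outbound trigger packet is logged and a small userspace helper turns each log line into a temporary inbound forward, then tears it down again. This is an added example, not code from this thread, from OpenWrt or from Linksys; the interface names ppp0 and br0, the 600 second lifetime, the standard PREROUTING/FORWARD chains (whiterussian's prerouting_rule/forwarding_rule chains would do equally well) and the sample log line are assumptions or constructed for the example. OPEN_PORTS takes a space-separated list of ports or a:b ranges, so the iChat set mentioned later in the thread fits too.

```shell
#!/bin/sh
# Added example (not from the thread): port triggering with plain iptables plus
# a tiny userspace helper. The LOG target hands the trigger packet to the kernel
# log, a script picks the LAN source address out of the log line and installs a
# forward for that host only. All names and values below are assumptions.

WAN=ppp0            # assumed WAN interface
LAN=br0             # assumed LAN interface
TRIGGER_PORT=6881   # outbound TCP port that arms the forward
OPEN_PORTS="6881"   # inbound ports/ranges (a:b) forwarded to the triggering host
TTL=600             # seconds before the forward is torn down again

# Static rule: log the first packet of every new outbound connection to the
# trigger port. Rate-limited so a busy client cannot flood the log.
install_trigger_watch() {
    iptables -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport "$TRIGGER_PORT" \
        -m state --state NEW -m limit --limit 6/min \
        -j LOG --log-prefix "TRIGGER: "
}

# Extract the LAN source address from a kernel LOG line. Prints nothing when
# the line does not carry the TRIGGER prefix or has no usable SRC= field.
trigger_src() {
    case "$1" in
        *"TRIGGER: "*) ;;
        *) return 0 ;;
    esac
    printf '%s\n' "$1" | sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p'
}

# Emit the iptables commands that open the inbound forward for one host.
# They are printed rather than executed so the logic can be inspected and
# tested; pipe the output into sh on the router to apply it.
forward_rules() {
    host=$1
    for spec in $OPEN_PORTS; do
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
            "$WAN" "$spec" "$host"
        printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -j ACCEPT\n' \
            "$WAN" "$host" "$spec"
    done
}

# The matching teardown, so a forward never outlives the session that armed it.
teardown_rules() {
    forward_rules "$1" | sed 's/ -A / -D /'
}

# Helper loop: read log lines on stdin (on OpenWrt: logread -f | watch_log),
# arm a forward for each trigger and schedule its removal after TTL seconds.
watch_log() {
    while IFS= read -r line; do
        host=$(trigger_src "$line")
        [ -n "$host" ] || continue
        forward_rules "$host" | sh
        ( sleep "$TTL"; teardown_rules "$host" | sh ) &
    done
}

# Constructed sample log line in the shape the LOG target produces.
SAMPLE='kernel: TRIGGER: IN=br0 OUT=ppp0 SRC=192.168.1.23 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51234 DPT=6881 SYN'

# Dry run on the sample: print the rules a trigger from 192.168.1.23 would install.
host=$(trigger_src "$SAMPLE")
[ -z "$host" ] || forward_rules "$host"
```

The forward is keyed on the source address alone, which is exactly the "only one internal host at a time" property of the original post: a second host triggering replaces nothing, it simply gets its own DNAT rule ahead of the first one, so in practice you would also want teardown_rules for the previous host before arming a new one. A UDP trigger needs a second LOG rule with -p udp.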

Re: port triggering?

Another thing you can try is to copy the TRIGGER target code from the stock Linksys source tree and build them.  I haven't tried that myself, so I can't tell if it'll compile clean with the kernel the experimental build uses.

WRT54GS/release/src/linux/linux/net/ipv4/netfilter/ipt_TRIGGER.c
WRT54GS/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_TRIGGER.h
WRT54GS/release/src/router/iptables/extensions/libipt_TRIGGER.c

5 (edited by RItalMan 2005-05-10 14:54:06)

Re: port triggering?

You can find the iptables patch here: http://openwrt.alphacore.net/patches/iptables/iptables-1.3.1-trigger.patch

And the kernel one here: http://openwrt.alphacore.net/patches/kernel/linux-2.4.30-netfilter-trigger.patch

Ensure you have set:

CONFIG_IP_NF_TARGET_TRIGGER=m in your linux.config file

It would be available in the kmod-iptables-extra package. Enjoy :)

Re: port triggering?

Thanks, I'll check that out, it sounds like what I want.  I'm trying to avoid compiling it all myself for now, but I may have to break down and go for it.  :)

Re: port triggering?

I'm struggling with port triggering..  I have whiterussian RC2 installed on a WRT54GS.  rbrewer, did you ever get it to work?  RItalMan, I've ipkg install'ed kmod-iptables-extra 2.4.30-brcm-2 and iptables-extra 1.3.1-1.  I still can't create any iptables rules with a TRIGGER target (maybe my rule is wrong though, read further).  Do I really have to recompile the kernel with the patches you created?  Like rbrewer, I'd rather keep this as a last resort. :)

I'm a little confused about the actual port triggering rule I should be using.  I used to have this in HyperWRT when I did iptables --list:
TRIGGER    tcp  --  anywhere             anywhere           tcp dpt:6881 TRIGGER type:out match:6881 relate:6881
TRIGGER    udp  --  anywhere             anywhere           udp dpt:6881 TRIGGER type:out match:6881 relate:6881

Not sure what the iptables equivalent rule would be (I'm a newbie with iptables :)).  From searching the net I found something along the lines of:
iptables -t nat -A prerouting_rule -i ppp0 -p tcp --dport 6881 -j TRIGGER

I always get an error like:
iptables v1.3.1: Couldn't load target `TRIGGER':File not found

Thanks in advance for any input!

Re: port triggering?

Sorry, in the end I didn't bother with port triggering.  I'm just making do without it.

I haven't even upgraded to whiterussian rc2 yet... my setup is working well enough now that I think I'll hold off for a stable release.

Re: port triggering?

I'm searching for port triggering too...

I tried to work around the missing ipt_trigger module using ipt_recent and some SNAT tricks, but I failed.
Did anybody compile ipt_trigger.o successfully for RC3?

ciao

Wallace

N.b.: I'm trying to set up iChat (A/V and file transfer), that means:
- on trigger udp 5678 ---> forward ports 5060, 5190, 5678, 16384-16403

Re: port triggering?

lol I would like to have port triggering too, for BitTorrent and Battle.net

Re: port triggering?

Does anybody know if there is a good tutorial about using the ipt_TRIGGER module with iptables?

Re: port triggering?

Has anyone found out anything further about enabling port triggering in RC4?

Re: port triggering?

I know some of you are probably really wanting port triggering but it appears to me that at least one or two are just looking for port knocking (knock on a port and have commands of your choice executed to open up/forward other ports). For instance, I have knock sequences that will open up ssh forwarding to certain hosts, open up http mail ports, etc. knockd is extremely easy to install and configure. I have the latest (0.50) built in my repo:

http://voidmain.is-a-geek.net/files/ipkg/

knock (client):
http://voidmain.is-a-geek.net/files/ipkg/knock_0.5-1_mipsel.ipk

knockd (server):
http://voidmain.is-a-geek.net/files/ipkg/knockd_0.5-1_mipsel.ipk

This is built in the RC3 tree but it should also work for RC4.
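For readers weighing the knockd suggestion above against port triggering, here is the kind of knockd.conf the post describes: a knock sequence that opens a rule for the knocking host only, and the reverse sequence that closes it. This is an added example, not a file from the thread or from the knockd project; the port sequence, the interface name, the ssh target and the sample client address are assumptions. The small awk helper renders the command knockd would run for a given client (knockd substitutes %IP% with the knocker's address), which makes the contrast with triggering concrete: knocking acts on the remote host that knocked, triggering on the LAN host that made an outbound connection.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal knockd.conf with an open and a
# close sequence, plus a helper that shows the command knockd executes for a
# given knocking address. All values are assumptions for the example.

KNOCKD_CONF=${KNOCKD_CONF:-${TMPDIR:-/tmp}/knockd.conf.example}

write_knockd_conf() {
    cat > "$KNOCKD_CONF" <<'EOF'
[options]
    logfile   = /var/log/knockd.log
    interface = ppp0

# Three SYNs to these ports, in this order, within 5 seconds and from the same
# source, insert an ACCEPT for that source only (%IP% is filled in by knockd).
[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    tcpflags    = syn
    command     = /usr/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

# The reverse sequence removes exactly the rule that was inserted.
[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    tcpflags    = syn
    command     = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
EOF
}

# Print the command line knockd runs when a knock from address $1 completes
# section $2: the section's "command" value with %IP% replaced by the address.
rendered_command() {
    awk -v ip="$1" -v sect="[$2]" '
        $0 == sect { in_sect = 1; next }
        /^\[/      { in_sect = 0 }
        in_sect && $1 == "command" {
            sub(/^[^=]*= */, ""); gsub(/%IP%/, ip); print; exit
        }' "$KNOCKD_CONF"
}

# Write the config and show what a completed open knock from a constructed
# client address (198.51.100.7) would execute.
write_knockd_conf
rendered_command 198.51.100.7 openSSH
```

Because the opened rule carries the knocker's source address, it is useless to anyone else even if they observe the sequence being replayed from elsewhere, and the close sequence lets the same client remove it again; a cmd_timeout/stop_command pair in the section would do the same automatically after a fixed time.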

Re: port triggering?

Void Main wrote:

I know some of you are probably really wanting port triggering but it appears to me that at least one or two are just looking for port knocking (knock on a port and have commands of your choice executed to open up/forward other ports). For instance, I have knock sequences that will open up ssh forwarding to certain hosts, open up http mail ports, etc. knockd is extremely easy to install and configure.

Can you please explain the differences a bit?
Maybe I am also searching for a port knocking solution, but I am a bit lost in this one.
Thanks.

Re: port triggering?

I am trying to increase the speed of bittorrent transfers... Should I be seeking a port knocking or a port triggering solution?  Thanks for the advice!

-Alex

Re: port triggering?

sancho wrote:
Void Main wrote:

I know some of you are probably really wanting port triggering but it appears to me that at least one or two are just looking for port knocking (knock on a port and have commands of your choice executed to open up/forward other ports). For instance, I have knock sequences that will open up ssh forwarding to certain hosts, open up http mail ports, etc. knockd is extremely easy to install and configure.

Can you, please, explain the differences a bit?
Maybe I am also searching for a port knocking solution, but I am a bit lost in this one.
Thanks.

Port knocking is explained here:
http://www.linuxjournal.com/article/6811
http://wrt-wiki.bsr-clan.de/index.php?title=Knockd

Port triggering:
http://www.portforward.com/help/porttriggering.htm

Re: port triggering?

Thanks for the help, already reading the docs and it looks really interesting...

18 (edited by aslporttrig 2006-07-19 15:21:34)

Re: port triggering?

Hi Everybody,
   I am trying to implement port triggering in iptables/netfilter on Linux 2.4.x. While searching for some information I came across this page. After going through florian's message posted on 2005-05-10, I tried to download the patches from:
http://openwrt.alphacore.net/patches/iptables/iptables-1.3.1-trigger.patch

http://openwrt.alphacore.net/patches/kernel/linux-2.4.30-netfilter-trigger.patch
but without success.

Also I do not know how to get the files:
WRT54GS/release/src/linux/linux/net/ipv4/netfilter/ipt_TRIGGER.c
WRT54GS/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_TRIGGER.h
WRT54GS/release/src/router/iptables/extensions/libipt_TRIGGER.c

   Could anybody please shed some light on this?

Thanks in advance.

Best regards,

Re: port triggering?

mtakahar wrote:

Another thing you can try is to copy the TRIGGER target code from the stock Linksys source tree and build them.  I haven't tried that myself, so I can't tell if it'll compile clean with the kernel the experimental build uses.

WRT54GS/release/src/linux/linux/net/ipv4/netfilter/ipt_TRIGGER.c
WRT54GS/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_TRIGGER.h
WRT54GS/release/src/router/iptables/extensions/libipt_TRIGGER.c

Could you please tell me how to get these files?

Thanks & regards,

Re: port triggering?

florian_ wrote:

You can find the iptables patch here: http://openwrt.alphacore.net/patches/iptables/iptables-1.3.1-trigger.patch

And the kernel one here: http://openwrt.alphacore.net/patches/kernel/linux-2.4.30-netfilter-trigger.patch

Ensure you have set:

CONFIG_IP_NF_TARGET_TRIGGER=m in your linux.config file

It would be available in the kmod-iptables-extra package. Enjoy :)

I think these links (URLs) are dead. I am not able to download the patch files. Is it possible to get those patch files from the net?

Warm regards,