UPnP on your Linux 2.4 firewall how-to

領測軟件測試網

author: bijl, published: 2002-10-18, last update: 2004-02-25, popularity: javascript:window.open(this.src);" style="CURSOR: pointer" onload="return imgzoom(this,550)">

Note:we still haven't audio/video in MSN Messenger working, but we are veryclose. Input is welcome! Use the E-mail link (remove the spam words) orthe webmaster form!

Touse the audio/video functionality of MSN Messenger (or WindowsMessenger, but I will use the former term in the rest of this article)through a firewall, you need UPnP on your firewall. This articleexplains how to add UPnP to your Linux kernel 2.4 based firewall (forexample SmoothWall 2). It took us some beers and a substantial amount of frustrating hours tocollect the proper information and set it up. This article will turnfrustrating hours into a handfull of happy minutes... Well, if you likebeer. Some knowlegde about networking and Linux is required. We usedWindowsXP and MSN Messenger beta-5, build 527, but it should also workwith other Messenger versions. We're not sure if UPnP will work withother Windows versions (probably not, maybe there is an UPnP updateavailable).

What is UPnP?
UPnP stands for Universal Plug 'n Play. It allows some clients withinthe internal network to open up your firewall, when needed. Note thatthis is a security issue. Refer to http://www.microsoft.com/windowsxp/pro/techinfo/planning/upnp/default.asp for info about UPnP under WindowsXP.

Collecting the correct software
To install UPnP on your firewall, you need . As the site explains: Thisproject is a deamon that emulates Microsoft's Internet ConnectionService (ICS). It implements the UPnP Internet Gateway Devicespecification (IGD) and allows UPnP aware clients, such as MSNMessenger to work properly from behind a NAT firewall.

Download gateway-0.75.tgzor a newer version. LinuxIGD only works with kernel 2.4 (iptables). Ifyou are looking for something for kernel 2.2 (ipchains), check out http://pseudoicsd.sourceforge.net/.

LinuxIGD needs the http://upnp.sourceforge.net. Download upnpsdk-1.0.4.tar.gz or a newer version. Do not download the rpm, because you need to make some changes in the code.

Follow the instruction in the INSTALL document of LinuxIGD. You have tochange something in the code of the UPnP SDK, you have to compile itand you have to compile the LinuxIGD UPnP Daemon.... or....

... or forget the above and download our already by RuweBit compiled files !! Is compiled for kernel 2.4.17.

Move the files to the correct places
If you downloaded the RuweBit package above, or compiled it on anothermachine, follow the next steps to move the files to the correct places

Copy the *.xml and *.skl files to /etc/linuxigd

mkdir /etc/linuxigd cp gateconnSCPD.xml /etc/linuxigd cp gatedesc.skl /etc/linuxigd cp gatedesc.xml /etc/linuxigd cp gateicfgSCPD.xml /etc/linuxigd cp gateinfoSCPD.xml /etc/linuxigd

Copy the upnpd file to /usr/bin

cp upnpd /usr/bin

Copy the *.o* files to /usr/lib

cp libupnp.so /usr/lib cp libstdc++-libc6.2-2.so.3 /usr/lib

Preparing for the UPnP daemon
To start the UPnP daemon, first some preparations must be made:

Create a symbolic link from /usr/sbin/iptables to the iptables program, for example:

ln -s /sbin/iptables iptables

This is a very important step, because upnpd expects the iptables program in /usr/sbin

Add a route, as explained in the INSTALL of LinuxIGD. For example:

route add -net 239.0.0.0 netmask 255.0.0.0 int_if

Where int_if is the internal interface of your firewall, for example eth0 or eth1.

Starting UPnP
To start upnp, do:

upnpd ext_if int_if

For example: upnpd eth0 eth1

To stop upnp, do:

killall upnpd

To check if upnp is running, do:

ps -x | grep upnpd

It's normal to see multiple processes

Diagnostics
To see log messages:

cat /var/log/messages | grep upnp

Configuring Windows XP for UpNp
At this point an icon should be visible in the Network Connections dialog (My Network Places->Right-click->Properties).



To use the UPnP features of WindowsXP, it has to be enabled first:

In the same Network Connections dialog, go to the 'Advanced' menu and select 'Optional Networking Components'.

Optional Networking Components" src="http://www.itjc.cn/A-A-B/Image/2005/09/13/200509132228054_20.gif" />

Select 'Networking Services' and press the 'Details' button.



Enable 'Universal Plug ' and press the 'Ok' button.



The previous dialog appera again, press the 'Next' button.

And now you have your personal Shu-shit-sju router. Or something.



Open issues
At this point we still haven't audio/video in MSNMessenger working. Input is very welcome! Use the E-mail link (removethe spam words) or the webmaster form!

Is the route add necessary on each reboot?
What is a nice location to start upnp after a reboot?

Links
http://linux-igd.sourceforge.net
http://upnp.sourceforge.net
http://www.microsoft.com/windowsxp/pro/techinfo/planning/upnp/default.asp
http://www6.tomshardware.com/network/02q3/020828/upnp-06.html

Thanks to Bart for his help and compilation of upnpd.

Dutch E-mail from Maxim Baars De opzet die in je HOWTO staat is goed. Ik betwijfel of die OptionalNetwork Components aangepast moet worden in XP. Volgens mij is dedefault instelling waarbij Internet Gateway Device Discovery andControl Client aan staat voldoende. Maar ik heb dit verder niet getest. Mijn omgeving is RH7.1 en ik heb zowel met Windows Messenger 4.7 alsMSN Messenger 6.1 getest. Wat je nog mist zijn de rules voor het packetfilter. Het volgende scriptje zou je als test kunnen gebruiken. Je kuntnog wat meldingen krijgen (als je logt), waarschijnlijk voor packetsdie geen RELATED of ESTABLISHED state hebben. (Dit veronderstelt deaanwezigheid van een rules als "... INPUT -m state --stateRELATED,ESTABLISHED -j ACCEPT" en "... FORWARD -m state --stateRELATED,ESTABLISHED -j ACCEPT".) ## Test script # Check if UPnP daemon is already running # Note: daemon only inserts DNAT rules to client # Note: "/usr/bin/upnpd extif intif" can be added to /etc/rc.d/rc.local#if !(pidof upnpd); then if !( ps -ef | grep upnpd | grep -v grep>/dev/null ) ; then upnpd extif intif fi # Allow forwarding of UPnP packets (if policy is DROP) iptables -A FORWARD -p udp -i extif -o intif -j ACCEPT iptables -A FORWARD -p tcp -i extif -o intif -j ACCEPT # Allow multicast for UPnP # Note: "intif net 239.0.0.0 netmask 255.0.0.0" can be added to # /etc/sysconfig/static-routes route add -net 239.0.0.0 netmask 255.0.0.0 intif 2> /dev/null iptables -A INPUT -i intif -s intnet -d 239.255.255.250 -j ACCEPT # SSDP Discovery Service (SSDP protocol) iptables -A INPUT -i intif -p udp --dport 1900 -j ACCEPT # SSDP Discovery Service (SSDP event notification protocol) # Universal Plug and Play Device Host (UPNP protocol) iptables -A INPUT -i intif -p tcp --dport 2869 -j ACCEPT ## EOF Ik ben nog aan het overwegen of ik de upnpd-code zal aanpassen, want ik vind met name de forward rules te "open". Met vriendelijke groet, Maxim

Last update notes
Update: Added a Dutch E-mail of Maxim Baars.

Copyright © 1999-2005 RUWEBIT.net
This article was first published on 2002-10-18
The last update was done on 2004-02-25

文章來源于領測軟件測試網 http://www.kjueaiud.com/