Firewall problems

General support for problems installing or using Deluge

Post by OMxXdJPg3M8m »

I configured my iptables today, and I can't get Deluge to work with the new rules. I'm using Deluge in daemon mode; the daemon is version 1.3.3 and is running on Debian Wheezy, while the client is version 1.3.6 and is running on Ubuntu 13.04. I've opened TCP and UDP ports 65481-65491 for incoming connections on the server (along with TCP port 58846 to communicate with the daemon), and told Deluge to use those ports. It seems to be doing that, and it gives me a green check mark when I press the 'Test Active Port' button. However, all of my torrents show one of three errors: 'Operation not permitted', 'Network unreachable', or 'Connection refused'. Curiously, I am NOT getting the 'No incoming connections' error. If I disable the firewall they all start working again.

Here's what I've tried so far, without success:

* Opening up TCP and UDP ports 7881-7891 for outgoing connections and telling Deluge to use those (I closed them again when opening them had no effect)
* Deleting my ~/.config/deluge/ folder

Here are my iptables rules:


Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:65481:65491
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:58846
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn
ACCEPT     udp  --  anywhere             anywhere             udp dpts:65481:65491
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             LOG level warning

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  10.0.0.0/24          anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  10.9.8.0/24          anywhere            

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             wieck.debian.org     tcp dpt:http
ACCEPT     tcp  --  anywhere             villa.debian.org     tcp dpt:http
ACCEPT     tcp  --  anywhere             lobos.debian.org     tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
LOG        all  --  anywhere             anywhere             LOG level warning
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Edit:
I've determined that it is a problem with the outgoing connections. If I leave the INPUT chain as it is, but set the OUTPUT policy to ACCEPT, it starts working. I prefer the policy to be DROP however, so I still need to figure out which exact connections are being denied but shouldn't be. As previously established, opening up a range of TCP and UDP ports in chain OUTPUT and telling Deluge to use those for outgoing connections does not solve the problem.

Edit:
The problem seems to be that Deluge tries to use UDP ports outside of the range defined in the 'Outgoing ports' setting. Opening all UDP ports solves the problem, but that's a less than ideal solution. I tried opening up a much larger range of ports (60000:65000), but that didn't help. This behavior is apparently controlled by libtorrent, of which I have version 0.15.10 installed.
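The OUTPUT chain above already has a LOG rule immediately before the final REJECT, so the kernel log records every outbound packet the firewall refuses, including the UDP source port libtorrent actually chose. The script below is an added example, not code from the original post or from the Deluge project: it parses lines in the format iptables LOG emits (constructed sample lines are embedded, they are not taken from the poster's machine) and counts how many rejected outbound packets used a source port outside a given range, which is the quickest way to confirm the "ports outside the Outgoing ports range" hypothesis from a real `kern.log`. The interface name, addresses and ports in the sample are assumptions.

```sh
#!/bin/sh
# Constructed sample of iptables LOG lines, in the shape the kernel writes to
# kern.log/syslog. Three are outbound (OUT=<iface>), one is inbound (IN=eth0 OUT=).
# All addresses, ports and the interface name are invented for this example.
SAMPLE_LOG='Jun  5 12:00:01 wheezy kernel: [ 101.1] IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=41234 DPT=6881 LEN=40
Jun  5 12:00:02 wheezy kernel: [ 102.2] IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=41234 DPT=51413 LEN=40
Jun  5 12:00:03 wheezy kernel: [ 103.3] IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.33 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=65483 DPT=6881 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  5 12:00:04 wheezy kernel: [ 104.4] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# Read iptables LOG lines on stdin and print one record per *outbound* packet
# (a non-empty OUT= field): PROTO DST DPT SPT. Inbound lines (OUT=) are skipped,
# as are lines with no PROTO= field at all.
blocked_outbound() {
    awk '{
        out = ""; proto = ""; dst = ""; spt = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^OUT=./)   out   = substr($i, 5);
            else if ($i ~ /^PROTO=/)  proto = substr($i, 7);
            else if ($i ~ /^DST=/)    dst   = substr($i, 5);
            else if ($i ~ /^SPT=/)    spt   = substr($i, 5);
            else if ($i ~ /^DPT=/)    dpt   = substr($i, 5);
        }
        if (out != "" && proto != "") print proto, dst, dpt, spt;
    }'
}

# Given blocked_outbound output on stdin, count the packets of protocol $1
# whose SOURCE port lies outside [$2, $3]. A non-zero result means the client
# is sending from ephemeral ports that a --sport range rule cannot cover.
count_outside_range() {
    awk -v p="$1" -v lo="$2" -v hi="$3" \
        '$1 == p && ($4 + 0 < lo || $4 + 0 > hi) { n++ } END { print n + 0 }'
}

# Usage: show the rejected outbound packets, then check them against the
# 7881-7891 outgoing range from the post. With a real log, replace the
# sample with:  grep 'OUT=eth0' /var/log/kern.log | blocked_outbound
printf '%s\n' "$SAMPLE_LOG" | blocked_outbound
printf '%s\n' "$SAMPLE_LOG" | blocked_outbound | count_outside_range UDP 7881 7891
```

On the sample both UDP packets (DHT/uTP-style traffic to peers' ports 6881 and 51413) leave from source port 41234, outside the configured range, while the TCP packet uses 65483 and would have matched a `--sport 65481:65491` rule. When the same pattern shows up in the real log, matching on the sending process rather than the port is the usual fix for an OUTPUT chain with a DROP policy: iptables' owner match (`-m owner --uid-owner <user>`) can accept outbound UDP from the account the daemon runs as without opening every UDP port for every process. One caveat when reading the listing in the post: `iptables -L` without `-v` hides interface matches, so a rule printed as `ACCEPT all -- anywhere anywhere` may well be restricted to `-o lo` and not be the catch-all it looks like.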