Opening ports with iptables

I would like to use iptables to set up my firewall to only open certain
ports if an outgoing connection on another port already exists. The
RELATED class does this if you just want the connection to be allowed
back from the same host that the outgoing connection is to, but I want
the ports to be opened for everyone while that outgoing connection
exists. For example, if I run bittorrent, and connect to a tracker at
port 6969 on some machine, I want ports 6881 to 6889 opened back to my
machine so that other clients can connect to me, and then close those
ports again when I disconnect. Is this even possible? Thanks for any
help.

(E-Mail Removed) wrote in
news:(E-Mail Removed) ups.com:

> I would like to use iptables to set up my firewall to only open certain
> ports if an outgoing connection on another port already exists. The
> RELATED class does this if you just want the connection to be allowed
> back from the same host that the outgoing connection is to, but I want
> the ports to be opened for everyone while that outgoing connection
> exists. For example, if I run bittorrent, and connect to a tracker at
> port 6969 on some machine, I want ports 6881 to 6889 opened back to my
> machine so that other clients can connect to me, and then close those
> ports again when I disconnect. Is this even possible? Thanks for any
> help.
>
>

Of course it is possible with just a Small Matter Of Programming (SMOP).
Write a wrapper script which opens up the desired ports when "bittorrent"
is invoked and reverse the operation upon exit.

> Of course it is possible with just a Small Matter Of Programming
(SMOP).
> Write a wrapper script which opens up the desired ports when
"bittorrent"
> is invoked and reverse the operation upon exit.


That would work great if the firewall was running on the same machine
as the bittorrent client, but its on my router (a Linksys running
OpenWRT). Plus, I'd like to be able to run bittorrent on more than one
machine and have the ports automagically be forwarded to the right one.

(E-Mail Removed) said:
>I would like to use iptables to set up my firewall to only open certain
>ports if an outgoing connection on another port already exists.
....
>For example, if I run bittorrent, and connect to a tracker at port 6969
>on some machine, I want ports 6881 to 6889 opened back to my machine so
>that other clients can connect to me, and then close those ports again
>when I disconnect.

Sounds like work for a specific iptables helper module. The ip_conntrack_ftp
module (used to allow active ftp backchannel requests) might be good source
for information. Of course, ip_conntrack_ftp only allows the backchannel
requests from the single IP address that was used for the outbound command
channel, but still I trust it contains a good amount of relevant code.
If you choose to write such a module, be careful with your coding; the
module will be loaded as part of your operating system, so it has full
power to hose the system.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)