If you want to run a server or P2P app from behind a firewall (a NAT router, etc.), you need to forward the ports used by your application from the router to the computer running the software. To do this, I wrote a script that can be run on a router running the Tomato firmware to create and remove the forwarding rule.
If you set up ssh logins using public-key authentication (removing the need to enter a password), you can execute this script from another computer. You can also start the app on a computer by wrapping it in a script that uses ssh to run the script below, creating the forwarding rule before the app starts and removing it after the app closes. This is really nice for running a BitTorrent client.
#!/bin/sh
# A simple sh script to create or remove a firewall forwarding rule for a
# BitTorrent client. This has been tested on a Linksys WRT54GL running Tomato.
# This script can be run via ssh from a remote machine. If you have public
# key authentication set up, you also don't need to enter a password.
#
# The following forwards port $port to the IP address $ip:
#
# ssh root@router "/home/root/bin/open_firewall allow $ip $port"
#
# The following removes the forwarding of port $port to the IP address $ip:
#
# ssh root@router "/home/root/bin/open_firewall deny $ip $port"
#
IPTABLES=/usr/sbin/iptables
EXTINT=ppp0          # WAN interface; change this if your WAN is e.g. vlan1
LANNET=192.168.1.1/255.255.255.0
LANIP=192.168.1.1    # router's LAN address, used for the hairpin SNAT below

usage() {
    echo "usage: $0 allow|deny <lan-ip> <port>" >&2
    exit 1
}
[ $# -eq 3 ] || usage

# Current WAN address. Bail out if the link is down: with an empty EXTIP the
# "-d" below would silently swallow the next argument.
EXTIP=$(ifconfig $EXTINT | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://')
[ -n "$EXTIP" ] || { echo "no address on $EXTINT" >&2; exit 1; }

# DNAT traffic arriving on port $3 at the WAN address to the LAN host $2
OA_PRE_RULE="PREROUTING -d $EXTIP --dport $3 -j DNAT --to-destination $2"
# Hairpin: let LAN hosts reach the forwarded port via the WAN address too
OA_POST_RULE="POSTROUTING --dport $3 -s $LANNET -d $2 -j SNAT --to-source $LANIP"
# Tomato's wanin chain filters WAN->LAN traffic; accept the forwarded port
WO_WI_RULE="wanin -d $2 --dport $3 -j ACCEPT"

if [ "$1" = "allow" ]
then
    ACTION=-A
elif [ "$1" = "deny" ]
then
    ACTION=-D
else
    usage
fi

# The same three rules are needed for both TCP and UDP
for PROTO in tcp udp
do
    $IPTABLES -t nat -p $PROTO $ACTION $OA_PRE_RULE
    $IPTABLES -t nat -p $PROTO $ACTION $OA_POST_RULE
    $IPTABLES -p $PROTO $ACTION $WO_WI_RULE
done
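The client-side wrapper described above, as an added example that is not part of the original post: it asks the router over ssh to run open_firewall with allow, runs the client, and always sends deny again when the client exits, so a crash or Ctrl-C does not leave the port open. The router name root@router, the path /home/root/bin/open_firewall and the example client command are assumptions; the SSH variable exists only so the logic can be tried without a router.

```sh
#!/bin/sh
# Added wrapper (not from the original post): open the forwarding rule over
# ssh, run the client, and remove the rule again whenever the client exits.
# Assumes the open_firewall script is installed on the router at
# /home/root/bin/open_firewall and that ssh login uses a public key.
ROUTER="${ROUTER:-root@router}"
OPEN_FIREWALL="${OPEN_FIREWALL:-/home/root/bin/open_firewall}"
SSH="${SSH:-ssh}"   # overridable so the logic can be tried without a router
# Only a plain dotted-quad address and a numeric port may reach the remote
# command line; anything else is rejected before ssh is called at all.
valid_ip() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
    return 0
}
valid_port() {
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
set_forward() {   # $1 = allow|deny, $2 = LAN address, $3 = port
    "$SSH" "$ROUTER" "$OPEN_FIREWALL $1 $2 $3"
}
# Idempotent: sends "deny" once, however many times it is invoked.
close_forward() {
    if [ -n "$FWD_OPEN" ]; then
        FWD_OPEN=
        set_forward deny "$FWD_IP" "$FWD_PORT"
    fi
}
# run_with_forward LAN_IP PORT COMMAND [ARGS...]; returns the command's status
run_with_forward() {
    FWD_IP=$1; FWD_PORT=$2; shift 2
    valid_ip "$FWD_IP" || { echo "invalid LAN address: $FWD_IP" >&2; return 2; }
    valid_port "$FWD_PORT" || { echo "invalid port: $FWD_PORT" >&2; return 2; }
    set_forward allow "$FWD_IP" "$FWD_PORT" || return 1
    FWD_OPEN=1
    trap close_forward EXIT INT TERM    # rule is removed even if we are killed
    "$@"
    rc=$?
    close_forward
    trap - EXIT INT TERM
    return $rc
}
if [ $# -ge 3 ]; then
    run_with_forward "$@"   # e.g. ./bt_wrapper 192.168.1.10 51413 transmission-gtk
fi
```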
Why not just use UPnP?
Why don't I just enable UPnP on my router? UPnP (Universal Plug and Play) is a protocol that allows software running behind the firewall to open ports in the firewall. Unfortunately, because UPnP is a standard, malware can use it just as easily to open holes in the firewall. Using this home-grown solution makes it far less likely that a piece of malware running on my computer would be able to affect my firewall settings.