1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Using UPnP to trigger access restriction.

Discussion in 'Tomato Firmware' started by onehomelist, Apr 26, 2010.

  1. onehomelist

    onehomelist Addicted to LI Member

    The UPnP page shows which p2p applications are being used by the users. It would be good if someone could come up with a script, which has names of all p2p applications as keywords (even allows admins to add keywords for newer p2p applications), which triggers tomato 'access restriction' when users launch those p2p applications. As UPnP list gets refreshed, if users stop using p2p applications, their entry in access restrction list also gets removed automatically.

    up12.jpg
     
  2. Azuse

    Azuse LI Guru Member

    A better question would probably be is it even possible to script anything at all using an application name form the upnp table...

    Personally I'd guess no, because if it were people would almost certainly have been restricting uTorrents ports to make their qos work.
     
  3. onehomelist

    onehomelist Addicted to LI Member

    If gui can display the application name, then surely there is a way to run a script which blocks the internet. Or it can be done another way. I have noticed that in my network there are no legit applications which require upnp, only p2p applications or malware infected pcs open ports. So any clients which tries to open a port via upnp should get blocked. And if there are any legit applications which need upnp, those applications can be added as exceptions.
     
  4. Toastman

    Toastman Super Moderator Staff Member Member

    Well, clearly if UPnP is capable of displaying the application, it must be **possible** to garner and use that information somehow.

    Adding the port for anything labelled "uTorrent" , "Bit Torrent" or "eMule" etc automatically to a QOS P2P rule would be a neat idea. The question is, how difficult, is it worth doing - and so on. I like the idea....
     
  5. mstombs

    mstombs Network Guru Member

    In teddy_bear releases at least miniupnpd stores its leases in /etc/upnp/data.info, i.e.

    Code:
    root@unknown:/# cat /etc/upnp/data.info
    UDP 17619 192.168.1.101 17619 [Skype UDP at 192.168.1.101:17619 (1212)]
    TCP 17619 192.168.1.101 17619 [Skype TCP at 192.168.1.101:17619 (1212)]
     
  6. onehomelist

    onehomelist Addicted to LI Member

    My stats. I feel too downhearted when most of my network users just use p2p and hog my too costly 4 Mbp/s bandwidth.

    Can someone explain how access restriction works? and what code it executes?
     
  7. xorglub

    xorglub Addicted to LI Member

    That is really funny because I was working on exactly that yesterday !

    So yeah /etc/upnp/data.info is the file, BUT it seems to be only gets refreshed when miniupnpd gets a SIGUSR2 and there is a /etc/upnp/info file. I had to dig in the miniupnpd's source code to find this hidden feature, which seems to have been developped specifically for the tomato's GUI (top of the miniupnpd.c).

    Now I've got another problem : the upnp mappings disappear after a while but torrent clients are still running. It may be because of wrong timeout values I set (or not set, I used the default values). Anyway this stupid script should get you started :

    Code:
    BANNED_EXPR="torrent|dna"
    
    #Create the chain (it doesn't matter if it already exists).
    iptables -N upnptrap 2> /dev/null
    #Add it to the RESTRICT chain (if non existing).
    iptables -L restrict -n | grep -q "upnptrap"
    if [ $? -ne 0 ]; then
      iptables -A restrict -j upnptrap
    fi
    
    #Clear old rules
    iptables -F upnptrap
    
    #Tomato way !
    touch /etc/upnp/info
    killall -SIGUSR2 miniupnpd
    grep -i -E ${BANNED_EXPR} /etc/upnp/data.info | while read PROTO EXTPORT IP INTPORT DESC
    do
    #Remove the upnp rules
      iptables -L upnp -n --line-numbers | grep ${IP} | grep -i ${PROTO} | sort -r | while read RULENR THEREST
      do
        iptables -D upnp ${RULENR}
      done
      iptables -L upnp -n --line-numbers -t nat | grep ${IP} | grep -i ${PROTO} | sort -r | while read RULENR THEREST
      do
        iptables -t nat -D upnp ${RULENR}
      done
    
    #Ban !
      iptables -A upnptrap -s ${IP} -j DROP
    done
    
     
  8. onehomelist

    onehomelist Addicted to LI Member

    Where the script should go? WANUP or FIREWALL
     
  9. Azuse

    Azuse LI Guru Member

    uTorrent refreshes it's upnp entries every 30 minutes I believe, although my timeout is the default 10 min and the log is still full of rule removals.

    1. What does that script do? :biggrin:

    2. What does the op mean by trigger access restriction? Do you mean literally an access rule that blocks internet access or forcing utorrent + anything less into a specific qos class regardless of ports? (my preference).
     
  10. onehomelist

    onehomelist Addicted to LI Member

    I used it as firewall script. After some time the clients reappear slowly one by one. If I restart the firewall manually then the upnp listing gets cleared. Another problem is that some appications have mix of random numbers and letters as the names. So they cannot be added to BANNED_EXPRE. So the script should be modified to respond to any name (for example if any application uses upnp to open port it should be picked up by the script and the rules should be executed).

    Thank you xorglub.
     
  11. onehomelist

    onehomelist Addicted to LI Member

    If I restart the firewall with the command 'service firewall restart' the upnp table gets cleared, and in QOS graph all p2p activity disappers. Slowly the bittorrent clients reappear on the table one by one. If I do firewall restart again unp table gets cleared. I think the script should be modified to automatically run on intervals.

    The most exciting thing is conntrack shows only 600 connections, earlier it used to be more than 3000. So the script really doing its job:clap2:
     
  12. onehomelist

    onehomelist Addicted to LI Member

    Here is the output of the iptables -L command after 10 minutes of running upnp restriction script

    Code:
    Chain upnp (1 references)
    target     prot opt source               destination         
    ACCEPT     tcp  --  anywhere             192.168.0.192       tcp dpt:62612 
    ACCEPT     udp  --  anywhere             192.168.0.192       udp dpt:62612 
    ACCEPT     tcp  --  anywhere             Ar-PC             tcp dpt:57618 
    ACCEPT     udp  --  anywhere             Ar-PC             udp dpt:57618 
    ACCEPT     tcp  --  anywhere             192.168.4.133       tcp dpt:52242 
    ACCEPT     udp  --  anywhere             192.168.4.133       udp dpt:52242 
    ACCEPT     tcp  --  anywhere             kri-PC          tcp dpt:46014 
    ACCEPT     udp  --  anywhere             kri-PC          udp dpt:46014 
    ACCEPT     tcp  --  anywhere             pun-PC          tcp dpt:19427 
    ACCEPT     udp  --  anywhere             pun-PC          udp dpt:19427 
    ACCEPT     tcp  --  anywhere             192.168.5.200       tcp dpt:48705 
    ACCEPT     udp  --  anywhere             192.168.5.200       udp dpt:48705 
    ACCEPT     tcp  --  anywhere             acer                tcp dpt:16453 
    ACCEPT     udp  --  anywhere             acer                udp dpt:16453 
    ACCEPT     tcp  --  anywhere             ad80481     tcp dpt:49517 
    ACCEPT     udp  --  anywhere             sad80481     udp dpt:49517 
    ACCEPT     tcp  --  anywhere             a0cc8bbb39     tcp dpt:64462 
    ACCEPT     udp  --  anywhere             a0cc8bbb39     udp dpt:64462 
    
    Chain upnptrap (1 references)
    target     prot opt source               destination         
    DROP       all  --  c6e4cd08      anywhere            
    DROP       all  --  c6e4cd08      anywhere            
    DROP       all  --  192.168.4.220        anywhere            
    DROP       all  --  Ar-PC             anywhere            
    DROP       all  --  sus               anywhere            
    DROP       all  --  sus              anywhere            
    DROP       all  --  a0cc8bbb39      anywhere            
    DROP       all  --  a0cc8bbb39      anywhere            
    DROP       all  --  a0cc8bbb39      anywhere            
    DROP       all  --  a0cc8bbb39      anywhere
     
  13. xorglub

    xorglub Addicted to LI Member

    The script was intended to be run regularly, ie as a cron job.
    There are many legitimate uses for Upnp, like MSN messenger, skype, Xbox Live, or even Teredo (build in win Vista and 7) to name only a few, so you definitely need to be selective. The BANNED_EXPR is used as a regular expression so you can be more creative than I was to deal with numbers and other degrees randomness in the mapping names. The grep manual is a good start.

    I will not work on it any further though as it would be a lot of work turning it into something that is actually useful.
    First, simply blocking all traffic from the users you catch is going to cause a lot of complaints from them (and as you can imagine you'll end up blocking almost everyone, might as well unplug the router !). You'd need to either block only the p2p traffic (good luck with that) or make some kind of captive portal telling them they were caught using program xxx, please close it to re-enable your network access...
    Then there is a fine tweaking of the timing values - miniupnpd's rule cleaning interval, rule time to live, how often the p2p clients renew their mapping, and how often the script is run to check for them. That's a lot of factors and finding a good combination will be very time consuming.
    And finally, anyone a bit knowledgeable will eventually find out how you detect them and disable upnp in their p2p clients.
     

Share This Page