octo's guide to run a gnutella node behind a firewall

In general gnutella is very firewall-friendly. It operates entirely on one tcp port (default: 6346) which can be configured freely due to a clever protocol specification. The downside is, that it is extremely hard to block, in case you want your users not to share files. I assume that you are using IP Tables (the packet filter of linux 2.4), have some knowledge about it and that you have a basic understanding of firewall concepts.

Regular firewall

If you administer a regular firewall, using public IP adresses, configuring your firewall for gnutella is just as easy as for any other service. A possible configuration would be:


iptables -t filter -A FORWARD -s $NET_INTERN -p tcp --sport $PORT_GNUTELLA -j ACCEPT
iptables -t filter -A FORWARD -d $NET_INTERN -p tcp --dport $PORT_GNUTELLA -j ACCEPT

SNATing firewall

SNATing firewalls (which includes masquerading, because masquerading is a special case of SNAT..) are slightly more complex than regular ones. Other gnutella nodes no longer try to connect to the computer the node is actually running on, but to the IP the source is getting set to (when doing masquerading that would be the router itself). So what you have to do is to DNAT that one particular port back to the IP the node is running on. When having more than one gnutella node running behind an SNATing firewall you will have to set each node to use another port. The following two configurations can be used:

Just plain old SNAT

With regular SNAT you know which IP:port you told the world the gnutella node was running on. So now the world will try to connect to this IP:port and you have to DNAT the traffic to where it belongs:


# SNAT outgoing traffic
iptables -t nat -A POSTROUTING -s $IP_GNUTELLA -p tcp --sport $PORT_GNUTELLA -j SNAT --to-source $IP_SNAT:$PORT_SNAT

# DNAT incoming traffic
iptables -t nat -A PREROUTING -d $IP_SNAT -p tcp --dport $PORT_SNAT -j DNAT --to-destination $IP_GNUTELLA:$PORT_GNUTELLA

Masquerading - for dialup routers

People lacking a static, official IP adress will propably use "masquerading", a special type of SNAT, actually. The difference is, that we set the source-IP to the IP of our own interface and that we don't which IP that actually is. We could use some ip-up scripts or so to get around this, but masquerading makes it so much easier. All you have to know is what interface you expect your packets to come in, and that's now changes as often..


# Masquerade (SNAT) outgoing traffic
iptables -t nat -A POSTROUTING -s $IP_GNUTELLA -p tcp --sport $PORT_GNUTELLA -j MASQUERADE

# DNAT incoming traffic
iptables -t nat -A PREROUTING -i $DEV_EXTERN -p tcp --dport $PORT_GNUTELLA -j DNAT --to-destination $IP_GNUTELLA

Finding a gnutella node to start with

Reading through my webserver's logfile I found that many people found this page when looking for the IP address of a gnutella node. Well, I can't give you that, but I'm sure that you will find the GWebCache program very usefull. They have a "Cache Scan Report" which you might want to check out. Or, an even more meta method would be to just ask Google.. Have fun :)

Useful links

This document validates as XHTML 1.1!
This document uses valid CSS2!
Written by Florian octo Forster