Enabling the Internet Gateway Device protocol on a Debian-based system running shorewall

The Internet Gateway Device (IGD) protocol allows client software on computers behind a NAT router/firewall to request that incoming network ports on the router be forwarded to the client computer. Though this technology is often criticized as a weakening of security, my analysis of the threat vectors has left me unconvinced that an IGD router/firewall represents a significant risk compared to a system without IGD. For many users, port forwarding remains an unfamiliar concept, and they do not wish to take the time and effort to configure it manually. By turning on IGD, a NAT router/firewall can better support the software needs of the computers on the private network.

The setup I performed was on a Debian 4.0 (Etch) system. Other distributions such as Ubuntu should be similar, though details may differ. IGD support is provided by the linux-igd package, which has been available in Debian since version 4.0 (Etch) and in Ubuntu since version 6.10 (Edgy Eft). The first step is to install the package:

sudo apt-get install linux-igd

On the Debian 4.0 (Etch) system this actually fails, because the service cannot be started until its configuration files have been edited. So the next step was to edit the init script /etc/init.d/upnpd, which holds the interface settings:

sudo nano /etc/init.d/upnpd

I set the variables EXT_IFACE and INT_IFACE to the correct values (the interfaces for the external and internal networks). I then reinstalled the package so that its configuration step would complete without errors:

sudo apt-get install linux-igd

I then edited the configuration file for the upnpd daemon:

sudo nano /etc/upnpd.conf

In accordance with the shorewall documentation, I set the following variables (the chain names must match exactly, as iptables chain names are case-sensitive):

  • forward_chain_name = forwardUPnP
  • prerouting_chain_name = UPnP

And then I restarted the daemon:

sudo /etc/init.d/upnpd restart

Once that was done I needed to configure shorewall. I started by editing the /etc/shorewall/interfaces file:

sudo nano /etc/shorewall/interfaces

and added the upnp option to the external interface's entry. I then edited the /etc/shorewall/rules file:

sudo nano /etc/shorewall/rules

I added the following two lines (the first lets hosts in the loc zone talk to the IGD service on the firewall itself; the second passes the dynamically forwarded ports from net into loc):

  • allowinUPnP loc fw
  • forwardUPnP net loc

I then restarted shorewall:

sudo shorewall restart
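Because upnpd and shorewall are configured in three separate files that have to agree with each other, a consistency check is useful before relying on the setup. The following POSIX shell script is my own added example, not part of the original post or of the linux-igd or shorewall projects; it assumes the default Debian paths and the zone names net, loc and fw used above, and accepts alternative paths as arguments so it can be run against copies of the files.

```shell
#!/bin/sh
# Added example (not from the original post): check that linux-igd's upnpd.conf
# and the shorewall files agree on the chain names and rules described above.
# File paths are arguments so the check can run against copies; the defaults
# are the live paths on Debian.

conf_value() {
    # Print the value of key $2 from a "key = value" file $1, ignoring comments.
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

check_upnp_config() {
    upnpd_conf=${1:-/etc/upnpd.conf}
    interfaces=${2:-/etc/shorewall/interfaces}
    rules=${3:-/etc/shorewall/rules}
    errors=0

    # upnpd must insert its port mappings into the chains shorewall creates;
    # iptables chain names are case-sensitive, so "UpnP" would silently miss.
    [ "$(conf_value "$upnpd_conf" forward_chain_name)" = forwardUPnP ] ||
        { echo "forward_chain_name must be forwardUPnP"; errors=$((errors + 1)); }
    [ "$(conf_value "$upnpd_conf" prerouting_chain_name)" = UPnP ] ||
        { echo "prerouting_chain_name must be UPnP"; errors=$((errors + 1)); }

    # Exactly one interface (the external one) should carry the upnp option.
    n=$(grep -v '^[[:space:]]*#' "$interfaces" | grep -cw upnp || true)
    [ "$n" -eq 1 ] ||
        { echo "upnp option expected on exactly one interface, found $n"; errors=$((errors + 1)); }

    # The two rules: control traffic from loc to the firewall itself, and the
    # dynamically forwarded ports from net into loc.
    grep -Eq '^[[:space:]]*allowinUPnP[[:space:]]+loc[[:space:]]+(fw|\$FW)([[:space:]]|$)' "$rules" ||
        { echo "missing rule: allowinUPnP loc fw"; errors=$((errors + 1)); }
    grep -Eq '^[[:space:]]*forwardUPnP[[:space:]]+net[[:space:]]+loc([[:space:]]|$)' "$rules" ||
        { echo "missing rule: forwardUPnP net loc"; errors=$((errors + 1)); }

    # The IGD control interface must never be reachable from the net zone.
    if grep -Eq '^[[:space:]]*allowinUPnP[[:space:]]+net([[:space:]]|$)' "$rules"; then
        echo "allowinUPnP must not be permitted from net"; errors=$((errors + 1))
    fi

    [ "$errors" -eq 0 ] && echo "upnpd/shorewall configuration is consistent"
    return "$errors"
}

# Run the check when invoked as a script: ./check-upnp.sh --check [conf interfaces rules]
case ${1:-} in --check) shift; check_upnp_config "$@" ;; esac
```

The exit status is the number of problems found, so the script can be dropped into a cron job or run by hand after every edit of the three files.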

To test whether the IGD was properly configured I used Azureus and enabled its UPnP plugin. I was then able to watch the Azureus console on the client and the syslog on the server to verify that the service was working.

More Information:

Except where otherwise noted, content on this site is licensed under a Creative Commons by-nc-sa 3.0 License.