Home / ubuntu / Questions / 1028570
In Process
aaa
Asked: 2018-04-27 15:41:32 +0800 CST

UFW blocking upnp port mapping

  • 772

I'm attempting to use portmapper-2.1.1 (https://github.com/kaklakariada/portmapper) to get a upnp mapping to my ubuntu 16.04LTS machine.

I've got UFW configured to allow all outgoing and block incoming (aside from a few specific ports).

I thought this would work because I'm running portmapper on the ubuntu box (eg. outgoing), but isn't. I think this is due to the way upnp is setup to find clients. To be clear, with UFW disabled, portmapper works as expected.

My first thought was to just allow the port that the upnp service 'replies' on, but that seems to be random. Ex (from my UFW log):

Apr 26 19:07:34 [UFW BLOCK] IN=enp2s0 OUT= SRC=192.168.1.1 DST=192.168.1.161 LEN=411 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=41927 LEN=391

Apr 26 19:33:32 [UFW BLOCK] IN=enp2s0 OUT= SRC=192.168.1.1 DST=192.168.1.161 LEN=411 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60212 LEN=391

(192.168.1.1 is my router, 192.168.1.161 is the ubuntu box)

I don't want to just open most/all ports to incoming udp packets for this, so the question is: Is there a UFW/iptables rule that will allow this to work that isn't just 'allow everything'?

networking server upnp ufw 16.04

1 Answers

  1. It looks like the packets you need to allow have these characteristics:

    • They are incoming on interface enp2s0
    • They have a source IP address of 192.168.1.1
    • They have a source UDP port of 1900

    So what you need is to allow all incoming UDP packets from 192.168.1.1 port 1900.

    Use this command to add the rule:

    sudo ufw allow from 192.168.1.1 port 1900 to any proto udp

    Check out the added rule:

    me@ubuntu:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.1.1 1900/udp

    Hope this helps!

    • 6