UPnP

This article explains how to set up linux-igd on Gentoo, to allow UPnP-aware devices to configure your firewall, gain access to the Internet and set up port forwardings.

What is UPnP?
The Universal Plug and Play (UPnP) protocol is a standard developed by the UPnP Forum. It defines several protocols for accessing devices and for seamlessly and easily integrating them into networks. The most prominent of those protocols is the IGD (Internet Gateway Device), which allows devices to configure an existing router or firewall to gain access to the Internet.

linux-igd
linux-igd is an implementation of the IGD for Linux. It allows UPnP-aware devices to configure an iptables firewall to their needs. Several applications make use of IGD, for example Azureus or the instant messenger Miranda (which uses UPnP to make direct file transfers possible, even from behind a firewall).

A note on security
The UPnP standard defines no access control whatsoever for UPnP-aware devices. Because of this, several security concerns arise: any software on your network that can speak UPnP can ask the IGD to open ports. Malicious software could, with the help of UPnP, open up your network to attacks from the Internet.

Setting up linux-igd
First you need to merge linux-igd. It has no USE flags, so it is just a simple

There are two configuration files you need to edit. Both are very well commented, so editing them is no big deal.

You should also edit

UPnP uses multicast to make network-wide announcements, so that other UPnP-aware devices become aware of its existence. For this to work you have to make sure your firewall allows multicast packets to be sent and received by the machine linux-igd is running on. A route also needs to be added to your routing table; luckily the init script of linux-igd takes care of that.

After you have finished editing all the config files, you can start linux-igd by typing

To load linux-igd on system start, you should also run

Embedding linux-igd into iptables
linux-igd has the option to automatically add and remove forward rules in iptables. For this to work you have to provide the name of your PREROUTING table. This is where linux-igd inserts the port forwarding (DNAT) rules for the device setting up the Internet access. Another option lets you specify the FORWARD table to use. Here linux-igd inserts the rules associated with the port forwarding rules mentioned before. With these rules linux-igd opens up a hole in your firewall for the port(s) specified by the device using the IGD service. Most firewalls have a default policy that either drops or rejects packets not covered by any firewall rule. As linux-igd just appends its rules at the end of the given chain, chances are that a new rule gets added behind a DROP or REJECT target, and thus is never reached. To prevent this, you can create a chain that is only used for UPnP and add a jump from your FORWARD chain to it (the jump itself has to sit before your DROP or REJECT rules), like so:

In the linux-igd config file you change the name of the forward chain to UPNP and set insert_forward_rules = yes. With these changes all rules added by linux-igd will go into the newly created chain, and will therefore always be evaluated.
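As an added example (not from the original article or the linux-igd project), a small POSIX shell script that creates the dedicated UPNP chain with the jump inserted at the top of FORWARD, and a check that reads `iptables -S FORWARD` output and reports whether the jump to UPNP comes before the first DROP/REJECT rule, i.e. whether rules linux-igd appends to UPNP will actually be reached. The two FORWARD listings in it are constructed samples, and the chain name UPNP is the one used in the article.

```sh
#!/bin/sh
# Added example, not part of the original article.

# Create the chain used only by linux-igd and jump to it from position 1 of
# FORWARD. -I (insert) rather than -A (append) is the point: an appended jump
# would land behind the catch-all DROP/REJECT and never be evaluated.
setup_upnp_chain() {
    iptables -N UPNP
    iptables -I FORWARD 1 -j UPNP
}

# Read rules in "iptables -S FORWARD" format on stdin.
# Returns 0 if the jump to UPNP precedes the first rule with a DROP or REJECT
# target, 1 if it comes after such a rule or is missing altogether.
upnp_jump_reachable() {
    awk '
        /-j UPNP/          { if (!blocked) ok = 1; exit }
        /-j (DROP|REJECT)/ { blocked = 1 }
        END                { exit (ok ? 0 : 1) }
    '
}

# Convenience wrapper: check the running firewall (needs root).
check_live_firewall() {
    iptables -S FORWARD | upnp_jump_reachable
}

# Constructed sample: the jump was appended with -A, so it sits behind the
# catch-all REJECT and nothing linux-igd puts into UPNP is ever reached.
BAD_FORWARD='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j UPNP'

# Constructed sample: the jump was inserted at position 1 as setup_upnp_chain
# does, so the UPNP chain is evaluated before the catch-all REJECT.
GOOD_FORWARD='-P FORWARD DROP
-A FORWARD -j UPNP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable'
```

Run `iptables -S FORWARD | upnp_jump_reachable && echo reachable` on the gateway after starting linux-igd to confirm the chain order.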