By default, all requests arriving at the Pi from the internet (WAN) are blocked. Only requests coming from your local LAN are allowed.
Raspbmc does this with iptables, the Linux packet filter. It acts as a firewall: it walks a list of rules to decide whether each incoming request is blocked or allowed.
Interested to see your current iptables rules? Use this command:
iptables -L -n
If you want a port not to be blocked, you have to add a rule for it to iptables. The following command is an example that allows all TCP requests to port 5050:
iptables -A INPUT -p tcp --dport 5050 -j ACCEPT
However, every time you restart your Pi, these rules are flushed (emptied). That's why they need to go into a script that is executed on every boot. That script is /etc/network/if-up.d/secure-rmc.
Use:
sudo nano /etc/network/if-up.d/secure-rmc
Change or add the ports you want open in the script. I'll add 5050, 9091 and 8888; that's for CouchPotato, Transmission and BitTorrent Sync. You'll find the block at the end of the script.
if [ "$IFACE" != "lo" ]; then
    NETMASK=$(get_subnet $IFACE)
    if [ ${#NETMASK} -eq 0 ]; then
        logger -t secure-rmc "netmask not found"
        exit 1
    fi
    iptables -A INPUT -s $NETMASK -i $IFACE -j ACCEPT
    iptables -A INPUT -p tcp --dport 5050 -j ACCEPT
    iptables -A INPUT -p tcp --dport 9091 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8888 -j ACCEPT
    iptables -A INPUT -i $IFACE -j DROP
fi
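Note that the three port rules above carry no -s filter, so those services are reachable from the WAN as well as the LAN. As an added example (not part of the original post or of the Raspbmc secure-rmc script), here are POSIX sh helpers you could drop into that block: they validate each port, optionally restrict a rule to one source network such as the LAN subnet in NETMASK, and use iptables -C to avoid appending duplicate rules when the if-up script runs more than once. The -C check (iptables 1.4.11 and later) and the IPTABLES override are assumptions, not features of the original script.

```shell
#!/bin/sh
# Added helpers for the secure-rmc port block (assumed names, not Raspbmc code).
# IPTABLES can be overridden, e.g. with a stub function, to exercise the logic
# without root; by default the real iptables binary is used.
IPTABLES="${IPTABLES:-iptables}"

# valid_port PORT: succeed only if PORT is an integer between 1 and 65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# open_tcp_port PORT [SOURCE]: append an ACCEPT rule for TCP traffic to PORT,
# optionally restricted to SOURCE (a CIDR such as 192.168.1.0/24). The rule is
# appended only when an identical one is not already loaded. Call this before
# the final "iptables -A INPUT -i $IFACE -j DROP" rule, or it has no effect.
open_tcp_port() {
    port="$1"
    src="$2"
    if ! valid_port "$port"; then
        echo "secure-rmc: invalid port '$port'" >&2
        return 1
    fi
    if [ -n "$src" ]; then
        set -- INPUT -s "$src" -p tcp --dport "$port" -j ACCEPT
    else
        set -- INPUT -p tcp --dport "$port" -j ACCEPT
    fi
    # -C checks for an identical rule; append only when it is absent
    "$IPTABLES" -C "$@" 2>/dev/null || "$IPTABLES" -A "$@"
}

# open_tcp_ports "PORT PORT ..." [SOURCE]: open several ports with one call;
# returns 1 if any port was rejected, after processing the remaining ones.
open_tcp_ports() {
    rc=0
    for p in $1; do
        open_tcp_port "$p" "$2" || rc=1
    done
    return $rc
}

# Usage inside secure-rmc, keeping the media services LAN-only (NETMASK comes
# from get_subnet in the original script):
# open_tcp_ports "5050 9091 8888" "$NETMASK"
```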