On Tue, 2013-04-02 at 14:06 +0100, Bob Williams wrote:
Actually, on further thought, I've come to the conclusion I haven't got a clue about this. From the point of view of SuSEfirewall2 running on this computer (which is running the minidlna server), my router *is* an external device. So what I want is DLNA traffic to pass unimpeded from this machine, through the router to the Bluray player/TV, without being exposed to the *real* outside world. That is, the internet cannot see that ports 8200 and 1900 are open.
I need to do some homework.
/sbin/iptables -F
/sbin/ip6tables -F
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/ip6tables -P INPUT DROP
/sbin/ip6tables -P OUTPUT ACCEPT
/sbin/ip6tables -P FORWARD DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/sbin/ip6tables -A INPUT -s fe80::/10 -j ACCEPT
/sbin/ip6tables -A INPUT -d ff00::/8 -j ACCEPT
/sbin/iptables -A INPUT -s ipv4.home.range/24 -j ACCEPT        <------ allow any home PC on your home LAN ipv4
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A FORWARD -s ipv6:home:range/64 -j ACCEPT     <------ allow any home PC on your home ipv6 LAN

If not using IPv6, ignore all ip6tables commands. (I assume this DLNA box is not acting as a router.)

NOTE: I give the example of -m state --state ... above, although with modern netfilter, the preferred method is

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

-m state was obsoleted in one recent version of netfilter, but a link was put back in the current version because it bit too many people.
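The ruleset above admits everything from the home range; the narrower version Bob asked for (8200 and 1900 reachable from the LAN only, nothing visible from the internet) can be expressed as an added example that is not from this thread. It assumes a hypothetical LAN interface eth0 and range 192.168.1.0/24, uses the conntrack match mentioned above, and prints the rules unless IPT is pointed at the real binary.

```shell
#!/bin/sh
# Added example, not part of the original reply. IPT defaults to "echo" so the
# script only prints the rules it would apply; run with IPT=/sbin/iptables as
# root to load them. Interface and range below are hypothetical placeholders.
IPT="${IPT:-echo}"

dlna_rules() {
    lan_if="$1"
    lan_net="$2"
    # Default-deny inbound; loopback and replies to our own traffic are fine.
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SSDP discovery (minidlna listens on UDP/1900): LAN interface and range only.
    $IPT -A INPUT -i "$lan_if" -s "$lan_net" -p udp --dport 1900 -j ACCEPT
    # minidlna's HTTP/media port (TCP/8200): LAN interface and range only.
    $IPT -A INPUT -i "$lan_if" -s "$lan_net" -p tcp --dport 8200 -j ACCEPT
    # Anything else hitting the DLNA ports did not come from the LAN: rate-limited
    # log, then the DROP policy discards it. The ports stay closed to the internet.
    $IPT -A INPUT -p udp --dport 1900 -m limit --limit 5/min -j LOG --log-prefix "dlna-ssdp-ext: "
    $IPT -A INPUT -p tcp --dport 8200 -m limit --limit 5/min -j LOG --log-prefix "dlna-http-ext: "
}

# Helper for checking the generated set: how many rules scope a port to the LAN.
count_lan_scoped() {
    dlna_rules "$1" "$2" | grep -c -- "-i $1 -s $2"
}

# Helper: how many rules log off-LAN hits on the DLNA ports.
count_logged() {
    dlna_rules "$1" "$2" | grep -c -- "-j LOG"
}

dlna_rules eth0 192.168.1.0/24
```

Rule order matters: the interface-and-source-scoped ACCEPTs must precede the LOG lines, and the FORWARD policy is left untouched here because the DLNA host is not routing.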