đŸ Archived View for tilde.pink âș ~ssb22 âș upnp.gmi captured on 2022-04-29 at 11:48:00. Gemini links have been rewritten to link to archived content
View Raw
More Information
âŹ
ïž Previous capture (2022-03-01)
âĄïž Next capture (2023-01-29)
-=-=-=-=-=-=-
UPnP router command-line control scripts
These scripts allow a UPnP-based home router to be controlled programmatically from a Unix or Linux box.âThey were tested on a âSky Hubâ in 2016/17 but usual disclaimers apply.â
(If you have an older router with the widely-reported security problem of leaving its UPnP port open to the *outside*, Iâd rather you switch off and donât use UPnP.âThankfully such older routers usually provide a non-UPnP means of route configuration like the VMDG280.âServices like GRC ShieldsUp might be able to show if your older router is incorrectly handling UPnP security.âBut some newer routers are configurable *only* via UPnP, and do handle its security correctlyâthe scripts on this page can be useful for those.)â
Installation: Make sure you have Python and the miniupnpc library (sudo pip install miniupnpc or apt-get install python-miniupnpc).âUnpack upnp.tgz into /usr/local/bin or wherever.
upnp.tgz
- The scripts have been tested on both Python 2 and Python 3. The #! tags at the start assume your system has a python command with no number, pointing to whichever version you have as default.
- upnp-add-port (PortNum) Add a simple port-forwarding rule to forward incoming port PortNum (1 through 65535) to the machine running this command.âPortNum may optionally be followed by a different port number to use on the machine itself, for example if you want to reduce probing by using a non-standard external port while keeping the standard port on your network.
- But many ISP-supplied routers will not apply UPnP forwarding rules to packets originating from *inside* your network even if addressed to your *external* IPv4 address, so to use your server from home you might still need to use its internal IP (you might want to edit the hosts files of your local machines).
- Routers that lack non-UPnP forwarding options will often still allow you to specify a âDMZâ machine and have *this* respond to your external IPv4 address even for connections coming from inside your network (such as WiFi-connected mobile devices where itâs difficult to edit the hosts file).
- DMZ however will expose *all* ports (except ones directed elsewhere), so youâll have to do your own iptables work on the Linux boxâmy suggested starting point is:
iptables -A INPUT ! -i lo+ -p tcp --syn ! -s 192.168.0.0/16 ! --dport 80 -j DROP
(remember to add it to startup scripts before ifup; the package iptables-persistent might help, or if all your local-only servers are run from inetd you can try putting commands in /etc/default/openbsd-inetd)
- upnp-date Shows the current date and time from the router (via HTTP)
- Some ISP-supplied routers are âhardwiredâ to use that ISPâs internal NTP servers at startup, so the router might get stuck in 1970 if you use it with a different ISP.
- upnp-delete-port (PortNum) Delete a port-forwarding rule, specified by external port.âThe deletion takes effect only for new connections; existing connections to the port (e.g. open SSH sessions) are not affected.
- So for example if you run a Web server which you only occasionally SSH into, you can reduce the level of SSH probing by keeping the port closed until you need it, open it via a CGI script and close it again from your login script.âIf you do this via router configuration then the scripts donât need any special privileges on the server itself.âIf using the DMZ approach above, youâll instead need âsudoâ-enabled scripts (or âsuidâ scripts in a protected directory) that do the iptables -I and -D.
- upnp-ip-address Shows the routerâs current external IP address
- upnp-ports Shows the port forwarding table in a simple textual format
- upnp-uptime Shows the uptime of the router
Routers might or might not persist the port-forwarding rules across a power cycle.âFor best results you might need to arrange for them to be re-done.
Legal
All material © Silas S. Brown unless otherwise stated. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Python is a trademark of the Python Software Foundation. Unix is a trademark of The Open Group. Wi-Fi is a trademark of the Wi-Fi Alliance. Any other trademarks I mentioned without realising are trademarks of their respective holders.