I want to use the Alljoyn framework on an embedded linux device. Due to security reasons, it is necessary to configure a firewall for that device. This is done with iptables.
What I've done so far: I tried to run the AboutService example on that device without a firewall and then checked the tcpdump capture. As the client, I used the IoT Explorer for AllJoyn (Windows 10), but AboutClient should work well, too. Checking the tcpdump capture in Wireshark, the ports for the announcement are clear: I have to open UDP ports 9955 (alljoyn-mcm), 9956 (alljoyn) and 5353 (mDNS?!?). I solved that with the following rules:
# outgoing UDP sent from the daemon's announcement ports
$ iptables -A OUTPUT -p udp --sport 9955 -j ACCEPT
$ iptables -A OUTPUT -p udp --sport 9956 -j ACCEPT
# outgoing mDNS
$ iptables -A OUTPUT -p udp --dport 5353 -j ACCEPT
# incoming UDP sent from a peer's port 9955
$ iptables -A INPUT -p udp --sport 9955 -j ACCEPT
With these rules, the device is successfully discovered in IoT Explorer.
But when accessing the device (e.g. to get the full about-data), TCP communication starts, and this is not on a fixed port; the port seems to be random. Nmap shows e.g. the following ports when (re)starting the AboutService.
How can I determine the port? How can I force the AllJoyn framework to pin the TCP communication to a certain port, or at least to a small port range, e.g. 41000-41100? Or is there any other way to configure the firewall so that AllJoyn communication is not blocked?
I solved it in another way:
Before starting my AllJoyn service, I launched the alljoyn-daemon binary from the AllJoyn core lib. This routes the traffic over definable ports, by default over port 9955 (alljoyn-mcm).
With this setup I could configure the following firewall rules and everything worked:
# incoming UDP (discovery), matched on destination and on source port
$ iptables -A INPUT -p udp -m multiport --dports 9955,9956,5353 -j ACCEPT
$ iptables -A INPUT -p udp -m multiport --sports 9955,9956,5353 -j ACCEPT
# incoming TCP (sessions via the daemon), matched on destination and on source port
$ iptables -A INPUT -p tcp -m multiport --dports 9955,9956,5353 -j ACCEPT
$ iptables -A INPUT -p tcp -m multiport --sports 9955,9956,5353 -j ACCEPT
# outgoing UDP (discovery)
$ iptables -A OUTPUT -p udp -m multiport --dports 9955,9956,5353 -j ACCEPT
$ iptables -A OUTPUT -p udp -m multiport --sports 9955,9956,5353 -j ACCEPT
# outgoing TCP (sessions via the daemon)
$ iptables -A OUTPUT -p tcp -m multiport --dports 9955,9956,5353 -j ACCEPT
$ iptables -A OUTPUT -p tcp -m multiport --sports 9955,9956,5353 -j ACCEPT
Hint: I suppose these are too many open ports, but this is enough for me. With more investigation, the list can surely be reduced.
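As an added example (not part of the question or the answer above), here is one way the rule list from the answer can be reduced once the daemon is pinned to known ports. It assumes what the answer states: alljoyn-daemon handles sessions on 9955/9956 (TCP and UDP) and discovery uses mDNS on UDP 5353; the variable names, the `run` wrapper and the `apply` argument are this script's own conventions, not anything from AllJoyn. The idea is that TCP replies are matched by connection state instead of by `--sports`, while the UDP discovery traffic, being multicast, still needs explicit port rules in both directions.

```shell
#!/bin/sh
# Added example, not from the question or the answer above.
# Assumptions (adjust to your daemon config): sessions on TCP/UDP 9955,9956,
# discovery on UDP 9955,9956 and mDNS 5353.
# DRY_RUN=1 prints the rules instead of applying them (applying needs root).

ALLJOYN_PORTS="${ALLJOYN_PORTS:-9955,9956}"
DISCOVERY_UDP_PORTS="${DISCOVERY_UDP_PORTS:-9955,9956,5353}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

alljoyn_fw_rules() {
    # Local bus clients talk to the daemon over loopback.
    run iptables -A INPUT  -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT

    # One state rule per chain replaces all of the --sports rules in the
    # answer: reply packets of already accepted TCP sessions match here.
    run iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New TCP sessions to the daemon's fixed ports. INPUT covers remote
    # clients (IoT Explorer) connecting to this device; OUTPUT covers this
    # device connecting to other daemons. Drop the OUTPUT rule if the
    # device only ever acts as a service.
    run iptables -A INPUT  -p tcp -m conntrack --ctstate NEW -m multiport --dports "$ALLJOYN_PORTS" -j ACCEPT
    run iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports "$ALLJOYN_PORTS" -j ACCEPT

    # Discovery is multicast UDP, so conntrack never sees a "reply" and the
    # state rules above do not help. --ports matches source OR destination,
    # so one rule per chain covers both the query and the announcement side.
    run iptables -A INPUT  -p udp -m multiport --ports "$DISCOVERY_UDP_PORTS" -j ACCEPT
    run iptables -A OUTPUT -p udp -m multiport --ports "$DISCOVERY_UDP_PORTS" -j ACCEPT

    # Everything else is dropped. Policies are set last so that a failure
    # half-way through does not lock you out of the device.
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
}

# Number of iptables commands the function emits (useful to eyeball a dry run).
rule_count() {
    ( DRY_RUN=1; alljoyn_fw_rules ) | wc -l | tr -d ' '
}

if [ "${1:-}" = "apply" ]; then
    alljoyn_fw_rules
fi
```

Run it as `DRY_RUN=1 sh alljoyn-fw.sh apply` first and compare the printed rules with a tcpdump of a discovery plus a session; only then apply as root. Compared with the answer's eight rules this drops the TCP `--sports` rules and the TCP rules for 5353 (mDNS is UDP), and the UDP pairs collapse into one rule per chain.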