Miniupnpd

From LinuxReviews

Miniupnpd is an Internet gateway daemon that lets clients on a local network request ports to be forwarded to them using the UPnP and NAT-PMP standards. It is very small, it uses almost no memory and it can be configured to be more secure than most of the alternatives.

Features

miniupnpd can be set up on a local network's firewall/gateway in order to provide programs running on clients on the local network with a means of requesting that ports be forwarded to them. Network-heavy programs like qBittorrent can use UPnP or NAT-PMP provided by miniupnpd to allow clients on the Internet to open direct communications with them.

miniupnpd can be configured to restrict which ports clients on the local network can request. This is important because you don't want clients on the local network to be able to request ports like 80 or 443 if you are running a web server on the gateway or another box on your local network.

miniupnpd does not offer any services beyond giving LAN clients the ability to have ports forwarded to them. It is not a DLNA server, and it does not offer things like music streaming, file transfer or any other functionality you may find in other UPnP software. That can be a strength: miniupnpd does what it is supposed to do and only that. If you use a GNU/Linux box as a gateway/firewall and you want LAN clients to be able to request a limited set of ports, then miniupnpd is a great choice.

Configuration

File: /etc/miniupnpd/miniupnpd.conf
## Interface configuration
# WAN (Internet-facing) network interface
ext_ifname=enp13s0
# LAN (Local network) network interface
listening_ip=br0

# UPnP clients can only add mappings to their own IP in "secure" mode.
secure_mode=yes

### Port permission rules / restrictions. IMPORTANT
# (allow|deny) (external port range) IP/mask (internal port range)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# IP/mask format must be nnn.nnn.nnn.nnn/nn
### Replace 192.168.0.1 with your own LAN subnet!
allow 51000-54000 192.168.0.1/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535

# Port LAN clients can use to talk to miniupnpd
http_port=50080

# Protocols LAN clients can (ab)use
enable_natpmp=yes
enable_upnp=yes

# Allowed lifetime of a port forwarded to the LAN
min_lifetime=240
max_lifetime=86400

# Report system uptime instead of daemon uptime if clients ask
system_uptime=yes

# Notify interval in seconds. Default is 30 seconds.
notify_interval=60

# Eradicate all recently unused rules every 1200 seconds
clean_ruleset_interval=1200

# Clients will ask which supposed "device" is providing the
# UPnP and NAT-PMP service and show it. Shown in some programs.
serial=666
model_number=SNSD

The allow and deny lines in the above example are very important. The allow configuration line should have this form:

allow (external port or port range, min-max) (allowed subnet) (internal port or range)

So the following line will allow external ports 51000 to 54000 to be forwarded to ports 1024-65535 on any local network client in the 192.168.0.1/24 subnet:

allow 51000-54000 192.168.0.1/24 1024-65535

Make sure you keep the deny line that the manual page and the default configuration file propose:

deny 0-65535 0.0.0.0/0 0-65535

The above configuration example will not work on your machine unless you change ext_ifname= to the interface facing the Internet and listening_ip= to the LAN interface (or IP). You can have multiple listening_ip= lines if you have multiple local networks.
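
The allow/deny evaluation described above, as an added example (not code from this page or from the MiniUPnP project): a small Python audit of the permission lines. It assumes miniupnpd applies the first matching rule and accepts a request that matches no rule, which is why the final deny line matters; the function names, the probe address 192.168.0.50 and the protected ports 80 and 443 are hypothetical choices for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the permission-relevant lines of the configuration above.
SAMPLE_CONF = """\
secure_mode=yes
allow 51000-54000 192.168.0.1/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""
RULE = re.compile(r"(allow|deny)\s+(\d+)(?:-(\d+))?\s+(\S+)\s+(\d+)(?:-(\d+))?$")

def parse_rules(text):
    """Return the allow/deny lines in file order as (action, e1, e2, net, i1, i2)."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            act, e1, e2, net, i1, i2 = m.groups()
            rules.append((act, int(e1), int(e2 or e1), ip_network(net, strict=False),
                          int(i1), int(i2 or i1)))
    return rules

def decide(rules, ext_port, client_ip, int_port):
    """First matching rule wins. Assumption: a request matching no rule is accepted."""
    ip = ip_address(client_ip)
    for act, e1, e2, net, i1, i2 in rules:
        if e1 <= ext_port <= e2 and ip in net and i1 <= int_port <= i2:
            return act
    return "allow"

def exposed(rules, ext_port, client_ip):
    """True if client_ip can obtain ext_port for at least one internal port.
    The verdict only changes where a rule's internal range starts or has just ended."""
    starts = {1} | {r[4] for r in rules} | {r[5] + 1 for r in rules}
    return any(decide(rules, ext_port, client_ip, p) == "allow"
               for p in starts if 1 <= p <= 65535)

def audit(text, protected_ports=(80, 443), probe_ip="192.168.0.50"):
    """Return a list of findings; an empty list means none of the checks fired."""
    rules, findings = parse_rules(text), []
    if not re.search(r"^secure_mode=yes\s*$", text, re.M):
        findings.append("secure_mode is not enabled")
    deny_all = ("deny", 0, 65535, ip_network("0.0.0.0/0"), 0, 65535)
    if not rules or rules[-1] != deny_all:
        findings.append("last rule is not the deny-all line")
    findings += [f"external port {p} can be requested by {probe_ip}"
                 for p in protected_ports if exposed(rules, p, probe_ip)]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Run it against your own file with `audit(open("/etc/miniupnpd/miniupnpd.conf").read())`, passing the ports of any services you host as `protected_ports`.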

Links

The MiniUPnP project has a homepage at miniupnp.free.fr.

