LinuxQuestions.org, Linux - Networking forum
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Old 01-24-2010, 08:07 AM   #1
lithos
Senior Member
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144
Rep: Reputation: 217
GIPTables firewall: need to open custom ports access


Hello

I'm stuck with a server which has OpenNA Linux installed on it and uses the GIPTables firewall, which is giving me a headache.

I need to enable access to/from the web for 2 services and I can't seem to find any help about it, because the openna.com and giptables.org sites seem to have closed any support for it.

I'm just asking if anyone can please help me open custom ports with GIPTables, as I need it to work (let's say I need ports 321 and 8080).

I have my giptables.conf like this:

LOAD_CUSTOM_RULES="yes"

ACCEPT_NTP="yes"
INTERFACE0_NTP_CLIENT="yes"

INTERFACE0_NTP_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_NTP_OUT_DST_IPADDR[0]=$ANY_IPADDR
INTERFACE0_NTP_OUT_SPORT123_REQUEST[0]="yes"

# Interface 0 NTP incoming client request

INTERFACE0_NTP_SERVER="yes"

INTERFACE0_NTP_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_NTP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_NTP_IN_SPORT123_REQUEST[0]="yes"


This is just one module, and it is not working for me; as for the second port, 8080, I can't imagine how to make it open.

Please, if anyone can help me.


Thank you
 
Old 01-24-2010, 01:22 PM   #2
nimnull22
Senior Member
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571
Rep: Reputation: 92
I have never done anything with giptables, but the config doesn't seem to be difficult.

You gave a "giptables.conf" - does it work like this?
 
Old 01-25-2010, 04:01 PM   #3
lithos
Senior Member
Original Poster
"... does it work like this?"

Yes,

GIPTables uses giptables.conf located in /etc (if I understood correctly what you meant).

And in that giptables.conf everything is defined with:

ACCEPT_NTP="yes" (or "no")

which then goes to /lib/giptables/modules to load the suitable module, like
'giptables-NTP', containing even more code:

Code:
# ----------------------------------------------------------------------------
# GIPTables Firewall v1.1 http://www.giptables.org
# Copyright (C) 2002 Adrian Pascalau <apascalau@openna.com>
# NTP module
#
# ----------------------------------------------------------------------------
# This file is part of GIPTables Firewall
#
# GIPTables Firewall is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

# ----------------------------------------------------------------------------
# About NTP

# ntp             123/udp                         # Network Time Protocol

NTP_PORT="123"

# ----------------------------------------------------------------------------
# accept_ntp_request
# Usage: accept_ntp_request chain ntp_client_ipaddr ntp_server_ipaddr
#

accept_ntp_request ()
{
    local chain=$1
    local ntp_client_ipaddr=$2
    local ntp_server_ipaddr=$3

    $IPTABLES -A $chain -p udp \
              -s $ntp_client_ipaddr --sport $UNPRIV_PORTS \
              -d $ntp_server_ipaddr --dport $NTP_PORT \
              -m state --state NEW,ESTABLISHED \
              -j ACCEPT
    return 0
}

# ----------------------------------------------------------------------------
# accept_ntp_reply
# Usage: accept_ntp_reply chain ntp_server_ipaddr ntp_client_ipaddr
#

accept_ntp_reply ()
{
    local chain=$1
    local ntp_server_ipaddr=$2
    local ntp_client_ipaddr=$3

    $IPTABLES -A $chain -p udp \
              -s $ntp_server_ipaddr --sport $NTP_PORT \
              -d $ntp_client_ipaddr --dport $UNPRIV_PORTS \
              -m state --state ESTABLISHED \
              -j ACCEPT

    return 0
}
This goes on for 213 lines.

And this is what locks me out of these services: I need a custom defined port, and if I change port 123 to 312 or some other port, I don't have access to that service from the internet.
 
Old 01-25-2010, 04:13 PM   #4
nimnull22
Senior Member
Have you noticed variables like:
chain=$1
ntp_server_ipaddr=$2
ntp_client_ipaddr=$3

Have you noticed that these rules are set up for the UDP protocol?

Can you describe what service you want to add?

Last edited by nimnull22; 01-25-2010 at 08:29 PM.
 
Old 01-26-2010, 02:28 AM   #5
lithos
Senior Member
Original Poster
Yes,

Simple rtorrent (which uses UDP and TCP), but I'd like to have it work on ports above 6xxx.

TY
 
Old 01-26-2010, 03:03 PM   #6
nimnull22
Senior Member
You need to allow ANY outgoing connections, and rtorrent will work.

Actually, you need to allow all outgoing connections.
 
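The pieces of this thread fit together as follows: post #3 shows that each GIPTables module is just a pair of shell functions that append an iptables request rule and a matching reply rule, and post #6 says rtorrent additionally needs outbound connections allowed. The script below is an added example written for this page; it is not code from the GIPTables project or from anyone in the thread. It copies the structure of the quoted NTP module to open one custom service port for both TCP and UDP, and adds the "allow all outgoing" rules as a separate function. IPTABLES, UNPRIV_PORTS, ANY_IPADDR and the INPUT/OUTPUT chain names come from the quoted module and config; the function names, CUSTOM_PORT, the 192.0.2.10 server address and the "echo iptables" dry-run default are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not GIPTables project code. Mirrors the NTP module's
# request/reply pattern for a custom TCP+UDP service port, plus the
# broad outbound allowance suggested in the last reply.

# Defaults so the script runs stand-alone. GIPTables normally sets these
# itself; "echo iptables" turns this into a dry run that prints the rules
# instead of loading them, so they can be reviewed before being used.
: "${IPTABLES:=echo iptables}"
: "${UNPRIV_PORTS:=1024:65535}"
: "${ANY_IPADDR:=0.0.0.0/0}"

CUSTOM_PORT="6881"    # constructed sample port for the rtorrent listener

# accept_custom_request
# Usage: accept_custom_request chain proto client_ipaddr server_ipaddr
# New connections from any unprivileged source port to CUSTOM_PORT.
accept_custom_request ()
{
    local chain=$1
    local proto=$2
    local client_ipaddr=$3
    local server_ipaddr=$4

    $IPTABLES -A $chain -p $proto \
              -s $client_ipaddr --sport $UNPRIV_PORTS \
              -d $server_ipaddr --dport $CUSTOM_PORT \
              -m state --state NEW,ESTABLISHED \
              -j ACCEPT
    return 0
}

# accept_custom_reply
# Usage: accept_custom_reply chain proto server_ipaddr client_ipaddr
# Only replies on an already tracked connection: no NEW state here, so
# the service port cannot be used to open connections outward.
accept_custom_reply ()
{
    local chain=$1
    local proto=$2
    local server_ipaddr=$3
    local client_ipaddr=$4

    $IPTABLES -A $chain -p $proto \
              -s $server_ipaddr --sport $CUSTOM_PORT \
              -d $client_ipaddr --dport $UNPRIV_PORTS \
              -m state --state ESTABLISHED \
              -j ACCEPT
    return 0
}

# open_custom_service
# Usage: open_custom_service server_ipaddr
# Request and reply rules for both protocols (rtorrent talks TCP to peers
# and UDP to trackers/DHT), in the same order the NTP module uses.
open_custom_service ()
{
    local server_ipaddr=$1
    local proto

    for proto in tcp udp; do
        accept_custom_request INPUT  "$proto" "$ANY_IPADDR"   "$server_ipaddr"
        accept_custom_reply   OUTPUT "$proto" "$server_ipaddr" "$ANY_IPADDR"
    done
    return 0
}

# accept_any_outgoing
# Usage: accept_any_outgoing server_ipaddr
# The "allow all outgoing" advice: the host may open connections anywhere,
# but only tracked return traffic (ESTABLISHED,RELATED) is let back in.
accept_any_outgoing ()
{
    local server_ipaddr=$1

    $IPTABLES -A OUTPUT -s "$server_ipaddr" -d "$ANY_IPADDR" \
              -m state --state NEW,ESTABLISHED,RELATED \
              -j ACCEPT
    $IPTABLES -A INPUT -s "$ANY_IPADDR" -d "$server_ipaddr" \
              -m state --state ESTABLISHED,RELATED \
              -j ACCEPT
    return 0
}

# Dry run against a constructed server address from the documentation range.
open_custom_service 192.0.2.10
accept_any_outgoing 192.0.2.10
```

Run it as-is to see the six rules it would load; set IPTABLES to the real binary (as GIPTables does) only after checking that output. Keeping the inbound rule limited to one port and the reply rule to ESTABLISHED preserves the module's least-privilege shape, while the outbound function is the only place the policy is deliberately wide.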