LinuxQuestions.org

ekerik 12-30-2003 03:40 PM

How can I open up ports in iptables?
 
Hi.

I'm running a Slackware 9.1 box with kernel version 2.4.22 and iptables v1.2.9 as a router/firewall. I'm using the basic firewall script from the IP-masq howto.

On my other box I'd like to use bittorrent, but it complains about NAT problems. I can use it but the speed is really slow. I guess it's because the firewall blocks all connections.
So my question is how do I open up a specific or several ports in iptables?
I've tried

Code:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6881 -j DNAT --to 192.168.0.2:6881
Where 192.168.0.2 is the computer running bittorrent and 6881 is the port I want to open. But that did not work.

//Thanks, Erik

g-rod 12-30-2003 04:34 PM

If you are trying to open ports to the local machine then
iptables -I INPUT -p tcp --dport 20:21 -j ACCEPT;
should do it. This would open tcp ports 20 through 21 to the local server from anywhere.

ekerik 12-30-2003 05:20 PM

Quote:

Originally posted by g-rod
If you are trying to open ports to the local machine then
iptables -I INPUT -p tcp --dport 20:21 -j ACCEPT;
should do it. This would open tcp ports 20 through 21 to the local server from anywhere.

Thanks, I'll try that

ugge 12-31-2003 04:52 AM

Re: How can I open up ports in iptables?
 
Quote:

Originally posted by ekerik
On my other box I'd like to use bittorrent, but it complains about nat problems, I can use it but the speed is really slow. I guess it's cause the firewall blocks all connections.
So my question is how do I open up a specific or several ports in iptables?
I've tried

Code:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6881 -j DNAT --to 192.168.0.2:6881
Where 192.168.0.2 is the computer running bittorrent and 6881 is the port I want to open. But that did not work.

//Thanks, Erik

This command looks correct, but the problem might be the -A, which will append the rule at the end of the chain. This way the packet might get dropped before reaching your rule. Change the -A to -I, which will insert the rule at the top of the chain, thus overruling all following rules.

If this doesn't work then there might be other rules in other chains or tables messing with us. In this case run iptables -L and iptables -L -t nat and post the results here.

The previous reply to this thread only has to do with traffic destined for your gateway. The traffic you're talking about is forward traffic.
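The forward-versus-local distinction made above, as an added example that is not part of the thread (the script is mine, not ugge's and not the IP-masq howto's): a DNAT rule in nat/PREROUTING only rewrites the destination address. The rewritten packet then has to pass filter/FORWARD, and the ruleset posted later in this thread has a FORWARD policy of DROP with no rule accepting NEW connections coming in on eth0 and going out on eth1, so the DNATed connection falls through to the drop policy. The interface names eth0/eth1, the host 192.168.0.2 and port 6881 are taken from the thread; the function names and the IPTABLES dry-run variable are my own.

```shell
#!/bin/sh
# Added example, not from the thread: forward one port from the external
# interface to an internal host, adding the filter-table rule that a DNAT
# rule alone does not provide.
#
# IPTABLES can be overridden (for example IPTABLES=echo) to print the rules
# instead of applying them, so the change can be reviewed before running it
# as root on the router.
IPTABLES="${IPTABLES:-iptables}"

# open_forwarded_port EXT_IF INT_IF INTERNAL_IP PORT [PROTO]
# 1. nat/PREROUTING: rewrite the destination of packets arriving on EXT_IF
#    for PORT to INTERNAL_IP:PORT (this is the rule the thread already has).
# 2. filter/FORWARD: accept the rewritten packet on its way out INT_IF.
#    The thread's FORWARD chain only accepts RELATED,ESTABLISHED traffic from
#    eth0 and anything from eth1 before a LOG rule and the DROP policy, so a
#    NEW inbound connection to the internal host is dropped without this.
#    -I inserts at the top of the chain, ahead of the LOG rule.
# Replies flow back through the existing RELATED,ESTABLISHED rule and the
# MASQUERADE rule in nat/POSTROUTING shown later in the thread.
open_forwarded_port() {
    ext_if=$1 int_if=$2 dst_ip=$3 port=$4 proto=${5:-tcp}

    "$IPTABLES" -t nat -I PREROUTING -i "$ext_if" -p "$proto" \
        --dport "$port" -j DNAT --to-destination "$dst_ip:$port"

    "$IPTABLES" -I FORWARD -i "$ext_if" -o "$int_if" -p "$proto" \
        -d "$dst_ip" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# show_forward_state: verbose listing with packet counters and rule numbers.
# Run it after a connection attempt; the counter on the new FORWARD rule
# should rise if the forwarded packets are reaching it.
show_forward_state() {
    "$IPTABLES" -L FORWARD -n -v --line-numbers
    "$IPTABLES" -t nat -L PREROUTING -n -v --line-numbers
}

# Only apply when explicitly asked, so sourcing this file for review is safe:
#   IPTABLES=echo sh open-port.sh apply   # preview the rules
#   sh open-port.sh apply                 # apply them (as root)
if [ "${1:-}" = "apply" ]; then
    open_forwarded_port eth0 eth1 192.168.0.2 6881
    show_forward_state
fi
```

The FORWARD rule is restricted to the DNAT target and port rather than accepting everything from eth0 to eth1, so the rest of the internal network stays unreachable from outside.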

ekerik 01-01-2004 11:20 AM

Re: Re: How can I open up ports in iptables?
 
Quote:

Originally posted by ugge
This command looks correct, but the problem might be the -A, which will append the rule at the end of the chain. This way the packet might get dropped before reaching your rule. Change the -A to -I, which will insert the rule at the top of the chain, thus overruling all following rules.

If this doesn't work then there might be other rules in other chains or tables messing with us. In this case run iptables -L and iptables -L -t nat and post the results here.

The previous reply to this thread only has to do with traffic destined for your gateway. The traffic you're talking about is forward traffic.

Thanks for your reply
I tried with I instead of A, but I still get NAT errors. First I accidentally typed in the wrong IP and didn't receive NAT errors, just something like "cannot test connection", but when I changed to the right IP I received NAT errors again.

This is the output from iptables -L:
Code:

Chain INPUT (policy ACCEPT)
target    prot opt source              destination

Chain FORWARD (policy DROP)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    all  --  anywhere            anywhere
LOG        all  --  anywhere            anywhere            LOG level warning

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

This is from iptables -L -t nat:
Code:

Chain PREROUTING (policy ACCEPT)
target    prot opt source              destination
DNAT      tcp  --  anywhere            anywhere            tcp dpt:6881 to:192.168.0.67:6881

Chain POSTROUTING (policy ACCEPT)
target    prot opt source              destination
MASQUERADE  all  --  anywhere            anywhere

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

//Thanks, Erik

g-rod 01-01-2004 11:43 AM

What is the verbose output of the forward chain?
iptables -L forward -n -v;
Run tail -f /var/log/messages while you try to connect. That way we can see what packets are being dropped.

ekerik 01-07-2004 06:09 AM

Quote:

Originally posted by g-rod
What is the verbose output of the forward chain?
iptables -L forward -n -v;
Run tail -f /var/log/messages while you try to connect. That way we can see what packets are being dropped.

iptables -L forward -n -v:

iptables: Table does not exist (do you need to insmod?)

When I tried connecting no messages appeared in /var/log/messages.
Do you have any good and easy to configure scripts for IP masquerading and firewalls? Maybe it's my script that's messing it up.

//Thanks Erik

g-rod 01-07-2004 07:07 AM

Sorry, it's uppercase FORWARD
iptables -L FORWARD -n -v;

ekerik 01-07-2004 07:42 AM

iptables -L FORWARD -n -v
Code:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination
24936  17M ACCEPT    all  --  eth0  eth1    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
22492 2661K ACCEPT    all  --  eth1  eth0    0.0.0.0/0            0.0.0.0/0
    0    0 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4
dubman 01-07-2004 02:12 PM

here is a good site on IPtables:

http://eressea.pikus.net/~pikus/plug...all/page0.html

g-rod 01-07-2004 05:52 PM

Is eth0 your internal facing network card?

ekerik 01-08-2004 01:06 PM

Quote:

Originally posted by g-rod
Is eth0 your internal facing network card?
No, eth0 is the external and eth1 is the local network. Is something wrong with the config?

g-rod 01-08-2004 06:00 PM

Not that I can see. It doesn't look like iptables is dropping anything.
Try tail -f /var/log/messages;
as you are trying to connect and see if anything is being logged into the kernel log.

Sum1 10-07-2009 11:00 AM

Quote:

Originally Posted by ugge (Post 675690)

In this case run iptables -L -t nat and post the results here.

Ugge, a quick thank you for this suggestion.
I was trying to solve a nat problem I was having and came across this thread.
By looking only at the "-t nat" results I was able to find my mistake in the clutter of all my iptables chains.

Great stuff.
