LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 12-30-2003, 03:40 PM   #1
ekerik
LQ Newbie
 
Registered: Oct 2003
Location: Sweden
Distribution: Slackware 9.1
Posts: 6

Rep: Reputation: 0
How can I open up ports in iptables?


Hi.

I'm running a Slackware 9.1 box with kernel version 2.4.22 and iptables v1.2.9 as a router/firewall. I'm using the basic firewall script from the IP-masq howto.

On my other box I'd like to use bittorrent, but it complains about NAT problems. I can use it but the speed is really slow. I guess it's because the firewall blocks all connections.
So my question is how do I open up a specific or several ports in iptables?
I've tried

Code:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6881 -j DNAT --to 192.168.0.2:6881
Where 192.168.0.2 is the computer running bittorrent and 6881 is the port I want to open. But that did not work.

//Thanks, Erik
 
Old 12-30-2003, 04:34 PM   #2
g-rod
Member
 
Registered: Dec 2003
Location: Long Island, NY USA
Distribution: RedHat, SUSE
Posts: 336

Rep: Reputation: 30
If you are trying to open ports to the local machine then:
iptables -I INPUT -p tcp --dport 20:21 -j ACCEPT;
should do it. This would open tcp ports 20 through 21 to the local server from anywhere.
 
Old 12-30-2003, 05:20 PM   #3
ekerik
LQ Newbie
 
Registered: Oct 2003
Location: Sweden
Distribution: Slackware 9.1
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by g-rod
If you are trying to open ports to the local machine then:
iptables -I INPUT -p tcp --dport 20:21 -j ACCEPT;
should do it. This would open tcp ports 20 through 21 to the local server from anywhere.
Thanks, I'll try that
 
Old 12-31-2003, 04:52 AM   #4
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
Re: How can I open up ports in iptables?

Quote:
Originally posted by ekerik
On my other box I'd like to use bittorrent, but it complains about nat problems, I can use it but the speed is really slow. I guess it's cause the firewall blocks all connections.
So my question is how do I open up a specific or several ports in iptables?
I've tried

Code:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6881 -j DNAT --to 192.168.0.2:6881
Where 192.168.0.2 is the computer running bittorrent and 6881 is the port I want to open. But that did not work.

//Thanks, Erik
This command looks correct, but the problem might be the -A which will append the rule at the end of the chain. This way the packet might get dropped before reaching your rule. Change the -A to -I which will insert the rule at the top of the chain, thus overruling all following rules.

If this doesn't work then there might be other rules in other chains or tables messing with us. In this case run iptables -L and iptables -L -t nat and post the results here.

The previous reply to this thread has only to do with traffic destined for your gateway. The traffic you're talking about is forward traffic.
 
Old 01-01-2004, 11:20 AM   #5
ekerik
LQ Newbie
 
Registered: Oct 2003
Location: Sweden
Distribution: Slackware 9.1
Posts: 6

Original Poster
Rep: Reputation: 0
Re: Re: How can I open up ports in iptables?

Quote:
Originally posted by ugge
This command looks correct, but the problem might be the -A which will append the rule at the end of the chain. This way the packet might get dropped before reaching your rule. Change the -A to -I which will insert the rule at the top of the chain, thus overruling all following rules.

If this doesn't work then there might be other rules in other chains or tables messing with us. In this case run iptables -L and iptables -L -t nat and post the results here.

The previous reply to this thread has only to do with traffic destined for your gateway. The traffic you're talking about is forward traffic.
Thanks for your reply
I tried with -I instead of -A, but I still get NAT errors. First I accidentally typed in the wrong IP and didn't receive NAT errors, just something like "cannot test connection", but when I changed to the right IP I received NAT errors again.

This is the output from iptables -L:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level warning

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
This is from iptables -L -t nat:
Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:6881 to:192.168.0.67:6881

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
//Thanks, Erik
 
Old 01-01-2004, 11:43 AM   #6
g-rod
Member
 
Registered: Dec 2003
Location: Long Island, NY USA
Distribution: RedHat, SUSE
Posts: 336

Rep: Reputation: 30
What is the verbose output of the forward chain?
iptables -L forward -n -v;
Run tail -f /var/log/messages while trying to connect. That way we can see what packets are being dropped.
 
Old 01-07-2004, 06:09 AM   #7
ekerik
LQ Newbie
 
Registered: Oct 2003
Location: Sweden
Distribution: Slackware 9.1
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by g-rod
What is the verbose output of the forward chain?
iptables -L forward -n -v;
Run tail -f /var/log/messages while trying to connect. That way we can see what packets are being dropped.
iptables -L forward -n -v:

iptables: Table does not exist (do you need to insmod?)


When I tried connecting no messages appeared in /var/log/messages.
Do you have any good and easy to configure scripts for IP masquerading and firewalls? Maybe it's my script that's messing it up.

//Thanks, Erik
 
Old 01-07-2004, 07:07 AM   #8
g-rod
Member
 
Registered: Dec 2003
Location: Long Island, NY USA
Distribution: RedHat, SUSE
Posts: 336

Rep: Reputation: 30
Sorry, it's uppercase FORWARD
iptables -L FORWARD -n -v;
 
Old 01-07-2004, 07:42 AM   #9
ekerik
LQ Newbie
 
Registered: Oct 2003
Location: Sweden
Distribution: Slackware 9.1
Posts: 6

Original Poster
Rep: Reputation: 0
iptables -L FORWARD -n -v
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
24936   17M ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
22492 2661K ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
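Ugge's point above (forwarded traffic is judged by the FORWARD chain, not INPUT, and rule order matters) and the FORWARD listing just posted can be checked without touching a live box by walking the chain the way the kernel does. The following is an added example, not code from this thread: it parses a constructed copy of the posted `iptables -L FORWARD -n -v` output, simulates the walk for the first packet of an inbound peer connection (already DNATed in PREROUTING, so FORWARD sees the internal address), and then repeats the walk with one extra rule inserted at the top, equivalent to `iptables -I FORWARD -i eth0 -o eth1 -p tcp -d 192.168.0.2 --dport 6881 -m state --state NEW -j ACCEPT`. The internal host 192.168.0.2 is taken from the first post (the nat listing shows .67) and the peer address 203.0.113.7 is constructed; both are assumptions.

```python
import ipaddress
import re

# Constructed copy of the `iptables -L FORWARD -n -v` listing posted in this thread.
FORWARD_LISTING = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
24936   17M ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
22492 2661K ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
"""

# Assumed internal host and port, taken from the first post in the thread.
TORRENT_HOST = "192.168.0.2"
TORRENT_PORT = 6881

# Targets that end the chain walk; LOG is non-terminating, so the walk continues after it.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_listing(text):
    """Return (policy, rules) parsed from `iptables -L <chain> -n -v` output."""
    lines = text.strip().splitlines()
    policy = re.match(r"Chain \S+ \(policy (\S+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:                 # skip the "Chain ..." and column-header lines
        cols = line.split(None, 9)         # pkts bytes target prot opt in out src dst [extra]
        extra = cols[9] if len(cols) > 9 else ""
        states = re.search(r"state (\S+)", extra)
        dport = re.search(r"dpt:(\d+)", extra)
        rules.append({
            "target": cols[2], "prot": cols[3], "in": cols[5], "out": cols[6],
            "src": cols[7], "dst": cols[8],
            "states": set(states.group(1).split(",")) if states else None,
            "dport": int(dport.group(1)) if dport else None,
        })
    return policy, rules


def rule_matches(rule, pkt):
    """Apply the matches the listing exposes: protocol, interfaces, addresses, state, dport."""
    if rule["prot"] != "all" and rule["prot"] != pkt["proto"]:
        return False
    if rule["in"] != "*" and rule["in"] != pkt["in"]:
        return False
    if rule["out"] != "*" and rule["out"] != pkt["out"]:
        return False
    for key in ("src", "dst"):             # "0.0.0.0/0" and bare hosts both become networks
        if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key], strict=False):
            return False
    if rule["states"] is not None and pkt["state"] not in rule["states"]:
        return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False
    return True


def walk_chain(policy, rules, pkt):
    """Return (verdict, targets hit in order); fall through to the chain policy."""
    hits = []
    for rule in rules:
        if rule_matches(rule, pkt):
            hits.append(rule["target"])
            if rule["target"] in TERMINATING:
                return rule["target"], hits
    return policy, hits


def forward_accept_rule():
    """Equivalent of:
    iptables -I FORWARD -i eth0 -o eth1 -p tcp -d 192.168.0.2 --dport 6881 \\
             -m state --state NEW -j ACCEPT
    Placed first, as -I does, so no earlier rule can drop the packet."""
    return {"target": "ACCEPT", "prot": "tcp", "in": "eth0", "out": "eth1",
            "src": "0.0.0.0/0", "dst": TORRENT_HOST, "states": {"NEW"}, "dport": TORRENT_PORT}


def inbound_torrent_packet():
    # Constructed: first packet of a peer's connection after PREROUTING DNAT,
    # so FORWARD sees the internal host as the destination.
    return {"proto": "tcp", "in": "eth0", "out": "eth1", "src": "203.0.113.7",
            "dst": TORRENT_HOST, "dport": TORRENT_PORT, "state": "NEW"}


def verdict_before_and_after():
    """Verdict with the posted chain, then with the extra rule inserted at the top."""
    policy, rules = parse_listing(FORWARD_LISTING)
    pkt = inbound_torrent_packet()
    before = walk_chain(policy, rules, pkt)
    after = walk_chain(policy, [forward_accept_rule()] + rules, pkt)
    return before, after


if __name__ == "__main__":
    before, after = verdict_before_and_after()
    print("posted chain :", before)   # ('DROP', ['LOG'])
    print("with -I rule :", after)    # ('ACCEPT', ['ACCEPT'])
```

With the chain exactly as posted, a NEW inbound connection fails the RELATED,ESTABLISHED match on the first rule, fails the eth1 interface match on the second, hits the non-terminating LOG rule and then falls to the DROP policy, which is why a dropped packet should show up in the kernel log as g-rod asks; a packet that is never logged is one that never reaches FORWARD at all. With the inserted rule the same packet is accepted on the first rule, and the existing eth1-to-eth0 rule still carries the replies.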
 
Old 01-07-2004, 02:12 PM   #10
dubman
Member
 
Registered: Jan 2003
Distribution: Redhat 9, Fedora Core 1, Suse 8
Posts: 188

Rep: Reputation: 30
here is a good site on IPtables:

http://eressea.pikus.net/~pikus/plug...all/page0.html
 
Old 01-07-2004, 05:52 PM   #11
g-rod
Member
 
Registered: Dec 2003
Location: Long Island, NY USA
Distribution: RedHat, SUSE
Posts: 336

Rep: Reputation: 30
Is eth0 your internal facing network card?
 
Old 01-08-2004, 01:06 PM   #12
ekerik
LQ Newbie
 
Registered: Oct 2003
Location: Sweden
Distribution: Slackware 9.1
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by g-rod
Is eth0 your internal facing network card?
No, eth0 is the external and eth1 is the local network. Is something wrong with the config?
 
Old 01-08-2004, 06:00 PM   #13
g-rod
Member
 
Registered: Dec 2003
Location: Long Island, NY USA
Distribution: RedHat, SUSE
Posts: 336

Rep: Reputation: 30
Not that I can see. It doesn't look like iptables is dropping anything.
Try tail -f /var/log/messages;
as you are trying to connect and see if anything is being logged into the kernel log.
 
Old 10-07-2009, 11:00 AM   #14
Sum1
Member
 
Registered: Jul 2007
Distribution: Slackware and Gentoo
Posts: 218

Rep: Reputation: 21
Quote:
Originally Posted by ugge

In this case run iptables -L -t nat and post the results here.
Ugge, a quick thank you for this suggestion.
I was trying to solve a nat problem I was having and came across this thread.
By looking only at the "-t nat" results I was able to find my mistake in the clutter of all my iptables chains.

Great stuff.
 