LinuxQuestions.org
Old 01-18-2009, 07:34 PM   #1
benderan
LQ Newbie
 
Registered: Sep 2008
Location: Boulder, CO
Distribution: Redhat EL5, Scientific Linux, Fedora
Posts: 21

Rep: Reputation: 15
UDP & TCP Port Communication is Filtered/Open in nmap


Hi,

I currently have some ports on my computer that I use for very specific data acquisition / transfer. The IP address of the computer doing that handshaking is changing. My current /etc/sysconfig/iptables file looks like this.

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25144:25145 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 1980:1982 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15150 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15155 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15225 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

The ports of interest are 15150,15155,and 15225. While preparing for the new network, I tried probing through another computer to see if anyone on the local network could access those ports. What I ended up with was that nmap said the tcp ports are open, but the UDP ports were filtered/open. When I tried to handshake across these ports, it was unsuccessful.

Any insight that could be provided would be fantastic.

Also, I should add that since the network switchover is currently occurring (it's a remote machine) that I cannot access it to check anything. But any suggestions for when the network is back up would be great.
 
Old 01-19-2009, 12:10 AM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
For an explanation of how nmap scans udp ports, see the nmap(1) manpages -- specifically, the -sU option.

Quote:
Originally Posted by benderan
When I tried to handshake across these ports, it was unsuccessful.
This appears to be your problem (question?), but I'm unsure what you are asking. Were you expecting your connection attempt to be successful? What exactly did you try, and how did it fail? How are you trying to initiate a handshake with a stateless protocol (udp), BTW?
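To make the pointer to nmap's -sU behaviour concrete, here is a small UDP probe added for this page (it is not nmap's code and not code posted by anyone in the thread). It classifies a port from the same evidence nmap has: a UDP answer means open, an ICMP port-unreachable means closed, another ICMP unreachable code (such as the host-prohibited that this thread's REJECT rule emits) means filtered, and silence means open|filtered, because a listener that never answers and a firewall that drops the probe look identical from outside. It uses ordinary sockets, so no root is needed: for a connected UDP socket the Linux kernel reports an incoming ICMP destination-unreachable as an error on the next recv(). The three loopback targets in demo() are constructed for the demonstration.

```python
"""UDP port probe in the style of nmap -sU, showing where 'open|filtered' comes from.

Added example for this thread; not nmap's code and not code posted in the thread.
"""
import errno
import socket
import threading


def probe_udp(host, port, payload=b"\x00", timeout=1.0):
    """Send one datagram to host:port and classify the port like nmap -sU."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))   # connected socket => ICMP errors are delivered to us
        s.send(payload)
        try:
            s.recv(4096)
            return "open"                 # the service answered with a datagram
        except socket.timeout:
            return "open|filtered"        # no answer: silent listener or a DROP, can't tell
        except ConnectionRefusedError:
            return "closed"               # ICMP type 3 code 3, port unreachable
        except OSError as e:
            # Other ICMP unreachable codes (host/net prohibited, host unreachable,
            # protocol unreachable) come back as these errnos on Linux; nmap calls
            # all of them "filtered".
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ENOPROTOOPT):
                return "filtered"
            raise


def _bound_socket():
    """Constructed fixture: a UDP socket bound to a free loopback port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s


def _start_echo_service(sock):
    """Constructed fixture: answer the next datagram on sock, like an 'open' service."""
    def serve_one():
        data, peer = sock.recvfrom(4096)
        sock.sendto(data, peer)
    threading.Thread(target=serve_one, daemon=True).start()


def demo():
    """Probe three constructed loopback targets and return {description: state}."""
    echo, silent, spare = _bound_socket(), _bound_socket(), _bound_socket()
    _start_echo_service(echo)
    free_port = spare.getsockname()[1]
    spare.close()                 # nothing listens there now => ICMP port unreachable
    results = {
        "answering service": probe_udp("127.0.0.1", echo.getsockname()[1], b"ping"),
        "silent listener":   probe_udp("127.0.0.1", silent.getsockname()[1], timeout=0.5),
        "nothing bound":     probe_udp("127.0.0.1", free_port),
    }
    echo.close()
    silent.close()
    return results


if __name__ == "__main__":
    for target, state in demo().items():
        print(f"{target:18s} -> {state}")
```

The "silent listener" case is the one the original poster hit: a bound data-acquisition port that only talks to its control computer gives nmap nothing to work with, so open|filtered is the honest answer, not a sign that the firewall is blocking anything.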
 
Old 01-19-2009, 12:34 AM   #3
benderan
I guess I didn't state my problem very clearly. Currently, there is a control computer that takes packets from the computer I described above on three udp ports (this computer is in turn connected to my scientific instruments). I was probably mis-using the word handshaking above (I'm new to all of this networking admin stuff, and am pretty confused by the online tutorials I've found). Currently the setup somehow allows this computer to access those ports (if you do an iptables -L, the -p 50 & -p 51 lines change to the name of that control computer).

For my new setup, there is going to be a dual ethernet connection with 2 different static ips. I need the new control computer to be able to access the same ports, but I also need to specify which port acts on which ethernet connection.

I was expecting my previous connection attempt to be successful because I couldn't find anything that specified the control computer as the only one with access.

My question is, where in the setup is the appropriate place to make these changes, and maybe you could point me to a straightforward reference on these topics?
 
Old 01-19-2009, 06:10 PM   #4
anomie
At RHEL4 or 5 installation time, the firewall rules can be configured. Afterwards you can use system-config-securitylevel.

I personally don't do either, though. I write an iptables script that I manage in the same place on each server. For a netfilter/iptables tutorial, check out: http://iptables-tutorial.frozentux.n...-tutorial.html

As for these three rules:
Code:
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15150 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15155 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15225 -j ACCEPT
There is nothing in them that explicitly allows packets in from a particular source host or subnet. It should be allowing in all udp traffic to ports 15150, 15155, 15225. If that's not what is happening in reality, then check whatever application sits behind them to see if it has access control lists enabled in its configuration.

Also, for the sake of eliminating possibilities, shut off iptables entirely (service iptables stop) and then see if the connection works as you'd expect.

Finally, be sure to confirm that there are actually services listening on those udp service ports: netstat -lun | egrep '15150|15155|15225'

Hope that helps. If I'm still misunderstanding your question, then please try again in plain English (i.e. lose any tech lingo and extraneous info you're tempted to include).
 
Old 01-20-2009, 04:17 PM   #5
benderan
Ok, I understand what you've written above, and I was able to communicate with the control computer (I still don't know why this wasn't possible from the test computer).

Now, I need to configure so that ports 15155 & 15150 communicate on eth1, while 15225 communicates on eth0. I think this is again something to do in iptables, but I'm getting lost in all the options of your suggested tutorial.
 
Old 01-20-2009, 04:38 PM   #6
anomie
As an additional (and comprehensive) reference, also see the iptables(8) manpages.

Quote:
Originally Posted by benderan
I need to configure so that ports 15155 & 15150 communicate on eth1, while 15225 communicates on eth0.
Your rules should then look something like:
Code:
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15150 -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15155 -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15225 -i eth0 -j ACCEPT
But don't deploy those rule changes until you understand what they're doing. (Again, the manpages may be of assistance here. Also cruise the 'net for iptables example rulesets.)
 
Old 01-20-2009, 05:08 PM   #7
benderan
Do I also need to specify

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15150 -o eth1 -j ACCEPT

so that outgoing packets from port 15150 will travel only on eth1 as well?

Thanks so much, I think I'm starting to understand.
 
Old 01-20-2009, 06:22 PM   #8
anomie
You shouldn't need to specify any additional rules for outbound traffic. This rule...

Code:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
... handles stateful connections. Even udp (which is stateless) is tracked and accommodated through this rule, AFAIK.

As long as eth0 and eth1 are on different subnets, you should get the behavior you're expecting with what we already discussed.
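Pulling together the three answers above (the missing source restriction noted in post #4, the per-interface rules from post #6 and the reply handling from post #8), here is what a complete /etc/sysconfig/iptables for the two-NIC setup could look like. This is an added example for this page, not the file from the thread or anything anomie posted. The control computer's addresses, 192.0.2.10 on the eth0 subnet and 198.51.100.10 on the eth1 subnet, and the interface names are assumptions; substitute your own, and add back any other ports from the original file (25144:25145/tcp, 1980:1982/udp) that are still needed:

```iptables
# Added example: /etc/sysconfig/iptables for the dual-NIC instrument host.
# Assumed addresses (substitute your own): the control computer is 192.0.2.10
# on the eth0 subnet and 198.51.100.10 on the eth1 subnet.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# Protocols 50 and 51 are IPsec ESP and AH, carried over from the original file.
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
# Return traffic for anything this host started, plus the datagrams conntrack
# pairs with the UDP flows accepted below. This is why no -o rule is needed:
# -o is only valid in OUTPUT, FORWARD and POSTROUTING, and OUTPUT policy is ACCEPT.
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Instrument ports: accepted only from the control computer and only on the
# interface it is reached through. The original rules had no -s match, so any
# host that could reach the interface could send to these ports.
-A RH-Firewall-1-INPUT -i eth1 -s 198.51.100.10 -m state --state NEW -m udp -p udp --dport 15150 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -s 198.51.100.10 -m state --state NEW -m udp -p udp --dport 15155 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -s 192.0.2.10 -m state --state NEW -m udp -p udp --dport 15225 -j ACCEPT
# Everything else gets an ICMP host-prohibited, which nmap -sU reports as "filtered".
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

Load it with `service iptables restart` (or `iptables-restore < /etc/sysconfig/iptables`) and check the result with `iptables -L RH-Firewall-1-INPUT -v -n`, which shows the `-i` and `-s` fields numerically and counts packets per rule, so you can see which rule a test datagram actually hit. `netstat -lun | egrep '15150|15155|15225'` confirms something is listening, and an `nmap -sU -p 15150,15155,15225` from a LAN host other than the control computer should now report `filtered` rather than `open|filtered`, because the REJECT rule answers the probe. The `-s` match is a plain address comparison, so it is no defence against a host on the same segment that spoofs the control computer's address; it narrows the exposure, it does not authenticate the peer.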
 
Old 01-21-2009, 05:15 PM   #9
benderan
Thanks, that did it.
 
  

