LinuxQuestions.org
Old 07-04-2005, 10:06 AM   #1
dr_zayus69
Member
 
Registered: Sep 2004
Location: western massachusetts
Distribution: fedora core 3, Suse 10
Posts: 877

Rep: Reputation: 35
Testing port 6881....NAT Error - error in Azureus


hi i'm trying to get azureus set up and when i test the port it is set to use by default i get this message:

Testing port 6881....NAT Error

i think i need to open port 6881. I believe i enabled the firewall when i installed fc3 but i'm not sure how to manipulate it. I'm not asking how to do it specifically, i just need some direction. I'm not sure if i have to look into selinux or iptables? any replies would be appreciated. thanks in advance.
 
Old 07-04-2005, 11:05 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
i don't know about selinux, but as far as iptables is concerned just do a:
Code:
iptables -I INPUT -p TCP --dport 6881:6999 -m state --state NEW -j ACCEPT
this command assumes you are running azureus on the firewalled box itself...

if you are filtering outgoing packets you'd need to add a similar rule to the OUTPUT chain...

http://dessent.net/btfaq/#ports
 
Old 10-31-2005, 03:33 PM   #3
dr_zayus69
for the longest time the command worked like a charm. However now when i do it i still get a nat error from azureus. So i'm not positive what it could be.
 
Old 10-31-2005, 11:44 PM   #4
win32sux
please post the output of (when you get the error):
Code:
iptables -L
Code:
iptables -L -t nat
what about your log file? what does it show at the time of the error??
Code:
tail -f /var/log/syslog
 
Old 11-01-2005, 07:09 AM   #5
dr_zayus69
i have no syslog with that absolute path. this is what i get when i search for it.

Code:
[root@localhost jeff]# find / -name syslog
/etc/rc.d/init.d/syslog
/etc/logrotate.d/syslog
/etc/sysconfig/syslog
/var/lock/subsys/syslog
/usr/share/doc/ruby-libs-1.8.3/ext/syslog
/media/slave/etc/logrotate.d/syslog
/media/slave/etc/sysconfig/syslog
/media/slave/etc/rc.d/init.d/syslog

media/slave is a mount point for hdb so those are safe entries to ignore. The ruby libs one seems like another entry that could be ignored. Which one should i look at?

Code:
[root@localhost jeff]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:6881:6999 state NEW
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Code:
[root@localhost jeff]# /sbin/iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

what does the -L stand for in the command? list?
 
Old 11-01-2005, 07:15 AM   #6
win32sux
as for the syslog file, make sure you are indeed running the syslog daemon:
Code:
 ps aux | grep syslogd
as for your iptables rules, being that your INPUT policy is set to ACCEPT, all of your ACCEPT rules are pointless...

i'm not sure what's going on with your Azureus... have you tried disabling selinux to see if it helps??
 
Old 11-01-2005, 07:32 PM   #7
dr_zayus69
yeah the syslog daemon is running. I'll have to look up a tutorial on iptables so i understand it more so that i can use it to allow Azureus to run without disabling selinux. I am not sure how to disable selinux but i'd rather try to find a better solution than that. i can still download using azureus with the nat error but my smiley icons for azureus are never green when i have the nat error.
 
Old 11-01-2005, 08:45 PM   #8
win32sux
Quote:
Originally posted by dr_zayus69
yeah the syslog daemon is running. I'll have to look up a tutorial on iptables so i understand it more so that i can use it to allow Azureus to run without disabling selinux.
except that you are already allowing ALL traffic through your firewall, so there's nothing more you could "allow" as far as iptables is concerned...

Quote:
I am not sure how to disable selinux but i'd rather try to find a better solution than that. i can still download using azureus with the nat error but my smiley icons for azureus are never green when i have the nat error.
if the issue is indeed being caused by selinux, then nothing else you do will help you... if i were you i'd temporarily disable the selinux protection and see if it does the trick, then at least you'd know where you stand and you could then proceed to find the proper configuration you need to apply to selinux for your azureus... i don't know anything about selinux, but this would be a start if you wanna temporarily disable it:

http://www.google.com/search?q=disable+selinux
 
Old 11-01-2005, 08:57 PM   #9
dr_zayus69
Quote:
Originally posted by win32sux
except that you are already allowing ALL traffic through your firewall, so there's nothing more you could "allow" as far as iptables is concerned...
and you see why i need a tutorial on iptables. lol
 
Old 11-01-2005, 09:58 PM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Actually the last rule in the RH-Firewall-1-INPUT chain is usually a clean-up rule with a REJECT target so all packets that make it to that point get rejected before they get to the default input chain policy. I don't see the rule you added in the output of iptables -L, so I'd take a guess that your system rebooted at some point and the firewall reset to the original Fedora Core default. Try re-running the rule posted above (iptables -I INPUT -p TCP --dport 6881:6999 -m state --state NEW -j ACCEPT) and see if azureus works. If so, then do "service iptables save" so that the change will be persistent over reboots.
 
Old 11-01-2005, 10:54 PM   #11
win32sux
thanks for the heads-up Capt_Caveman... i overlooked the REJECT rule at the end of the RH chain... having said that, the 6881:6999/tcp rule does show up:
Quote:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:6881:6999 state NEW
 
Old 11-02-2005, 06:27 AM   #12
Capt_Caveman
Quote:
Originally posted by win32sux
having said that, the 6881:6999/tcp rule does show up:
Thanks, I stand corrected. In that case, you may want to completely rule out the firewall by temporarily disabling it with the command "service iptables stop" and then retry azureus. Make sure to restart it after testing with "service iptables start".

May also want to verify that your ISP hasn't started filtering those ports. Try using a free online security scanner to verify that they are indeed open. There are a number of scanners available, including ones at grc.com and sygate SOS.
 
Old 11-02-2005, 08:01 AM   #13
dr_zayus69
yeah it works fine when i do /sbin/service iptables stop but after exiting it and starting iptables back up it gets the nat error message again. i haven't scanned any ports yet though. i don't understand the 6999 in the command. i know the first number is the port but why is the 6999 there? is it declaring a range of ports? I would change the port but then i wouldn't know what i needed to do to change the iptables command. To be honest i had this post bookmarked and would just copy and paste the command when i used azureus so i didn't completely understand it. Recently i'd use ctrl+r to do a reverse lookup of the command in the shell to get it back up to enter it again, and thought about putting it in a shell script to execute when i started azureus or have it execute with the startup scripts. My basic understanding is that it opens up the port to allow for communication. Thanks for the help so far.
 
Old 11-02-2005, 11:45 AM   #14
Capt_Caveman
Ok, that would indicate it's a firewall issue then. Looking over the Azureus user guide, it appears that it only uses port 6881 now and uses both tcp and udp protocols. Try adding these rules:

iptables -I INPUT -p tcp --dport 6881 -j ACCEPT
iptables -I INPUT -p udp --dport 6881 -j ACCEPT
 
Old 11-02-2005, 07:21 PM   #15
win32sux
yeah i think you are right, Capt_Caveman... i actually had no idea that bittorrent used udp packets, i thought it was all tcp... but now i read through this azureus faq: http://azureus.aelitis.com/wiki/inde...PortForwarding and yeah it says it will use both tcp and udp on the same port (it also says azureus only needs one port)... that would explain why an error would be obtained even though things seemed to still be working fine i think... like, it was just complaining about the udp packets not getting through and stuff... i think...
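
Added example, not part of any post in this thread: a first-match walk over a constructed ruleset in `iptables -S` syntax, modelled on the listing posted above, showing why new TCP to 6881 is accepted while new UDP to 6881 falls through to the REJECT at the end of RH-Firewall-1-INPUT. The ruleset and the `verdict` helper are assumptions made for illustration, and the walk ignores source and destination address matches.

```shell
#!/bin/sh
# Constructed ruleset in `iptables -S` syntax, modelled on the posted listing
# (-S shows the "-i lo" match that plain `iptables -L` output hides).
RULES='-P INPUT ACCEPT
-N RH-Firewall-1-INPUT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6999 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'

# verdict PROTO PORT STATE: first-match walk of INPUT for a packet arriving on
# a non-loopback interface; prints the target that decides its fate.
verdict() {
  printf '%s\n' "$RULES" | awk -v proto="$1" -v port="$2" -v state="$3" '
    $1 == "-P" { policy[$2] = $3 }
    $1 == "-A" { n[$2]++; rule[$2, n[$2]] = $0 }
    function matches(r,   f, k, i, range) {
      k = split(r, f, " ")
      for (i = 3; i < k; i++) {
        if (f[i] == "-i" && f[i+1] == "lo") return 0
        if (f[i] == "-p" && f[i+1] != proto) return 0
        if (f[i] == "--state" && !index("," f[i+1] ",", "," state ",")) return 0
        if (f[i] == "--dport") {
          if (split(f[i+1], range, ":") == 1) range[2] = range[1]
          if (port + 0 < range[1] + 0 || port + 0 > range[2] + 0) return 0
        }
      }
      return 1
    }
    function target(r,   f, k, i) {
      k = split(r, f, " ")
      for (i = 3; i < k; i++) if (f[i] == "-j") return f[i+1]
    }
    function walk(chain,   i, t, v) {
      for (i = 1; i <= n[chain]; i++) {
        if (!matches(rule[chain, i])) continue
        t = target(rule[chain, i])
        if (!(t in n)) return t              # built-in target ends the walk
        v = walk(t); if (v != "") return v   # user chain; no match resumes here
      }
      return ""
    }
    END { v = walk("INPUT"); print (v != "" ? v : policy["INPUT"]) }'
}

verdict tcp 6881 NEW   # the rule inserted at the top of INPUT matches
verdict udp 6881 NEW   # no udp rule, so the packet reaches the final REJECT
```

Putting `-A INPUT -p udp --dport 6881 -j ACCEPT` ahead of the jump in `RULES` changes the second verdict to ACCEPT, which is what the udp rule suggested in post #14 does on the live firewall.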
 
  


All times are GMT -5. The time now is 02:40 AM.
