Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have a server which acts like a router and it's been working great for a long time now. But some time ago I noticed that some of my ports weren't working anymore and I couldn't open them up again either.
Neither can I open any other port that I've tried. What's so strange is that default ports like 21, 80 etc are still open. But it isn't only the default ports that work, because I have SSH on port 2223 and that still works. And I've tried using torrents on port 42-44 but they wont open either.
Here's my iptables -vL:
Code:
Chain INPUT (policy ACCEPT 259 packets, 14925 bytes)
pkts bytes target prot opt in out source destination
2366 3519K ACCEPT all -- eth1 any anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpts:11000:11020
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:2223
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpts:22346:22355
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:smtp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:imap
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:9999
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:19999
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth1 any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any 192.168.1.14 anywhere tcp dpts:italk:12355
0 0 ACCEPT tcp -- any any 192.168.1.4 anywhere tcp dpt:22345
Chain OUTPUT (policy ACCEPT 675 packets, 995K bytes)
pkts bytes target prot opt in out source destination
1197 66256 ACCEPT all -- any eth1 anywhere anywhere
And here is the script I'm using for the iptables rules. It's my distros startup script. Oh and btw, eth0 is the external connection and eth1 is the internal:
Code:
#!/bin/sh
# /etc/conf.d/local.start
# Put the things you want to run on boot here.
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Set up basic iptables rules:
/usr/sbin/iptables -F FORWARD
/usr/sbin/iptables -F -t nat
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/iptables -A FORWARD -i eth1 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth1 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth1 -j ACCEPT
/usr/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
##########################
# Port forwarding: #
##########################
# eth1:
#
# Torrent
/usr/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 12345:12355 -j DNAT --to-destination 192.168.1.14
/usr/sbin/iptables -A FORWARD -s 192.168.1.14 -p tcp --dport 12345:12355 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 22345 -j DNAT --to-destination 192.168.1.4
/usr/sbin/iptables -A FORWARD -s 192.168.1.4 -p tcp --dport 22345 -j ACCEPT
##########################
#
# eth0:
#
# FTP
/usr/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# FTP Passive
/usr/sbin/iptables -A INPUT -p tcp --dport 11000:11020 -j ACCEPT
# HTTP
/usr/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# SSH
/usr/sbin/iptables -A INPUT -p tcp --dport 2223 -j ACCEPT
# Torrent
/usr/sbin/iptables -A INPUT -p tcp --dport 22346:22355 -j ACCEPT
# SMTP & IMAP
/usr/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
# Webmin & Usermin
/usr/sbin/iptables -A INPUT -p tcp --dport 9999 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 19999 -j ACCEPT
Of all these ports, these are the ones that still work: 21, 80, 2223, 25, 143, 9999, 19999. None of the port forwarding stuff works. Neither does the passive ftp ports and torrent ports. And if I try to open another port, it doesn't actually open. It will show up in iptables -vL, but according to canyouseeme.org it's still closed.
Have I configured something wrong? But it did work before which is odd. I think I'm going crazy over this.
Last edited by Synt4x_3rr0r; 05-04-2009 at 05:42 AM.
The rules you posted (with iptables -vL) do not seem to match what your script is doing. As an example, in the script you set the FORWARD chain policy to DROP, but in the iptables output listing that is clearly not there.
The issue you're describing is a little complicated, so I would get it down to a base case to try to eliminate possibilities. Add an iptables rule to open tcp port 6969 on your input chain. Then, on the server, run the command:
$ nc -l 6969 <-- your syntax to set up a listener may differ slightly; check the nc(1) manpages
Then, on your client workstation, run the command:
$ nc -zvw 1 server.ip.here 6969
What does that say? If the connection fails, double check your iptables rule and double check (with netstat) that you set up the listener properly on the server.
That seems odd. I also tried it on my workstation which is connected by wire directly to the gateway(which is also the firewall that has the problems) and it says this instead:
I have added the gateway server's IP address and hostname to /etc/hosts on my workstation so that might be why it says that instead. The hostname on the firewall is synt4x.ath.cx, perhaps I can't have that hostname since it has two dots?
Then I tried to connect from an outside computer and it tells me this:
I have double checked the things you told me. Interestingly port 6969 does NOT show up with netstat -L. I'm not an iptables expert or anything, but this is what I did to open port 6969:
Code:
iptables -A INPUT -p tcp --dport 6969 -j ACCEPT
That is correct right? It is listed when I run iptables -vL like the rest of the ports.
Code:
1 60 ACCEPT tcp -- any any anywhere anywhere tcp dpt:6969
I hope this information is good enough to maybe point you in the right direction. Otherwise tell me what I should do to provide that information.
I have written a simple script that resets my firewall to the default settings used in the startup script that I have used since reboot. Maybe there's something wrong with that?
Interestingly port 6969 does NOT show up with netstat -L.
The command $ netstat -ltn should show that nc is listening on tcp port 6969. If it doesn't, the rest of the test is not going to work. See my last post about how to set up the listener.
It looks like you added the iptables rule correctly, BTW.
Hmm it doesn't show up anyway. I AM supposed to run netcat on the firewall, right? :S
Actually it wouldn't matter since it doesn't show up as listening on ANY of my computers. I ran nc -l 6969 on all three of my computers and then checked with netstat -ltn on all of them but it didn't show up on any of them. The laptop is running Ubuntu and the other two computers are running my own distro Enlisy.
Check the nc(1) manpages. Some versions require -l -p (rather than just -l).
Point is: this test is not going to work until you get nc listening. Once you've done so, keep the terminal open (if you kill it with Ctrl+C, the listener dies along with it.)
Ah, yes. there it is. It shows up now
And interestingly, canyouseeme.com says the port is open as well.
Edit: oh sorry, forgot about the nc -zvw 1 stuff. It still says connection refused...
Edit2: I'm kind of wondering though why my laptop says "192.168.1.1: inverse host lookup failed: Unknown host" when I'm trying to connect on it :S
Edit3: I tried again from my workstation and it says the port is open!! I also added the firewall to my laptops /etc/hosts and it also says the port is open.
Last edited by Synt4x_3rr0r; 05-11-2009 at 05:45 PM.
Ah, hehe sorry. I guess I should have mentioned that.
No it still doesn't work. The torrent ports doesn't show up with netstat -ltn and neither does the passive ftp ports(except for port 11020 for some reason), and some other ports. I'm beginning to think that it's the applications that doesn't listen on the ports correctly or something. But the weird thing is that it has worked in the past, and I can't remember that i did anything to break it.
Sorry for bumping, but the problem hasn't been resolved yet. I'm beginning to think that it might be the applications there is something wrong with, since obviously I can open the ports and get things listening on it, seeing as canyouseeme.com said the port was open when I told netcat to listen on it.
So some applications do listen on the ports, but most do not it seems. That is likely the current problem and not a firewall problem at this point. Any advice?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
