LinuxQuestions.org
Old 05-16-2004, 04:02 AM   #1
jslmg
Member
 
Registered: Apr 2004
Distribution: Ubuntu 7.10
Posts: 31

Rep: Reputation: 15
Firewall seems configured properly, but still can't open ports needed


Hello. This is a continuation of the problem discussed in the following threads:

http://www.linuxquestions.org/questi...hreadid=179530
http://www.linuxquestions.org/questi...hreadid=180518

I'm running RH 9 with kernel 2.4.8-20. I need to open ports 8000 and 8001 for a SHOUTcast streaming server. I have successfully used this server on the same IP address over Windows and Mac, so I know the network is not the problem.

My iptables rules seem to be configured properly, unless someone can please tell me of any errors here that might be causing the problem. Notice that ports 8000 and 8001 are set to "ACCEPT". There's also an additional filter suggested by a fellow SHOUTcast broadcaster, designed specifically to open 8000 and 8001:

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7998 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7999 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 8000 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 8001 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
*filter
:INPUT DROP [16986:724916]
:FORWARD DROP [0:0]
:OUTPUT DROP [409:31084]
:SERVICES - [0:0]
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j SERVICES
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j LOG --log-prefix "[FILTER/OUTPUT] "
-A SERVICES -d xxx.xxx.xxx.xxx -i eth0 -p tcp --dport 8000 -j ACCEPT
-A SERVICES -d xxx.xxx.xxx.xxx -i eth0 -p tcp --dport 8001 -j ACCEPT
-A SERVICES -d xxx.xxx.xxx.xxx -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT

Despite the apparent settings in iptables, I still do not see ports 8000 and 8001 when I run "nmap -v" or "nmap -sT". Here's what it shows:

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming SYN Stealth scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
Host (xxx.xxx.xxx.xxx) appears to be up ... good.
Initiating SYN Stealth Scan against (xxx.xxx.xxx.xxx)
Adding open port 6000/tcp
Adding open port 111/tcp
Adding open port 22/tcp
The SYN Stealth Scan took 2 seconds to scan 1601 ports.
Interesting ports on (xxx.xxx.xxx.xxx):
(The 1598 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
6000/tcp open X11

And here's what the SC server tells me:

*******************************************************************************
** SHOUTcast Distributed Network Audio Server
** Copyright (C) 1998-2004 Nullsoft, Inc. All Rights Reserved.
** Use "sc_serv filename.ini" to specify an ini file.
*******************************************************************************

Event log:
<05/16/04@17:33:42> [SHOUTcast] DNAS/Linux v1.9.4 (Mar 17 2004) starting up...
<05/16/04@17:33:42> [main] pid: 17423
<05/16/04@17:33:42> [main] loaded config from sc_serv.conf
<05/16/04@17:33:42> [main] initializing (usermax:100 portbase:8000)...
<05/16/04@17:33:42> [main] No ban file found (sc_serv.ban)
<05/16/04@17:33:42> [main] No rip file found (sc_serv.rip)
<05/16/04@17:33:42> [main] relay thread starting
<05/16/04@17:33:42> [source] creating relay socket
<05/16/04@17:33:42> [main] opening client socket
<05/16/04@17:33:42> [main] Client Stream thread [0] starting
<05/16/04@17:33:42> [main] client main thread starting
<05/16/04@17:33:42> [source] relay host gave success (ICY 200 OK)
<05/16/04@17:33:42> [source] relay from 165.132.194.122 established.
<05/16/04@17:33:42> [source] icy-name:RADIO MACONDO: Pura Salsa, Puro Son...El Canal Salsero de ORSRADIO ; icy-genre:World Latin Salsa
<05/16/04@17:33:42> [source] icy-pub:1 ; icy-br:96 ; icy-url:http://homepage.mac.com/jslmg/radiomacondo/english.htm
<05/16/04@17:33:42> [source] icy-irc:N/A ; icy-icq:N/A ; icy-aim:N/A
<05/16/04@17:33:54> [yp_add] yp.shoutcast.com gave error (nak)
<05/16/04@17:33:54> [yp_add] yp.shoutcast.com gave extended error (Cannot see your station/computer (IP: xxx.xxx.xxx.xxx:8000) from the Internet, disable Internet Sharing/NAT/firewall/ISP cache (Connection timed out))

Is there anything else I can do to open these ports?

Last edited by jslmg; 05-16-2004 at 04:12 AM.
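A way to check a ruleset like the one above without guessing, as an added example that is not from the post or from lokkit: a small sh/awk walker that takes an iptables-save dump and traces one packet (a new inbound TCP SYN on a given interface, to a given address and port) through INPUT and any user chains it jumps to, reporting the terminating target or the chain policy. It evaluates only the last `*filter` section, because iptables-restore flushes a table each time it reaches that table's header line (unless run with --noflush), so in a file with two `*filter` blocks only the second one ends up loaded. The dump is a constructed, condensed version of the one in the post (192.0.2.10 is a documentation placeholder for the masked address), and the matcher is simplified: `-s`, `--sport`, `--syn` and negations are ignored, `-d` must match exactly or be 0/0, and `--state` rules without NEW are treated as not matching a fresh SYN.

```shell
#!/bin/sh
# Walk an iptables-save dump the way the kernel would for ONE packet: a new inbound
# TCP SYN arriving on interface IFACE, addressed to DST, destination port PORT.
# Simplifications: only the last *filter section is evaluated (what iptables-restore
# leaves loaded), -s/--sport/negations are ignored, -d must match exactly or be 0/0,
# and jumps into user chains are followed until a terminating target is hit.

# Constructed sample modelled on the two-section file in the post (192.0.2.10 is a
# documentation placeholder for the poster's masked address).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 8000 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
COMMIT
*filter
:INPUT DROP [0:0]
:SERVICES - [0:0]
-A INPUT -d 192.0.2.10 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j SERVICES
-A SERVICES -d 192.0.2.10 -i eth0 -p tcp --dport 8000 -j ACCEPT
-A SERVICES -d 192.0.2.10 -i eth0 -p tcp --dport 8001 -j ACCEPT
-A SERVICES -d 192.0.2.10 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# How many *filter sections does the file contain? More than one means every section
# but the last is flushed again by iptables-restore before the next one loads.
filter_sections() {
    printf '%s\n' "$1" | grep -c '^\*filter$'
}

# inbound_verdict DUMP PORT IFACE DST -> prints ACCEPT, DROP, REJECT, or "" if nothing applies
inbound_verdict() {
    printf '%s\n' "$1" | awk -v port="$2" -v iface="$3" -v dst="$4" '
    # Does one rule line match our packet? Options we do not model are treated as matching.
    function matches(r,   f, nf, k, v, rng) {
        nf = split(r, f, " ")
        for (k = 1; k <= nf; k++) {
            if (f[k] == "-p" && f[k+1] != "tcp" && tolower(f[k+1]) != "all") return 0
            if (f[k] == "-i" && f[k+1] != iface) return 0
            if (f[k] == "-d" && f[k+1] != dst && f[k+1] != "0/0" && f[k+1] != "0.0.0.0/0") return 0
            if (f[k] == "--dport") {
                v = f[k+1]
                if (index(v, ":")) { split(v, rng, ":"); if (port+0 < rng[1]+0 || port+0 > rng[2]+0) return 0 }
                else if (v+0 != port+0) return 0
            }
            # a fresh SYN is conntrack state NEW; RELATED,ESTABLISHED rules never see it
            if (f[k] == "--state" && index(f[k+1], "NEW") == 0) return 0
        }
        return 1
    }
    function target(r,   f, nf, k) {
        nf = split(r, f, " ")
        for (k = 1; k <= nf; k++) if (f[k] == "-j") return f[k+1]
        return ""
    }
    # Walk chain ch in order, descend into user chains, fall back to the chain policy.
    function verdict(ch, depth,   i, t, r) {
        if (depth > 16) return "LOOP"
        for (i = 1; i <= n; i++) {
            if (chain[i] != ch || !matches(rule[i])) continue
            t = target(rule[i])
            if (t == "ACCEPT" || t == "DROP" || t == "REJECT") return t
            if (t == "RETURN") return ""
            if (t == "LOG" || t == "") continue
            r = verdict(t, depth + 1)
            if (r != "") return r
        }
        return (ch in policy) ? policy[ch] : ""
    }
    /^\*/  { in_filter = ($1 == "*filter")
             if (in_filter) { n = 0; split("", chain); split("", rule); split("", policy) }
             next }
    !in_filter { next }
    /^:/   { if ($2 != "-") policy[substr($1, 2)] = $2; next }
    /^-A / { n++; chain[n] = $2; rule[n] = $0; next }
    END    { print verdict("INPUT", 0) }'
}

# Stand-alone run: where does a SYN to 8000 end up, depending on how it arrives?
main() {
    echo "filter sections in file: $(filter_sections "$SAMPLE_DUMP")"
    for case in "8000 eth0 192.0.2.10" "8000 eth0 10.0.0.5" "111 eth0 192.0.2.10" "8000 lo 192.0.2.10"; do
        set -- $case
        echo "port $1 via $2 to $3: $(inbound_verdict "$SAMPLE_DUMP" "$1" "$2" "$3")"
    done
}
main
```

Two of the cases are the ones worth looking at when a port "is ACCEPTed" yet unreachable: a packet arriving on lo is accepted by the `-i lo` rule whatever port it targets, so a scan of your own address from the same box proves nothing about what eth0 lets in; and a packet addressed to any address other than the one hard-coded in the `-d` rules (for instance the private address of a NATed host, constructed here as 10.0.0.5) matches nothing in SERVICES and falls through to the INPUT DROP policy.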
 
Old 05-16-2004, 09:00 AM   #2
jslmg
Member
 
Registered: Apr 2004
Distribution: Ubuntu 7.10
Posts: 31

Original Poster
Rep: Reputation: 15
Update:

I ran "netstat -ant | grep LISTEN" and saw 0.0.0.0:8000 LISTEN

Still getting the error on the SC server, though.
 
Old 06-15-2004, 07:26 PM   #3
fuubar2003
Member
 
Registered: May 2004
Location: Orlando, Florida
Distribution: SLES10/11, RH4/5 svrs, Fedora, Debian/Ubuntu/Mint; FreeBSD/OpenBSD
Posts: 63

Rep: Reputation: 26
You need output rules; all you have is input rules. I.e., when your svr broadcasts a stream, the listener will request more packets with a destination port of your server IP:8000. Set up a packet capture on the linux box; I used tcpdump. For windows, install Ethereal. Then run a packet capture and you will see that while traffic leaves your svr via port 8000, it also comes back in on the same port. I had the same problem you had until I created an output rule for 8000. I found netstat and nmap unhelpful, as they may show ports that are "open" or listening, but it means nothing if the actual traffic gets blocked.

Here is my iptables script. Notice the TOS rule, which basically is set to give the outbound shoutcast traffic priority over other outbound traffic. Enjoy.

#!/bin/bash
# Anti-spoof
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
# Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#Flush
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
# Rules for incoming packets from local interface
iptables -A INPUT -i lo -j ACCEPT
#Rules for incoming packets from the internet
# Packets for established connections
iptables -A INPUT -p ALL -d 192.168.0.2 -m state --state ESTABLISHED,RELATED -j ACCEPT
# TOS
iptables -A OUTPUT -t mangle -p tcp --sport 8000 -j TOS --set-tos Maximize-Throughput
#Rules for TCP/UDP packets
iptables -A INPUT -p tcp -m tcp -s 0/0 -d 192.168.0.2 --dport 22 --syn -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 0/0 -d 192.168.0.2 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 0/0 --dport 8000 --syn -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 0/0 --dport 8000 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 200.150.110.25 --sport 53 -d 0/0 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 203.153.0.53 --sport 53 -d 0/0 -j ACCEPT
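The capture-based check described in the post above, as an added example that is not fuubar2003's script or anything from the thread: a sh/awk classifier that reads tcpdump-style lines and tags each packet with its direction relative to the streaming port and with the conntrack state iptables would assign it, which is what decides whether an INPUT `--dport 8000` rule, an OUTPUT rule, or a `--state ESTABLISHED` rule has to permit it. The capture lines are constructed (192.0.2.10 stands in for the server, 203.0.113.7 and 198.51.100.9 for two listeners), and the state logic is the simplified rule that only a bare SYN is NEW and every later packet of the flow, the server's SYN/ACK included, is ESTABLISHED.

```shell
#!/bin/sh
# Classify packets from a tcpdump capture by direction and by the conntrack state
# iptables would give them, so you can see which chain has to permit each kind.
# Constructed sample lines in "tcpdump -n" style; 192.0.2.10 stands in for the server.

SAMPLE_CAPTURE='12:00:01.000 IP 203.0.113.7.51234 > 192.0.2.10.8000: Flags [S], seq 1, length 0
12:00:01.010 IP 192.0.2.10.8000 > 203.0.113.7.51234: Flags [S.], seq 2, ack 2, length 0
12:00:01.020 IP 203.0.113.7.51234 > 192.0.2.10.8000: Flags [.], ack 3, length 0
12:00:01.030 IP 203.0.113.7.51234 > 192.0.2.10.8000: Flags [P.], seq 2:30, ack 3, length 28
12:00:01.040 IP 192.0.2.10.8000 > 203.0.113.7.51234: Flags [P.], seq 3:1463, ack 30, length 1460
12:00:01.050 IP 203.0.113.7.51234 > 192.0.2.10.8000: Flags [.], ack 1463, length 0
12:00:02.000 IP 198.51.100.9.40000 > 192.0.2.10.8000: Flags [S], seq 9, length 0'

# classify_capture CAPTURE SERVER_IP PORT -> one "direction state chain" line per packet
classify_capture() {
    printf '%s\n' "$1" | awk -v server="$2" -v port="$3" '
    function host(ep) { sub(/\.[0-9]+$/, "", ep); return ep }      # strip the ".port" suffix
    function pnum(ep) { match(ep, /\.[0-9]+$/); return substr(ep, RSTART + 1) }
    $2 == "IP" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        flags = $7; gsub(/[^A-Za-z.]/, "", flags)                   # "[S.]," -> "S."
        if (host(dst) == server && pnum(dst) == port) dir = "in"
        else if (host(src) == server && pnum(src) == port) dir = "out"
        else next                                                  # not our service
        # Only a bare SYN opens a conntrack entry (state NEW); every later packet of the
        # flow, including the server SYN/ACK reply, is matched by --state ESTABLISHED.
        state = (flags == "S") ? "NEW" : "ESTABLISHED"
        print dir, state, (dir == "in" ? "INPUT" : "OUTPUT")
    }'
}

# summarize_capture CAPTURE SERVER_IP PORT -> "direction state count" lines, sorted
summarize_capture() {
    classify_capture "$1" "$2" "$3" | awk '{ c[$1 " " $2]++ } END { for (k in c) print k, c[k] }' | sort
}

main() {
    echo "per-packet:"; classify_capture "$SAMPLE_CAPTURE" 192.0.2.10 8000
    echo "summary:";    summarize_capture "$SAMPLE_CAPTURE" 192.0.2.10 8000
}
main
```

On the sample the summary is two inbound NEW packets (the listeners' SYNs, which need an INPUT accept for port 8000), three inbound ESTABLISHED packets (covered by an INPUT `--state RELATED,ESTABLISHED` rule) and two outbound ESTABLISHED packets, which traverse OUTPUT and are silently lost when that chain's policy is DROP and no rule accepts them. Run against a real capture from `tcpdump -n port 8000`, a large inbound NEW count with no outbound lines is the signature of exactly that.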
 
Old 07-13-2004, 11:06 AM   #4
tuxrules
Senior Member
 
Registered: Jun 2004
Location: Chicago
Distribution: Slackware64 -current
Posts: 1,158

Rep: Reputation: 61
Hi guys,
Can you look at this link and help me out here... seems you guys know about shoutcast and its config...
and yes... I can run shoutcast under windows (dual boot windows/RH9) pretty well, so I'm doing something wrong under linux.

Thanks in advance.
 
Old 07-13-2004, 11:08 AM   #5
tuxrules
Senior Member
 
Registered: Jun 2004
Location: Chicago
Distribution: Slackware64 -current
Posts: 1,158

Rep: Reputation: 61
Sorry, broken link in the earlier post...
here's the link
 
  

