LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 06-21-2006, 09:34 AM   #1
mrsteveman1
LQ Newbie
 
Registered: Jun 2006
Distribution: Gentoo 2006.0
Posts: 1

Rep: Reputation: 0
iptables selectively allowing ports through


I have Gentoo running on a P4 box, 2 NICs etc. All networking works, and all services work (I'm a Cisco net admin so I know how to use most of this stuff), BUT I cannot for the life of me figure out why iptables is selectively allowing some ports through and not others, and by selective I mean it's only honoring SOME of the ACL rules I entered in. Keep in mind the ports in question are open locally and the services on them respond locally. As well, SOME services are going through the firewall fine, but not always the same one, and it changes based on the clouds outside for all I can tell.

For instance:

port 80 (HTTP) never has worked; it's a new service though
port 21 worked fine, now doesn't work
port 22 worked fine, now doesn't work; selectively works then quits
port 1337 (IRC) works perfectly all the time.


All of the access rules for those ports are IDENTICAL other than the port number, so there is no difference between them.

I will paste my saved rules file here; I need to know why iptables is not passing through these ports while passing on others fine. I can provide any information needed; I'm good with Linux, so ask for a command result and I'll provide it (ls -l, ps -A etc.)

/var/lib/iptables/rules-save

I removed the numbers [0:0] etc. before each line for ease of reading here. They're still in the real file.

Quote:
# Generated by iptables-save v1.3.4 on Wed Jun 21 02:07:11 2006
*filter
:INPUT ACCEPT [435378:613163056]
:FORWARD DROP [162:8356]
:OUTPUT ACCEPT [10632076:603304402]
:PREROUTING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ! eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ! eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ! eth0 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i ! eth0 -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 1337 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -i eth0 -j DROP
-A FORWARD -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -i ppp0 -j ACCEPT
COMMIT
# Completed on Wed Jun 21 02:07:11 2006
# Generated by iptables-save v1.3.4 on Wed Jun 21 02:07:11 2006
*nat
:PREROUTING ACCEPT [327155:24925561]
:POSTROUTING ACCEPT [2442:194212]
:OUTPUT ACCEPT [6294:444377]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Jun 21 02:07:11 2006
# Generated by iptables-save v1.3.4 on Wed Jun 21 02:07:11 2006
*mangle
:PREROUTING ACCEPT [75167183:96597472404]
:INPUT ACCEPT [65541943:91444787711]
:FORWARD ACCEPT [9622118:5152451221]
:OUTPUT ACCEPT [43409298:2110202814]
:POSTROUTING ACCEPT [53012444:7260847720]
COMMIT
# Completed on Wed Jun 21 02:07:11 2006
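Since the question is about which rule a given packet hits, here is an added example (not code from the thread) that parses the filter table posted above and applies iptables' first-match semantics: a chain is walked top to bottom, the first rule with a terminating target (ACCEPT, DROP, REJECT) decides, and the chain policy applies only if nothing matched. The rule text is a constructed excerpt of the posted file (nat and mangle omitted, counters zeroed); the source and destination addresses in the sample packets are placeholders from documentation ranges. Running it shows that a TCP packet arriving on ppp0 for port 22, 21 or 80 is stopped by the `-i ! eth0 -p tcp --dport 0:1023 -j DROP` rule before the later ACCEPT rules are reached, while port 1337 lies outside that range and reaches its ACCEPT rule.

```python
"""First-match evaluator for an iptables-save filter table (added example)."""
import ipaddress
import shlex

# Constructed excerpt of the rules posted above (counters removed).
RULES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ! eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ! eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ! eth0 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i ! eth0 -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 1337 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -i eth0 -j DROP
-A FORWARD -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -i ppp0 -j ACCEPT
COMMIT
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_filter_table(text):
    """Return ({chain: policy}, {chain: [rule, ...]}) from iptables-save text."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):             # "-A CHAIN <matches> -j TARGET"
            tokens = shlex.split(line)
            chains.setdefault(tokens[1], []).append(parse_rule(tokens[2:]))
    return policies, chains


def parse_rule(tokens):
    """Map each match option to (value, negated); handles '-i ! eth0' and '! -i eth0'."""
    rule, i, neg = {"target": None}, 0, False
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                            # new-style negation precedes the option
            neg = True
        elif tok in ("-i", "-p", "-s", "-d", "--dport"):
            i += 1
            if tokens[i] == "!":                  # old-style negation follows the option
                neg, i = True, i + 1
            val = tokens[i]
            if tok == "--dport":                  # "22" or "0:1023" -> inclusive range
                lo, _, hi = val.partition(":")
                val = (int(lo), int(hi or lo))
            elif tok in ("-s", "-d"):             # dotted netmask form is accepted here
                val = ipaddress.ip_network(val, strict=False)
            rule[tok], neg = (val, neg), False
        elif tok == "-j":
            i += 1
            rule["target"] = tokens[i]
        elif tok in ("-m", "--reject-with"):      # skip these options' arguments
            i += 1
        i += 1
    return rule


def rule_matches(rule, pkt):
    """True when every match option in the rule holds for the packet."""
    checks = {
        "-i": lambda v: pkt["iface"] == v,
        "-p": lambda v: pkt["proto"] == v,
        "-s": lambda v: pkt["src"] in v,
        "-d": lambda v: pkt["dst"] in v,
        "--dport": lambda v: pkt["dport"] is not None and v[0] <= pkt["dport"] <= v[1],
    }
    for opt, test in checks.items():
        if opt in rule:
            value, negated = rule[opt]
            if test(value) == negated:           # a negated option must NOT match
                return False
    return True


def evaluate(policies, chains, chain, pkt):
    """Walk the chain top to bottom: first terminating hit wins, else the policy."""
    for number, rule in enumerate(chains[chain], start=1):
        if rule_matches(rule, pkt) and rule["target"] in TERMINATING:
            return rule["target"], number
    return policies[chain], None


def packet(iface, proto, src, dst, dport=None):
    """Build a minimal packet description (addresses are constructed placeholders)."""
    return {"iface": iface, "proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport}


if __name__ == "__main__":
    policies, chains = parse_filter_table(RULES_SAVE)
    for port in (22, 21, 80, 1337):
        pkt = packet("ppp0", "tcp", "203.0.113.5", "198.51.100.7", port)
        print("INPUT ppp0 tcp/%d -> %s (rule %s)" % ((port,) + evaluate(policies, chains, "INPUT", pkt)))
```

The `evaluate` result carries the rule number so it can be compared against `iptables -L INPUT -n -v --line-numbers` on the real box, where the packet counters on the DROP rule will climb while the later ACCEPT counters stay at zero.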
 
Old 06-21-2006, 09:50 AM   #2
intel_ro
Member
 
Registered: Jun 2006
Location: Romania
Distribution: RH 9, FD 2,3,4,5 Debian
Posts: 37

Rep: Reputation: 15
iptables has some predefined rules:

INPUT - is for processing packets IN, locally destined to the machine (not for clients)
OUTPUT - is for processing packets OUT, locally destined to the machine (not for clients)
PREROUTING is for controlling packets and redirecting, and is behind the routing process
POSTROUTING is for controlling packets and modifying, after the routing process, what can be done with the packet

FORWARD: what is getting through the machine

Some scripts you will find at http://www.linuxguruz.com/iptables/
and you can modify them to be used for your needs