Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
08-02-2006, 03:57 PM | #1 | Member | Registered: Jul 2006 | Location: Earth | Distribution: Ubuntu 9.04 | Posts: 64
How can find out what ports are open in my system
Hi all,
I'm quite new to linux and I would really appreciate your help with the following:
I'm using BitTorrent for downloads, but it is extremely slow in my Linux box. I found some threads where they mentioned that some ports need to be opened to improve the performance especially when there are multiple downloads.
My questions are, how can I find out what ports are open in my linux box? and how can I open certain ports?
Many thanks in advance for your help.
Linuxlainen
08-02-2006, 04:22 PM | #2 | Senior Member | Registered: Dec 2003 | Location: Shelbyville, TN, USA | Distribution: Fedora Core, CentOS | Posts: 1,019
Well if you are talking about bittorrent you will want to see if your firewall is blocking your specific ports. Do you have a firewall turned on? It would help to know your distro type. on the command line you can type "/sbin/iptables -L" to show the rules. Certain distros come with a GUI application where you can view it in a more readable form. Also, do you have a router that you use to connect to the internet with? I've read it helps to forward the ports (6881-6889 i believe) to your computer running BT.
There is also a command "netstat -pant" that will show the open ports, but it does not consider the firewall. So it can show an open port but a firewall can still be blocking it.
08-02-2006, 04:42 PM | #3 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
yeah, you need to check your firewall rules... let us know if you are behind a dedicated router or if this is a directly connected box... either way, the key is the firewall rules... checking to see if your ports are "open" won't work, because ports appear as closed when not in use...
so basically, the first thing you wanna do is tell us if you're behind a router...
if not, then post the output of the command benjithegreat98 posted... or better yet, make it a little more thorough:
08-02-2006, 05:24 PM | #4 | Member | Registered: Jul 2006 | Location: Earth | Distribution: Ubuntu 9.04 | Posts: 64 | Original Poster
I'm using Mandriva 2006. I think the firewall I have is Interactive Firewall, as I keep on getting warning pop-up messages from it about being port scanned.
As for my connection to the internet, my linux box is connected through ADSL Router, which I have not changed any of its configurations.
I have applied the command iptables -L and here is what I got:
Code:
Chain AllowICMPs (2 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
Chain Drop (1 references)
target prot opt source destination
RejectAuth all -- anywhere anywhere
dropBcast all -- anywhere anywhere
AllowICMPs icmp -- anywhere anywhere
dropInvalid all -- anywhere anywhere
DropSMB all -- anywhere anywhere
DropUPnP all -- anywhere anywhere
dropNotSyn tcp -- anywhere anywhere
DropDNSrep all -- anywhere anywhere
Chain DropDNSrep (2 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp spt:domain
Chain DropSMB (1 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:135
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp dpt:microsoft-ds
DROP tcp -- anywhere anywhere tcp dpt:135
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
Chain DropUPnP (2 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:1900
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Ifw all -- anywhere anywhere
eth0_in all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
reject all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
eth0_fwd all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere
Chain Ifw (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere set ifw_wl src
DROP all -- anywhere anywhere set ifw_bl src
IFWLOG all -- anywhere anywhere state INVALID,NEW psd weight-threshold: 10 delay-threshold: 10000 lo-ports-weight: 1 hi-ports-weight: 2 IFWLOG prefix 'SCAN'
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
fw2net all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject all -- anywhere anywhere
Chain Reject (4 references)
target prot opt source destination
RejectAuth all -- anywhere anywhere
dropBcast all -- anywhere anywhere
AllowICMPs icmp -- anywhere anywhere
dropInvalid all -- anywhere anywhere
RejectSMB all -- anywhere anywhere
DropUPnP all -- anywhere anywhere
dropNotSyn tcp -- anywhere anywhere
DropDNSrep all -- anywhere anywhere
Chain RejectAuth (2 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
Chain RejectSMB (1 references)
target prot opt source destination
reject udp -- anywhere anywhere udp dpt:135
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp dpt:microsoft-ds
reject tcp -- anywhere anywhere tcp dpt:135
reject tcp -- anywhere anywhere tcp dpt:netbios-ssn
reject tcp -- anywhere anywhere tcp dpt:microsoft-ds
Chain all2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
reject all -- anywhere anywhere
Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast
Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
Chain dynamic (2 references)
target prot opt source destination
Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
net2all all -- anywhere anywhere
Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain net2all (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2all:DROP:'
DROP all -- anywhere anywhere
Chain reject (11 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- a81-197-63-255.elisa-laajakaista.fi anywhere
DROP all -- 255.255.255.255 anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain shorewall (0 references)
target prot opt source destination
Chain smurfs (0 references)
target prot opt source destination
LOG all -- a81-197-63-255.elisa-laajakaista.fi anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- a81-197-63-255.elisa-laajakaista.fi anywhere
LOG all -- 255.255.255.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- 255.255.255.255 anywhere
LOG all -- BASE-ADDRESS.MCAST.NET/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
So, how am I supposed to proceed now?
Thank you so much for your help
Linuxlainen
08-02-2006, 07:20 PM | #5 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
it would have been much easier to comprehend your rules if you would have added the -n and -v...
having said that, what kinda stuff are you doing on this box?? i'm trying to understand why you'd have such complicated rules... either way, this command would open the ports you need:
Code:
iptables -I INPUT -p TCP -i $WAN_IFACE --dport 6881:6889 -j ACCEPT
replace $WAN_IFACE with your interface's name... i don't know what it is since you didn't post the verbose output...
08-02-2006, 07:20 PM | #6 | Senior Member | Registered: Dec 2003 | Location: Shelbyville, TN, USA | Distribution: Fedora Core, CentOS | Posts: 1,019
Unfortunately I don't know Mandriva so well, but basically you need to go through the menu on the task bar and look for the firewall config program, because you do have the firewall running. It's probably called Interactive Firewall. If you can't find it, try posting in the Mandriva forum on how to get to it.
Once you are in you need to find where you can allow ports 6881-6889. They might refer to them as exceptions. Then apply your changes.
Next you need to get into your DSL router. Open up a web browser and go to the address of your gateway. Many times it is 192.168.1.1 or 192.168.100.1. If you need help figuring that out, let us know. If you've never set a password in there, it is probably 'admin' for both the username and password. Once you are in, you should look for a way to do "Port Forwarding". If it doesn't call it that, it might refer to it as "applications". That varies from router to router. Once there you need to forward ports 6881-6889 to your IP address. If you need help finding out your IP address, let us know on that too.
Let us know if you run into anything. Good luck!
08-02-2006, 07:29 PM | #7 | Senior Member | Registered: Dec 2003 | Location: Shelbyville, TN, USA | Distribution: Fedora Core, CentOS | Posts: 1,019
Looking through the firewall output you sent, it occurs to me that you might want to look for a program called "Shorewall".
It looks like Shorewall is the program that generated the firewall rules, which would explain why they are as complex as they are.
If you can't find it, go to the command line and type 'shorewall'; if that doesn't work, try '/sbin/shorewall' and '/usr/sbin/shorewall'.
08-03-2006, 02:56 PM | #8 | Member | Registered: Jul 2006 | Location: Earth | Distribution: Ubuntu 9.04 | Posts: 64 | Original Poster
Thank you all for your help,
I have done the port forwarding on my router and it seems to be working fine. However the command
Code:
iptables -I INPUT -p TCP -i $WAN_IFACE --dport 6881:6889 -j ACCEPT
gave me the following message
Quote:
Warning: wierd character in interface `--dport' (No aliases, :, ! or *).
Bad argument `6881:6889'
Try `iptables -h' or 'iptables --help' for more information.
benjithegreat98, I am not really sure where I got all these complex rules from. I guess this is the default configuration of Mandriva 2006. And yes, it seems I have Shorewall. I have applied the command and here is what I got:
Quote:
Usage: shorewall [debug|trace] [nolock] [ -x ] [ -q ] [ -f ] [ -v ] <command>
where <command> is one of:
add <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>
allow <address> ...
check [ <directory> ]
clear
delete <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>
drop <address> ...
forget [ <file name> ]
help [ <command > | host | address ]
hits
ipcalc [ <address>/<vlsm> | <address> <netmask> ]
iprange <address>-<address>
logwatch [<refresh interval>]
monitor [<refresh interval>]
refresh
reject <address> ...
reset
restart [ <directory> ]
restore [ <file name> ]
save [ <file name> ]
show [<chain> [ <chain> ... ]|capabilities|classifiers|connections|log|nat|tc|tos|zones]
start [ <directory> ]
stop
status
try <directory> [ <timeout> ]
version
safe-start
safe-restart
I also re-ran the command iptables -L -n -v and here is what I got:
Any idea why the port opening command didn't work? Please advise me what to do, and thanks again for the help.
08-03-2006, 03:19 PM | #9 | Senior Member | Registered: Dec 2003 | Location: Shelbyville, TN, USA | Distribution: Fedora Core, CentOS | Posts: 1,019
for the iptables command do this:
Code:
iptables -I INPUT -p TCP -i eth0 --dport 6881:6889 -j ACCEPT
When you do that in the command line it will open the ports up, but it will not be applied if you reboot.
You can put that in a script that will start up with Mandriva (/etc/rc.d/rc.local is one such file) or you can find the program in the menu that will let you add the ports to your configuration. I would look for that if you can.
Or another thing you can do is find the shorewall configuration file and edit that, but that will take a skill level that may be a little over you so I wouldn't recommend it.
08-03-2006, 04:16 PM | #10 | Member | Registered: Jul 2006 | Location: Earth | Distribution: Ubuntu 9.04 | Posts: 64 | Original Poster
Thanks a lot benjithegreat98. My BitTorrent speed jumped from 3kb/s to 180kb/s. This is just GREAT.
One last thing, I have applied the command you gave to open the port and I also found the SW where I can configure my firewall (it is under system configuration --> Security --> Setup personal firewall...), how can I know that these ports are open after I reboot the system? What is the command that would list the open ports?
Many thanks again
Linuxlainen
08-03-2006, 05:05 PM | #11 | Senior Member | Registered: Dec 2003 | Location: Shelbyville, TN, USA | Distribution: Fedora Core, CentOS | Posts: 1,019
If you put the ports 6881-6889 to be open in the 'setup personal firewall' and save it, then it should be applied even when you reboot. I don't have Mandriva so unfortunately I can't walk you through how to do that.....
The command to list the open ports is iptables -L -n -v. I would just reboot and see if it is still listed in the 'personal firewall' program.
180kb/s? I'm jealous I never get that fast.
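Post #11 points at `iptables -L -n -v`, but that prints the rule list, not the reachable ports: a port is open only if the first rule that matches the packet, descending into Shorewall's user chains the way the kernel does, is ACCEPT. The Python checker below is an added example (not from the thread, Mandriva or Shorewall) that parses `-L -n -v` output and performs that first-match walk. It runs on a constructed, abbreviated copy of the poster's INPUT chain with the thread's 6881:6889 rule inserted on top; the counters are made up, and rules using ipset, pkttype, tcp-flags or psd matches are assumed not to fire for a plain inbound SYN.

```python
import re

# Constructed sample of `iptables -L -n -v` output (not the poster's real listing): the thread's
# Shorewall INPUT chain, abbreviated, with `-I INPUT -p TCP -i eth0 --dport 6881:6889 -j ACCEPT` on top.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpts:6881:6889
  120  9000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   33  1980 net2all    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain net2all (1 references)
 pkts bytes target     prot opt in     out     source               destination
   20  1200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   13   780 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
   13   780 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Match extensions this walker does not model (ipset, pkttype, tcp flags, psd, source port):
# a rule using one is ASSUMED not to fire for a plain unicast SYN, so it is skipped.
UNMODELLED = ("set ", "PKTTYPE", "flags:", "psd", "spt:")

def parse_chains(text):
    """Parse `iptables -L -n -v` output into {chain: {"policy": str|None, "rules": [...]}}."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:
            cur = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif cur is not None and line.strip() and not line.lstrip().startswith("pkts"):
            f = line.split(None, 9)  # pkts bytes target prot opt in out src dst extra
            cur["rules"].append({"target": f[2], "prot": f[3], "in": f[5],
                                 "extra": f[9] if len(f) > 9 else "", "raw": " ".join(f[2:])})
    return chains

def rule_matches(rule, iface, proto, port):
    """Would this rule fire for a new packet arriving on `iface` for proto/port?"""
    x = rule["extra"]
    if rule["prot"] not in ("all", proto) or rule["in"] not in ("*", iface) \
            or any(k in x for k in UNMODELLED):
        return False
    m = re.search(r"dpts?:(\d+)(?::(\d+))?", x)      # dpt:N or dpts:LO:HI (numeric with -n)
    if m and not int(m.group(1)) <= port <= int(m.group(2) or m.group(1)):
        return False
    m = re.search(r"state (\S+)", x)                  # a fresh inbound connection is state NEW
    return not m or "NEW" in m.group(1).split(",")

def verdict(chains, iface, proto, port, chain="INPUT"):
    """First-match walk of `chain`, descending into user chains as netfilter does.
    Returns (verdict, rule) where verdict is ACCEPT/DROP/REJECT or the chain policy."""
    for rule in chains[chain]["rules"]:
        if not rule_matches(rule, iface, proto, port):
            continue
        t = rule["target"]
        if t in TERMINAL:
            return t, rule["raw"]
        if t == "RETURN":
            break
        if t in chains:                               # user chain; None means it returned to us
            v = verdict(chains, iface, proto, port, t)
            if v[0] is not None:
                return v
    pol = chains[chain]["policy"]                     # LOG and other non-terminating targets end here
    return (pol, f"policy of {chain}") if pol else (None, None)
```

On a real box, capture `iptables -L -n -v` to a file and call `verdict(parse_chains(open("rules.txt").read()), "eth0", "tcp", 6881)`; it is a static check of the rules only, so the BitTorrent client still has to be listening (netstat -pant from post #2) and the router still has to forward the range.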