Iptables - Port Won't Open
Hey, I have a problem with my iptables. I have Linux Debian Sarge installed, and iptables 1.21. My firewall seems to work fine; the problem is that I cannot open the desired port using
-A INPUT *** -j ACCEPT. The command goes in, but the port stays closed. I need to open port 10216 to allow remote connections to my WINDOWS2003 server, where I have R-ADMIN installed, so I could remotely manage my INTRANET, and several other ports (UDP and TCP) in order to run a small game server on that Windows 2003. Here is the script that I use for my iptables:
---------------------------------------------
#!/bin/sh
echo -e "\n\nSETTING UP IPTABLES PROXY..."
INTIF="eth1"
EXTIF="eth0"
EXTIP="***.***.***.***"
echo "Loading required stateful/NAT kernel modules..."
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
echo " Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " External interface: $EXTIF"
echo " External interface IP address is: $EXTIP"
echo " Loading proxy server rules...Please Wait"
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo " Clearing any existing rules and setting default policy...\n\n"
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
echo " Compiling new values for IPTABLES\n\n"
#Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
#Allowed loopback traffic and internal LAN
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 10.1.10.146 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s ***.***.***.***-j ACCEPT
iptables -A INPUT -p ALL -i eth1 -s 195.168.1.100 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 195.168.1.100 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -s 195.168.1.105 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 195.168.1.105 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -s 195.168.1.102 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 195.168.1.102 -j ACCEPT
# Allowed internet connection to eth0
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 8000 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 1221 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 3306 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
#Allow ICMP types
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
#Allow outgoing connection to Internet
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 10.1.10.146 -j ACCEPT
iptables -A OUTPUT -p ALL -s ***.***.***.*** -j ACCEPT
#Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
#MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Don't forward from the outside to the inside.
#iptables -A FORWARD -i eth0 -o eth0 -j REJECT
# LOGGING OF INPUT OUTPUT FORWARD
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A OUTPUT -j LOG
echo -e " Proxy server rule loading complete\n\n"
echo -e " Iptables list\n\n"
iptables -L
-------------------------
I did not include my:
-A INPUT -p TCP -i eth0 -s 0/0 --dport 10216 -j ACCEPT
due to this rule not working for me. If you have any idea how to actually OPEN a port so I can scan it from outside and connect using my software, please suggest. I spent about a week trying to figure that out, and still no go.. thank you.
ps. ip: **.***.*** is my EXTERNAL, so it stays here as "*"
There, where the ***.***.***.*** stuff is, you seem to lack a space before "-j ACCEPT"; don't know if it's just a typing error though.
The command you wrote should work, I see no problem in that (hmm.. I'm a bit tired anyway), unless TCP and tcp make a difference. I think iptables reads the rules from top to bottom, so try to add that rule at an early phase and see if it makes a difference. Have you run an nmap scan or equivalent? Does it show the port closed or filtered or what?
It seems that you are opening port 10216 on the local machine, rather than forwarding it to your windows server. Aren't you trying to do port forwarding? What does "nmap -sS -p- localhost" tell you? Did you write that script that you posted?
re to: Mortus Canis
hey, Mortus Canis
The script above is a collection of bits and pieces of many other scripts that I gathered around the web and adapted to my settings and desires. The NMAP that you were talking about gives me the following:
----
Interesting ports on 10.1.10.146:
(The 1647 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
113/tcp  open  auth
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
548/tcp  open  afpovertcp
699/tcp  open  unknown
791/tcp  open  unknown
901/tcp  open  samba-swat
2049/tcp open  nfs
2401/tcp open  cvspserver
3306/tcp open  mysql
5432/tcp open  postgres
----
As you can see there is no 10216. It is the same if I run another port scanner just to check; I use the "(free port scanner) utility". It also shows that port CLOSED.
---
Here is NMAP for just port 10216
---
Linux-server:~# nmap -sS -p 10216 10.1.10.146
Starting nmap 3.81 (somewebaddress) at 2006-11-06 16:13 CST
Interesting ports on 10.1.10.146:
PORT      STATE  SERVICE
10216/tcp closed unknown
Nmap finished: 1 IP address (1 host up) scanned in 0.200 seconds
---
It is true that I want to forward my port 10216 to my Windows PC; however, as I thought about it, if I want to FORWARD something, I first have to LET the REQUEST IN (this is where -A INPUT would be) and only then FORWARD it. I hope that I'm correct in my thinking.
----------------------
TO b0uncer: That "***-j " section was just a typo, sorry about that, please do not get confused; the original script is correct.
----------------------
So, I'm still stuck with opening that port. I've tried DNAT and SNAT, based on the solutions that I found on other forums. ALSO note that my cable modem is fully set up to ALLOW port 10216 (settings worked when I used to use Windows PCs), so it is a Linux iptables issue. Any other thoughts, please share, thanx
I've also searched the web and I found some info about ICMP; they mention these two types that I thought about using:
--- Quote:
But it still did not help. Last night I've also changed the order of the open ports, and it did not help either... It looks like the port will be open only if there is a service that requires that port, like in the case of ICECAST2 (broadcasting service) that needs port 8000 open, or mysql (3306): if I do not write --dport 8000(3306) -j ACCEPT, the port doesn't show with NMAP; as soon as I ACCEPT it, everything is fine. But like I said, it doesn't work with a port that is supposed to then FORWARD stuff. Ideas? Thnx.
Quote:
HIGHLIGHTED TEXT is not correct.
Quote:
Code:
iptables -t nat -A PREROUTING -p tcp -i <WAN-interface> --dport 10216 -j DNAT --to <windows-box-ip>
Code:
iptables -t nat -A POSTROUTING -d <windows-box-ip> -j SNAT --to <your-firewall-box-lan-ip>
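The two nat rules above are only half of a port forward on a firewall whose FORWARD policy is DROP, as in the script at the top of this thread: the DNAT rewrites the destination, but the rewritten packet then has to be accepted in the FORWARD chain, and so do the replies. The following shell script is an added example (not code from this thread or any poster); it generates the complete rule set for a protocol, a port or port range, and a LAN host, which goes beyond the single TCP port asked about here. It prints the commands instead of running them so they can be reviewed first; pipe the output into sh as root to apply. The function name forward_rules and the sample values (WAN eth0, LAN eth1, Windows box 195.168.1.102, firewall address 10.1.10.146 as used in the thread's SNAT rule) are assumptions taken from the thread's layout.

```shell
#!/bin/sh
# Added example: generate a complete iptables port-forward rule set.
# forward_rules PROTO PORT WAN_IF LAN_IF LAN_HOST [FW_LAN_IP]
#   PROTO     tcp or udp (required: --dport only exists inside the tcp/udp match)
#   PORT      a single port (10216) or a range (27000:27015)
#   FW_LAN_IP if given, also emit an SNAT rule so replies return via this firewall
# Prints the commands instead of executing them; review, then pipe into sh as root.
forward_rules() {
    proto=$1 port=$2 wan_if=$3 lan_if=$4 lan_host=$5 fw_lan_ip=$6
    case "$proto" in
        tcp|udp) ;;
        *) echo "forward_rules: protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9:]*) echo "forward_rules: bad port spec '$port'" >&2; return 1 ;;
    esac
    # A range is mapped 1:1 when DNAT gets only an address; a single port gets addr:port.
    case "$port" in
        *:*) target=$lan_host ;;
        *)   target=$lan_host:$port ;;
    esac
    # 1. nat/PREROUTING: rewrite the destination of packets arriving on the WAN side
    echo "iptables -t nat -A PREROUTING -i $wan_if -p $proto --dport $port -j DNAT --to-destination $target"
    # 2. filter/FORWARD: the rewritten packet must still pass a DROP-policy FORWARD chain
    echo "iptables -A FORWARD -i $wan_if -o $lan_if -p $proto -d $lan_host --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # 3. filter/FORWARD: replies from the LAN host back out (conntrack un-DNATs them)
    echo "iptables -A FORWARD -i $lan_if -o $wan_if -p $proto -s $lan_host --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 4. optional nat/POSTROUTING SNAT: only needed when the LAN host does not route
    #    replies back through this firewall; it hides the client address from the host
    if [ -n "$fw_lan_ip" ]; then
        echo "iptables -t nat -A POSTROUTING -o $lan_if -p $proto -d $lan_host --dport $port -j SNAT --to-source $fw_lan_ip"
    fi
}

# Constructed values from this thread's layout: WAN eth0, LAN eth1,
# Windows 2003 box 195.168.1.102, firewall address 10.1.10.146.
forward_rules tcp 10216 eth0 eth1 195.168.1.102 10.1.10.146
forward_rules udp 27000:27015 eth0 eth1 195.168.1.102
```

Two things to keep in mind when checking the result with nmap: a forwarded port shows whatever state the LAN host answers with, so a "closed" 10216 after these rules means nothing is listening on the Windows box or its own firewall blocks it; and the SNAT rule makes every forwarded connection look to the Windows host as if it came from the firewall, so leave FW_LAN_IP out unless the LAN host's default gateway is a different router.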
Dear amitsharma_26,
Thank you for the tip you gave me, and for correcting my line of thought... I've managed to get my port to forward and my software to connect and operate the way I need it. The code provided to me was something I knew and had tried, but without any results; however, I've used those links posted at the end of your message (Port forwarding tutorial), and here is what a part of my script now looks like:
---
#Allow outgoing connection to Internet
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p ALL -s lo -j ACCEPT
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 10.1.10.146 -j ACCEPT
iptables -A OUTPUT -p ALL -s ***.***.***.*** -j ACCEPT
iptables -A OUTPUT -p tcp -d 10.1.10.146 --dport 10216 -j DNAT --to-destination 195.168.1.102:10216
#PORT FORWARD
iptables -A FORWARD -i eth0 -p tcp --dport 10216 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --sport 10216 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 10216 -j DNAT --to-destination 195.168.1.102:10216
iptables -t nat -A POSTROUTING -d 195.168.1.102 --dport 10216 -j SNAT --to-source 10.1.10.146:10216
----
I greatly appreciate everyone's help and assistance; thank you for taking your time helping me with my problem. Regards, Stas.
p.s. please check if the end result of my script (forward chain) is correct. I also assume that in future, if I need to forward additional ports, all I have to do is copy/paste the above inputs and change the port number... thnx
Hi Again,
Well, just as I thought, looks like I'm going to need the experts' help again. Back to that script and iptables... So I got my port 10216 to forward to my <windows-box>, and everything is fine; however, now when I tried the same technique to forward UDP ports, and a RANGE, it seems to me that I need another tip, or a CHECK on my script. So here is the part of the script that confuses me and also gives me an error of "UNKNOWN ARGUMENT" (I will post the details):
-------
#Allow outgoing connection to Internet
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p ALL -s lo -j ACCEPT
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 10.1.10.146 -j ACCEPT
iptables -A OUTPUT -p ALL -s 67.175.24.201 -j ACCEPT
iptables -A OUTPUT -p tcp -d 10.1.10.146 --dport 10216 -j DNAT --to-destination 195.168.1.102:10216
#Counter-Strike server on Windows 2003 OUTGOING
iptables -A OUTPUT -p udp -d 10.1.10.146 --dport 1200 -j DNAT --to-destination 195.168.1.102:1200
iptables -A OUTPUT -p udp -d 10.1.10.146 --dport 27000:27015 -j DNAT --to-destination 195.168.1.102:27000:27015
iptables -A OUTPUT -p udp -d 10.1.10.146 --dport 27020 -j DNAT --to-destination 195.168.1.102:27020
iptables -A OUTPUT -p tcp -d 10.1.10.146 --dport 27039 -j DNAT --to-destination 195.168.1.102:27030:27039
iptables -A OUTPUT -p tcp -d 10.1.10.146 --dport 27015 -j DNAT --to-destination 195.168.1.102:27015
#PORT FORWARD
iptables -A FORWARD -i eth0 -p tcp --dport 10216 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --sport 10216 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 10216 -j DNAT --to-destination 195.168.1.102:10216
iptables -t nat -A POSTROUTING -d 195.168.1.102 --dport 10216 -j SNAT --to-source 10.1.10.146:10216
#Counter-Strike server on Windows 2003 PORTFORWARD
iptables -A FORWARD -i eth0 -p udp --dport 1200 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p udp --dport 1200 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -p udp --dport 27000:27015 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p udp --dport 27000:27015 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -p udp --dport 27020 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p udp --dport 27020 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 27030:27039 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 27030:27039 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 27015 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 27015 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 1200 -j DNAT --to-destination 195.168.1.102:1200
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 27000:27015 -j DNAT --to-destination 195.168.1.102
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 27020 -j DNAT --to-destination 195.168.1.102
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 27030:27039 -j DNAT --to-destination 195.168.1.102
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 27015 -j DNAT --to-destination 195.168.1.102
iptables -t nat -A POSTROUTING -d 195.168.1.102 --dport 1200 -j SNAT --to-source 10.1.10.146
iptables -t nat -A POSTROUTING -d 195.168.1.102 --dport 27000:27015 -j SNAT --to-source 10.1.10.146
iptables -t nat -A POSTROUTING -d 195.168.1.102 --dport 27020 -j SNAT --to-source 10.1.10.146
iptables -t nat -A POSTROUTING -d 195.168.1.102 --dport 27030:27039 -j SNAT --to-source 10.1.10.146
iptables -t nat -A POSTROUTING -d 195.168.1.102 --dport 27015 -j SNAT --to-source 10.1.10.146
------------------------------
Highlighted are the portions of the script that MADE MY 10216 FORWARD, so the above code is based on that, but when I run my script I get the following:
------------------------------
Linux-server:~# /etc/init.d/proxy2.sh
SETTING UP IPTABLES PROXY...
Loading required stateful/NAT kernel modules...
Enabling IP forwarding...
External interface: eth0
External interface IP address is: ***.***.***.***
Loading proxy server rules...Please Wait
Clearing any existing rules and setting default policy...
Compiling new values for IPTABLES
iptables v1.2.11: host/network `lo' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables v1.2.11: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
Proxy server rule loading complete
-------------------------------
Does anyone know why it gives me an error, while the first FORWARD rule for port 10216 works FINE? Thank you. Stas
Stas,
All the POSTROUTING rules lack the protocol (-p) option, and as it is a must for specifying --dport, you are getting errors for the same. So you have got to specify
Code:
-p udp/tcp
Quote:
Yes, sir amitsharma_26, you solved the problem with POSTROUTING, and as I was reading your post, I thought exactly the same thing: with the PORT I have to have a TYPE of port.
So, now, after it all boots up fine, and I don't get that same message about the "lo" thing (I've changed it to localhost, as you were suggesting), I was still running into problems: IPTABLES INVALID ARGUMENT. I went back to my script, and as I was test running it, disabling and enabling different lines, I figured out that the command
----
iptables -A OUTPUT -p tcp -d 10.1.10.146 --dport 10216 -j DNAT --to 195.168.1.102:10216
----
gives me that error. I'm taking that same old port 10216, coz all other lines are based on that. I read a lot about this invalid argument thing, but it seems like people do not really suggest much, and I had my buddy try it on his Unix (he is running kernel 2.4 and I have 2.6); he had no problems whatsoever. Is this line really required by my script configuration? Any advice? Thanx, Stas
Quote:
Code:
-t nat
e.g.:
iptables -A OUTPUT -t nat -p tcp -d 10.1.10.146 --dport 10216 -j DNAT --to 195.168.1.102:10216
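The three error messages in this thread each map to one omission: "host/network `lo' not found" is an interface name given to -s or -d, "Unknown arg `--dport'" is a port match without -p tcp or -p udp (--dport and --sport belong to the tcp and udp match modules, which only that option loads), and "Invalid argument" is a DNAT target in the default filter table instead of -t nat. The following shell function is an added example, not code from any poster; it checks a rule line for exactly those three mistakes before a script runs it, and the sample lines it is run over are the failing rules quoted in this thread plus the corrected one. The function name lint_rule is my own.

```shell
#!/bin/sh
# Added example: catch the three iptables mistakes seen in this thread before
# running a rule. lint_rule prints one diagnosis per problem and returns 1 if
# any was found, 0 if the line passes. It checks only what the thread hit.
lint_rule() {
    rule=" $1 "          # pad with spaces so every option can be matched as " -x "
    status=0

    # "Unknown arg `--dport'": --dport/--sport belong to the tcp and udp match
    # modules, which are only loaded by -p tcp or -p udp.
    case "$rule" in
        *" --dport "*|*" --sport "*)
            case "$rule" in
                *" -p tcp "*|*" -p udp "*|*" -p TCP "*|*" -p UDP "*) ;;
                *) echo "port match without -p tcp/udp: $1"; status=1 ;;
            esac ;;
    esac

    # "Invalid argument": DNAT, SNAT and MASQUERADE are nat-table targets; in the
    # default filter table the kernel rejects the rule.
    case "$rule" in
        *" -j DNAT "*|*" -j SNAT "*|*" -j MASQUERADE "*)
            case "$rule" in
                *" -t nat "*) ;;
                *) echo "NAT target without -t nat: $1"; status=1 ;;
            esac ;;
    esac

    # "host/network `lo' not found": -s and -d take addresses; an interface
    # name belongs after -i or -o.
    case "$rule" in
        *" -s lo "*|*" -d lo "*)
            echo "interface name given to -s/-d, use -i lo or -o lo: $1"; status=1 ;;
    esac
    return $status
}

# Sample lines: the three failing rules quoted in this thread and the corrected one.
for r in \
  'iptables -A OUTPUT -p ALL -s lo -j ACCEPT' \
  'iptables -t nat -A POSTROUTING -d 195.168.1.102 --dport 10216 -j SNAT --to-source 10.1.10.146:10216' \
  'iptables -A OUTPUT -p tcp -d 10.1.10.146 --dport 10216 -j DNAT --to 195.168.1.102:10216' \
  'iptables -A OUTPUT -t nat -p tcp -d 10.1.10.146 --dport 10216 -j DNAT --to 195.168.1.102:10216'
do
    if lint_rule "$r"; then echo "ok: $r"; fi
done
```

Run the script's rule lines through lint_rule (for example by reading the firewall script and passing each line that starts with iptables) and the script stops failing half way with the default policies already set to DROP, which is the state the thread's error output left the box in.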
Hey, amitsharma_26
THANX A LOT! I got my stuff fixed, really appreciate your help here. I would never have guessed that it would be just as simple as a -t nat... ) thanx again, I will continue exploring Linux systems and asking questions...