LinuxQuestions.org
Linux - Security: Iptables - Port Won't Open (https://www.linuxquestions.org/questions/linux-security-4/iptables-port-wont-open-499183/)

stascrash 11-06-2006 02:23 PM

Iptables - Port Won't Open
 
Hey, I have a problem with my iptables. I have Debian Sarge installed, and iptables 1.21. My firewall seems to work fine; the problem is that I cannot open the desired port using
-A INPUT *** -j ACCEPT.
The command goes in, but the port stays closed.
I need to open port 10216 to allow remote connections to my Windows 2003 server, where I have R-ADMIN installed, so I could remotely manage my INTRANET,
and several other ports (UDP and TCP) in order to run a small game server on that Windows 2003.
Here is the script that I use for my iptables:
---------------------------------------------
#!/bin/sh
echo -e "\n\nSETTING UP IPTABLES PROXY..."
INTIF="eth1"
EXTIF="eth0"
EXTIP="***.***.***.***"
echo "Loading required stateful/NAT kernel modules..."
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
echo " Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " External interface: $EXTIF"
echo " External interface IP address is: $EXTIP"
echo " Loading proxy server rules...Please Wait"
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo " Clearing any existing rules and setting default policy...\n\n"
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
echo " Compiling new values for IPTABLES\n\n"
#Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
#Allowed loopback traffic and internal LAN
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 10.1.10.146 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s ***.***.***.***-j ACCEPT
iptables -A INPUT -p ALL -i eth1 -s 195.168.1.100 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 195.168.1.100 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -s 195.168.1.105 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 195.168.1.105 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -s 195.168.1.102 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 195.168.1.102 -j ACCEPT
# Allowed internet connection to eth0
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 8000 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 1221 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 3306 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
#Allow ICMP types
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
#Allow outgoing connection to Internet
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 10.1.10.146 -j ACCEPT
iptables -A OUTPUT -p ALL -s ***.***.***.*** -j ACCEPT
#Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
#MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Don't forward from the outside to the inside.
#iptables -A FORWARD -i eth0 -o eth0 -j REJECT
# LOGING OF INPUT OUTPUT FORWARD
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A OUTPUT -j LOG
echo -e " Proxy server rule loading complete\n\n"
echo -e " Iptables list\n\n"
iptables -L
-------------------------
I did not include my:
-A INPUT -p TCP -i eth0 -s 0/0 --dport 10216 -j ACCEPT
due to this rule not working for me.
If you have any idea how to actually OPEN the port so I can scan it from outside and connect using my software, please suggest.
I spent about a week trying to figure that out, and still no go..
Thank you.
ps. ip: **.***.*** is my EXTERNAL, so it stays here as "*".

b0uncer 11-06-2006 03:00 PM

There, where the ***.***.***.*** stuff is, you seem to lack a space before "-j ACCEPT"; I don't know if it's just a typing error though.

The command you wrote should work, I see no problem in that (hmm.. I'm a bit tired anyway), unless TCP and tcp make a difference. I think iptables reads the rules from top to bottom, so try to add that rule at an early phase and see if it makes a difference. Have you run an nmap scan or equivalent? Does it show the port closed or filtered or what?

Mortus Canis 11-06-2006 03:34 PM

It seems that you are opening port 10216 on the local machine, rather than forwarding it to your windows server. Aren't you trying to do port forwarding? What does "nmap -sS -p- localhost" tell you? Did you write that script that you posted?

stascrash 11-06-2006 04:37 PM

re to: Mortus Canis

hey, Mortus Canis
The script above is a collection of bits and pieces of many other scripts that I gathered around the web and adapted to my settings and desires.
The NMAP that you were talking about gives me the following:
----
Interesting ports on 10.1.10.146:
(The 1647 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
113/tcp open auth
139/tcp open netbios-ssn
445/tcp open microsoft-ds
548/tcp open afpovertcp
699/tcp open unknown
791/tcp open unknown
901/tcp open samba-swat
2049/tcp open nfs
2401/tcp open cvspserver
3306/tcp open mysql
5432/tcp open postgres
----
As you can see there is no 10216, just as if I would run another port scanner just to check; I use the "(free port scanner) utility." It also shows that port CLOSED.
---
Here is NMAP for just port 10216
---
Linux-server:~# nmap -sS -p 10216 10.1.10.146

Starting nmap 3.81 (somewebaddress) at 2006-11-06 16:13 CST
Interesting ports on 10.1.10.146:
PORT STATE SERVICE
10216/tcp closed unknown

Nmap finished: 1 IP address (1 host up) scanned in 0.200 seconds
---
It is true that I want to forward my port 10216 to my Windows PC; however, as I thought about it, if I want to FORWARD something, I first have to LET THE REQUEST IN (this is where -A INPUT would be) and only then FORWARD it. I hope that I'm correct in my thinking.
----------------------
TO b0uncer:
That "***-j " section was just a typo, sorry about that, please do not get confused; the original script is correct.
----------------------
So, I'm still stuck with opening that port. I've tried DNAT-ing it, and SNAT-ing it, based on the solutions that I found on other forums.
ALSO, note that my cable modem is fully set up to ALLOW port 10216 (the settings worked when I used to use Windows PCs), so it is a Linux iptables issue.
Any other thoughts, please share,
thanx

stascrash 11-07-2006 10:36 AM

I've also searched the web and I found some info about ICMP; they mention these two types that I thought about using:
---
Quote:
5 Redirect [RFC792]
6 Alternate Host Address [JBP]
---
But it still did not help. Last night I also changed the order of open ports, and it did not help either... It looks like the port will be open only if there is a service that requires that port, like in the case of ICECAST2 (broadcasting service) that needs port 8000 open, or mysql (3306): if I do not write --dport 8000 (3306) -j ACCEPT, the port doesn't show with NMAP; as soon as I ACCEPT it, everything is fine. But like I said, it doesn't work with a port that is supposed to then FORWARD stuff.
Ideas?
Thnx.

amitsharma_26 11-08-2006 06:07 AM

Quote:

Originally Posted by stascrash
It is true that I want to forward my port 10216 to my Windows PC; however, as I thought about it, if I want to FORWARD something, I first have to LET THE REQUEST IN (this is where -A INPUT would be) and only then FORWARD it. I hope that I'm correct in my thinking.

You've got to forward that port, & in case of forwarding you are not supposed to open anything at INPUT.
The HIGHLIGHTED TEXT is not correct.

Quote:

Originally Posted by stascrash
So, I'm still stuck with opening that port. I've tried DNAT-ing it, and SNAT-ing it, based on the solutions that I found on other forums.
ALSO, note that my cable modem is fully set up to ALLOW port 10216 (the settings worked when I used to use Windows PCs), so it is a Linux iptables issue.
Any other thoughts, please share,
thanx

Code:

iptables -t nat -A PREROUTING -p tcp -i <WAN-interface> --dport 10216 -j DNAT --to <windows-box-ip>
Apart from that, you are not supposed to write/use any other rule if you have put this firewall box as the gateway for your windows box. And if in case you can't do that, you've got to use another POSTROUTING rule; i.e.

Code:

iptables -t nat -A POSTROUTING -d <windows-box-ip> -j SNAT --to <your-firewall-box-lan-ip>
p.s. Your FORWARD chain rules are OK & you are not supposed to add any other rule apart from these two to do port forwarding.

stascrash 11-08-2006 11:20 AM

Dear amitsharma_26,
Thank you for the tip you gave me, and for correcting my line of thought...
I've managed to get my port to forward and my software to connect and operate the way I need it.
The code provided to me was something I knew and tried, but without any results; however, I've used those links posted at the end of your message (Port forwarding tutorial), and here is what a part of my script now looks like:
---
#Allow outgoing connection to Internet
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p ALL -s lo -j ACCEPT
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 10.1.10.146 -j ACCEPT
iptables -A OUTPUT -p ALL -s ***.***.***.*** -j ACCEPT
iptables -A OUTPUT -p tcp -d 10.1.10.146 --dport 10216 -j DNAT --to-destination 195.168.1.102:10216
#PORT FORWARD
iptables -A FORWARD -i eth0 -p tcp --dport 10216 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --sport 10216 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 10216 -j DNAT --to-destination 195.168.1.102:10216
iptables -t nat -A POSTROUTING -d 195.168.1.102 --dport 10216 -j SNAT --to-source 10.1.10.146:10216
----
I greatly appreciate everyone's help and assistance; thank you for taking your time helping me with my problem.
Regards, Stas.
p.s. please check if the end result of my script (forward chain) is correct, and I also assume that in future if I need to forward additional ports all I have to do is copy/paste the above inputs and change the port number...
thnx

stascrash 11-08-2006 04:00 PM

Hi Again,
Well, just as I thought, it looks like I'm going to need the experts' help again.
Back to that script and iptables...
So I got my port 10216 to forward to my <windows-box>, and everything is fine; however, now that I tried the same technique to transfer UDP ports, and a RANGE, it seems to me that I need another tip, or a CHECK on my script.
So here is the part of the script that confuses me and also gives me an error of "UNKNOWN ARGUMENT" (I will post the details):
-------
#Allow outgoing connection to Internet
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p ALL -s lo -j ACCEPT
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 10.1.10.146 -j ACCEPT
iptables -A OUTPUT -p ALL -s 67.175.24.201 -j ACCEPT
iptables -A OUTPUT -p tcp -d 10.1.10.146 --dport 10216 -j DNAT --to-destination 195.168.1.102:10216#Counter-Strike server on Windows 2003 OUTGOING
iptables -A OUTPUT -p udp -d 10.1.10.146 --dport 1200 -j DNAT --to-destination 195.168.1.102:1200
iptables -A OUTPUT -p udp -d 10.1.10.146 --dport 27000:27015 -j DNAT --to-destination 195.168.1.102:27000:27015
iptables -A OUTPUT -p udp -d 10.1.10.146 --dport 27020 -j DNAT --to-destination 195.168.1.102:27020
iptables -A OUTPUT -p tcp -d 10.1.10.146 --dport 27039 -j DNAT --to-destination 195.168.1.102:27030:27039
iptables -A OUTPUT -p tcp -d 10.1.10.146 --dport 27015 -j DNAT --to-destination 195.168.1.102:27015
#PORT FORWARD
iptables -A FORWARD -i eth0 -p tcp --dport 10216 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --sport 10216 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 10216 -j DNAT --to-destination 195.168.1.102:10216
iptables -t nat -A POSTROUTING -d 195.168.1.102 --dport 10216 -j SNAT --to-source 10.1.10.146:10216

#Counter-Strike servef on Windows 2003 PORTFORWARD
iptables -A FORWARD -i eth0 -p udp --dport 1200 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p udp --dport 1200 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -p udp --dport 27000:27015 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p udp --dport 27000:27015 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -p udp --dport 27020 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p udp --dport 27020 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 27030:27039 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 27030:27039 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 27015 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 27015 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 1200 -j DNAT --to-destination 195.168.1.102:1200
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 27000:27015 -j DNAT --to-destination 195.168.1.102
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 27020 -j DNAT --to-destination 195.168.1.102
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 27030:27039 -j DNAT --to-destination 195.168.1.102
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 27015 -j DNAT --to-destination 195.168.1.102
iptables -t nat -A POSTROUTING -d 195.168.1.102 --dport 1200 -j SNAT --to-source 10.1.10.146
iptables -t nat -A POSTROUTING -d 195.168.1.102 --dport 27000:27015 -j SNAT --to-source 10.1.10.146
iptables -t nat -A POSTROUTING -d 195.168.1.102 --dport 27020 -j SNAT --to-source 10.1.10.146
iptables -t nat -A POSTROUTING -d 195.168.1.102 --dport 27030:27039 -j SNAT --to-source 10.1.10.146
iptables -t nat -A POSTROUTING -d 195.168.1.102 --dport 27015 -j SNAT --to-source 10.1.10.146
------------------------------
Highlighted are the portions of the script that MADE MY 10216 FORWARD, so the above code is based on that,
but when I run my script I get the following:
------------------------------
Linux-server:~# /etc/init.d/proxy2.sh

SETTING UP IPTABLES PROXY...
Loading required stateful/NAT kernel modules...
Enabling IP forwarding...
External interface: eth0
External interface IP address is: ***.***.***.***
Loading proxy server rules...Please Wait
Clearing any existing rules and setting default policy...
Compiling new values for IPTABLES

iptables v1.2.11: host/network `lo' not found
Try `iptables -h' or 'iptables --help' for more information.

iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument

iptables v1.2.11: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
Proxy server rule loading complete
-------------------------------
Does anyone know why it gives me an error, while the first FORWARD rule for port 10216 works FINE?
Thank you.
Stas

amitsharma_26 11-09-2006 06:26 AM

Stas,
All the POSTROUTING rules lack the protocol (-p) option, & as it is a must for specifying --dport you are getting errors for the same. So you've got to specify
Code:

-p udp/tcp
in all of those POSTROUTING rules.

Quote:

Originally Posted by stascrash
iptables v1.2.11: host/network `lo' not found
Try `iptables -h' or 'iptables --help' for more information.

You can use "localhost" instead of "lo".

stascrash 11-09-2006 09:31 AM

Yes, sir amitsharma_26, you solved the problem with POSTROUTING, and as I was reading your post, I thought exactly the same thing: with the PORT I have to have a TYPE of port.
So now, after it all boots up fine, and I don't get that same message about the "lo" thing (I've changed it to localhost, as you were suggesting), I was still running into problems: IPTABLES INVALID ARGUMENT.
I went back to my script, and as I was test running it, disabling and enabling different strikes, I figured that the command,
----
iptables -A OUTPUT -p tcp -d 10.1.10.146 --dport 10216 -j DNAT --to 195.168.1.102:10216
----
gives me that error. I'm taking that same old port 10216, coz all other lines are based on that. I read a lot about this invalid argument thing, but it seems like people do not really suggest much, and I had my buddy try it on his unix (he is running kernel 2.4 and I have 2.6) and he had no problems whatsoever. Is this line really required by my script configuration?

Any advice?
Thanx, Stas

amitsharma_26 11-09-2006 09:45 AM

Quote:

Originally Posted by stascrash
iptables -A OUTPUT -p tcp -d 10.1.10.146 --dport 10216 -j DNAT --to-destination 195.168.1.102:10216#Counter-Strike server on Windows 2003 OUTGOING
iptables -A OUTPUT -p udp -d 10.1.10.146 --dport 1200 -j DNAT --to-destination 195.168.1.102:1200
iptables -A OUTPUT -p udp -d 10.1.10.146 --dport 27000:27015 -j DNAT --to-destination 195.168.1.102:27000:27015
iptables -A OUTPUT -p udp -d 10.1.10.146 --dport 27020 -j DNAT --to-destination 195.168.1.102:27020
iptables -A OUTPUT -p tcp -d 10.1.10.146 --dport 27039 -j DNAT --to-destination 195.168.1.102:27030:27039
iptables -A OUTPUT -p tcp -d 10.1.10.146 --dport 27015 -j DNAT --to-destination 195.168.1.102:27015

You forgot to mention the table name for the above mentioned rules; so
Code:

-t nat
would be required for any DNAT or SNAT action.

e.g.: iptables -A OUTPUT -t nat -p tcp -d 10.1.10.146 --dport 10216 -j DNAT --to 195.168.1.102:10216

stascrash 11-09-2006 10:39 AM

Hey, amitsharma_26
THANX A LOT!
I got my stuff fixed, really appreciate your help here,
I would never have guessed that it would be just as simple as a -t nat... )

thanx again, I will continue exploring Linux systems and asking questions...

