#1 2016-05-16 17:30:46

bobeflick
Member
Registered: 2014-11-06
Posts: 5

[Solved] Unable to connect to certain ports remotely

I am having a strange experience with iptables/ufw.  I am able to remotely ssh into my machine on the usual port 22 with no problem.  I can even forward X11 stuff over ssh with no hiccups.  But, when I try to connect to two other services on different ports, connections are being rejected.  Since ufw is enabled, I did not enable the iptables service.  I verified the services with systemctl.  The ports I am trying to connect to are properly forwarded on my router's NAT (which is why ssh can work).  The only ports I need at the moment are 64738 (murmur) and 60001 (mosh).  Currently I have resorted to removing the usual default deny rule, but even that does not fix my issue.  So after much head scratching, I have come to the experts of networking for some help.

iptables -S | grep ACCEPT wrote:

-P OUTPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -m comment --comment "\'dapp_SSH\'" -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 64738 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 64738 -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 60000:61000 -j ACCEPT
-A ufw-user-limit-accept -j ACCEPT

# ufw status
Status: active

To                         Action      From
--                         ------      ----
SSH                        ALLOW       Anywhere
64738                      ALLOW       Anywhere
60000:61000/udp            ALLOW       Anywhere                   # mosh
SSH (v6)                   ALLOW       Anywhere (v6)
64738 (v6)                 ALLOW       Anywhere (v6)
60000:61000/udp (v6)       ALLOW       Anywhere (v6)              # mosh

systemctl status ufw wrote:

● ufw.service - CLI Netfilter Manager
   Loaded: loaded (/usr/lib/systemd/system/ufw.service; enabled; vendor preset: disabled)
   Active: active (exited) since Tue 2016-05-10 20:52:08 CDT; 5 days ago
Main PID: 291 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 512)
   CGroup: /system.slice/ufw.service

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

systemctl status iptables wrote:

● iptables.service - Packet Filtering Framework
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

Update: About a month ago I installed libvirt and enabled firewalld and libvirt services.  Stopping firewalld allowed ufw to function properly.

Last edited by bobeflick (2016-05-19 02:34:07)
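The situation in this post, two firewall front ends (ufw and firewalld) each owning their own chains with a port allowed by one but not the other, can be spotted from `iptables -S` output before any head scratching. The following is an added example and is not code from the post or from either project; the manager-to-chain-prefix table and the sample rule excerpt are assumptions modelled on the chain names visible in the dump above.

```python
import re

# Constructed excerpt modelled on the `iptables -S | grep ACCEPT` dump in the post:
# firewalld's IN_public_allow chain accepts only 22, ufw's chain accepts the other ports.
SAMPLE_RULES = """\
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -m comment --comment "'dapp_SSH'" -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 64738 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 64738 -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 60000:61000 -j ACCEPT
"""

# Inbound chain-name prefixes each front end installs (assumption: taken from the chain
# names visible in the post; another manager would need its own entry here).
INBOUND_CHAINS = {"ufw": ("ufw-user-input", "ufw-before-input"), "firewalld": ("IN_",)}

def manager_of(chain):
    """Name of the front end that owns an inbound chain, or None for built-ins/others."""
    return next((m for m, p in INBOUND_CHAINS.items() if chain.startswith(p)), None)

def accepted_ports(rules_text):
    """Map manager -> {(proto, port-or-range)} explicitly ACCEPTed on its inbound chains."""
    allowed = {}
    for line in rules_text.splitlines():
        m = re.match(r"-A (\S+) (.*)-j ACCEPT$", line.strip())
        mgr = manager_of(m.group(1)) if m else None
        if mgr is None:
            continue
        specs = allowed.setdefault(mgr, set())  # keep the manager even with no port rules
        proto = re.search(r"-p (tcp|udp)", m.group(2))
        ports = re.search(r"--dports? (\S+)", m.group(2))
        if proto and ports:
            specs.add((proto.group(1), ports.group(1)))
    return allowed

def port_covered(specs, proto, port):
    """True if a single port or a lo:hi range in specs matches proto/port."""
    for p, spec in specs:
        lo, _, hi = spec.partition(":")
        if p == proto and (port == int(lo) or (hi and int(lo) <= port <= int(hi))):
            return True
    return False

def diagnose(rules_text, wanted):
    """For each wanted (proto, port): the managers whose inbound chains do not accept it.
    Returns {} when only one manager owns chains, i.e. there is no conflict to report."""
    allowed = accepted_ports(rules_text)
    if len(allowed) < 2:
        return {}
    return {w: sorted(m for m in allowed if not port_covered(allowed[m], *w)) for w in wanted}
```

Run `diagnose(SAMPLE_RULES, [("tcp", 22), ("tcp", 64738), ("udp", 60001)])` and it reports 64738 and 60001 as unaccepted by firewalld, which matches the symptom (ssh works, murmur and mosh do not) and the fix in the update (stop the second manager).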
