
#1 2017-05-11 12:10:40

Jojonintendo
Member
Registered: 2013-12-06
Posts: 56

[SOLVED] Livebox router won't open ports now

Edit: after a lot of time testing, this issue might be on the ISP side.

Hello community,

Yesterday I installed and configured DNSSEC with Unbound and DNScrypt, as recommended in the wiki, and I think everything is working as it should. Except that I have just noticed that Transmission (also tried with Deluge) cannot see the port as open.

I have done a fresh install a few days ago, and I configured everything as I usually do: iptables is as explained in the "simple stateful firewall" wiki, with Transmission port as open:

[root@Arch ~]# iptables -L
[...]
Chain TCP (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:51413
[...]
[root@Arch ~]#

I am not sure if the issue is related to my DNS configuration, but this is the first time I have a problem related to closed ports. I also tried to configure ufw, but the result was the same, so I removed it.

I would really appreciate any suggestion you can give me, and I thank you for your time.

Last edited by Jojonintendo (2017-05-15 08:41:34)


M/B: Asus M5A97 LE R2.0 CPU: AMD FX(tm)-6100 Six-Core Processor GPU: XFX R9 390 DD Black Edition RAM: Kingston HyperX Beast DDR3 1866 2X4GB SSD: Crucial M4 128GB SATA 3
CPU and GPU are watercooled by Ibercool kit.


#2 2017-05-11 14:36:21

rdeckard
Wiki Maintainer
Registered: 2015-01-28
Posts: 137

Re: [SOLVED] Livebox router won't open ports now

Does transmission work with no iptables rules? Are you able to resolve domains?

Give us some more info:

$ cat /etc/iptables/iptables.rules
$ systemctl cat unbound
$ systemctl cat dnscrypt-proxy
$ cat /etc/dnscrypt-proxy.conf
$ cat /etc/resolv.conf
$ drill sigfail.verteiltesysteme.net
$ drill sigok.verteiltesysteme.net


#3 2017-05-11 14:58:04

Jojonintendo
Member
Registered: 2013-12-06
Posts: 56

Re: [SOLVED] Livebox router won't open ports now

Neither Transmission nor Deluge, nor websites like canyouseeme.org, are able to see the port as open. The same happens with iptables set with empty.rules. I can resolve domains without problem. Here are the requested commands:

[root@Arch ~]# cat /etc/iptables/iptables.rules
# Generated by iptables-save v1.4.21 on Wed Nov  4 19:08:47 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [62:5080]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -p tcp -m tcp --dport 51413 -j ACCEPT
-A UDP -p udp -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Wed Nov  4 19:08:47 2015
[root@Arch ~]#
[root@Arch ~]# systemctl cat unbound
# /usr/lib/systemd/system/unbound.service
[Unit]
Description=Unbound DNS Resolver
After=network.target

[Service]
PIDFile=/run/unbound.pid
ExecStart=/usr/bin/unbound -d
ExecReload=/bin/kill -HUP $MAINPID
Restart=always

[Install]
WantedBy=multi-user.target
[root@Arch ~]#
[root@Arch ~]# systemctl cat dnscrypt-proxy
# /usr/lib/systemd/system/dnscrypt-proxy.service
[Unit]
Description=DNSCrypt client proxy
Documentation=man:dnscrypt-proxy(8)
Requires=dnscrypt-proxy.socket
After=network.target
Before=nss-lookup.target

[Install]
Also=dnscrypt-proxy.socket
WantedBy=multi-user.target

[Service]
Type=simple
NonBlocking=true
User=dnscrypt

# Edit the configuration file appropriately, or the service will not start.
# See https://dnscrypt.org for more information.
ExecStart=/usr/bin/dnscrypt-proxy /etc/dnscrypt-proxy.conf
[root@Arch ~]#
[root@Arch ~]# cat /etc/dnscrypt-proxy.conf
######################################################
#                                                    #
#    Sample configuration file for dnscrypt-proxy    #
#                                                    #
######################################################


############## Resolver settings ##############

## [CHANGE THIS] Short name of the resolver to use
## Usually the only thing you need to change in this configuration file.
## This corresponds to the first column in the dnscrypt-resolvers.csv file.
## Alternatively, "random" (without quotes) picks a random random resolver
## accessible over IPv4, that doesn't log and supports DNSSEC.

ResolverName dnscrypt.org-fr


## Full path to the list of available DNSCrypt resolvers (dnscrypt-resolvers.csv)
## An up-to-date list is available here:
## https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv
## and the dnscrypt-update-resolvers.sh script can be used in order to
## automatically download and verify updates.

# ResolversList /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv


## Manual settings, only for a custom resolver not present in the CSV file

# ProviderName    2.dnscrypt.resolver.example
# ProviderKey     E801:B84E:A606:BFB0:BAC0:CE43:445B:B15E:BA64:B02F:A3C4:AA31:AE10:636A:0790:324D
# ResolverAddress 203.0.113.1:443



############## Process options ##############

## [NOT AVAILABLE ON WINDOWS] Run the proxy as a background process.
## Unless you are using systemd, you probably want to change this to "yes"
## after having verified that the rest of the configuration works as expected.

Daemonize no


## Write the PID number to a file

# PidFile /var/run/dnscrypt-proxy.pid


## [NOT AVAILABLE ON WINDOWS] Start the process, bind the required ports, and
## run the server as a less-privileged system user.
## The value for this parameter is a user name.

# User _dnscrypt-proxy



############## Network/protocol settings ##############

## Local address and port to listen to.
## A 127.0.0.x address is recommended for local use, but 0.0.0.0 or
## a specific interface address can be used on a router, or to
## configure a single machine to act as a DNS proxy for different
## devices.
## If the socket is created by systemd, the proxy cannot change the address
## using this option. You should edit systemd's dnscrypt-proxy.socket file
## instead.

# LocalAddress 127.0.0.1:53


## Cache DNS responses to avoid outgoing traffic when the same queries
## are repeated multiple times in a row.

LocalCache on


## Creates a new key pair for every query.
## This prevents logging servers from correlating client public keys with
## IP addresses. However, this option implies extra CPU load, and is not
## very useful with trusted/non-logging servers.

EphemeralKeys off


## Maximum number of active requests waiting for a response.
## Keep it reasonable relative to the expected number of clients.

# MaxActiveRequests 250


## This is the maximum payload size allowed when using the UDP protocol.
## The default is safe, and rarely needs to be changed.

# EDNSPayloadSize 1252


## Ignore the time stamps when checking the certificates
## Do not enable this option ever, unless you know that you need it.

# IgnoreTimestamps no


## Do not send queries using UDP. Only use TCP.
## Even if some resolvers mitigate this, DNS over TCP is almost always slower
## than UDP and doesn't offer additional security.
## Only enable this option if UDP doesn't work on your network.

# TCPOnly no


## Forward queries for specific domains to one or more non-DNSCrypt resolvers.
## For instance, this can be used to redirect queries for local domains to
## the router, or queries for an internal domain to an internal DNS server.
## Multiple whitespace-delimited domains and IP addresses can be specified.
## Do not enable this unless you absolutely know you need it.
## If you see useless queries to these domains, you'd better block them with
## the BlackList feature instead of sending them in clear text to the router.
## This uses a plugin that requires dnscrypt-proxy to be compiled with
## the ldns library.

# Forward domains:"test private localdomain lan" to:"192.168.100.254"


############## Logging ##############

## Log the received DNS queries to a file, so you can watch in real-time what
## is happening on the network.
## The value for this parameter is a full path to the log file.
## The file name can be prefixed with ltsv: in order to store logs using the
## LTSV format (ex: ltsv:/tmp/dns-queries.log).

# QueryLogFile /tmp/dns-queries.log


## Log file to write server errors and information to.
## If you use this tool for privacy, keeping logs of any kind is usually not
## a good idea.

# LogFile /var/log/dnscrypt-proxy.log


## Don't log events with priority above this log level after the service has
## been started up. Default is 6.
## Valid values are between 0 (critical) to 7 (debug-level messages).

# LogLevel 6


## [NOT AVAILABLE ON WINDOWS] Send server logs to the syslog daemon
## Log entries can optionally be prefixed with a string.

# Syslog       off
# SyslogPrefix dnscrypt



############## Local filtering ##############

## If your network doesn't support IPv6, chances are that your
## applications are still constantly trying to resolve IPv6 addresses,
## causing unnecessary slowdowns.
## This causes the proxy to immediately reply to IPv6 requests,
## without having to send a useless request to upstream resolvers, and
## having to wait for a response.
## This uses a plugin that requires dnscrypt-proxy to be compiled with
## the ldns library.

BlockIPv6 no


## Want to filter ads, malware, sensitive or inappropriate websites and
## domain names? This feature can block lists of IP addresses and names
## matching a list of patterns. The list of rules remains private, and
## the filtering process directly happens on your own network. In order
## to filter IP addresses, the list of IPs has to be put into a text
## file, with one IP address per line. Lists of domain names can also be
## blocked as well. Put the list into a text file, one domain per line.
## Domains can include wildcards (*) in order to match patterns. For
## example *sex* will match any name that contains the sex substring, and
## ads.* will match anything starting with ads. The Internet has plenty
## of free feeds of IP addresses and domain names used for malware,
## phishing and spam that you can use with this feature.
##
## This uses a plugin that requires dnscrypt-proxy to be compiled with
## the ldns library.
##
## To enable, uncomment one of the following definitions:

## Block query names matching the rules stored in that file:
# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt"

## Block responses whose IP addresses match IPs stored in that file:
# BlackList ips:"/etc/dnscrypt-blacklist-ips.txt"

## Block both domain names and IP addresses:
# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt" ips:"/etc/dnscrypt-blacklist-ips.txt"

## Same as the above + log the blocked queries in a file.
## The log file can be prefixed with ltsv: (ex: ltsv:/tmp/log.txt) in order to
## store logs using the LTSV format.
# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt" logfile:"/var/log/dnscrypt-blocked.log"
# BlackList ips:"/etc/dnscrypt-blacklist-ips.txt" logfile:"/var/log/dnscrypt-blocked.log"
# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt" ips:"/etc/dnscrypt-blacklist-ips.txt" logfile:"/var/log/dnscrypt-blocked.log"



############## User identification ##############

## Use a client public key for identification
## By default, the client uses a randomized key pair in order to make tracking
## more difficult. This option does the opposite and uses a static key pair, so
## that DNS providers can offer premium services to queries signed with a known
## set of public keys. A client cannot decrypt the received responses without
## also knowing the secret key.
## The value for this property is the path to a file containing the secret key,
## encoded as a hexadecimal string. The corresponding public key is computed
## automatically.

# ClientKey /etc/dnscrypt-client-secret.key



############## Monitoring ##############

## Do not actually start the proxy, but check that a valid certificate can be
## retrieved from the server and that it will remain valid for the specified
## time period. The process exit code is 0 if a valid certificate can be used,
## 2 if no valid certificates can be used, 3 if a timeout occurred, and 4 if a
## currently valid certificate is going to expire before the given margin.
## Useful in a cron job to monitor your own dnscrypt-servers.
## The margin is specified in minutes.

# Test 2880



############## Recursive configuration ##############

## A configuration file can include other configuration files by inserting
## the `Include` directive anywhere (the full path required, no quotes):

# Include /etc/dnscrypt-proxy-common.conf
[root@Arch ~]#
[root@Arch ~]# cat /etc/resolv.conf
# Generated by resolvconf
nameserver 127.0.0.1
[root@Arch ~]#
[root@Arch ~]# drill sigfail.verteiltesysteme.net
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 42577
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; sigfail.verteiltesysteme.net.	IN	A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 332 msec
;; SERVER: 127.0.0.1
;; WHEN: Thu May 11 14:53:22 2017
;; MSG SIZE  rcvd: 46
[root@Arch ~]#
[root@Arch ~]# drill sigok.verteiltesysteme.net
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 59413
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; sigok.verteiltesysteme.net.	IN	A

;; ANSWER SECTION:
sigok.verteiltesysteme.net.	583	IN	A	134.91.78.139

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 119 msec
;; SERVER: 127.0.0.1
;; WHEN: Thu May 11 14:53:47 2017
;; MSG SIZE  rcvd: 60
[root@Arch ~]#

I think it is working as expected, because I carefully followed the wiki and checked after every step, but somehow iptables doesn't apply changes. I also followed the wiki about iptables to start/enable it correctly, but I still can't open port 51413.
Thank you very much for your help.

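The two drill lookups rdeckard asked for in #2 are the standard DNSSEC validation check: a validating resolver must answer sigfail.verteiltesysteme.net with SERVFAIL (bogus signature rejected) and sigok.verteiltesysteme.net with NOERROR. The following is an added example, not code from the thread or from any of its participants: it parses drill's header lines and turns the rcode pair into a verdict. The two embedded outputs are copies of the ones posted in #3 (trimmed to the header) so the script runs offline; against a live resolver you would feed it the output of the two drill commands instead.

```python
"""Turn the sigfail/sigok drill outputs into a DNSSEC validation verdict."""
import re

# Constructed sample input: the header portion of the two drill outputs from post #3.
DRILL_SIGFAIL = """\
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 42577
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; sigfail.verteiltesysteme.net.\tIN\tA
"""
DRILL_SIGOK = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 59413
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; sigok.verteiltesysteme.net.\tIN\tA
"""

RCODE_RE = re.compile(r"rcode:\s*(?P<rcode>[A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags:\s*(?P<flags>[a-z ]*);", re.M)


def parse_drill(output):
    """Return (rcode, set of header flags) from drill's ';; ->>HEADER<<-' block."""
    rcode = RCODE_RE.search(output).group("rcode")
    flags = set(FLAGS_RE.search(output).group("flags").split())
    return rcode, flags


def dnssec_verdict(sigfail_output, sigok_output):
    """Classify the resolver from the rcode pair.

    validating:     sigfail -> SERVFAIL and sigok -> NOERROR
    not validating: sigfail -> NOERROR  (bogus signature accepted)
    broken:         sigok does not resolve, so nothing can be concluded
    """
    fail_rcode, _ = parse_drill(sigfail_output)
    ok_rcode, _ = parse_drill(sigok_output)
    if ok_rcode != "NOERROR":
        return "broken: the correctly signed name does not resolve (rcode %s)" % ok_rcode
    if fail_rcode == "SERVFAIL":
        return "validating: bogus signature rejected, good signature accepted"
    if fail_rcode == "NOERROR":
        return "not validating: the bogus signature was accepted"
    return "inconclusive: unexpected rcode %s for sigfail" % fail_rcode


if __name__ == "__main__":
    print(dnssec_verdict(DRILL_SIGFAIL, DRILL_SIGOK))
```

Applied to the outputs in #3 this reports "validating", which is why the DNS side of the setup is not the culprit. The flags line shows no `ad` bit, which is expected because drill was run without `-D` (no DO bit in the query); the rcode pair alone decides the verdict.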

#4 2017-05-11 17:06:43

rdeckard
Wiki Maintainer
Registered: 2015-01-28
Posts: 137

Re: [SOLVED] Livebox router won't open ports now

# Generated by iptables-save v1.4.21 on Wed Nov  4 19:08:47 2015

Is that correct? 2015?

Try:

# iptables-restore < /etc/iptables/empty.rules

And then run transmission.

Also, what is the exact error transmission is giving you?


#5 2017-05-11 17:27:03

Jojonintendo
Member
Registered: 2013-12-06
Posts: 56

Re: [SOLVED] Livebox router won't open ports now

rdeckard wrote:

Is that correct? 2015?

Well... I didn't know I was using such an old config for iptables. I will make a new one.

rdeckard wrote:

Try:

# iptables-restore < /etc/iptables/empty.rules

And then run transmission.

I already tried that, but the port still is closed to any application, even websites that check them.

rdeckard wrote:

Also, what is the exact error transmission is giving you?

When I click "test port", it fails as "closed" after some time. I even tried disabling iptables completely, but it still doesn't open the port (which is open on the router since 2015, probably).

Edit: I just updated my iptables.rules by following the instructions in the wiki, and although the file is a little different, the result is the same: 51413 port closed.

Last edited by Jojonintendo (2017-05-11 18:03:37)


#6 2017-05-12 15:51:15

Jojonintendo
Member
Registered: 2013-12-06
Posts: 56

Re: [SOLVED] Livebox router won't open ports now

I have been trying all day, but nothing works. Even a clean Live USB of Ubuntu gives me the same problem, with no firewall set.

It looks like my Livebox doesn't even receive UPnP requests, because nothing is shown there. In the logs I see many "UDP flood" entries with my IP and port, but somehow the router rejects them. It is weird, because I have UPnP and manual NAT forwarding set up. I even tried to reset the router to factory defaults, but the same happens.

I already wrote to them about this; I hope we can find where the problem is.


#7 2017-05-13 06:41:59

theZorro266
Member
From: Germany
Registered: 2017-05-12
Posts: 4

Re: [SOLVED] Livebox router won't open ports now

Seems like it's not a problem with your DNS setup then. Maybe you want to change the title.
I do have a question though: why do you allow UDP port 53 for DNS from outside? Isn't your DNS server supposed to be a local resolver only?

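theZorro266's question above is the one security point in the thread: the ruleset posted in #3 accepts NEW UDP traffic to port 53 from any interface, so the local Unbound/dnscrypt-proxy resolver is reachable from the internet even though nothing needs that. The following is an added example, not code from the thread or from any participant: it parses the iptables-save text from #3, simulates a NEW inbound packet walking INPUT and the user chains (jump, fall-through on return, chain policy as the last resort), lists which ports are reachable from a non-loopback interface, and flags the ones that should stay local-only. The packet model is deliberately small: `--tcp-flags` and `--icmp-type` are not evaluated because the simulated packet is always a fresh SYN or echo request, and the LOCAL_ONLY set is an assumption of this example.

```python
"""Audit an iptables-save ruleset by simulating NEW inbound packets."""
import shlex

# Constructed sample: the filter table posted in #3, comments and counters trimmed.
RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -p tcp -m tcp --dport 51413 -j ACCEPT
-A UDP -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

# Assumption of this example: a host running a local resolver has no reason to expose DNS.
LOCAL_ONLY = {("udp", 53), ("tcp", 53)}
# Options the packet model records (option -> rule field).
OPTS = {"-p": "proto", "--dport": "dport", "-i": "iface", "--ctstate": "states", "-j": "target"}
# Options that are skipped together with their argument count.
SKIP = {"-m": 1, "--icmp-type": 1, "--reject-with": 1, "--tcp-flags": 2}


def parse_rules(text):
    """Return ({chain: [rule, ...]}, {chain: policy}) from iptables-save text."""
    chains, policies = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                     # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains[name], policies[name] = [], policy
        elif line.startswith("-A "):                  # "-A CHAIN <matches> -j TARGET"
            toks = shlex.split(line)
            rule = {"proto": None, "dport": None, "iface": None, "states": None, "target": None}
            i = 2
            while i < len(toks):
                tok = toks[i]
                if tok in OPTS:
                    val = toks[i + 1]
                    rule[OPTS[tok]] = (int(val) if tok == "--dport"
                                       else set(val.split(",")) if tok == "--ctstate" else val)
                    i += 2
                else:
                    i += 1 + SKIP.get(tok, 0)
            chains[toks[1]].append(rule)
    return chains, policies


def matches(rule, pkt):
    """True if every recorded match of the rule fits the simulated packet."""
    return ((rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and (rule["iface"] is None or rule["iface"] == pkt["iface"])
            and (rule["states"] is None or pkt["state"] in rule["states"]))


def verdict(chains, policies, pkt, chain="INPUT"):
    """Walk a chain like netfilter: first terminating target wins, else the policy."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains:                          # jump; continue if the chain returns
            result = verdict(chains, policies, pkt, target)
            if result is not None:
                return result
    return None if policies[chain] == "-" else policies[chain]


def exposed_ports(text, iface="eth0"):
    """(proto, port) pairs accepted for NEW connections arriving on a non-loopback interface."""
    chains, policies = parse_rules(text)
    candidates = {(r["proto"], r["dport"]) for c in chains.values() for r in c if r["dport"]}
    return {(proto, port) for proto, port in candidates
            if verdict(chains, policies, {"proto": proto, "dport": port,
                                          "iface": iface, "state": "NEW"}) == "ACCEPT"}


def audit(text):
    """Summarise what is reachable and which of it should not be."""
    exposed = exposed_ports(text)
    return {"exposed": sorted(exposed), "should_be_local_only": sorted(exposed & LOCAL_ONLY)}


if __name__ == "__main__":
    report = audit(RULES)
    print("reachable from outside:", report["exposed"])
    print("should be local-only:", report["should_be_local_only"])
```

On the ruleset from #3 the audit lists tcp/80, tcp/443, tcp/51413 and udp/53 as reachable and flags udp/53; dropping the `-A UDP ... --dport 53` line (the fix Jojonintendo agrees to in #8) makes the resolver reachable only through the `-i lo` rule, while tcp/51413 for Transmission stays open. The same walk also shows why the local firewall cannot explain the symptom in this thread: a NEW SYN to 51413 is accepted by the TCP chain, so a "closed" result from outside has to come from the router or the ISP.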

#8 2017-05-13 09:42:59

Jojonintendo
Member
Registered: 2013-12-06
Posts: 56

Re: [SOLVED] Livebox router won't open ports now

theZorro266 wrote:

Seems like it's not a problem with your DNS setup then. Maybe you want to change the title.
I do have a question though: why do you allow UDP port 53 for DNS from outside? Isn't your DNS server supposed to be a local resolver only?

I'm going to change the title right now. I think you're right about the DNS port, I'll remove it from my iptables.rules.

I think the problem might be related to the recent attacks that happened to different ISPs, and that for security reasons they deactivated anything related to:
- Firewall settings
- DMZ
- NAT settings
- UPnP
Because the Livebox doesn't seem to apply any change I make on those settings.

Thanks for your help!


#9 2017-05-15 08:41:18

Jojonintendo
Member
Registered: 2013-12-06
Posts: 56

Re: [SOLVED] Livebox router won't open ports now

As I suspected, now the port is open, and the router works just as expected, without doing anything. So my ISP probably did something on its end.
