
#1 2007-06-25 15:28:13

ravisghosh
Member
From: Intergalactic Spaces
Registered: 2006-10-12
Posts: 516

closed port for torrent with no iptables.rules

I have a home system with internet connection over a router. The firewall in the router seems to be disabled. I had installed guarddog and selected all the protocols that I need. There is no iptables in the daemons line of rc.conf, nor is there any iptables.rules file. There are 2 files in /etc/iptables, empty.rules and simple_firewall.rules. So, I wonder if any firewall is working at all in my system, since guarddog is a frontend to iptables (I guess), and also whether there is any need for a firewall since almost all the ports are closed.

Secondly, the main issue. I was using ktorrent and it was working fine until a few days ago. Now, bittorrent is not working. It's not connecting at all. I tried deluge from the community repo and tested the ports with http://www.deluge-torrent.org/test-port.php?port=6881 and it gave me this result:

TCP port 6881 closed on 121.247.200.189

UDP port 6881 open on 121.247.200.189

121.247.200.189 seems to be the IP of my ISP, as I got a dynamic one.

I am able to surf the net but not able to download using bittorrent; however, both are possible in Windows.

Taking a clue from the forum, I did nmap.

nmap on my router

[shantanu@bluehead ~]$ nmap 192.168.1.1

Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-25 20:49 IST
Interesting ports on 192.168.1.1:
Not shown: 1679 filtered ports
PORT      STATE  SERVICE
21/tcp    open   ftp
23/tcp    open   telnet
53/tcp    closed domain
80/tcp    open   http
443/tcp   closed https
554/tcp   closed rtsp
1755/tcp  closed wms
2401/tcp  closed cvspserver
5000/tcp  closed UPnP
5001/tcp  closed commplex-link
5050/tcp  closed mmcc
6881/tcp  closed bittorent-tracker
6969/tcp  closed acmsoda
7070/tcp  closed realserver
8000/tcp  closed http-alt
8080/tcp  closed http-proxy
8888/tcp  closed sun-answerbook
11371/tcp closed pksd

Nmap finished: 1 IP address (1 host up) scanned in 27.653 seconds

nmap on my ip

[shantanu@bluehead ~]$ nmap 192.168.1.5

Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-25 20:48 IST
Interesting ports on 192.168.1.5:
Not shown: 1696 closed ports
PORT     STATE SERVICE
6000/tcp open  X11

Nmap finished: 1 IP address (1 host up) scanned in 0.519 seconds

nmap on isp's ip displayed above.

[shantanu@bluehead ~]$ nmap 121.247.200.189

Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-25 20:50 IST
Interesting ports on 121.247.200.189.bang-dynamic-bb.vsnl.net.in (121.247.200.189):
Not shown: 1679 filtered ports
PORT      STATE  SERVICE
21/tcp    open   ftp
23/tcp    open   telnet
53/tcp    closed domain
80/tcp    open   http
443/tcp   closed https
554/tcp   closed rtsp
1755/tcp  closed wms
2401/tcp  closed cvspserver
5000/tcp  closed UPnP
5001/tcp  closed commplex-link
5050/tcp  closed mmcc
6881/tcp  closed bittorent-tracker
6969/tcp  closed acmsoda
7070/tcp  closed realserver
8000/tcp  closed http-alt
8080/tcp  closed http-proxy
8888/tcp  closed sun-answerbook
11371/tcp closed pksd

Nmap finished: 1 IP address (1 host up) scanned in 30.573 seconds

Everywhere the bittorrent port seems to be closed. How do I open this port?

Last edited by ravisghosh (2007-06-25 21:09:55)


#2 2007-06-26 00:01:19

albLinux
Member
Registered: 2007-04-24
Posts: 56

Re: closed port for torrent with no iptables.rules

Hi try this

iptables -A INPUT -i $EXT_IF -p tcp -s 0/0 --dport  6881 -m state --state NEW -j ACCEPT

$EXT_IF = your internet interface, maybe ppp0 or just eth0


#3 2007-06-26 07:24:59

ravisghosh
Member
From: Intergalactic Spaces
Registered: 2006-10-12
Posts: 516

Re: closed port for torrent with no iptables.rules

But iptables is not running and there is no iptables.rules file.


#4 2007-06-26 15:06:50

Obi-Lan
Member
From: Finland
Registered: 2007-05-23
Posts: 179

Re: closed port for torrent with no iptables.rules

So your router is doing NAT? You have to use port forwarding on your router to route port 6881 to the right IP in the inside network. Ports also show as closed if there's no application listening on that port.


#5 2007-06-26 15:52:43

ravisghosh
Member
From: Intergalactic Spaces
Registered: 2006-10-12
Posts: 516

Re: closed port for torrent with no iptables.rules

I used the deluge torrent link to check if the port is open on Windows and found that it was open. Hence, it can be concluded that the router is not interfering.

Also, the command did not yield any result, probably because iptables is not running at all.

Last edited by ravisghosh (2007-06-26 16:03:28)


#6 2007-06-27 10:04:39

madeye
Member
From: Denmark
Registered: 2006-07-19
Posts: 331

Re: closed port for torrent with no iptables.rules

Hi,

Have you checked if perhaps your Windows bittorrent client uses UPnP to "ask" the router to allow access to your bittorrent port?
Afterwards you could check if the Linux client can use UPnP to do the same.

Also, AFAIK, when you use nmap to scan your router's internal IP address, you will get the ports that are open from the inside out! (Feel free to correct me if I'm wrong.)

You say there is no iptables.rules file, but have you tried to run

iptables -L

in a console? (You may need to su to root.) This will give you a list of ports opened to your machine via iptables. If you get something like

INPUT allow ALL
OUTPUT allow ALL

iptables is disabled, or no rules have been defined. (The list may vary a little, as I'm getting this from memory. I'm at work right now, and only use Windows there.)

The nmap scan you ran on your own computer suggests that only port 6000 is open. This could indicate that some kind of firewall rules are indeed set up. Perhaps guarddog sets up the rules without using the iptables.rules file?

Let me know how it goes.


MadEye | Registered Linux user #167944 since 2000-02-28 | Homepage


#7 2007-06-27 15:09:12

ravisghosh
Member
From: Intergalactic Spaces
Registered: 2006-10-12
Posts: 516

Re: closed port for torrent with no iptables.rules

@madeye, first of all thanks a lot for such elaborate help.

I used uTorrent in Windows and you are very much right that it uses UPnP. In deluge (BT client on Arch), UPnP was there but disabled (shaded). Hence, I tried running uTorrent using Wine and it gave an error message "Unable to map UPnP port" and is not able to connect. So, UPnP is not working in my box.

Then I tried "iptables -L" as you suggested and it gave me the following results.

[shantanu@bluehead ~]$ sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     0    --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc 
ACCEPT     0    --  192.168.1.5          192.168.1.255       
logaborted  tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED tcp flags:RST/RST 
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem 
nicfilt    0    --  anywhere             anywhere            
srcfilt    0    --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem 
srcfilt    0    --  anywhere             anywhere            

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     0    --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootpc dpt:bootps 
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem 
s1         0    --  anywhere             anywhere            

Chain f0to1 (3 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere            udp dpts:6970:7170 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpts:6881:6889 state NEW 
logdrop    0    --  anywhere             anywhere            

Chain f1to0 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:6969 state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:http state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:http-alt state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:8008 state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:8000 state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:8888 state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:ftp state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:https state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:rtsp state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:7070 state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:cvspserver state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1755 state NEW 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:1755 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:11371 state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:5050 state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:telnet state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpts:5000:5001 state NEW 
ACCEPT     udp  --  anywhere             anywhere            udp spts:1024:5999 dpt:5000 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain state NEW 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:5222 state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:5223 state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpts:6881:6889 state NEW 
logdrop    0    --  anywhere             anywhere            

Chain logaborted (1 references)
target     prot opt source               destination         
logaborted2  0    --  anywhere             anywhere            limit: avg 1/sec burst 10 
LOG        0    --  anywhere             anywhere            limit: avg 2/min burst 1 LOG level warning prefix `LIMITED ' 

Chain logaborted2 (1 references)
target     prot opt source               destination         
LOG        0    --  anywhere             anywhere            LOG level warning tcp-sequence tcp-options ip-options prefix `ABORTED ' 
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED 

Chain logdrop (4 references)
target     prot opt source               destination         
logdrop2   0    --  anywhere             anywhere            limit: avg 1/sec burst 10 
LOG        0    --  anywhere             anywhere            limit: avg 2/min burst 1 LOG level warning prefix `LIMITED ' 
DROP       0    --  anywhere             anywhere            

Chain logdrop2 (1 references)
target     prot opt source               destination         
LOG        0    --  anywhere             anywhere            LOG level warning tcp-sequence tcp-options ip-options prefix `DROPPED ' 
DROP       0    --  anywhere             anywhere            

Chain logreject (0 references)
target     prot opt source               destination         
logreject2  0    --  anywhere             anywhere            limit: avg 1/sec burst 10 
LOG        0    --  anywhere             anywhere            limit: avg 2/min burst 1 LOG level warning prefix `LIMITED ' 
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable 
DROP       0    --  anywhere             anywhere            

Chain logreject2 (1 references)
target     prot opt source               destination         
LOG        0    --  anywhere             anywhere            LOG level warning tcp-sequence tcp-options ip-options prefix `REJECTED ' 
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable 
DROP       0    --  anywhere             anywhere            

Chain nicfilt (1 references)
target     prot opt source               destination         
RETURN     0    --  anywhere             anywhere            
RETURN     0    --  anywhere             anywhere            
RETURN     0    --  anywhere             anywhere            
logdrop    0    --  anywhere             anywhere            

Chain s0 (1 references)
target     prot opt source               destination         
f0to1      0    --  anywhere             192.168.1.5         
f0to1      0    --  anywhere             192.168.1.255       
f0to1      0    --  anywhere             bluehead.localdomain 
logdrop    0    --  anywhere             anywhere            

Chain s1 (1 references)
target     prot opt source               destination         
f1to0      0    --  anywhere             anywhere            

Chain srcfilt (2 references)
target     prot opt source               destination         
s0         0    --  anywhere             anywhere

That means iptables is not disabled and that firewall rules are set up by guarddog.

I removed guarddog using "pacman -Rns guarddog" and rebooted. Still get the same results with uTorrent and "iptables -L", and also the port test shows tcp 6881 is still closed.

Removed iptables and now the BT clients seem to be able to connect and it works; however, the port test still shows tcp 6881 closed.

Last edited by ravisghosh (2007-06-27 16:51:12)


#8 2007-06-28 16:52:06

madeye
Member
From: Denmark
Registered: 2006-07-19
Posts: 331

Re: closed port for torrent with no iptables.rules

Glad to be able to help.
It wasn't necessary to remove iptables, though. You could just have flushed the rules and made your own.
If you're interested, you can use the following as a script to set up the firewall.

#!/bin/sh

# Define where the iptables executable is located.
IPTABLES=/usr/bin/iptables

# To flush all firewall rules
# This clears all the rules, and will prevent any and all access inbound or outbound until we're finished.
$IPTABLES -F

# To delete all firewall chains
# It's been my experience that it's often easier to delete all the chains before making new rules.
# Especially if another firewall program has made custom rules.
$IPTABLES -X

# Set default policies
# If no other rule matches then the default will be used
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# Allow loopback device to access itself
# If you don't have this, many of your programs will stop working, as they need to access themselves over the loopback device
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Allow outgoing traffic
# Typically there is no need to block outgoing connections. Most attacks will come from the outside.
$IPTABLES -A OUTPUT -o eth0 -j ACCEPT

# Allow established and related connections
# This rule is needed to allow connections that are already established to keep their connection.
# This is also one of those rules you need to make your machine work correctly.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow incoming bittorrent connections to tcp port 6901
# If you use another port than 6901, just substitute it.
$IPTABLES -A INPUT -p tcp --dport 6901 -j ACCEPT

# Finally, let's drop all other connections
# Maybe this is like using both suspenders and a belt, but you can never have enough security.
$IPTABLES -A INPUT -p tcp --syn -j DROP

Just copy the code into a text file and run it as root in a console.
E.g. run kate (the KDE editor) and paste the code into it. Then save the file as firewall.sh in your home folder.
Start a console, and use the su command to switch to the root user.
Now run

cd /home/<your username>
sh ./firewall.sh

and the rules should be setup as described in the script.

Let me know if there is anything else you need.

EDIT: I forgot to mention, if you want to keep the rules after the next time you reboot, you'll need to run the command

/etc/rc.d/iptables save

Last edited by madeye (2007-06-29 06:36:46)


MadEye | Registered Linux user #167944 since 2000-02-28 | Homepage

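As an added example (not from this thread, guarddog or madeye's script), a small Python simulator that walks `iptables -S` output the way the kernel walks the INPUT chain in the dump above: INPUT jumps into nicfilt, srcfilt and f0to1, and the verdict plus the chains visited are returned, which is what you want to know before trusting an external port test. It only understands -p, -i, --dport/--sport, --state and chain jumps; the rule text and the -i match in nicfilt are constructed assumptions, since `iptables -L` without -v never shows interface matches (one reason the dump above cannot show why 6881 was dropped), and running the same walk over the rules madeye's script installs gives DROP for 6881 unless 6901 is substituted.

```python
import shlex

# Constructed `iptables -S` text shaped like the guarddog dump above: INPUT jumps
# through nicfilt and srcfilt to f0to1. The -i match in nicfilt is an
# assumption, since `iptables -L` without -v never shows interface matches.
GUARDDOG = """
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j nicfilt
-A INPUT -j srcfilt
-A nicfilt -i eth0 -j RETURN
-A nicfilt -j DROP
-A srcfilt -j f0to1
-A f0to1 -p tcp -m tcp --sport 1024:65535 --dport 6881:6889 -m state --state NEW -j ACCEPT
-A f0to1 -j DROP
"""

def parse_rules(text):
    """Return (policies, chains); chains maps a chain name to [(match opts, target)]."""
    policies, chains = {}, {}
    for t in (shlex.split(line) for line in text.strip().splitlines()):
        if t[0] == "-P":
            policies[t[1]] = t[2]
        elif t[0] == "-A":
            j = t.index("-j")
            chains.setdefault(t[1], []).append((t[2:j], t[j + 1]))
    return policies, chains

def _matches(opts, pkt):
    i = 0
    while i < len(opts):
        o = opts[i]  # option; v is its value, or None for a bare flag like --syn
        v = opts[i + 1] if i + 1 < len(opts) and not opts[i + 1].startswith("-") else None
        if (o == "-p" and v != pkt["proto"]) or (o == "-i" and v != pkt["iface"]):
            return False
        if o in ("--dport", "--sport"):
            lo, _, hi = v.partition(":")  # single port or lo:hi range
            if not int(lo) <= pkt[o[2:]] <= int(hi or lo):
                return False
        if o == "--state" and pkt["state"] not in v.split(","):
            return False
        i += 1 if v is None else 2  # options not modelled here are skipped
    return True

def verdict(rules, chain, pkt, trail=None):
    """Walk chain for pkt as the filter table would; returns (verdict, chains visited)."""
    policies, chains = rules
    trail = [] if trail is None else trail
    trail.append(chain)
    for opts, target in chains.get(chain, []):
        if not _matches(opts, pkt):
            continue
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return (policies.get(chain) if target == "RETURN" else target), trail
        if target in chains:  # user-defined chain; None means it fell off the end
            v, _ = verdict(rules, target, pkt, trail)
            if v is not None:
                return v, trail
    return policies.get(chain), trail  # policy for a built-in chain, else None
```

A packet is a plain dict such as `dict(proto="tcp", dport=6881, sport=40000, iface="eth0", state="NEW")`, which is what the port tester's first SYN looks like to the INPUT chain.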

#9 2007-06-29 02:22:00

ravisghosh
Member
From: Intergalactic Spaces
Registered: 2006-10-12
Posts: 516

Re: closed port for torrent with no iptables.rules

Madeye, you seem to have a great ability to write fool-proof instructions. That was such a nice description. However, I found on the forum that a router can double up as a firewall and work effectively. I have posted that query under a different heading: http://bbs.archlinux.org/viewtopic.php?id=34643


#10 2010-09-19 21:07:55

Rudanar
Member
From: Nagykovácsi, Hungary
Registered: 2009-11-13
Posts: 7

Re: closed port for torrent with no iptables.rules

I have encountered the same problem: double firewall, but I know only one of them.
I use ufw, but I could not connect to ANY specified port even when properly allowed. After a while I had to reconfigure my ADSL setting with pppoe-setup, which asks at the end what level of firewalling I need. If I choose "0" (no firewall) there, my ufw rules start working, and I have control again.
I do not know the exact underlying events, but pppoe-setup seems to erase iptables (?) rules, which were doubling my firewall.


Coordinator of the Wesnoth Hungarian Translation Team
http://wesnoth.fsf.hu/
http://www.wesnoth.org


#11 2010-09-19 21:28:35

Inxsible
Forum Fellow
From: Chicago
Registered: 2008-06-09
Posts: 9,183

Re: closed port for torrent with no iptables.rules

Rudanar, this post is more than 3 years old. I am sure the OP is no longer looking for a solution.

Closing.....


Forum Rules

There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !
