Topic closed
I have a home system with an internet connection over a router. The firewall in the router seems to be disabled. I had installed guarddog and selected all the protocols that I need. There is no iptables in the daemons line of rc.conf, nor is there any iptables.rules file. There are 2 files in /etc/iptables, empty.rules and simple_firewall.rules. So, I wonder if any firewall is working at all in my system, since guarddog is a frontend to iptables (I guess), and also whether there is any need for a firewall since almost all the ports are closed.
Secondly, the main issue. I was using ktorrent and it was working fine until a few days ago. Now, bittorrent is not working. It's not connecting at all. I tried deluge from the community repo and tested the ports with http://www.deluge-torrent.org/test-port.php?port=6881 and it gave me this result:
TCP port 6881 closed on 121.247.200.189
UDP port 6881 open on 121.247.200.189
121.247.200.189 seems to be the IP of my ISP, as I got a dynamic one.
I am able to surf the net but not able to download using bittorrent; however, both are possible in Windows.
Taking a clue from the forum, I ran nmap.
nmap on my router
[shantanu@bluehead ~]$ nmap 192.168.1.1
Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-25 20:49 IST
Interesting ports on 192.168.1.1:
Not shown: 1679 filtered ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
53/tcp closed domain
80/tcp open http
443/tcp closed https
554/tcp closed rtsp
1755/tcp closed wms
2401/tcp closed cvspserver
5000/tcp closed UPnP
5001/tcp closed commplex-link
5050/tcp closed mmcc
6881/tcp closed bittorent-tracker
6969/tcp closed acmsoda
7070/tcp closed realserver
8000/tcp closed http-alt
8080/tcp closed http-proxy
8888/tcp closed sun-answerbook
11371/tcp closed pksd
Nmap finished: 1 IP address (1 host up) scanned in 27.653 seconds
nmap on my IP
[shantanu@bluehead ~]$ nmap 192.168.1.5
Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-25 20:48 IST
Interesting ports on 192.168.1.5:
Not shown: 1696 closed ports
PORT STATE SERVICE
6000/tcp open X11
Nmap finished: 1 IP address (1 host up) scanned in 0.519 seconds
nmap on the ISP's IP displayed above.
[shantanu@bluehead ~]$ nmap 121.247.200.189
Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-25 20:50 IST
Interesting ports on 121.247.200.189.bang-dynamic-bb.vsnl.net.in (121.247.200.189):
Not shown: 1679 filtered ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
53/tcp closed domain
80/tcp open http
443/tcp closed https
554/tcp closed rtsp
1755/tcp closed wms
2401/tcp closed cvspserver
5000/tcp closed UPnP
5001/tcp closed commplex-link
5050/tcp closed mmcc
6881/tcp closed bittorent-tracker
6969/tcp closed acmsoda
7070/tcp closed realserver
8000/tcp closed http-alt
8080/tcp closed http-proxy
8888/tcp closed sun-answerbook
11371/tcp closed pksd
Nmap finished: 1 IP address (1 host up) scanned in 30.573 seconds
Everywhere the bittorrent port seems to be closed. How do I open this port?
Last edited by ravisghosh (2007-06-25 21:09:55)
Hi, try this
iptables -A INPUT -i $EXT_IF -p tcp -s 0/0 --dport 6881 -m state --state NEW -j ACCEPT
$EXT_IF = your internet interface, maybe ppp0 or just eth0
But iptables is not running and there is no iptables.rules file.
So your router is doing NAT? You have to use port forwarding on your router to route port 6881 to the right IP in the inside network. Ports also show as closed if there's no application listening on that port.
I used the Deluge torrent link to check if the port is open on Windows and found that it was open. Hence, it can be concluded that the router is not interfering.
Also, the command did not yield any result, probably because iptables is not running at all.
Last edited by ravisghosh (2007-06-26 16:03:28)
Hi,
Have you checked whether your Windows bittorrent client perhaps uses UPnP to "ask" the router to allow access to your bittorrent port?
Afterwards you could check if the Linux client can use UPnP to do the same.
Also, AFAIK when you use nmap to scan your router's internal IP address, you will get the ports that are open from the inside out! (Feel free to correct me if I'm wrong.)
You say there is no iptables.rules file, but have you tried to run
iptables -L
in a console? (You may need to su to root.) This will give you a list of ports opened to your machine via iptables. If you get something like
INPUT allow ALL
OUTPUT allow ALL
iptables is disabled, or no rules have been defined. (The list may vary a little, as I'm getting this from memory. I'm at work right now, and only use Windows there.)
The nmap scan you ran on your own computer suggests that only port 6000 is open. This could indicate that some kind of firewall rules are indeed set up. Perhaps guarddog sets up the rules without using the iptables.rules file?
Let me know how it goes.
MadEye | Registered Linux user #167944 since 2000-02-28 | Homepage
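An added check to go with the advice above (this is not part of madeye's post or anything else in the thread): a POSIX shell script that reads what `iptables -L -n` prints and answers the two questions being asked here, namely what the INPUT policy is and which chains hold an ACCEPT rule for a given protocol and port. The sample dump inside the script is constructed, modelled on the guarddog listing posted later in the thread; the function names and the sample are mine. Note the `-n`: plain `iptables -L` resolves ports to service names (you see `dpt:http`, not `dpt:80`) and does DNS lookups on every address, which is slow and makes the numbers you want to grep for disappear.

```shell
#!/bin/sh
# Added example, not from the thread: parse `iptables -L -n` output.
# Functions and the sample dump below are the author's own constructions.

# Constructed sample modelled on the guarddog dump in the thread (not a real capture).
SAMPLE_DUMP='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
srcfilt    0    --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
s1         0    --  0.0.0.0/0            0.0.0.0/0

Chain srcfilt (2 references)
target     prot opt source               destination
s0         0    --  0.0.0.0/0            0.0.0.0/0

Chain s0 (1 references)
target     prot opt source               destination
f0to1      0    --  0.0.0.0/0            192.168.1.5
logdrop    0    --  0.0.0.0/0            0.0.0.0/0

Chain f0to1 (3 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:6970:7170
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpts:6881:6889 state NEW
logdrop    0    --  0.0.0.0/0            0.0.0.0/0
'

# chain_policy DUMP CHAIN -> prints the default policy of a built-in chain (INPUT/FORWARD/OUTPUT)
chain_policy() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "Chain" && $2 == c && $3 == "(policy" { sub(/\)$/, "", $4); print $4 }'
}

# chains_accepting_port DUMP PROTO PORT -> prints each chain that holds an ACCEPT rule
# whose dpt:N or dpts:A:B match covers PORT for PROTO, one chain name per line.
# Fields 1-5 are target/prot/opt/source/destination; match options start at field 6.
chains_accepting_port() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        /^Chain / { chain = $2; next }
        $1 == "ACCEPT" && $2 == proto {
            for (i = 6; i <= NF; i++) {
                n = split($i, a, ":")
                if (a[1] == "dpt" && n == 2 && a[2] + 0 == port + 0) { print chain; break }
                if (a[1] == "dpts" && n == 3 && a[2] + 0 <= port + 0 && port + 0 <= a[3] + 0) { print chain; break }
            }
        }'
}

# firewall_active DUMP -> exit 0 when INPUT is anything other than "policy ACCEPT with no rules"
firewall_active() {
    if [ "$(chain_policy "$1" INPUT)" != "ACCEPT" ]; then
        return 0
    fi
    printf '%s\n' "$1" | awk '
        $1 == "Chain" { in_input = ($2 == "INPUT"); next }
        in_input && NF > 0 && $1 != "target" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Stand-alone demo on the constructed sample. On a live box, feed it the real thing:
#   chains_accepting_port "$(sudo iptables -L -n)" tcp 6881
echo "INPUT policy: $(chain_policy "$SAMPLE_DUMP" INPUT)"
echo "chains accepting tcp/6881: $(chains_accepting_port "$SAMPLE_DUMP" tcp 6881 | tr '\n' ' ')"
if firewall_active "$SAMPLE_DUMP"; then echo "a firewall is configured"; else echo "no INPUT filtering"; fi
```

Finding an ACCEPT for tcp/6881 in a chain does not prove a packet ever reaches that rule: in the guarddog listing, s0 only hands packets addressed to 192.168.1.5 or the broadcast address into f0to1 and sends everything else to logdrop, so read the jump chain downwards from INPUT, in order. Adding `-v` gives packet and byte counters per rule, which is the quickest way to see which rule is actually eating the traffic, but it also prepends two columns, so the field offsets in the awk above would shift by two.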
@madeye, first of all thanks a lot for such elaborate help.
I used uTorrent in Windows and you are very much right that it uses UPnP. In deluge (the BT client on Arch), UPnP was there but disabled (shaded). Hence, I tried running uTorrent using Wine and it gave an error message "Unable to map UPnP port" and is not able to connect. So, UPnP is not working on my box.
Then I tried as you suggested "iptables -L" and it gave me the following results.
[shantanu@bluehead ~]$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT 0 -- 192.168.1.5 192.168.1.255
logaborted tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp flags:RST/RST
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
nicfilt 0 -- anywhere anywhere
srcfilt 0 -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
srcfilt 0 -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
s1 0 -- anywhere anywhere
Chain f0to1 (3 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpts:6970:7170
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:6881:6889 state NEW
logdrop 0 -- anywhere anywhere
Chain f1to0 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:6969 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:http state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:http-alt state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8008 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8000 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8888 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:ftp state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:https state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:rtsp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:7070 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:cvspserver state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:1755 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:1755
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:11371 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:5050 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:telnet state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpts:5000:5001 state NEW
ACCEPT udp -- anywhere anywhere udp spts:1024:5999 dpt:5000
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:5222 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:5223 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpts:6881:6889 state NEW
logdrop 0 -- anywhere anywhere
Chain logaborted (1 references)
target prot opt source destination
logaborted2 0 -- anywhere anywhere limit: avg 1/sec burst 10
LOG 0 -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
Chain logaborted2 (1 references)
target prot opt source destination
LOG 0 -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `ABORTED '
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
Chain logdrop (4 references)
target prot opt source destination
logdrop2 0 -- anywhere anywhere limit: avg 1/sec burst 10
LOG 0 -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
DROP 0 -- anywhere anywhere
Chain logdrop2 (1 references)
target prot opt source destination
LOG 0 -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `DROPPED '
DROP 0 -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
logreject2 0 -- anywhere anywhere limit: avg 1/sec burst 10
LOG 0 -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP 0 -- anywhere anywhere
Chain logreject2 (1 references)
target prot opt source destination
LOG 0 -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `REJECTED '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP 0 -- anywhere anywhere
Chain nicfilt (1 references)
target prot opt source destination
RETURN 0 -- anywhere anywhere
RETURN 0 -- anywhere anywhere
RETURN 0 -- anywhere anywhere
logdrop 0 -- anywhere anywhere
Chain s0 (1 references)
target prot opt source destination
f0to1 0 -- anywhere 192.168.1.5
f0to1 0 -- anywhere 192.168.1.255
f0to1 0 -- anywhere bluehead.localdomain
logdrop 0 -- anywhere anywhere
Chain s1 (1 references)
target prot opt source destination
f1to0 0 -- anywhere anywhere
Chain srcfilt (2 references)
target prot opt source destination
s0 0 -- anywhere anywhere
That means iptables is not disabled and that the firewall rules are set up by guarddog.
I removed guarddog using "pacman -Rns guarddog" and rebooted. I still get the same results with uTorrent and "iptables -L", and the port test also still shows TCP 6881 closed.
I removed iptables and now the BT clients seem to be able to connect and it works; however, the port test still shows TCP 6881 closed.
Last edited by ravisghosh (2007-06-27 16:51:12)
Glad to be able to help.
It wasn't necessary to remove iptables though. You could just have flushed the rules, and made your own.
If you're interested you can use the following as a script to setup the firewall.
#!/bin/sh
# Define where the iptables executable is located.
IPTABLES=/usr/bin/iptables
# Flush all firewall rules.
# This clears all the rules, and will prevent any and all access inbound or outbound until we're finished.
$IPTABLES -F
# Delete all firewall chains.
# It's been my experience that it's often easier to delete all the chains before making new rules,
# especially if another firewall program has made custom rules.
$IPTABLES -X
# Set default policies.
# If no other rule matches then the default will be used.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# Allow the loopback device to access itself.
# If you don't have this, many of your programs will stop working, as they need to access themselves over the loopback device.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Allow outgoing traffic.
# Typically there is no need to block outgoing connections. Most attacks will come from the outside.
$IPTABLES -A OUTPUT -o eth0 -j ACCEPT
# Allow established and related connections.
# This rule is needed to allow connections which are already established to keep their connection.
# This is also one of those rules you need to make your machine work correctly.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow incoming bittorrent connections to TCP port 6901.
# If you use another port than 6901, just substitute it.
$IPTABLES -A INPUT -p tcp --dport 6901 -j ACCEPT
# Finally, let's drop all other connections.
# Maybe this is like using both suspenders and a belt, but you can never have enough security.
$IPTABLES -A INPUT -p tcp --syn -j DROP
Just copy the code into a text file and run it as root in a console.
E.g. run kate (the KDE editor) and paste the code into it. Then save the file as firewall.sh in your home folder.
Start a console, and use the su command to switch to the root user.
Now run
cd /home/<your username>
sh ./firewall.sh
and the rules should be set up as described in the script.
Let me know if there is anything else you need.
EDIT: I forgot to mention that if you want to keep the rules after the next time you reboot, you'll need to run the command
/etc/rc.d/iptables save
Last edited by madeye (2007-06-29 06:36:46)
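As an added example, not madeye's script and not from anywhere on this page, here is the same kind of host firewall written as an iptables-restore ruleset and loaded in one step instead of as a chain of `iptables -A` commands. The assumptions are mine: the external interface is eth0, the BitTorrent client listens on 6881 for both TCP and UDP (the thread's port test showed UDP 6881 open and TCP closed, so both are covered), and /etc/iptables/iptables.rules is the file the Arch rc.d iptables script loads at boot (the thread mentions that directory; the exact filename is my assumption). `-m state` is kept to match the thread; on current kernels the equivalent spelling is `-m conntrack --ctstate`.

```shell
#!/bin/sh
# Added example (not the thread's code): generate and atomically load an
# iptables-restore ruleset for a host running a BitTorrent client.
# Assumed: external interface eth0, port 6881 TCP+UDP, rules file below.

RULES_FILE=/etc/iptables/iptables.rules

# build_ruleset PORT EXT_IF -> prints a complete filter-table ruleset on stdout
build_ruleset() {
    port="$1"
    ext_if="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: local programs talk to each other over lo
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, and related traffic such as FTP data channels
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# packets that belong to no tracked connection and are not a valid opener
-A INPUT -m state --state INVALID -j DROP
# ICMP errors keep path-MTU discovery and connection setup working
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# peers reaching the BitTorrent client: new TCP connections plus UDP (DHT/uTP) on the same port
-A INPUT -i $ext_if -p tcp --dport $port -m state --state NEW -j ACCEPT
-A INPUT -i $ext_if -p udp --dport $port -j ACCEPT
# log a rate-limited sample of what the DROP policy is about to discard
-A INPUT -m limit --limit 2/min --limit-burst 5 -j LOG --log-prefix "DROPPED "
COMMIT
EOF
}

# ruleset_has PORT EXT_IF LINE -> exit 0 when the generated ruleset contains LINE exactly
ruleset_has() {
    build_ruleset "$1" "$2" | grep -Fxq -- "$3"
}

# rule_count PORT EXT_IF -> number of -A rule lines in the generated ruleset
rule_count() {
    build_ruleset "$1" "$2" | grep -c '^-A '
}

# apply_ruleset PORT EXT_IF -> write the boot-time file and install it now (needs root).
# iptables-restore replaces the whole filter table in one transaction, so there is no
# window where the old rules are flushed and the new ones not yet in place, and the
# file on disk is exactly what the boot script will load next time.
apply_ruleset() {
    build_ruleset "$1" "$2" > "$RULES_FILE" || return 1
    iptables-restore < "$RULES_FILE"
}

case "${1:-}" in
    apply) apply_ruleset "${2:-6881}" "${3:-eth0}" ;;
    *)     build_ruleset "${2:-6881}" "${3:-eth0}" ;;   # dry run: just print the ruleset
esac
```

Run it with no arguments to see the ruleset, and as root with `apply` to install it. Two things the restore format fixes compared with the sequential script above: `iptables -F` only empties the chains and leaves the existing default policies (and the nat and mangle tables) as they were, whereas the `:INPUT DROP` lines set the policies explicitly; and a typo half-way through a sequence of `-A` commands leaves a half-built ruleset, whereas iptables-restore rejects the whole file (newer iptables also accepts `iptables-restore --test` to parse without committing).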
Madeye, you seem to have a great ability to write fool-proof instructions; that was such a nice description. However, I found on the forum that a router can double up as a firewall and work effectively. I have posted that query under a different heading: http://bbs.archlinux.org/viewtopic.php?id=34643
I have encountered the same problem: a double firewall, but I know only one of them.
I use ufw, but I could not connect to ANY specified port even when it was properly allowed. After a while I had to reconfigure my ADSL setting with pppoe-setup, which asks at the end what level of firewalling I need. If I choose "0" (no firewall) there, my ufw rules start working, and I have control again.
I do not know the exact underlying events, but pppoe-setup seems to erase iptables (?) rules, which were doubling my firewall.
Coordinator of the Wesnoth Hungarian Translation Team
http://wesnoth.fsf.hu/
http://www.wesnoth.org
Rudanar, this post is more than 3 years old. I am sure the OP is no longer looking for a solution.
Closing.....
There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !