
#1 2008-04-30 22:40:41

praka123
Member
From: Kerala,India
Registered: 2008-03-04
Posts: 182
Website

iptables -port not opening!

Hi,
I followed http://wiki.archlinux.org/index.php/Sim … wall_HOWTO
to set up my firewall rules.
I use the deluge torrent client, with 54876 as the target open port. It is not opened unless I flush the rules.

with rule :

iptables -A open -i ppp0 -p tcp --dport 54876:54876 -j ACCEPT
iptables -A open -i ppp0 -p udp --dport 54876:54876 -j ACCEPT

Isn't the dest port open? But it isn't!

So, please help me open this port! If I flush the rules, the port can be opened by the application (deluge).

I have two chains made as per the guide:
1. interfaces - for local IP
2. open - for iface ppp0 - internet

To make it easy for you guys, I am posting exactly what I did:

# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -F
# iptables -X

# iptables -N open
# iptables -N interfaces

# iptables -A INPUT -p icmp -j ACCEPT
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# iptables -A INPUT -j interfaces
# iptables -A INPUT -j open

# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset 
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable 

# iptables -P INPUT DROP

# iptables -P FORWARD DROP

# iptables -P OUTPUT ACCEPT

# iptables -A interfaces -i lo -j ACCEPT
# iptables -A interfaces -i eth0 -j ACCEPT

# iptables -A open -p tcp --dport 22 -j ACCEPT
# iptables -A open -i ppp0 -p tcp --dport 80 -j ACCEPT

# iptables -A open -i ppp0 -p tcp --dport 54876:54876 -j ACCEPT
# iptables -A open -i ppp0 -p udp --dport 54876:54876 -j ACCEPT

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

iptables -I INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -I INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -I INPUT -i eth0 -s 127.0.0.0/8 -j DROP

iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP

iptables -I INPUT -p icmp --icmp-type redirect -j DROP
iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP

^ This is what I set up.

Below is the output of iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
LOG        udp  --  anywhere             anywhere            udp dpts:0:1023 LOG level warning 
LOG        tcp  --  anywhere             anywhere            tcp dpts:0:1023 LOG level warning 
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023 
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023 
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
DROP       icmp --  anywhere             anywhere            icmp echo-request 

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain interfaces (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain open (0 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54876 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:54876

Offline

#2 2008-04-30 23:58:35

praka123
Member
From: Kerala,India
Registered: 2008-03-04
Posts: 182
Website

Re: iptables -port not opening!

I have dynamic IP provided by my ISP.

Offline

#3 2008-05-01 09:09:33

kezar
Member
Registered: 2007-08-14
Posts: 61

Re: iptables -port not opening!

Maybe you'll want to send your packets to the open chain after they come from the INPUT one (as you can see there are 0 references to this chain, since it's never called).
Add -A INPUT -j open

Blacklist blocking is not the best way to protect a computer, you should use whitelisting and drop all disallowed traffic.

Offline
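The "0 references" kezar points at is the whole diagnosis: the ACCEPT rules for 54876 exist, but they sit in a chain no rule in INPUT ever jumps to, so they are never evaluated. The following is an added example, not code from the thread or the Arch wiki. It reads an iptables -L -n listing (the -n keeps ports numeric; without it well-known ports print as service names such as dpt:http, as in the first post) and reports, for a given destination port, which chain accepts it and whether that chain is actually reachable. The listing embedded below is a constructed sample modelled on the one praka123 posted.

```sh
#!/bin/sh
# Constructed sample: an `iptables -L -n` listing modelled on the first post.
# Port 22 is accepted directly in INPUT; the 54876 rules live in chain "open",
# which nothing jumps to ("(0 references)").
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain interfaces (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain open (0 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:54876
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:54876
'

# Usage: iptables -L -n | port_status 54876
# Prints "<chain> reachable|unreachable" for every ACCEPT rule whose
# destination port matches. Built-in chains always count as reachable
# (they print "(policy ...)"); a user-defined chain counts as reachable only
# when its header does not say "(0 references)".
port_status() {
    awk -v port="$1" '
        /^Chain / {
            chain = $2
            referenced = ($0 ~ /\(0 references\)/) ? 0 : 1
            next
        }
        # "( |$)" stops dpt:5487 from matching a query for 54876
        $1 == "ACCEPT" && $0 ~ ("dpt:" port "( |$)") {
            print chain, (referenced ? "reachable" : "unreachable")
        }
    '
}

# Stand-alone run against the constructed sample.
printf '%s' "$SAMPLE_LISTING" | port_status 54876
printf '%s' "$SAMPLE_LISTING" | port_status 22
```

A port that comes back "unreachable" needs the jump kezar gives (iptables -A INPUT -j open), and since INPUT is evaluated top to bottom the jump has to be appended before any catch-all REJECT or DROP rules, otherwise it is itself never reached.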

#4 2008-05-01 12:18:19

praka123
Member
From: Kerala,India
Registered: 2008-03-04
Posts: 182
Website

Re: iptables -port not opening!

Thanks! I will try now. But... whitelisting? What's that?

Offline

#5 2008-05-01 13:00:58

kezar
Member
Registered: 2007-08-14
Posts: 61

Re: iptables -port not opening!

You only allow what you want to use and drop all the rest.
This is the opposite of blacklisting where you drop what you don't want and allow everything else.

Offline

#6 2008-05-01 13:13:35

praka123
Member
From: Kerala,India
Registered: 2008-03-04
Posts: 182
Website

Re: iptables -port not opening!

Thanks for clarifying. I am just learning some basic things about iptables.

Offline

#7 2008-05-01 13:45:27

kezar
Member
Registered: 2007-08-14
Posts: 61

Re: iptables -port not opening!

Here is a little example of iptables configuration.
There are lots of tutorials if you want to know more.

################################### ROUTING ####################################
*mangle
:PREROUTING ACCEPT [335:155368]
:INPUT ACCEPT [335:155368]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [370:42229]
:POSTROUTING ACCEPT [370:42229]
COMMIT
*nat
:PREROUTING ACCEPT [17:3128]
:POSTROUTING ACCEPT [33:1993]
:OUTPUT ACCEPT [33:1993]
COMMIT
###############################################################################



################################### FIREWALL ##################################

##### Filters #################################################################
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:check_tcp - [0:0]
:check_icmp - [0:0]
:eth0_est - [0:0]
:eth0_in - [0:0]
:eth0_out - [0:0]
:log_scan - [0:0]
:log_icmp - [0:0]
:log_in - [0:0]
:log_out - [0:0]

##### In

## BANLIST
-A INPUT -d 255.255.255.255 -j DROP
#######
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp -j check_tcp
-A INPUT -p icmp -j check_icmp
-A INPUT -j eth0_in

##### Out
-A OUTPUT  -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A OUTPUT -p icmp -j check_icmp
-A OUTPUT -j eth0_out
###############################################################################


##### Incoming check (antiscan) #########################################################
-A check_tcp -f -j log_scan
-A check_tcp -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j log_scan
-A check_tcp -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j log_scan
-A check_tcp -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j log_scan
-A check_tcp -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j log_scan
-A check_tcp -m state --state INVALID -j log_scan 

-A check_icmp -s [your_ip] -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A check_icmp -d [your_ip] -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A check_icmp -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A check_icmp -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A check_icmp -p icmp -m icmp --icmp-type 3 -j ACCEPT
## Send everything else to log
-A check_icmp -j log_icmp
###############################################################################


##### Allow established connections ######################################################
-A eth0_est -m state --state ESTABLISHED -j ACCEPT
-A eth0_est -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state RELATED -j ACCEPT
###############################################################################


##### Process incoming packets #########################################################
## Established connections
-A eth0_in -j eth0_est
## Place here what you want to accept, for example:
## HTTP
-A eth0_in -s 127.0.0.1 -p tcp -m tcp --dport 80 -j ACCEPT
-A eth0_in -p tcp -m tcp --dport 80 -j ACCEPT
## MySQL
-A eth0_in -s 127.0.0.1 -p tcp -m tcp --dport 3306 -j ACCEPT

## Send everything else to log
-A eth0_in -j log_in
###############################################################################


##### Process outgoing packets #########################################################
## Established connections
-A eth0_out -j eth0_est
## Local
-A eth0_out -d 127.0.0.1 -j ACCEPT
## DNS (replace it by yours if you don't want to use opendns)
-A eth0_out -d 208.67.220.220 -p udp -m udp --dport 53 -j ACCEPT
## Add here what you want to allow, for example:
## SSH
-A eth0_out -p tcp -m tcp --dport 22 -j ACCEPT
## HTTP
-A eth0_out -p tcp -m tcp --dport 80 -j ACCEPT
-A eth0_out -p tcp -m tcp --sport 80 -j ACCEPT
## FTP
-A eth0_out -p tcp -m tcp --dport 21 -j ACCEPT
## MySQL
-A eth0_out -p tcp -m tcp --dport 3306 -j ACCEPT
## WHOIS
-A eth0_out -p tcp -m tcp --dport 43 -j ACCEPT
## SVN
-A eth0_out -p tcp -m tcp --dport 3690 -j ACCEPT

## Send everything else to log
-A eth0_out -j log_out
###############################################################################

###############################################################################



#################################### LOGS #####################################

##### Portscan log ############################################################
-A log_scan -m limit --limit 5/min -j LOG --log-prefix "SCAN : " --log-level 6
-A log_scan -j DROP
###############################################################################


##### ICMP log ################################################################
-A log_icmp -m limit --limit 5/min -j LOG --log-prefix "ICMP : " --log-level 6
-A log_icmp -j DROP
###############################################################################


##### Incoming log #############################################################
-A log_in -m limit --limit 5/min -j LOG --log-prefix "_IN_ : " --log-level 6
-A log_in -j DROP
###############################################################################


##### Outgoing log #############################################################
-A log_out -m limit --limit 5/min -j LOG --log-prefix "_OUT_ : " --log-level 6
-A log_out -j DROP
###############################################################################

###############################################################################



COMMIT

Last edited by kezar (2008-05-01 13:46:30)

Offline
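kezar's ruleset above is in iptables-save format, meant to be loaded with iptables-restore. Two mistakes are easy to make when editing such a file by hand: a -j to a chain that was never declared with a ":name - [0:0]" line (iptables-restore rejects the whole file), and a declared chain that nothing jumps to, which loads fine but is dead, exactly the "0 references" situation from the first post. The following lint pass is an added example, not kezar's code or the wiki's; it reads a ruleset on stdin and reports both problems. The embedded ruleset is a constructed, trimmed copy of kezar's with both mistakes deliberately introduced (eth0_in is declared but never jumped to, and log_in is used but never declared).

```sh
#!/bin/sh
# Constructed sample in iptables-save format, trimmed from the ruleset above,
# with two deliberate defects for the linter to find.
SAMPLE_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:check_tcp - [0:0]
:eth0_in - [0:0]
:log_scan - [0:0]
-A INPUT -p tcp -m tcp -j check_tcp
-A check_tcp -f -j log_scan
-A check_tcp -m state --state INVALID -j log_scan
-A eth0_in -p tcp -m tcp --dport 80 -j ACCEPT
-A eth0_in -j log_in
-A log_scan -m limit --limit 5/min -j LOG --log-prefix "SCAN : " --log-level 6
-A log_scan -j DROP
COMMIT
'

# Usage: lint_ruleset < /etc/iptables/iptables.rules
# Reports "-j" targets that are neither built-in targets nor declared chains,
# and declared user chains that no rule jumps to. Output is sorted so it is
# stable regardless of awk's array iteration order.
lint_ruleset() {
    awk '
        BEGIN {
            n = split("ACCEPT DROP REJECT LOG RETURN QUEUE", b, " ")
            for (i = 1; i <= n; i++) builtin_target[b[i]] = 1
            n = split("INPUT FORWARD OUTPUT PREROUTING POSTROUTING", c, " ")
            for (i = 1; i <= n; i++) builtin_chain[c[i]] = 1
        }
        # ":name POLICY [pkts:bytes]" declares a chain (built-in or user-defined)
        /^:/ { declared[substr($1, 2)] = 1; next }
        # "-A chain ... -j target": remember the first line each target is used on
        /^-A / {
            for (i = 1; i < NF; i++)
                if ($i == "-j") { t = $(i + 1); if (!(t in used)) used[t] = NR }
        }
        END {
            for (t in used)
                if (!(t in builtin_target) && !(t in declared))
                    print "undefined target: " t " (first used on line " used[t] ")"
            for (ch in declared)
                if (!(ch in builtin_chain) && !(ch in used))
                    print "unreferenced chain: " ch
        }
    ' | sort
}

# Stand-alone run against the constructed sample.
printf '%s' "$SAMPLE_RULESET" | lint_ruleset
```

Only the built-in targets that appear in rulesets like the one above are whitelisted in the awk program; if you add extension targets (MASQUERADE, SNAT, DNAT and so on) to a file, extend the builtin_target list accordingly or the linter will flag them.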

#8 2008-05-01 22:43:33

praka123
Member
From: Kerala,India
Registered: 2008-03-04
Posts: 182
Website

Re: iptables -port not opening!

Thanks. Yes, for dynamic-IP-based ISPs are some changes needed?

Offline

#9 2008-05-02 03:45:15

kezar
Member
Registered: 2007-08-14
Posts: 61

Re: iptables -port not opening!

Then you shouldn't block ICMP requests or you won't be able to use them yourself. Configure the other rules to suit your needs; your IP is only used when you call it (and as it's dynamic you shouldn't).

Offline
