
#1 2009-04-02 05:36:02

Ranguvar
Member
Registered: 2008-08-12
Posts: 2,549

[SOLVED] Stupid questions on opening ports in Arch

I've forwarded a series of ports on my router. I know I'm doing this part right, because when I used Windows, it reported the ports were open.

I'd like to open these ports on Arch, for torrenting. Even with the router forwarding, the ports are not seen as open yet (that's good, but I'd like to open them). What is the preferred method of doing so? Is this accomplished through /etc/hosts.allow/deny, or through iptables? What do those two files _really_ do? And lastly, is there a way to open those ports only for a specific application (in this case, my torrent app)?

Any side info on networking would be much appreciated--I know little about it compared to other things, but I'd like to know more. Thanks :)

Last edited by Ranguvar (2009-04-02 23:01:43)

Offline

#2 2009-04-02 06:34:32

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224
Website

Re: [SOLVED] Stupid questions on opening ports in Arch

Ranguvar wrote:

What do those two files _really_ do?

iptables is purely an inspection and filtering (mostly) application within the kernel that works at a TCP/IP level. hosts.allow is a tcpwrapper and works on the application being accessed, but can only work with applications that support tcpwrappers. (ie, the program has to ask the tcpwrapper who's allowed to connect before accepting the connection)

Ranguvar wrote:

And lastly, is there a way to open those ports only for a specific application (in this case, my torrent app)?

If you can find a torrent client that supports tcpwrappers, then yes, otherwise you're pretty much stuck with just opening the ports.

A (hack) semi-alternative would be to use the 'owner' module for iptables, although this only works for outbound packets, not inbound (but if something connects inbound to User X, and you only allow outbound from User Y then they won't get a reply)

Either way, you will have to open it in iptables, it's just a matter of whether you can find a tcpwrapper-enabled torrent client to supplement iptables.

Last edited by fukawi2 (2009-04-02 06:36:01)

Offline

#3 2009-04-02 07:31:33

archlinuxsagi
Member
Registered: 2008-09-12
Posts: 259

Re: [SOLVED] Stupid questions on opening ports in Arch

What server application are you running beside torrents? If iptables is NOT running and port-forwarding is set up properly, the outside world should be able to see your ports and your router should be able to specify the range of ports.

If torrent clients are trying to connect to your torrent workstation, I believe /etc/hosts.allow/deny will block ip addresses which is what you don't want to do.

If you are, for example, using transmission for torrent downloads, you can open up a single port at your router for port forwarding purposes based on transmission configuration.

Last edited by archlinuxsagi (2009-04-02 07:44:47)

Offline

#4 2009-04-02 12:46:08

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [SOLVED] Stupid questions on opening ports in Arch

I don't have iptables running and I have not changed anything else just did the port-forward in the router and configured deluge to use the forwarded ports and it works ..... maybe your isp is to blame for the port blocking .... try to forward another port (maybe port 22 (ssh)) and ask a trusted friend to try to connect to your pc, I guess that will make it a little easier to find the problem.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#5 2009-04-02 13:11:21

archlinuxsagi
Member
Registered: 2008-09-12
Posts: 259

Re: [SOLVED] Stupid questions on opening ports in Arch

R00KIE wrote:

try to forward another port (maybe port 22 (ssh)) and ask a trusted friend to try to connect to your pc, I guess that will make it a little easier to find the problem.

You can always register an account with dyndns.org and connect to your home linux server from the URL through SSH.
That's what I always do. :D

Offline

#6 2009-04-02 16:37:45

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [SOLVED] Stupid questions on opening ports in Arch

archlinuxsagi wrote:
R00KIE wrote:

try to forward another port (maybe port 22 (ssh)) and ask a trusted friend to try to connect to your pc, I guess that will make it a little easier to find the problem.

You can always register an account with dyndns.org and connect to your home linux server from the URL through SSH.
That's what I always do. :D

Oh yeah I forgot about that, you need to know your external IP (dyndns will do a great job there :D) but the port forward is always needed.
I said to try with an ssh server because it may "speak" a little bit more than a torrent client so it may be easier to see what is going wrong.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#7 2009-04-02 17:20:50

Nezmer
Member
Registered: 2008-10-24
Posts: 559
Website

Re: [SOLVED] Stupid questions on opening ports in Arch

Ranguvar wrote:

I'd like to open these ports on Arch, for torrenting. Even with the router forwarding, the ports are not seen as open yet

As already mentioned, forwarding the ports from the router should be enough.
How did you conclude that the ports are not open yet?


English is not my native language .

Offline

#8 2009-04-02 21:42:48

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224
Website

Re: [SOLVED] Stupid questions on opening ports in Arch

Just because the forwarding is in place guys, doesn't mean the ports will appear as open. If iptables is blocking the connections, or the torrent client isn't running then they will still appear to be closed.

Offline

#9 2009-04-02 23:00:39

Ranguvar
Member
Registered: 2008-08-12
Posts: 2,549

Re: [SOLVED] Stupid questions on opening ports in Arch

Okay, it seems that forwarding the ports on the router *was* enough. Websites still report my port as closed, but I installed Deluge and its checker says everything's fine. De-forwarding the ports makes it complain. I tried setting some basic iptables settings to allow those ports and running it, but that didn't change website checkers.

Then I re-read fukawi2's last post, tried a web port checker when Deluge was running, and it's open :P

Thanks, all, especially fukawi2 for your explanatory first post (I meant those files as in hosts.allow and hosts.deny, but I understand now) :) Solved.

Last edited by Ranguvar (2009-04-02 23:01:33)

Offline

#10 2009-04-02 23:17:11

peets
Member
From: Montreal
Registered: 2007-01-11
Posts: 936
Website

Re: [SOLVED] Stupid questions on opening ports in Arch

A port is open if 1. There's an application listening in on it and 2. it isn't being blocked by a firewall or some such. You need to have the torrent client running for your port to be seen as "open"!

BTW, is it possible to have a port which is actually open but appears closed? I mean, I'd have an application that's listening on some port, but it would only reply to very specific requests, and deny all other packets (esp. the ones that just ask "is anyone home?").

Offline
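
The two conditions in the post above can be observed on a single machine. The following is an added example, not code from any poster in this thread: it probes one loopback port before, while and after something listens on it, the way a web port checker probes a forwarded port. The names probe and demo are made up for the illustration, and a plain listening socket stands in for the torrent client.

```python
import socket

def probe(host, port, timeout=1.0):
    """Classify a TCP port the way an outside port checker sees it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"      # a reset came back: host reachable, no listener
    except OSError:
        return "filtered"    # timeout or unreachable: typically a firewall dropping packets
    finally:
        s.close()

def demo():
    """Probe one loopback port before, during and after a listener exists."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # kernel picks a free port; nothing listens yet
    port = srv.getsockname()[1]
    before = probe("127.0.0.1", port)   # bound but not listening
    srv.listen(1)                       # stands in for starting the torrent client
    during = probe("127.0.0.1", port)
    srv.close()                         # stands in for quitting the client
    after = probe("127.0.0.1", port)
    return before, during, after

if __name__ == "__main__":
    print(demo())
```

Most web port checkers do not distinguish "closed" from "filtered" and report both as closed, which is why the forwarded port only showed as open while Deluge was running.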

#11 2009-04-03 00:02:39

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224
Website

Re: [SOLVED] Stupid questions on opening ports in Arch

peets wrote:

BTW, is it possible to have a port which is actually open but appears closed? I mean, I'd have an application that's listening on some port, but it would only reply to very specific requests, and deny all other packets (esp. the ones that just ask "is anyone home?").

No -- in order to determine the 'very specific' request, it has to accept at least a small portion of the traffic, enough for someone to determine that it's open. You can 'block' it based on other criteria, such as source address (ie, this port is closed unless you're connecting from address 12.23.34.45).

You could use a port knocking setup to only open the port after a specific set of ports have already been 'contacted'. http://en.wikipedia.org/wiki/Port_knocking

Last edited by fukawi2 (2009-04-03 00:03:38)

Offline
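
The port knocking idea from the post above, sketched as an added example that is not part of the original post or of any real knock daemon: a tracker that marks a source address as allowed only after it has contacted a fixed set of ports in order within a time window. The sequence 7000/8000/9000, the 10-second window, the class and function names and the sample events (documentation-range addresses) are all constructed for the illustration.

```python
KNOCK_SEQUENCE = (7000, 8000, 9000)   # constructed secret sequence
WINDOW = 10.0                         # seconds allowed for the whole sequence

class KnockTracker:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}    # src -> (knocks matched so far, time of first knock)
        self.allowed = set()  # sources the firewall would now let through

    def observe(self, src, port, ts):
        """Feed one blocked connection attempt; True when src completes the knock."""
        idx, start = self.progress.get(src, (0, ts))
        if ts - start > self.window:
            idx = 0                   # too slow: start over
        if port != self.sequence[idx]:
            idx = 0                   # wrong port: start over
        if port == self.sequence[idx]:
            if idx == 0:
                start = ts            # first knock starts the clock
            idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            self.allowed.add(src)
            return True
        self.progress[src] = (idx, start)
        return False

# Constructed sample: (source, destination port, timestamp in seconds)
EVENTS = [
    ("203.0.113.5", 7000, 0.0), ("203.0.113.5", 8000, 1.0),
    ("203.0.113.5", 9000, 2.0),                       # correct knock
    ("198.51.100.9", 7000, 3.0), ("198.51.100.9", 7001, 3.1),
    ("198.51.100.9", 8000, 3.2), ("198.51.100.9", 9000, 3.3),  # sequential scan
    ("192.0.2.77", 7000, 0.0), ("192.0.2.77", 8000, 5.0),
    ("192.0.2.77", 9000, 20.0),                       # right ports, too slow
]

def replay(events):
    """Run events through a fresh tracker and return the allowed sources."""
    tracker = KnockTracker()
    for src, port, ts in events:
        tracker.observe(src, port, ts)
    return tracker.allowed

if __name__ == "__main__":
    print(replay(EVENTS))
```

To every source not in the allowed set the protected port keeps looking closed, which is the same source-address filtering described in the post, with the address list filled in dynamically.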

#12 2009-04-03 00:04:54

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224
Website

Re: [SOLVED] Stupid questions on opening ports in Arch

Ranguvar wrote:

Thanks, all, especially fukawi2 for your explanatory first post (I meant those files as in hosts.allow and hosts.deny, but I understand now) :) Solved.

You're welcome :)

Offline

#13 2009-04-03 02:40:47

stryder
Member
Registered: 2009-02-28
Posts: 500

Re: [SOLVED] Stupid questions on opening ports in Arch

I use shorewall as my firewall and I have been opening specific ports whenever I want to torrent and closing them when I have finished. Does the fact that ports are "open" only when a program is listening there mean that there is actually no need for me to close those ports whenever I am not torrenting? Is there any danger of intrusion from the net if ports are open but no services are available?

Offline

#14 2009-04-03 05:04:17

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224
Website

Re: [SOLVED] Stupid questions on opening ports in Arch

stryder wrote:

Does the fact that ports are "open" only when a program is listening there mean that there is actually no need for me to close those ports whenever I am not torrenting?

Correct.

stryder wrote:

Is there any danger of intrusion from the net if ports are open but no services are available?

Extremely negligible -- small enough to not bother with closing the ports.

Offline

#15 2009-04-03 06:17:03

stryder
Member
Registered: 2009-02-28
Posts: 500

Re: [SOLVED] Stupid questions on opening ports in Arch

Thanks fukawi2. Good to know. :-)

Offline
