#1 2012-12-19 17:28:33

qKUqm3wtY4
Member
From: San Francisco
Registered: 2012-12-19
Posts: 60

[SOLVED] Iptables not allowing inbound connections. Can't disable!

TL;DR - No inbound connections.  Turned firewall off.  No data inside /etc/iptables/iptables.rules -- SOLUTION POSTED AT BOTTOM OF THREAD

After a bout with iptables/ufw/gufw, I finally was able to disable the firewall using the following:

$ ufw disable
Firewall stopped and disabled on system startup

However, now I have a persisting problem that I can't pin down primarily because I can't produce any error logs.  Conky is showing no inbound connections, and Deluge will not upload or download.  I have no hardware firewall up.  I am fairly sure this is an iptables problem that I still haven't resolved.  However, to be sure, here are my Deluge network settings:

Incoming ports
[X] Use Random Ports (Test Passes)

Outgoing Ports
[X] Use Random Ports

TOS
Peer TOS Byte: [0x00]

Network Extras
[X] UPnP [X] NAT-PMP [X] Peer Exchange
[X] LSD [X] DHT

Encryption
Inbound: [Enabled] Outbound: [Enabled]
Level: [Either] [X] Encrypt entire stream

Here is my iptables status:

$ systemctl status iptables
iptables.service - Packet Filtering Framework
	  Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
	  Active: active (exited) since [DATE]; XXmin ago
	 Process: 456 ExecStart=/usr/sbin/iptables-restore /etc/iptables/iptables.rules (code=exited, status=0/SUCCESS)
	  CGroup: name=systemd:/system/iptables.service

[DATE] [LOCALHOST] systemd[1]: Started Packet Filtering Framework.

While in my hour long bout with iptables, I was getting an error message telling me that /etc/iptables/iptables.rules does not exist.  So I created an empty file.  This resolved the error.  This file is still empty.

Any help would be greatly appreciated.

Edit - Problem has been solved.  Final post in thread provides complete solution.  Thanks to brebs and cfr.

Last edited by qKUqm3wtY4 (2012-12-20 04:21:53)


I am a noob.  Ask me nothing.


#2 2012-12-19 18:42:05

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] Iptables not allowing inbound connections. Can't disable!

Reset iptables - this is what I use:

# Reset the default policies in the filter table
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Reset the default policies in the nat table
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# Reset the default policies in the mangle table
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

# Flush all the rules in the filter, nat and mangle tables
iptables -F
iptables -t nat -F
iptables -t mangle -F

# Erase non-default chains
iptables -X
iptables -t nat -X
iptables -t mangle -X


#3 2012-12-19 21:41:48

qKUqm3wtY4
Member
From: San Francisco
Registered: 2012-12-19
Posts: 60

Re: [SOLVED] Iptables not allowing inbound connections. Can't disable!

brebs wrote:

Reset iptables - this is what I use. . .

Okay, here is what I've done so far:

$ iptables -P INPUT ACCEPT
$ iptables -P FORWARD ACCEPT
$ iptables -P OUTPUT ACCEPT
$ iptables -t nat -P PREROUTING ACCEPT
$ iptables -t nat -P POSTROUTING ACCEPT
$ iptables -t nat -P OUTPUT ACCEPT
$ iptables -t mangle -P PREROUTING ACCEPT
$ iptables -t mangle -P OUTPUT ACCEPT
$ iptables -F
$ iptables -t nat -F
$ iptables -t mangle -F
$ iptables -X
$ iptables -t nat -X
$ iptables -t mangle -X
$ systemctl disable ufw
$ systemctl disable iptables
$ systemctl stop ufw
$ systemctl stop iptables
$ reboot

NEW DEVELOPMENT: Conky shows inbound connections and Deluge shows peers for about 15 minutes and then they drop off.  During this time of showing inbound traffic, I am still getting no upload/download from Deluge.

Edit - Post of progress redacted/revised.

Last edited by qKUqm3wtY4 (2012-12-19 22:39:47)



#4 2012-12-19 22:12:26

chris_l
Member
Registered: 2010-12-01
Posts: 390

Re: [SOLVED] Iptables not allowing inbound connections. Can't disable!

qKUqm3wtY4 wrote:

Okay, here is what I've done so far:

...
$ reboot

Once you reboot, you undo what brebs' scripts did.


"open source is about choice"
No.
Open source is about opening the source code complying with these conditions, period. The ability to choose among several packages is just a nice side effect.


#5 2012-12-19 22:22:56

qKUqm3wtY4
Member
From: San Francisco
Registered: 2012-12-19
Posts: 60

Re: [SOLVED] Iptables not allowing inbound connections. Can't disable!

chris_l wrote:

. . .Once you reboot, you undo what brebs' scripts did.

@chris_l: So how do I make the scripts permanent?  I am going to try them again without rebooting to see if they have any effect.

The Inbound connections I was getting seem to have stopped for no reason.  This is the same behavior that was displayed before.  So, the previous post of progress is void.  Here is the revised statement: Conky shows inbound connections and Deluge shows peers for about 15 minutes and then they drop off.  During this time of showing inbound traffic, I am still getting no upload/download from Deluge.

Edit - Revised statements to better convey issue and to allow the thread to flow.

Last edited by qKUqm3wtY4 (2012-12-19 22:46:16)



#6 2012-12-19 22:46:42

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,132

Re: [SOLVED] Iptables not allowing inbound connections. Can't disable!


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#7 2012-12-19 23:00:16

qKUqm3wtY4
Member
From: San Francisco
Registered: 2012-12-19
Posts: 60

Re: [SOLVED] Iptables not allowing inbound connections. Can't disable!

Okay, so I tried the scripts without rebooting.  This did not solve the problem.

$ iptables -P INPUT ACCEPT
$ iptables -P FORWARD ACCEPT
$ iptables -P OUTPUT ACCEPT
$ iptables -t nat -P PREROUTING ACCEPT
$ iptables -t nat -P POSTROUTING ACCEPT
$ iptables -t nat -P OUTPUT ACCEPT
$ iptables -t mangle -P PREROUTING ACCEPT
$ iptables -t mangle -P OUTPUT ACCEPT
$ iptables -F
$ iptables -t nat -F
$ iptables -t mangle -F
$ iptables -X
$ iptables -t nat -X
$ iptables -t mangle -X

I then tried turning ufw and iptables off.  This did not solve the problem.

$ systemctl stop ufw
$ systemctl stop iptables

Then I tried disconnecting from the internet and reconnecting.  I also tried restarting Deluge.

$ ifconfig wlan0 down
$ ifconfig wlan0 up
$ wifi-menu

Problem still unsolved



#8 2012-12-19 23:06:12

qKUqm3wtY4
Member
From: San Francisco
Registered: 2012-12-19
Posts: 60

Re: [SOLVED] Iptables not allowing inbound connections. Can't disable!

@cfr: Thank you, I will look closely at these links.  Here is my existing ruleset (I have no idea what this means at the moment):

$ iptables -nvL
Chain INPUT (policy ACCEPT 92348 packets, 90M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 61727 packets, 4550K bytes)
 pkts bytes target     prot opt in     out     source               destination


#9 2012-12-19 23:30:32

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,132

Re: [SOLVED] Iptables not allowing inbound connections. Can't disable!

You shouldn't get that result running as a normal user - you should need to be root to view the table.

The output, however, says that iptables is filtering nothing and allowing everything. The default policy for all chains is ACCEPT and there are no rules in any chain.



#10 2012-12-20 00:36:58

qKUqm3wtY4
Member
From: San Francisco
Registered: 2012-12-19
Posts: 60

Re: [SOLVED] Iptables not allowing inbound connections. Can't disable!

cfr wrote:

You shouldn't get that result running as a normal user - you should need to be root to view the table.

@cfr: I removed sudo from the posts because I figured it would be redundant information.

The output, however, says that iptables is filtering nothing and allowing everything. The default policy for all chains is ACCEPT and there are no rules in any chain.

@cfr: I am stumped.  Even though this is my current ruleset, I still am getting no inbound connections.  I have no hardware firewall setup on my router.  My ISP doesn't block torrent traffic.  I use encryption on my torrent streams.  How can I produce logs that may shine better light on this issue?

Here is some information that might be pertinent.  Earlier today when I was battling this iptables issue, I came across an Ubuntu forum post that suggested the user delete the /etc/iptables/iptables.rules file.  This obviously did not work, and actually caused problems.  So I replaced the file with a blank one to fix the problem.  Here is a dump of the process:

All date, time, hostname, username, and sudo information has been removed.

$ systemctl start iptables.service
Job for iptables.service failed. See 'systemctl status iptables.service' and 'journalctl -xn' for details.

$ systemctl status iptables.service
iptables.service - Packet Filtering Framework
	  Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
	  Active: failed (Result: exit-code) since DATE TIME; 3min ago
	 Process: 2962 ExecStart=/usr/sbin/iptables-restore /etc/iptables/iptables.rules (code=exited, status=1/FAILURE)
	  CGroup: name=systemd:/system/iptables.service

DATE TIME HOSTNAME systemd[1]: Starting Packet Filtering Framework...
DATE TIME HOSTNAME iptables-restore[2962]: Can't open /etc/iptables/iptables.rules: No such file or directory
DATE TIME HOSTNAME systemd[1]: iptables.service: main process exited, code=exited, status=1/FAILURE
DATE TIME HOSTNAME systemd[1]: Failed to start Packet Filtering Framework.
DATE TIME HOSTNAME systemd[1]: Unit iptables.service entered failed state

At this point I tried to do journalctl but it said I needed to create some sort of key.  I did this, and then saved a backup of what I assume is the hash.  Then I was able to run journalctl.

$ journalctl -xn
-- Logs begin at DATE TIME, end at DATE TIME. --
DATE TIME HOSTNAME slim[472]: Conky: could not connect to hddtemp host
DATE TIME HOSTNAME slim[472]: Conky: could not connect to hddtemp host
DATE TIME HOSTNAME slim[472]: Conky: statfs64 '/share1': No such file or directory
DATE TIME HOSTNAME slim[472]: Conky: could not connect to hddtemp host
DATE TIME HOSTNAME slim[472]: Conky: statfs64 '/share1': No such file or directory
DATE TIME HOSTNAME slim[472]: Conky: statfs64 '/share1': No such file or directory
DATE TIME HOSTNAME slim[472]: Conky: could not connect to hddtemp host
DATE TIME HOSTNAME slim[472]: Conky: could not connect to hddtemp host
DATE TIME HOSTNAME sudo[2992]: USERNAME : TTY=pts/1 ; PWD=/home/USERNAME ; USER=root ; COMMAND=/usr/bin/journalctl -xn
DATE TIME HOSTNAME sudo[2992]: pam_unix(sudo:session): session opened for user root by USERNAME(uid=0)

What do, fellow Archers?



#11 2012-12-20 01:15:06

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,132

Re: [SOLVED] Iptables not allowing inbound connections. Can't disable!

Why are you trying to start iptables.service if you don't want iptables to filter anything? I'm really not clear why you are so sure it is an iptables issue.



#12 2012-12-20 01:51:10

qKUqm3wtY4
Member
From: San Francisco
Registered: 2012-12-19
Posts: 60

Re: [SOLVED] Iptables not allowing inbound connections. Can't disable!

cfr wrote:

Why are you trying to start iptables.service if you don't want iptables to filter anything? I'm really not clear why you are so sure it is an iptables issue.

@cfr: At first, I wanted to configure a firewall.  I got overzealous and started installing things before I was sure what I was doing.  The information provided in my last post were things I did before I started this thread.  I've now decided to turn it off so that I can use Deluge (assuming that the firewall was the problem).  So now, I have it turned off.  If this is not an Iptables issue (which after reading, it doesn't appear to be), then I have no clue what the problem really is.  Why else would one be able to send outbound connections, but receive none incoming?

I suppose I could reinstall Arch from scratch but I'd rather fix the problem.  I've just begun to get my system where I want it; this is really the last step.

Thank you for your tips, cfr.  Regardless of whether or not I solve this problem I've learned quite a bit.



#13 2012-12-20 03:17:14

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] Iptables not allowing inbound connections. Can't disable!

Is there an ADSL router box between your PC and the Internet cabling? That will need configuring too.


#14 2012-12-20 03:32:07

qKUqm3wtY4
Member
From: San Francisco
Registered: 2012-12-19
Posts: 60

Re: [SOLVED] Iptables not allowing inbound connections. Can't disable!

brebs wrote:

Is there an ADSL router box between your PC and the Internet cabling? That will need configuring too.

@brebs: I have a Motorola Surfboard cable modem which is connected to a Netgear wireless router.  I have the wireless router configured to accept UPnP and I have the firewall turned off.  I am sure it works because I can download torrents and accept general inbound traffic from my Android.  I've just removed Deluge and replaced it with Transmission.  I still have the same problem.

This is not a hardware issue.  This is not likely to be a torrent application issue (unless it is a dependency package).  In fact, I downloaded a few things from Deluge before I caused this issue.  It stopped working about the same time I started messing with iptables.



#15 2012-12-20 03:51:04

qKUqm3wtY4
Member
From: San Francisco
Registered: 2012-12-19
Posts: 60

Re: [SOLVED] Iptables not allowing inbound connections. Can't disable!

I do not know what just happened.  Transmission just started working.  I suddenly started receiving inbound connections.

I will mark this as solved as per the thread title.  Technically if this were an issue of Iptables, it would have been solved by the help I've gotten here.  I will create a final post reviewing the advice that was given regarding iptables.  Thank you both for your advice.



#16 2012-12-20 04:15:05

qKUqm3wtY4
Member
From: San Francisco
Registered: 2012-12-19
Posts: 60

Re: [SOLVED] Iptables not allowing inbound connections. Can't disable!

SOLVED!

Helpful Links:
https://wiki.archlinux.org/index.php/Ip … mmand_line
https://wiki.archlinux.org/index.php/Ip … ation_file
https://wiki.archlinux.org/index.php/Si … l_Firewall

Reset the default policies in the filter table

# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT

Reset the default policies in the nat table

# iptables -t nat -P PREROUTING ACCEPT
# iptables -t nat -P POSTROUTING ACCEPT
# iptables -t nat -P OUTPUT ACCEPT

Reset the default policies in the mangle table

# iptables -t mangle -P PREROUTING ACCEPT
# iptables -t mangle -P OUTPUT ACCEPT

Flush all the rules in the filter and nat tables

# iptables -F
# iptables -t nat -F
# iptables -t mangle -F

Erase non-default chains

# iptables -X
# iptables -t nat -X
# iptables -t mangle -X

Check to ensure configuration is correct

# iptables -nvL

You should see something like this:

Chain INPUT (policy ACCEPT)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT)
 pkts bytes target     prot opt in     out     source               destination  

Save the rules and restart Iptables

# iptables-save > /etc/iptables/iptables.rules
# systemctl restart iptables

Last edited by qKUqm3wtY4 (2012-12-20 04:36:02)


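The "check to ensure configuration is correct" step in the final post (and cfr's reading of the listing in post #9) comes down to reading `iptables -nvL` by eye: every chain policy must be ACCEPT and no chain may hold a rule. The script below is an added example, not code from the thread, from brebs or from any Arch tool. It parses a listing on stdin and exits 0 only when the table is fully open, flagging a non-ACCEPT policy, any rule, or a leftover user-defined chain (which the `iptables -X` step should have removed). The two sample listings are constructed for the example; the first is copied from the one posted in post #8, the second is a made-up filtering ruleset. It never calls iptables itself, so it runs without root and can be pointed at saved output.

```shell
#!/bin/sh
# Added example: verify that an `iptables -nvL` listing shows a fully open table.
# Reads the listing on stdin, prints one summary line per chain, and exits 0 when
# every chain is "policy ACCEPT" with zero rules and no user-defined chains remain;
# exits 1 otherwise. Only the listing format is assumed; no iptables call is made.
check_iptables_open() {
    awk '
        # chain header, e.g. "Chain INPUT (policy ACCEPT 92348 packets, 90M bytes)"
        # or, without counters, "Chain INPUT (policy ACCEPT)"
        /^Chain / {
            chain = $2
            policy = "user-defined"          # "(N references)" form: no policy at all
            if ($3 == "(policy") { policy = $4; sub(/\)$/, "", policy) }
            chains[chain] = policy
            rules[chain] = 0
            if (policy != "ACCEPT") bad = 1  # DROP/REJECT policy or a chain -X should have erased
            next
        }
        # column header printed under every chain
        /^ *pkts +bytes +target/ { next }
        # any other non-empty line is a rule belonging to the current chain
        NF > 0 && chain != "" {
            rules[chain]++
            bad = 1
            next
        }
        END {
            for (c in chains)
                printf "%-12s policy=%-13s rules=%d\n", c, chains[c], rules[c]
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample 1: the listing from post #8 (filter table after the reset).
OPEN_LISTING=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 92348 packets, 90M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 61727 packets, 4550K bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
)

# Constructed sample 2: a made-up filtering ruleset (DROP policies, rules, and a
# user-defined chain), i.e. what the reset steps are meant to clear.
FILTERING_LISTING=$(cat <<'EOF'
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  340 28000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1204   96K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 61727 packets, 4550K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain TCP (1 references)
 pkts bytes target     prot opt in     out     source               destination
EOF
)

# On a live system (as root):  iptables -nvL | check_iptables_open
# Repeat with `iptables -t nat -nvL` and `iptables -t mangle -nvL`; the filter
# listing alone says nothing about the other two tables the reset touches.
printf '%s\n' "$OPEN_LISTING" | check_iptables_open && echo "open: nothing is filtered"
printf '%s\n' "$FILTERING_LISTING" | check_iptables_open || echo "NOT open: still filtering"
```

Because it only reads the listing, the same check can be run on the output saved before and after the reset to confirm the steps actually took effect, which is the evidence this thread was missing when the inbound-connection problem turned out not to be iptables at all.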
