#1 2011-01-19 04:35:07

tsr-nc
Member
Registered: 2009-02-07
Posts: 40

[solved] Iptables - open port still gets rejected

I am trying to open 2 ports in my firewall, 5582 UDP and 61185 UDP and TCP. However, after reading up on iptables and following this guide (https://wiki.archlinux.org/index.php/Si … l_firewall) these ports are still being blocked. I am new to iptables, and I've gone over the rules but still not seeing what is rejecting it. Note that 61185 gets rejected, not dropped, at least the TCP. All other tested TCP ports are dropping. I have not yet been able to test UDP but I assume that it's not working either. Here are my iptables rules.

# Generated by iptables-save v1.4.10 on Tue Jan 18 15:37:23 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2235:279476]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -s 127.0.0.0/8 -i wlan0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A UDP -p udp -m udp --dport 5582 -j ACCEPT
-A UDP -p udp -m udp --dport 61185 -j ACCEPT
-A TCP -p tcp -m tcp --dport 61185 -j ACCEPT
-A INPUT -p udp -m state --state NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j TCP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Tue Jan 18 15:37:23 2011
# Generated by iptables-save v1.4.10 on Tue Jan 18 15:37:23 2011
*nat
:PREROUTING ACCEPT [1765:224576]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [2859:262280]
:POSTROUTING ACCEPT [2860:262320]
COMMIT
# Completed on Tue Jan 18 15:37:23 2011

Last edited by tsr-nc (2011-01-22 01:06:44)

#2 2011-01-19 11:39:25

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: [solved] Iptables - open port still gets rejected

That should work... Give us the output of the following:

iptables -nvL
netstat -tunlp

#3 2011-01-19 16:30:22

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [solved] Iptables - open port still gets rejected

I believe this

-A UDP -p udp -m udp --dport 5582 -j ACCEPT 
-A UDP -p udp -m udp --dport 61185 -j ACCEPT 
-A TCP -p tcp -m tcp --dport 61185 -j ACCEPT

should be more like this:

-A INPUT -p udp -m udp --dport 5582 -j ACCEPT 
-A INPUT -p udp -m udp --dport 61185 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 61185 -j ACCEPT 

Also your rules with target TCP and UDP (-j TCP and -j UDP) are not valid rules, check the iptables manual for the valid targets (ACCEPT, DROP, ...).


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

#4 2011-01-19 16:42:54

Damnshock
Member
From: Barcelona
Registered: 2006-09-13
Posts: 414

Re: [solved] Iptables - open port still gets rejected

I agree with Rookie

Regards,

Damnshock


My blog: blog.marcdeop.com
Jabber ID: damnshock@jabber.org

#5 2011-01-19 18:55:25

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: [solved] Iptables - open port still gets rejected

R00KIE wrote:

Also your rules with target TCP and UDP (-j TCP and -j UDP) are not valid rules, check the iptables manual for the valid targets (ACCEPT, DROP, ...).

No, UDP and TCP are custom-defined chains. They are OK.

@tsr-nc,

Try changing

-A INPUT -p udp -m state --state NEW -j UDP

to

-A INPUT -p udp -m udp -j UDP

because it may be that the kernel does not see the packets as "NEW"...

Also, I have been having a modification of your TCP rule:

-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

in my iptables.rules for a long time and noticed, after reading your OP, that SYNACK packets never get rejected (counters are 0), but dropped by the default policy... quite puzzling.

Last edited by Leonid.I (2011-01-19 18:56:20)


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd

#6 2011-01-19 20:13:09

tsr-nc
Member
Registered: 2009-02-07
Posts: 40

Re: [solved] Iptables - open port still gets rejected

Thank you all for your help, but neither of those suggestions helped. I should mention that I am behind a firewall, but I believe that port forwarding is set up correctly because the default behavior of the router is to drop packets. Thinking about the problem, I was wondering if all pings would be rejected, or only ones on closed ports. I have modified /etc/sysctl.conf to block all pings. I assumed that open ports would be exempted but I may be wrong there. When I disable iptables and set my computer to DMZ on the router all ports are being rejected, which makes me think the problem may lie somewhere else. Also, Leonid.I, I don't quite understand what you mean by "SYNACK packets never get rejected (counters are 0), but dropped by the default policy".

Here's the output requested by fukawi2

###### iptables -nvL

Chain INPUT (policy ACCEPT 31882 packets, 9887K bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 32015 packets, 7556K bytes)
pkts bytes target     prot opt in     out     source               destination

###### netstat -tunlp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:9876            0.0.0.0:*               LISTEN      31044/gmpc         
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN      21887/privoxy       
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      4066/cupsd         
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      19183/(squid)       
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      4061/tor           
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4061/tor           
tcp        0      0 127.0.0.1:58846         0.0.0.0:*               LISTEN      14487/python2       
tcp        0      0 0.0.0.0:9030            0.0.0.0:*               LISTEN      4061/tor           
tcp        0      0 ::1:631                 :::*                    LISTEN      4066/cupsd         
tcp        0      0 :::6600                 :::*                    LISTEN      2589/mpd           
udp        0      0 192.168.1.109:37322     0.0.0.0:*                           14487/python2       
udp        0      0 0.0.0.0:631             0.0.0.0:*                           4066/cupsd         
udp        0      0 0.0.0.0:4827            0.0.0.0:*                           19183/(squid)       
udp        0      0 127.0.0.1:41941         0.0.0.0:*                           14487/python2       
udp        0      0 0.0.0.0:3130            0.0.0.0:*                           19183/(squid)       
udp        0      0 0.0.0.0:48443           0.0.0.0:*                           14487/python2       
udp        0      0 0.0.0.0:3401            0.0.0.0:*                           19183/(squid)       
udp        0      0 0.0.0.0:56797           0.0.0.0:*                           19183/(squid)       
udp        0      0 192.168.1.109:1900      0.0.0.0:*                           14487/python2       
udp        0      0 127.0.0.1:1900          0.0.0.0:*                           14487/python2       
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           14487/python2       
udp        0      0 0.0.0.0:55652           0.0.0.0:*                           14487/python2       

########  Here is my /etc/sysctl.conf

kernel.sysrq = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1

####### Specifically This , ignore all echo requests
net.ipv4.icmp_echo_ignore_all = 1

net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1

Last edited by tsr-nc (2011-01-19 20:19:43)

#7 2011-01-19 20:25:14

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: [solved] Iptables - open port still gets rejected

tsr-nc wrote:

Also, Leonid.I, I don't quite understand what you mean by  "SYNACK packets never get rejected (counters are 0), but dropped by the default policy".

What I meant is that putting --tcp-flags and -m state --state NEW together didn't work for me either. The packets with both SYN and ACK fields set should be rejected per my rule; instead they are dropped at the end of the chain, because the rule is never executed.

tsr-nc wrote:

Here's the output requested by fukawi2

###### iptables -nvL

Chain INPUT (policy ACCEPT 31882 packets, 9887K bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 32015 packets, 7556K bytes)
pkts bytes target     prot opt in     out     source               destination

This is odd. Your iptables.rules isn't sourced, because the ruleset is empty! For example, look at the default policy of INPUT: it should be DROP, instead of ACCEPT. Then, I don't understand why anything at all gets rejected. Please revert /etc/sysctl.conf to its default state.


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd

#8 2011-01-19 22:01:25

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: [solved] Iptables - open port still gets rejected

(Please wrap quoted output like this in code tags in future.)

tsr-nc wrote:
###### iptables -nvL

Chain INPUT (policy ACCEPT 31882 packets, 9887K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 32015 packets, 7556K bytes)
 pkts bytes target     prot opt in     out     source               destination 

As mentioned, your iptables rules aren't actually being put in place for some reason. Do you have iptables in your DAEMONS array?
That's not going to be causing the problem though -- since the default is to ACCEPT anyway, it just means you're more open than you expect.

tsr-nc wrote:
###### netstat -tunlp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:9876            0.0.0.0:*               LISTEN      31044/gmpc          
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN      21887/privoxy       
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      4066/cupsd          
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      19183/(squid)       
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      4061/tor            
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4061/tor            
tcp        0      0 127.0.0.1:58846         0.0.0.0:*               LISTEN      14487/python2       
tcp        0      0 0.0.0.0:9030            0.0.0.0:*               LISTEN      4061/tor            
tcp        0      0 ::1:631                 :::*                    LISTEN      4066/cupsd          
tcp        0      0 :::6600                 :::*                    LISTEN      2589/mpd            
udp        0      0 192.168.1.109:37322     0.0.0.0:*                           14487/python2       
udp        0      0 0.0.0.0:631             0.0.0.0:*                           4066/cupsd          
udp        0      0 0.0.0.0:4827            0.0.0.0:*                           19183/(squid)       
udp        0      0 127.0.0.1:41941         0.0.0.0:*                           14487/python2       
udp        0      0 0.0.0.0:3130            0.0.0.0:*                           19183/(squid)       
udp        0      0 0.0.0.0:48443           0.0.0.0:*                           14487/python2       
udp        0      0 0.0.0.0:3401            0.0.0.0:*                           19183/(squid)       
udp        0      0 0.0.0.0:56797           0.0.0.0:*                           19183/(squid)       
udp        0      0 192.168.1.109:1900      0.0.0.0:*                           14487/python2       
udp        0      0 127.0.0.1:1900          0.0.0.0:*                           14487/python2       
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           14487/python2       
udp        0      0 0.0.0.0:55652           0.0.0.0:*                           14487/python2    

Your original post said you are trying to open UDP 5582 and TCP+UDP 61185, however there is nothing on your computer listening for these ports, so you are getting the connection rejected messages because iptables is allowing the packet, but the kernel has nowhere to send the packet (ie, a listening application process) so the kernel closes the connection attempt.

And /etc/sysctl.conf has little to do with port-specific rules in iptables, so you can put that back how it was and ignore it for now.
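An added diagnostic (not code from the thread or any of its posters) that automates the cross-check fukawi2 makes above: parse an iptables-save ruleset and netstat -tunlp output, then flag every firewall-accepted port that nothing is listening on. The two inputs are constructed excerpts of the thread's own output, with the java listener on UDP 5582 from post #9 added so that one port shows up as served.

```python
import re

# Constructed excerpt of the iptables-save filter table from the original post.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A UDP -p udp -m udp --dport 5582 -j ACCEPT
-A UDP -p udp -m udp --dport 61185 -j ACCEPT
-A TCP -p tcp -m tcp --dport 61185 -j ACCEPT
-A INPUT -p udp -m state --state NEW -j UDP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
"""
# Constructed netstat -tunlp excerpt: squid/tor lines from post #6 plus the
# java listener on UDP 5582 that only shows up in post #9.
NETSTAT = """\
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      19183/(squid)
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      4061/tor
udp        0      0 0.0.0.0:3130            0.0.0.0:*                           19183/(squid)
udp        0      0 :::5582                 :::*                                30205/java
"""
LOOPBACK = {"127.0.0.1", "::1"}

def accepted_ports(rules):
    """(proto, dport) pairs some ACCEPT rule matches; custom chains count too."""
    found = set()
    for line in rules.splitlines():
        m = re.match(r"-A \S+ -p (tcp|udp) .*--dport (\d+) .*-j ACCEPT", line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found

def listeners(netstat):
    """(proto, port, bind_address) triples parsed from netstat -tunlp lines."""
    found = set()
    for line in netstat.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        addr, port = f[3].rsplit(":", 1)  # handles 0.0.0.0:3128 and :::5582
        found.add((f[0].rstrip("6"), int(port), addr))
    return found

def audit(rules, netstat):
    """Classify each accepted port as 'listening', 'local-only' or 'no-listener'.
    A 'no-listener' port passes iptables and is then refused by the kernel itself
    (TCP RST / ICMP port unreachable): the thread's 'rejected' symptom."""
    ls = listeners(netstat)
    report = {}
    for proto, port in sorted(accepted_ports(rules)):
        addrs = {a for p, pt, a in ls if p == proto and pt == port}
        if not addrs:
            report[(proto, port)] = "no-listener"
        elif addrs <= LOOPBACK:
            report[(proto, port)] = "local-only"
        else:
            report[(proto, port)] = "listening"
    return report
```

Run `audit(IPTABLES_SAVE, NETSTAT)` to see UDP 5582 reported as listening and both 61185 entries as no-listener, i.e. the firewall is fine and the missing piece is the receiving program.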

#9 2011-01-19 23:18:21

tsr-nc
Member
Registered: 2009-02-07
Posts: 40

Re: [solved] Iptables - open port still gets rejected

Yes, iptables is part of my DAEMONS array. I have reset my /etc/sysctl.conf.
Sorry, in my previous post I ran those commands with iptables disabled and my receiving program off.

Your original post said you are trying to open UDP 5582 and TCP+UDP 61185, however there is nothing on your computer listening for these ports, so you are getting the connection rejected messages because iptables is allowing the packet, but the kernel has nowhere to send the packet (ie, a listening application process) so the kernel closes the connection attempt.

Thank you, I didn't understand that before.

Updated:

iptables -nvL

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  wlan0  *       127.0.0.0/8          0.0.0.0/0           
 5449 1026K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    1    40 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
  953  400K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
   60  8029 UDP        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
   21   924 TCP        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 state NEW 
   80  8909 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-proto-unreachable 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 6682 packets, 1176K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain TCP (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:61185 

Chain UDP (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:5582 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:61185

netstat -tunlp

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN      4042/privoxy        
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      4073/cupsd          
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      25380/(squid)       
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      4071/tor            
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4071/tor            
tcp        0      0 127.0.0.1:58846         0.0.0.0:*               LISTEN      5472/python2        
tcp        0      0 127.0.0.1:32000         0.0.0.0:*               LISTEN      30205/java          
tcp        0      0 0.0.0.0:9030            0.0.0.0:*               LISTEN      4071/tor            
tcp        0      0 ::1:631                 :::*                    LISTEN      4073/cupsd          
tcp        0      0 ::1:8888                :::*                    LISTEN      30205/java          
tcp        0      0 ::ffff:127.0.0.1:8888   :::*                    LISTEN      30205/java          
tcp        0      0 ::ffff:192.168.1.1:8058 :::*                    LISTEN      30205/java          
tcp        0      0 fe80::215:afff:fe0:8058 :::*                    LISTEN      30205/java          
tcp        0      0 :::6600                 :::*                    LISTEN      4022/mpd            
tcp        0      0 ::1:9481                :::*                    LISTEN      30205/java          
tcp        0      0 ::ffff:127.0.0.1:9481   :::*                    LISTEN      30205/java          
udp        0      0 0.0.0.0:51774           0.0.0.0:*                           5472/python2        
udp        0      0 0.0.0.0:631             0.0.0.0:*                           4073/cupsd          
udp        0      0 0.0.0.0:4827            0.0.0.0:*                           25380/(squid)       
udp        0      0 0.0.0.0:43802           0.0.0.0:*                           25380/(squid)       
udp        0      0 0.0.0.0:3130            0.0.0.0:*                           25380/(squid)       
udp        0      0 0.0.0.0:3401            0.0.0.0:*                           25380/(squid)       
udp        0      0 0.0.0.0:44777           0.0.0.0:*                           5472/python2        
udp        0      0 :::56760                :::*                                30205/java          
udp        0      0 :::5582                 :::*                                30205/java          
udp        0      0 :::8008                 :::*                                30205/java          
udp        0      0 :::8008                 :::*                                30205/java          
udp        0      0 :::1900                 :::*                                30205/java          
udp        0      0 :::1900                 :::*                                30205/java

#10 2011-01-20 02:54:53

tsr-nc
Member
Registered: 2009-02-07
Posts: 40

Re: [solved] Iptables - open port still gets rejected

SOLVED

Thanks for all your help

#11 2011-01-20 12:38:49

denisfalqueto
Member
From: ES, Brazil
Registered: 2006-03-24
Posts: 197

Re: [solved] Iptables - open port still gets rejected

Two things: update the thread title with [SOLVED] and explain how it was solved. Maybe someone in the future can use that information.


Satisfied users don't rant, so you'll never know how many of us there are.

#12 2011-01-22 01:08:55

tsr-nc
Member
Registered: 2009-02-07
Posts: 40

Re: [solved] Iptables - open port still gets rejected

Sorry, I can't help with what fixed it; I just reinstalled Arch and bam, it worked.