Gentoo Forums
iptables won't open inbound tcp ports
Forum: Networking & Security
Rael86
n00b
Joined: 13 Oct 2007
Posts: 2

Posted: Sat Oct 13, 2007 11:24 am    Post subject: iptables won't open inbound tcp ports

Hello, I configured a script to filter my network traffic and share my connection using the gentoo-wiki. This is the result:
Code:
#!/bin/bash
# External interface
EXTIF=ppp0
# Internal interface
INTIF1=eth0
# Loop device/localhost
LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"
# Text tools variables
IPT='/sbin/iptables'
IFC='/sbin/ifconfig'
G='/bin/grep'
SED='/bin/sed'
# Default policy
$IPT -P INPUT   DROP
$IPT -P OUTPUT  DROP
$IPT -P FORWARD DROP
# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
 $IPT -t $i -F
done
for i in $CHAINS;
do
 $IPT -t $i -X
done
# Setting up external interface environment variables
EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
EXTBC="255.255.255.255"
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
# Setting up environment variables for internal interface one
INTIP1="`$IFC $INTIF1|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC1="`$IFC $INTIF1|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET1="$INTIP1/$INTMSK1"
echo "INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"
# Logging chains
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl   -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl   -j DROP
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT
# Invalid packets
$IPT -A INPUT   -p tcp ! --syn -m state --state NEW -j DROPl
$IPT -A OUTPUT   -p tcp ! --syn -m state --state NEW -j REJECTl
$IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j DROPl
$IPT -A INPUT   -m state --state INVALID -j DROPl
$IPT -A OUTPUT  -m state --state INVALID -j REJECTl
$IPT -A FORWARD -m state --state INVALID -j DROPl
# loopback device
$IPT -A INPUT   -i ! $LPDIF -s $LPDIP -j DROPl
$IPT -A INPUT   -i ! $LPDIF -d $LPDIP -j DROPl
$IPT -A OUTPUT   -o ! $LPDIF -s $LPDIP -j REJECTl
$IPT -A OUTPUT   -o ! $LPDIF -d $LPDIP -j REJECTl
$IPT -A INPUT   -i $LPDIF -j ACCEPT
$IPT -A OUTPUT   -o $LPDIF -j ACCEPT
# Defining some common p2p clients.
BT=6881:6889
# Defining some common chat clients.
IRC='ircd'
MSN=1863
# We have to sync!!
PORTAGE='rsync'
OpenPGP_HTTP_Keyserver=11371
# All services ports are read from /etc/services
TCPSERV="domain ssh http https ftp ftp-data pop3 smtp time $PORTAGE $BT $IRC $MSN $OpenPGP_HTTP_Keyserver"
UDPSERV="domain time"
echo -n "FW: Allowing inside systems to use service:"
for i in $TCPSERV;
do
  echo -n "$i "
  $IPT -A OUTPUT  -o $EXTIF  -p tcp -s $EXTIP   --dport $i --syn -m state --state NEW -j ACCEPT
  $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing inside systems to use service:"
for i in $UDPSERV;
do
  echo -n "$i "
  $IPT -A OUTPUT  -o $EXTIF  -p udp -s $EXTIP   --dport $i -m state --state NEW -j ACCEPT
  $IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 --dport $i -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing outside systems to use service:"
echo -n "$BT"
$IPT -A INPUT -i $EXTIF -p tcp --dport $BT -m state --state NEW -j ACCEPT
echo ""
# Allow some icmp services
$IPT -A OUTPUT  -o $EXTIF  -p icmp -s $EXTIP   --icmp-type echo-request -m state --state NEW      -j ACCEPT
$IPT -A OUTPUT  -o $EXTIF  -p icmp -s $EXTIP   --icmp-type time-exceeded -m state --state NEW      -j ACCEPT
$IPT -A OUTPUT  -o $EXTIF  -p icmp -s $EXTIP   --icmp-type destination-unreachable -m state --state NEW -j ACCEPT
$IPT -A OUTPUT  -o $INTIF1 -p icmp -s $INTNET1 --icmp-type echo-request -m state --state NEW      -j ACCEPT
$IPT -A OUTPUT  -o $INTIF1 -p icmp -s $INTNET1 --icmp-type time-exceeded -m state --state NEW      -j ACCEPT
$IPT -A OUTPUT  -o $INTIF1 -p icmp -s $INTNET1 --icmp-type destination-unreachable -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 --icmp-type echo-request -m state --state NEW      -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 --icmp-type time-exceeded -m state --state NEW      -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 --icmp-type destination-unreachable -m state --state NEW -j ACCEPT
$IPT -A INPUT   -p icmp --icmp-type echo-reply -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT   -p icmp --icmp-type time-exceeded -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT   -p icmp --icmp-type destination-unreachable -m state --state NEW,ESTABLISHED -j ACCEPT
# NAT
$IPT -t nat -A PREROUTING  -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -j ACCEPT
$IPT -t nat -A OUTPUT -j ACCEPT
# Started connections
$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Block and log everything else
$IPT -A INPUT   -j DROPl
$IPT -A OUTPUT  -j REJECTl
$IPT -A FORWARD -j DROPl


The output ports I need are open and work very well; the input ones (bittorrent) are closed instead. I also tried other ports, but the result is the same: iptables closes the ports instead of opening them.

This is my lsmod output for iptables:
Code:
xt_tcpudp               2944  36
xt_state                1984  54
ipt_LOG                 5632  2
ipt_REJECT              3456  1
ipt_MASQUERADE          2496  1
iptable_nat             5380  1
nf_nat                 14252  2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4      12620  56 iptable_nat
nf_conntrack           48920  5 xt_state,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
iptable_filter          2304  1
ip_tables               9544  2 iptable_nat,iptable_filter
x_tables               11140  10 ipt_ECN,xt_multiport,xt_tcpudp,xt_state,xt_limit,ipt_LOG,ipt_REJECT,ipt_MASQUERADE,iptable_nat,ip_tables


I use a USB modem and the script is loaded when the connection starts (I put it in /etc/ppp/ip-down.d). My ISP uses the PPPoA protocol, if that helps.
I would be very grateful if you could help me. Thanks :D
pteppic
l33t
Joined: 28 Nov 2005
Posts: 781

Posted: Sat Oct 13, 2007 11:29 am

Code:
echo -n "FW: Allowing outside systems to use service:"
 echo -n "$BT"
 $IPT -A INPUT -i $EXTIF -p tcp --dport $BT -m state --state NEW -j ACCEPT
 echo ""
Unless your torrent client is running on the iptables machine, you need
Code:
$IPT -A FORWARD -i $EXTIF -p tcp --dport $BT -m state --state NEW -j ACCEPT
and you need to DNAT it.
_________________
Current Project Thread (myth2avi)
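The two cases pteppic distinguishes, written out as an added example (not code from the thread or the wiki script): one function emits the INPUT rule for a client running on the firewall itself, the other emits the DNAT plus FORWARD pair for a client on an inside host. EXTIF and BT reuse the script's values; the LAN address 192.168.1.10 and the bt_* function names are assumptions, and IPT defaults to echoing the commands so they can be reviewed before being applied.

```shell
#!/bin/bash
# Added example, not from the thread. Variable names follow the original
# script; the LAN host address below is an assumed value.
EXTIF=${EXTIF:-ppp0}
BT=${BT:-6881:6889}
# Dry run by default: print the commands instead of applying them.
# Set IPT=/sbin/iptables to apply them for real.
IPT=${IPT:-echo /sbin/iptables}

# Case 1: the torrent client runs on the firewall itself. The packets are
# delivered locally, so only the INPUT chain is consulted (this is the rule
# the original script already has). It must be appended before the final
# "$IPT -A INPUT -j DROPl" catch-all, because iptables matches in order.
bt_local_rules() {
    $IPT -A INPUT -i "$EXTIF" -p tcp --dport "$BT" --syn -m state --state NEW -j ACCEPT
}

# Case 2: the client runs on an inside host. Forwarded packets never
# traverse INPUT, so an INPUT rule does nothing for them. Two rules are
# needed: DNAT in nat/PREROUTING rewrites the destination to the LAN host
# (the port range is kept), then a FORWARD rule lets the rewritten packet
# through. The -d match keeps the FORWARD rule from accepting new inbound
# connections to anything other than that one host.
bt_forward_rules() {
    local inthost=$1
    $IPT -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$BT" \
        -j DNAT --to-destination "$inthost"
    $IPT -A FORWARD -i "$EXTIF" -d "$inthost" -p tcp --dport "$BT" --syn \
        -m state --state NEW -j ACCEPT
}

# Pick the case by whether a LAN host is given.
bt_rules() {
    if [ -n "$1" ]; then
        bt_forward_rules "$1"
    else
        bt_local_rules
    fi
}

# Stand-alone run: show both variants.
bt_rules
bt_rules 192.168.1.10
```

To see which case a running firewall is actually in, watch the packet counters from iptables -L INPUT -v -n (or -L FORWARD) while a peer connects, and look for DROPl: lines in the kernel log, which the script's logging chain writes for anything that fell through to the catch-all.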
Rael86
n00b
Joined: 13 Oct 2007
Posts: 2

Posted: Sat Oct 13, 2007 11:33 am

My torrent client is running on the iptables machine :(