
Thread: iptables configuration - only one port is open

  1. #1

    iptables configuration - only one port is open

    Hello!

    I went through a lot of tutorials and posts here, but still no luck in solving my problem. So I decided to ask you for help.

    I'd like to achieve two things - have SSH available from WAN as well as a range of ports for rtorrent. This means port 22 and, i.e., ports 51777-51800 need to be open.

    My current post-firewall file is:
    Code:
    #!/bin/sh
    # remove the catch-all DROP at the end of INPUT so the new rules are not appended below it
    iptables -D INPUT -j DROP
    # $1 is the interface name handed to this script (the WAN side)
    iptables -A INPUT -p tcp --syn -i "$1" --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 51777:51800 -j ACCEPT
    # put the catch-all DROP back at the end of INPUT
    iptables -A INPUT -j DROP
    Unfortunately (when testing with http://ping.eu/port-chk/) I can confirm that only port 22 is open. The next line is for some reason ignored.

    Could anyone tell me what is wrong here?

  2. #2
    Join Date
    Nov 2004
    Location
    Sweden
    Posts
    259
    Is the router the device where you run rtorrent?

  3. #3
    Yes, rtorrent is launched there.

  4. #4
    Run

    Code:
    iptables -L INPUT -n -v
    and check if the rule is there. The first column will tell you the number of packets that have matched the rule.

  5. #5
    The output tells me nothing, so I'm pasting it here:

    Code:
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        2   112 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
      13M 2098M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    16608  995K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          state NEW
    55370   18M ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          state NEW
        0     0 ACCEPT     2    --  *      *       0.0.0.0/0            224.0.0.0/4
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4        udp dpt:!1900
    54315 4182K SECURITY   all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0          state NEW
      139 45592 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:67 dpt:68
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.1        tcp dpt:80
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21
      118  7099 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
     4016  240K ACCEPT     tcp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 flags:0x16/0x02
    49000 3770K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

  6. #6
    Quote Originally Posted by groob View Post
    The output tells me nothing, so I'm pasting it here:
    [the INPUT chain listing from post #5, quoted in full]
    try:
    Code:
    iptables -I INPUT -p tcp --dport 51777:51800 -j ACCEPT

  7. #7
    I'm afraid nothing has changed...
    Still only 22 is open.

    This is how iptables looks now:
    Code:
    #!/bin/sh
    iptables -D INPUT -j DROP

    iptables -A INPUT -p tcp --syn -i "$1" --dport 22 -j ACCEPT
    iptables -I INPUT -p tcp --dport 51777:51800 -j ACCEPT

    iptables -A INPUT -j DROP

  8. #8
    Given the INPUT table you showed, you should run just the command I gave you. That's why I quoted the INPUT table.

  9. #9
    I may not understand you clearly.
    Do you want me to leave only one command in my post-firewall file?

  10. #10
    Do what it takes to get back to the INPUT table you showed in your previous post, and then try the command I gave you.

  11. #11
    Ok, so now I have this:

    Code:
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpts:51777:51800
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
    1028K 1136M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
      553 33180 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          state NEW
     4153 1286K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          state NEW
        0     0 ACCEPT     2    --  *      *       0.0.0.0/0            224.0.0.0/4
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4        udp dpt:!1900
      678 74677 SECURITY   all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0          state NEW
        2   656 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:67 dpt:68
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.1        tcp dpt:80
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21
        6   364 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        1    60 ACCEPT     tcp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 flags:0x16/0x02
      563 64703 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

  12. #12
    Quote Originally Posted by groob View Post
    Ok, so now I have this:
    [the INPUT chain listing from post #11, quoted in full]
    As it is now, TCP traffic coming into the WAN port with destination ports 51777 to 51800 will be accepted and will reach the router on its LAN IP. You should see the pkts and bytes fields increasing, just as has already happened on the SSH port (1 pkt, 60 bytes). If this does not happen it means you are not getting TCP traffic on the WAN port with destination ports 51777 to 51800.

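The counter check from posts #4 and #12, turned into a small script as an added example (it is not part of the thread): it reads two snapshots of `iptables -L INPUT -n -v`, finds a rule by a piece of its match text, and reports the rule's position, its packet counter, whether the counter grew between the snapshots, and whether the rule ended up above the `state INVALID` DROP. The two snapshots embedded below are constructed, trimmed copies of the listings in posts #11 and #13; the "dpt:51413" lookup is a made-up port that is deliberately absent. Large counters are printed by iptables with K/M/G suffixes, so on a live box use `iptables -L INPUT -n -v -x` when you want exact numbers.

```shell
#!/bin/sh
# Added example (not from the thread): compare two snapshots of
# `iptables -L INPUT -n -v` and answer, without eyeballing the table:
# is the rule present, where does it sit, did its packet counter grow?
# Both snapshots are constructed, trimmed copies of posts #11 and #13.

SNAP_BEFORE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpts:51777:51800
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
    1    60 ACCEPT     tcp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 flags:0x16/0x02
  563 64703 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

SNAP_AFTER='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    9   836 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpts:51777:51800
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
    4   240 ACCEPT     tcp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 flags:0x16/0x02
  700 80000 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# to_num COUNTER: expand the K/M/G suffixes iptables -v prints for large
# counters (decimal multiples of 1000; pass -x to iptables for exact values).
to_num() {
    case "$1" in
        *K) echo $(( ${1%K} * 1000 )) ;;
        *M) echo $(( ${1%M} * 1000000 )) ;;
        *G) echo $(( ${1%G} * 1000000000 )) ;;
        *)  echo "$1" ;;
    esac
}

# rule_position LISTING MATCHTEXT: 1-based index of the first rule whose
# line contains MATCHTEXT (e.g. "dpts:51777:51800"), or 0 if absent.
# The first two lines of the listing are the chain header and column names.
rule_position() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        NR > 2 && index($0, pat) { print NR - 2; found = 1; exit }
        END { if (!found) print 0 }'
}

# rule_pkts LISTING MATCHTEXT: packet counter of that rule, or "missing".
rule_pkts() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        NR > 2 && index($0, pat) { print $1; found = 1; exit }
        END { if (!found) print "missing" }'
}

# rule_grew BEFORE AFTER MATCHTEXT: "yes" if the counter increased between
# the snapshots, "no" if not, "missing" if the rule is absent in either.
rule_grew() {
    before=$(rule_pkts "$1" "$3")
    after=$(rule_pkts "$2" "$3")
    if [ "$before" = missing ] || [ "$after" = missing ]; then
        echo missing
    elif [ "$(to_num "$after")" -gt "$(to_num "$before")" ]; then
        echo yes
    else
        echo no
    fi
}

# check_order LISTING MATCHTEXT: "above-invalid-drop" when the rule sits
# ahead of the "state INVALID" DROP (what a plain "-I INPUT" produces),
# "ok" when it sits below it, "missing" when absent.
check_order() {
    rule=$(rule_position "$1" "$2")
    inv=$(rule_position "$1" "state INVALID")
    if [ "$rule" -eq 0 ]; then
        echo missing
    elif [ "$inv" -ne 0 ] && [ "$rule" -lt "$inv" ]; then
        echo above-invalid-drop
    else
        echo ok
    fi
}

main() {
    # trailing space after "dpt:22" keeps it from matching e.g. dpt:2200
    for m in 'dpts:51777:51800' 'dpt:22 ' 'dpt:51413'; do
        printf '%-18s position=%s pkts=%s grew=%s order=%s\n' "$m" \
            "$(rule_position "$SNAP_AFTER" "$m")" \
            "$(rule_pkts "$SNAP_AFTER" "$m")" \
            "$(rule_grew "$SNAP_BEFORE" "$SNAP_AFTER" "$m")" \
            "$(check_order "$SNAP_AFTER" "$m")"
    done
}
main
```

The `check_order` result is the caveat worth keeping in mind with the `-I INPUT` fix: with no position argument, `-I` puts the rule at the top of the chain, ahead of the `state INVALID` DROP in post #11's listing, so packets conntrack considers invalid but aimed at 51777-51800 are accepted there instead of dropped. Inserting at a numbered position below that rule (`iptables -I INPUT 2 ...`) keeps the intended order.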
  13. #13
    Thank you! You are right, it is increasing. Currently I see:
    Code:
        9   836 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpts:51777:51800
    Now I need to ask a question - how do I make this condition permanent?

    BTW - why does the port test keep reporting any of 51777:51800 as closed?

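An added example of a post-firewall-style script that opens both SSH and the rtorrent range from the WAN side and is safe to run repeatedly; it is not the thread's script and not firmware code. It assumes, as post #1's use of `"$1"` suggests, that the firmware runs the script at boot with the WAN interface name as its first argument, and that the router's iptables supports `-C` (rule check, iptables 1.4.11 or newer). The `IPT` and `WAN` variables and the `post-firewall` file name check are conveniences added here.

```shell
#!/bin/sh
# Added example, not the thread's post-firewall script: open SSH and the
# rtorrent port range from the WAN interface in a way that survives re-runs.
# Assumptions not stated on the page: the firmware invokes this script at
# boot with the WAN interface as $1 (post #1 reads "$1" that way), and
# iptables supports -C (rule check, 1.4.11 or newer).

IPT=${IPT:-iptables}               # overridable so the logic can be tested
WAN=${1:-vlan1}                    # WAN interface; vlan1 in the thread's listings
RT_PORTS=${RT_PORTS:-51777:51800}  # rtorrent listen range from post #1

# Where to insert: directly below the "state INVALID" DROP, so the new
# ACCEPT does not land above it as a bare "-I INPUT" would; position 1
# if the chain has no such rule.
insert_position() {
    n=$("$IPT" -L INPUT -n --line-numbers 2>/dev/null |
        awk '/state INVALID/ { print $1; exit }')
    echo $(( ${n:-0} + 1 ))
}

# open_tcp PORTSPEC: accept new TCP connections arriving on the WAN
# interface for PORTSPEC (a single port or a low:high range). Matches only
# SYNs, like the existing port-22 rule in the listings, and skips the
# insert when an identical rule already exists, so a second run adds nothing.
open_tcp() {
    port=$1
    set -- -p tcp --syn -i "$WAN" --dport "$port" -j ACCEPT
    if "$IPT" -C INPUT "$@" 2>/dev/null; then
        echo "INPUT rule for tcp/$port already present"
    else
        "$IPT" -I INPUT "$(insert_position)" "$@"
    fi
}

main() {
    open_tcp 22
    open_tcp "$RT_PORTS"
}

# Only touch the firewall when run as the firmware's post-firewall hook.
case "${0##*/}" in
    post-firewall) main ;;
esac
```

On the "closed" report from the external port check: an ACCEPT rule only lets the SYN reach the router. If nothing is listening on the port, the kernel answers with a RST and the checker reports the port closed, even though the pkts counter on the rule keeps increasing exactly as seen in post #13. rtorrent listens on a single port chosen from its configured range, so at most one port of 51777-51800 can show as open while it runs; `netstat -ltn` on the router shows which ports actually have a listener.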