Port is open but I am unable to connect

Port is open but I am unable to connect

[Jacob Friis Larsen]

When I add -s 1.2.3.4 I am unable to connect to my server.
nmap shows that the correct ports are open.
Any ideas?

iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state 
--state NEW

This is my script:
<script>
#!/bin/sh

# Modules
modprobe ip_conntrack_ftp

# Defaults
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Open ports on router for server/services
iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20 -m state 
--state NEW
iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21 -m state 
--state NEW
iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state 
--state NEW
iptables -A INPUT -j ACCEPT -p tcp --dport 25 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp --dport 143 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp --dport 993 -m state --state NEW
</script>

Thanks,
Jacob

Re: Port is open but I am unable to connect

[Sascha Reissner]

just to make sure.. you are certain, that you want -s 1.2.3.4?

this means source ip is 1.2.3.4 (so the ip you connect from, not the ip 
you connect _to_)


Jacob Friis Larsen wrote:
> When I add -s 1.2.3.4 I am unable to connect to my server.
> nmap shows that the correct ports are open.
> Any ideas?
> 
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state 
> --state NEW
> 
> This is my script:
> <script>
> #!/bin/sh
> 
> # Modules
> modprobe ip_conntrack_ftp
> 
> # Defaults
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
> 
> # Flush
> iptables -t nat -F POSTROUTING
> iptables -t nat -F PREROUTING
> iptables -t nat -F OUTPUT
> iptables -F
> 
> # STATE RELATED for router
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # Localhost
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> 
> # Open ports on router for server/services
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20 -m state 
> --state NEW
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21 -m state 
> --state NEW
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state 
> --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 25 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 143 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 993 -m state --state NEW
> </script>
> 
> Thanks,
> Jacob
> 
> 

Re: Port is open but I am unable to connect

[Jacob Friis Larsen]

> just to make sure.. you are certain, that you want -s 1.2.3.4?

No 1.2.3.4 is just for the example :)
I don't dare to show my real ip, in case of a bad iptables script.

Thanks,
Jacob

Re: Port is open but I am unable to connect

[Jason Opperisano]

On Tue, 2004-09-07 at 15:27, Jacob Friis Larsen wrote:
> When I add -s 1.2.3.4 I am unable to connect to my server.
> nmap shows that the correct ports are open.
> Any ideas?
> 
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state 
> --state NEW

i would content that while you believe your source IP is 1.2.3.4 in this
scenario--it; in fact, is not.

try:

  iptables -A INPUT -j LOG --log-prefix "FW DROP INPUT: "

and see what the logs have to say about it.

-j

-- 
Jason Opperisano <opie@817west.com>

Re: Port is open but I am unable to connect

[Jacob Friis Larsen]

> i would content that while you believe your source IP is 1.2.3.4 in this
> scenario--it; in fact, is not.

I know.
1.2.3.4 is just for the example :)

> try:
> 
>   iptables -A INPUT -j LOG --log-prefix "FW DROP INPUT: "
> 
> and see what the logs have to say about it.

This will log all incoming packets?

Thanks,
Jacob

Re: Port is open but I am unable to connect

[Jason Opperisano]

On Wed, 2004-09-08 at 02:38, Jacob Friis Larsen wrote:
> > i would content that while you believe your source IP is 1.2.3.4 in this
> > scenario--it; in fact, is not.
> 
> I know.
> 1.2.3.4 is just for the example :)
> 
> > try:
> > 
> >   iptables -A INPUT -j LOG --log-prefix "FW DROP INPUT: "
> > 
> > and see what the logs have to say about it.
> 
> This will log all incoming packets?

setting the above as you last rule, in combination with setting the
POLICY of the INPUT chain to DROP, will log all packets dropped by the
INPUT chain.  similarly:

  iptables -A OUTPUT -j LOG --log-prefix "FW DROP OUTPUT: "

will log all packets dropped by the OUTPUT chain; which in your case,
should show you what Aleksandar already pointed out--you don't allow
ESTABLISHED packets out through the OUTPUT chain.

-j

-- 
Jason Opperisano <opie@817west.com>

Re: Port is open but I am unable to connect

[Aleksandar Milivojevic]

Jacob Friis Larsen wrote:
> When I add -s 1.2.3.4 I am unable to connect to my server.
> nmap shows that the correct ports are open.
> Any ideas?
> 
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state 
> --state NEW
> 
> This is my script:

[snip]

> # STATE RELATED for router
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # Localhost
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> 
> # Open ports on router for server/services
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20 -m state 
> --state NEW
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21 -m state 
> --state NEW
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state 
> --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 25 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 143 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 993 -m state --state NEW

All your rules (apart from lo interface) are for INPUT chain.  No rules 
for OUTPUT chain (so all return packets get dropped there).  You are 
missing "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" at 
the begginging of your rules (just after similar INPUT line you already 
have).

BTW, what's the point of accepting connections to port 20?  It's FTP 
port used for active data transfers, and connections are made *from* it, 
not *to* it.  Since you have (will have) "just accept anything related I 
don't care" rules, just add "modprobe ip_nat_ftp" line somewhere into 
your script, and FTP will work (you don't need that port 20 line).

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

Re: Port is open but I am unable to connect

[Jacob Friis Larsen]

 > All your rules (apart from lo interface) are for INPUT chain. No rules
 > for OUTPUT chain (so all return packets get dropped there).  You are
 > missing "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" at
 > the begining of your rules (just after similar INPUT line you already
 > have).

Sounds logic. I changed it in the script below, and will try it out 
later when I can get to the server.

 > BTW, what's the point of accepting connections to port 20? It's FTP
 > port used for active data transfers, and connections are made *from*
 > it, not *to* it.  Since you have (will have) "just accept anything
 > related I don't care" rules, just add "modprobe ip_nat_ftp" line
 > somewhere into your script, and FTP will work (you don't need that
 > port 20 line).

OK, I changed that too.

Thanks a lot!
Jacob

>> This is my script:
> 
> [snip]
> 
modprobe ip_nat_ftp

>> # STATE RELATED for router
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> # Localhost
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A OUTPUT -o lo -j ACCEPT
>>
>> # Open ports on router for server/services
#iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20 -m state
>> --state NEW
>> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21 -m state 
>> --state NEW
>> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state 
>> --state NEW
>> iptables -A INPUT -j ACCEPT -p tcp --dport 25 -m state --state NEW
>> iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW
>> iptables -A INPUT -j ACCEPT -p tcp --dport 143 -m state --state NEW
>> iptables -A INPUT -j ACCEPT -p tcp --dport 993 -m state --state NEW

Re: Port is open but I am unable to connect

[Jacob Friis Larsen]

With the changes I still can't connect. I also use bonding if that's 
important.

<script>
#!/bin/sh

# Modules
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# Defaults
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Open ports on router for server/services
#iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20 -m state 
--state NEW
iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21 -m state 
--state NEW
iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state 
--state NEW
iptables -A INPUT -j ACCEPT -p tcp --dport 25 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp --dport 143 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp --dport 993 -m state --state NEW
</script>

Re: Port is open but I am unable to connect

[Jason Opperisano]

On Thu, 2004-09-09 at 06:17, Jacob Friis Larsen wrote:
> With the changes I still can't connect. I also use bonding if that's 
> important.

dunno about bonding...might be important.

> <script>
> #!/bin/sh
> 
> # Modules
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
> 
> # Defaults
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
> 
> # Flush
> iptables -t nat -F POSTROUTING
> iptables -t nat -F PREROUTING
> iptables -t nat -F OUTPUT
> iptables -F
> 
> # STATE RELATED for router
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # Localhost
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> 
> # Open ports on router for server/services
> #iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20 -m state 
> --state NEW
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21 -m state 
> --state NEW
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state 
> --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 25 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 143 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 993 -m state --state NEW
> </script>

just to clarify a point--the services your trying to connect to *are*
running locally on the machine running netfilter, correct?  the only
reason i ask, is because the comment "Open ports on router for
server/services" leads me to believe that "router" and "server" are two
different machines.  if "server" is behind "router" you should be using
FORWARD filter rules, not INPUT...

anyways...at this point--i'd recommend:

  iptables -A INPUT -j LOG --log-prefix "FW DROP IN: "
  iptables -A OUTPUT -j LOG --log-prefix "FW DROP OUT: "
  iptables -A FORWARD -j LOG --log-prefix "FW DROP FWD: "

and then "tail -f /var/log/messages" and try to connect.  the logs will
tell you why the firewall is dropping the traffic.

-j

-- 
Jason Opperisano <opie@817west.com>