* Port is open but I am unable to connect
@ 2004-09-07 19:27 Jacob Friis Larsen
  2004-09-07 19:35 ` Sascha Reissner
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Jacob Friis Larsen @ 2004-09-07 19:27 UTC (permalink / raw)
  To: netfilter

When I add -s 1.2.3.4 I am unable to connect to my server.
nmap shows that the correct ports are open.
Any ideas?

iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state --state NEW

This is my script:
<script>
#!/bin/sh

# Modules
modprobe ip_conntrack_ftp

# Defaults
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Open ports on router for server/services
iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20 -m state --state NEW
iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21 -m state --state NEW
iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp --dport 25 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp --dport 143 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp --dport 993 -m state --state NEW
</script>

Thanks,
Jacob



* Re: Port is open but I am unable to connect
  2004-09-07 19:27 Port is open but I am unable to connect Jacob Friis Larsen
@ 2004-09-07 19:35 ` Sascha Reissner
  2004-09-08  6:34   ` Jacob Friis Larsen
  2004-09-07 20:19 ` Jason Opperisano
  2004-09-07 20:59 ` Aleksandar Milivojevic
  2 siblings, 1 reply; 10+ messages in thread
From: Sascha Reissner @ 2004-09-07 19:35 UTC (permalink / raw)
  To: Jacob Friis Larsen; +Cc: netfilter


just to make sure.. you are certain, that you want -s 1.2.3.4?

this means source ip is 1.2.3.4 (so the ip you connect from, not the ip 
you connect _to_)


Jacob Friis Larsen wrote:
> When I add -s 1.2.3.4 I am unable to connect to my server.
> nmap shows that the correct ports are open.
> Any ideas?
> 
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state --state NEW
> 
> This is my script:
> <script>
> #!/bin/sh
> 
> # Modules
> modprobe ip_conntrack_ftp
> 
> # Defaults
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
> 
> # Flush
> iptables -t nat -F POSTROUTING
> iptables -t nat -F PREROUTING
> iptables -t nat -F OUTPUT
> iptables -F
> 
> # STATE RELATED for router
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # Localhost
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> 
> # Open ports on router for server/services
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20 -m state --state NEW
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21 -m state --state NEW
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 25 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 143 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 993 -m state --state NEW
> </script>
> 
> Thanks,
> Jacob
> 
> 




* Re: Port is open but I am unable to connect
  2004-09-07 19:27 Port is open but I am unable to connect Jacob Friis Larsen
  2004-09-07 19:35 ` Sascha Reissner
@ 2004-09-07 20:19 ` Jason Opperisano
  2004-09-08  6:38   ` Jacob Friis Larsen
  2004-09-07 20:59 ` Aleksandar Milivojevic
  2 siblings, 1 reply; 10+ messages in thread
From: Jason Opperisano @ 2004-09-07 20:19 UTC (permalink / raw)
  To: netfilter

On Tue, 2004-09-07 at 15:27, Jacob Friis Larsen wrote:
> When I add -s 1.2.3.4 I am unable to connect to my server.
> nmap shows that the correct ports are open.
> Any ideas?
> 
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state --state NEW

I would contend that while you believe your source IP is 1.2.3.4 in this
scenario, it, in fact, is not.

try:

  iptables -A INPUT -j LOG --log-prefix "FW DROP INPUT: "

and see what the logs have to say about it.

-j

-- 
Jason Opperisano <opie@817west.com>




* Re: Port is open but I am unable to connect
  2004-09-07 19:27 Port is open but I am unable to connect Jacob Friis Larsen
  2004-09-07 19:35 ` Sascha Reissner
  2004-09-07 20:19 ` Jason Opperisano
@ 2004-09-07 20:59 ` Aleksandar Milivojevic
  2004-09-08  6:47   ` Jacob Friis Larsen
  2 siblings, 1 reply; 10+ messages in thread
From: Aleksandar Milivojevic @ 2004-09-07 20:59 UTC (permalink / raw)
  To: netfilter

Jacob Friis Larsen wrote:
> When I add -s 1.2.3.4 I am unable to connect to my server.
> nmap shows that the correct ports are open.
> Any ideas?
> 
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state --state NEW
> 
> This is my script:

[snip]

> # STATE RELATED for router
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # Localhost
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> 
> # Open ports on router for server/services
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20 -m state --state NEW
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21 -m state --state NEW
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 25 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 143 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 993 -m state --state NEW

All your rules (apart from lo interface) are for INPUT chain.  No rules 
for OUTPUT chain (so all return packets get dropped there).  You are 
missing "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" at 
the beginning of your rules (just after similar INPUT line you already 
have).

BTW, what's the point of accepting connections to port 20?  It's FTP 
port used for active data transfers, and connections are made *from* it, 
not *to* it.  Since you have (will have) "just accept anything related I 
don't care" rules, just add "modprobe ip_nat_ftp" line somewhere into 
your script, and FTP will work (you don't need that port 20 line).

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
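
As an added illustration of the two points raised above (Sascha's: -s matches the address a connection comes *from*; Aleksandar's: with policy DROP on OUTPUT, the server's own SYN/ACK is dropped unless an ESTABLISHED,RELATED rule exists there), here is a small Python model of the chain walk. It is example code written for this page, not code from the thread or from netfilter; the server address 10.0.0.1, the client port 40000 and the reduced rule subset are assumptions, and it also wires in the trailing LOG rule Jason suggested so a dropped SYN shows up in a log list.

```python
"""Toy model of the netfilter path this thread is debugging.

Added example, not code from the thread or from netfilter.  It models only
what the discussion turns on: policy DROP on INPUT and OUTPUT, a connection
tracking table keyed on the TCP 4-tuple, and rules that match -s, --dport
and -m state.  RELATED, FORWARD, NAT and timeouts are left out.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # "SYN", "SYN,ACK" or "ACK"


@dataclass
class Rule:
    chain: str                    # "INPUT" or "OUTPUT"
    target: str                   # "ACCEPT" (terminating) or "LOG" (non-terminating)
    src: Optional[str] = None     # -s
    dport: Optional[int] = None   # --dport
    state: Optional[set] = None   # -m state --state, subset of {"NEW", "ESTABLISHED"}
    log_prefix: str = ""          # --log-prefix


@dataclass
class Firewall:
    rules: list
    policy: dict = field(default_factory=lambda: {"INPUT": "DROP", "OUTPUT": "DROP"})
    conntrack: set = field(default_factory=set)   # 4-tuples of accepted flows
    log: list = field(default_factory=list)       # what the LOG target would emit

    def _state(self, p: Packet) -> str:
        # conntrack recognises a flow in either direction; the reply to an
        # accepted SYN is therefore ESTABLISHED even though no ACK has passed yet
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.conntrack or rev in self.conntrack else "NEW"

    def _matches(self, r: Rule, p: Packet, state: str) -> bool:
        return ((r.src is None or r.src == p.src)
                and (r.dport is None or r.dport == p.dport)
                and (r.state is None or state in r.state))

    def filter(self, chain: str, p: Packet) -> str:
        """Walk one chain top to bottom; fall through to the chain policy."""
        state = self._state(p)
        verdict = self.policy[chain]
        for r in self.rules:
            if r.chain != chain or not self._matches(r, p, state):
                continue
            if r.target == "LOG":
                self.log.append(f"{r.log_prefix}SRC={p.src} DST={p.dst} "
                                f"PROTO=TCP SPT={p.sport} DPT={p.dport} {p.flags}")
                continue          # LOG does not end the walk
            verdict = r.target
            break
        if verdict == "ACCEPT":   # only accepted packets confirm a conntrack entry
            self.conntrack.add((p.src, p.sport, p.dst, p.dport))
        return verdict


def ssh_handshake(fw: Firewall, client: str, server: str = "10.0.0.1") -> list:
    """Verdicts for each leg of client -> server:22, stopping at the first drop.
    The server address and client port are assumptions made for the example."""
    legs = [("INPUT", Packet(client, server, 40000, 22, "SYN")),
            ("OUTPUT", Packet(server, client, 22, 40000, "SYN,ACK")),
            ("INPUT", Packet(client, server, 40000, 22, "ACK"))]
    verdicts = []
    for chain, pkt in legs:
        v = fw.filter(chain, pkt)
        verdicts.append((chain, pkt.flags, v))
        if v != "ACCEPT":
            break                 # the peer never sees this leg, so the handshake stalls
    return verdicts


def original_rules() -> list:
    """The posted script, reduced to port 22: INPUT is fine, OUTPUT has no rules at all."""
    return [Rule("INPUT", "ACCEPT", state={"ESTABLISHED"}),
            Rule("INPUT", "ACCEPT", src="1.2.3.4", dport=22, state={"NEW"})]


def fixed_rules() -> list:
    """Aleksandar's OUTPUT rule plus Jason's trailing LOG rules on both chains."""
    return original_rules() + [Rule("OUTPUT", "ACCEPT", state={"ESTABLISHED"}),
                               Rule("INPUT", "LOG", log_prefix="FW DROP IN: "),
                               Rule("OUTPUT", "LOG", log_prefix="FW DROP OUT: ")]


if __name__ == "__main__":
    print("original, from 1.2.3.4:", ssh_handshake(Firewall(original_rules()), "1.2.3.4"))
    print("fixed, from 1.2.3.4:   ", ssh_handshake(Firewall(fixed_rules()), "1.2.3.4"))
    fw = Firewall(fixed_rules())
    print("fixed, from 5.6.7.8:   ", ssh_handshake(fw, "5.6.7.8"), fw.log)
```

With the original rules the inbound SYN is accepted in INPUT and the server's SYN/ACK is then dropped by the OUTPUT policy, which is why nmap reports the port open while the connection never completes; with the OUTPUT rule added the handshake goes through, and a SYN from any address other than the one given to -s is logged with the "FW DROP IN: " prefix and dropped.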



* Re: Port is open but I am unable to connect
  2004-09-07 19:35 ` Sascha Reissner
@ 2004-09-08  6:34   ` Jacob Friis Larsen
  0 siblings, 0 replies; 10+ messages in thread
From: Jacob Friis Larsen @ 2004-09-08  6:34 UTC (permalink / raw)
  To: Sascha Reissner; +Cc: netfilter

> just to make sure.. you are certain, that you want -s 1.2.3.4?

No 1.2.3.4 is just for the example :)
I don't dare to show my real ip, in case of a bad iptables script.

Thanks,
Jacob



* Re: Port is open but I am unable to connect
  2004-09-07 20:19 ` Jason Opperisano
@ 2004-09-08  6:38   ` Jacob Friis Larsen
  2004-09-08 11:35     ` Jason Opperisano
  0 siblings, 1 reply; 10+ messages in thread
From: Jacob Friis Larsen @ 2004-09-08  6:38 UTC (permalink / raw)
  To: Jason Opperisano; +Cc: netfilter

> I would contend that while you believe your source IP is 1.2.3.4 in this
> scenario, it, in fact, is not.

I know.
1.2.3.4 is just for the example :)

> try:
> 
>   iptables -A INPUT -j LOG --log-prefix "FW DROP INPUT: "
> 
> and see what the logs have to say about it.

This will log all incoming packets?

Thanks,
Jacob



* Re: Port is open but I am unable to connect
  2004-09-07 20:59 ` Aleksandar Milivojevic
@ 2004-09-08  6:47   ` Jacob Friis Larsen
  2004-09-09 10:17     ` Jacob Friis Larsen
  0 siblings, 1 reply; 10+ messages in thread
From: Jacob Friis Larsen @ 2004-09-08  6:47 UTC (permalink / raw)
  To: Aleksandar Milivojevic; +Cc: netfilter

 > All your rules (apart from lo interface) are for INPUT chain. No rules
 > for OUTPUT chain (so all return packets get dropped there).  You are
 > missing "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" at
 > the beginning of your rules (just after similar INPUT line you already
 > have).

Sounds logical. I changed it in the script below, and will try it out 
later when I can get to the server.

 > BTW, what's the point of accepting connections to port 20? It's FTP
 > port used for active data transfers, and connections are made *from*
 > it, not *to* it.  Since you have (will have) "just accept anything
 > related I don't care" rules, just add "modprobe ip_nat_ftp" line
 > somewhere into your script, and FTP will work (you don't need that
 > port 20 line).

OK, I changed that too.

Thanks a lot!
Jacob

>> This is my script:
> 
> [snip]
> 
modprobe ip_nat_ftp

>> # STATE RELATED for router
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> # Localhost
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A OUTPUT -o lo -j ACCEPT
>>
>> # Open ports on router for server/services
#iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20 -m state --state NEW
>> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21 -m state --state NEW
>> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state --state NEW
>> iptables -A INPUT -j ACCEPT -p tcp --dport 25 -m state --state NEW
>> iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW
>> iptables -A INPUT -j ACCEPT -p tcp --dport 143 -m state --state NEW
>> iptables -A INPUT -j ACCEPT -p tcp --dport 993 -m state --state NEW



* Re: Port is open but I am unable to connect
  2004-09-08  6:38   ` Jacob Friis Larsen
@ 2004-09-08 11:35     ` Jason Opperisano
  0 siblings, 0 replies; 10+ messages in thread
From: Jason Opperisano @ 2004-09-08 11:35 UTC (permalink / raw)
  To: netfilter

On Wed, 2004-09-08 at 02:38, Jacob Friis Larsen wrote:
> > I would contend that while you believe your source IP is 1.2.3.4 in this
> > scenario, it, in fact, is not.
> 
> I know.
> 1.2.3.4 is just for the example :)
> 
> > try:
> > 
> >   iptables -A INPUT -j LOG --log-prefix "FW DROP INPUT: "
> > 
> > and see what the logs have to say about it.
> 
> This will log all incoming packets?

setting the above as your last rule, in combination with setting the
POLICY of the INPUT chain to DROP, will log all packets dropped by the
INPUT chain.  similarly:

  iptables -A OUTPUT -j LOG --log-prefix "FW DROP OUTPUT: "

will log all packets dropped by the OUTPUT chain; which in your case,
should show you what Aleksandar already pointed out--you don't allow
ESTABLISHED packets out through the OUTPUT chain.

-j

-- 
Jason Opperisano <opie@817west.com>




* Re: Port is open but I am unable to connect
  2004-09-08  6:47   ` Jacob Friis Larsen
@ 2004-09-09 10:17     ` Jacob Friis Larsen
  2004-09-09 12:20       ` Jason Opperisano
  0 siblings, 1 reply; 10+ messages in thread
From: Jacob Friis Larsen @ 2004-09-09 10:17 UTC (permalink / raw)
  To: netfilter; +Cc: Aleksandar Milivojevic

With the changes I still can't connect. I also use bonding if that's 
important.

<script>
#!/bin/sh

# Modules
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# Defaults
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Open ports on router for server/services
#iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20 -m state --state NEW
iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21 -m state --state NEW
iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp --dport 25 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp --dport 143 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp --dport 993 -m state --state NEW
</script>



* Re: Port is open but I am unable to connect
  2004-09-09 10:17     ` Jacob Friis Larsen
@ 2004-09-09 12:20       ` Jason Opperisano
  0 siblings, 0 replies; 10+ messages in thread
From: Jason Opperisano @ 2004-09-09 12:20 UTC (permalink / raw)
  To: netfilter

On Thu, 2004-09-09 at 06:17, Jacob Friis Larsen wrote:
> With the changes I still can't connect. I also use bonding if that's 
> important.

dunno about bonding...might be important.

> <script>
> #!/bin/sh
> 
> # Modules
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
> 
> # Defaults
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
> 
> # Flush
> iptables -t nat -F POSTROUTING
> iptables -t nat -F PREROUTING
> iptables -t nat -F OUTPUT
> iptables -F
> 
> # STATE RELATED for router
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # Localhost
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> 
> # Open ports on router for server/services
> #iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20 -m state --state NEW
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21 -m state --state NEW
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 22 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 25 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 143 -m state --state NEW
> iptables -A INPUT -j ACCEPT -p tcp --dport 993 -m state --state NEW
> </script>

just to clarify a point--the services you're trying to connect to *are*
running locally on the machine running netfilter, correct?  the only
reason i ask, is because the comment "Open ports on router for
server/services" leads me to believe that "router" and "server" are two
different machines.  if "server" is behind "router" you should be using
FORWARD filter rules, not INPUT...

anyways...at this point--i'd recommend:

  iptables -A INPUT -j LOG --log-prefix "FW DROP IN: "
  iptables -A OUTPUT -j LOG --log-prefix "FW DROP OUT: "
  iptables -A FORWARD -j LOG --log-prefix "FW DROP FWD: "

and then "tail -f /var/log/messages" and try to connect.  the logs will
tell you why the firewall is dropping the traffic.

-j

-- 
Jason Opperisano <opie@817west.com>
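
Jason's advice is to put a LOG rule at the end of each chain and read /var/log/messages while attempting the connection. The following is an added example, not from the thread, that parses lines in the format the kernel LOG target writes to syslog (the --log-prefix, then IN=/OUT= interfaces, SRC/DST, PROTO, SPT/DPT and bare TCP flag tokens) and reports, per chain, what is being dropped. The sample lines are constructed, with made-up hosts, ports and a bond0 interface, and show the case the thread is chasing: the host's own SYN/ACK from port 22 dropped in OUTPUT.

```python
"""Parse the kernel LOG lines that trailing "-j LOG" rules produce and say
which chain is dropping what.  Added example, not code from the thread.
The sample lines are constructed in the syslog format of the netfilter LOG
target; hosts, ports and the bond0 interface are made up."""
import re
from collections import Counter

SAMPLE_LOG = """\
Sep  9 12:20:01 router kernel: FW DROP OUT: IN= OUT=bond0 SRC=10.0.0.1 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=40000 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Sep  9 12:20:04 router kernel: FW DROP OUT: IN= OUT=bond0 SRC=10.0.0.1 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=40000 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Sep  9 12:20:07 router kernel: FW DROP IN: IN=bond0 OUT= SRC=198.51.100.7 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  9 12:20:09 router kernel: FW DROP IN: IN=bond0 OUT= SRC=198.51.100.7 DST=10.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=UDP SPT=53 DPT=33434 LEN=20
Sep  9 12:20:10 router sshd[1234]: Server listening on 0.0.0.0 port 22.
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)(?P<rest>IN=.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}


def parse_log_line(line: str):
    """Return a dict of the LOG fields, or None for lines that are not LOG output."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = {"prefix": m.group("prefix").strip()}
    fields.update(KV_RE.findall(rest))                      # IN=, OUT=, SRC=, DPT=, ...
    fields["flags"] = frozenset(t for t in rest.split() if t in TCP_FLAGS)
    # a locally generated packet has IN= empty and OUT= set: that is the OUTPUT chain
    fields["chain"] = "OUTPUT" if fields.get("IN") == "" and fields.get("OUT") else "INPUT"
    return fields


def summarize(text: str):
    """Count drops per (chain, protocol, local port).  The local service port is
    DPT for inbound packets and SPT for the host's own replies."""
    entries = [e for e in map(parse_log_line, text.splitlines()) if e]
    counts = Counter()
    for e in entries:
        local_port = e.get("SPT") if e["chain"] == "OUTPUT" else e.get("DPT")
        counts[(e["chain"], e.get("PROTO"), local_port)] += 1
    return entries, counts


def blocked_replies(entries):
    """SYN/ACK packets dropped in OUTPUT: the host accepted a SYN but is not
    allowed to answer it, which is what a DROP policy on OUTPUT with no
    ESTABLISHED,RELATED rule looks like in the log."""
    return [e for e in entries
            if e["chain"] == "OUTPUT" and e["flags"] == {"SYN", "ACK"}]


if __name__ == "__main__":
    # to use it live, feed it "tail -f /var/log/messages" on stdin instead of SAMPLE_LOG
    entries, counts = summarize(SAMPLE_LOG)
    for (chain, proto, port), n in counts.most_common():
        print(f"{chain:6} {proto:4} port {port}: {n} dropped")
    for e in blocked_replies(entries):
        print(f"OUTPUT blocks the SYN/ACK from port {e['SPT']} back to {e['DST']}")
```

On the sample, the two OUTPUT drops are the host's replies from port 22 to 1.2.3.4, which is exactly the pattern Aleksandar's missing OUTPUT rule produces; the INPUT drops are an unrelated SYN and a UDP packet from another address, i.e. the policy doing its job.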


