- 05-27-2011 #1 (Just Joined!)
iptables ignored?
I'm trying to set up routing / forwarding. I have a bridging system with 5 NICs which appears to work ok but if I try to open or close a port on the server using iptables nothing happens.
for example:
> iptables -A OUTPUT -d 127.0.0.1 -p tcp --dport 139 -j DROP
> iptables -A INPUT -d 127.0.0.1 -p tcp --dport 139 -j DROP
Appears to make no difference as netstat -ntulp says :
tcp 0 0 127.0.0.1:139 0.0.0.0:* LISTEN 4365/smbd
so it looks like the port is still open. So, what am I doing wrong?
Thanks.
- 05-27-2011 #2
Remove the -d 127.0.0.1 from the rules.
- 05-27-2011 #3 (Linux Guru)
> but if I try to open or close a port on the server using iptables nothing happens
The firewall (iptables) blocks/allows connections to network ports. It does *NOT* start or stop services. If the service is running, netstat will show the port in use by the process. That does not have any bearing on whether iptables is allowing traffic to reach that port.
- 05-27-2011 #4 (Just Joined!)
- 05-27-2011 #5 (Just Joined!)
- 05-27-2011 #6
First ensure that iptables is running. Maybe it would be best if you could post your rules so that we can get an idea of what you are trying to do.
- 05-27-2011 #7 (Linux Guru)
Lazydog is correct - what are you trying to do?
1) First you implied you expected to see some change in netstat after running iptables commands. (Wrong)
2) The iptables commands you posted would block only traffic from the local machine (127.0.0.1). If you connect from a remote machine, the destination IP would NOT be 127.0.0.1. So the "test" you did was again irrelevant.
3) Back to what Lazydog said - the *whole* ruleset has to be taken into consideration. What is the default policy? ACCEPT or DROP?
Code:
iptables -A OUTPUT -d 127.0.0.1 -p tcp --dport 139 -j DROP
What this means: When I (the local machine) send packets out and the destination is 127.0.0.1 (me - my loopback address) and port 139, iptables will drop the packets.
???
Let's also note that if smbd is *only* listening on IP 127.0.0.1, it will not be reachable by other machines. Unless there is another LISTEN port tied to a routable IP (or "any IP" = 0.0.0.0:139), the smbd service is only available to the local machine.
- 05-28-2011 #8 (Just Joined!)
Thanks all for your help so far.
In the end, I'm trying to get a Minecraft server working but I keep getting "failed to connect" errors which appears to result from failure to forward.
I have a PC acting as gateway / router / bridge with 5 NICs. Eth0 connected to the internet and eth1-4 connected to computers internally. All appears to work except when I try to open ports / forwarding. So, I tried experimenting a bit to see if I could open or close any port but all the tests I do show no change regardless of what I do.
Here's my iptables script:
#!/bin/sh
echo "managing ports ...."
EXTIP="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
echo "Ex IP address ... " $EXTIP
EXTIF="eth0"
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
echo "here"
INTIF="mueb"
INTNET="192.168.0.0/24"
INTIP="192.168.0.2/24"
echo " Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
UNIVERSE="0.0.0.0/0"
# Clear any existing rules and setting default policy to DROP
/sbin/iptables -P INPUT DROP
/sbin/iptables -F INPUT
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -F OUTPUT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F FORWARD
/sbin/iptables -F -t nat
# Flush the user chain.. if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
/sbin/iptables -F drop-and-log-it
echo "here"
fi
# Delete all User-specified chains
/sbin/iptables -X
# Reset all IPTABLES counters
/sbin/iptables -Z
# Creating a DROP chain
/sbin/iptables -N drop-and-log-it
/sbin/iptables -A drop-and-log-it -j LOG --log-level info
/sbin/iptables -A drop-and-log-it -j REJECT
#/sbin/iptables -I FORWARD -i $EXTIF -o $INTIF -p tcp --dport 25565 -j ACCEPT
/sbin/iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 25565 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 25565 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 25565 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
/sbin/iptables -A INPUT -p udp --dport 139 -j DROP
echo -e " - Loading INPUT rulesets"
#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interfaces are valid.
#/sbin/iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
# local interface, local machines, going anywhere is valid
echo "here"
/sbin/iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
/sbin/iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
# remote interface, any source, going to permanent PPP address is valid
/sbin/iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
# Allow any related traffic coming back to the MASQ server in
/sbin/iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
echo -e " - Loading OUTPUT rulesets"
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interface is valid.
/sbin/iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interfaces, any source going to local net is valid
/sbin/iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
# local interface, any source going to local net is valid
/sbin/iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
/sbin/iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
# anything else outgoing on remote interface is valid
/sbin/iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
# Catch all rule, all other outgoing is denied and logged.
/sbin/iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading FORWARD rulesets"
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
# Allow all connections OUT and only existing/related IN
/sbin/iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Catch all rule, all other forwarding is denied and logged.
/sbin/iptables -A FORWARD -j drop-and-log-it
# Enable SNAT (MASQUERADE) functionality on $EXTIF
/sbin/iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
/usr/local/sbin/ebtables -A FORWARD -j ACCEPT
/usr/local/sbin/ebtables -A INPUT -j ACCEPT
/usr/local/sbin/ebtables -A OUTPUT -j ACCEPT
echo -e " Firewall server rule loading complete\n\n"
Here's the script I use to set up the bridge :
#! /bin/bash
#
# /sbin/init.d/bridge
#
#. /etc/rc.config
#return=$rc_done
case "$1" in
start)
echo "Starting service bridge mueb"
brctl addbr mueb || return=$rc_failed
brctl setbridgeprio mueb 0 || return=$rc_failed
brctl addif mueb eth0 || return=$rc_failed
brctl addif mueb eth1 || return=$rc_failed
brctl addif mueb eth2 || return=$rc_failed
brctl addif mueb eth3 || return=$rc_failed
brctl addif mueb eth4 || return=$rc_failed
ifconfig eth0 0.0.0.0 || return=$rc_failed
ifconfig eth1 0.0.0.0 || return=$rc_failed
ifconfig eth2 0.0.0.0 || return=$rc_failed
ifconfig eth3 0.0.0.0 || return=$rc_failed
ifconfig eth4 0.0.0.0 || return=$rc_failed
brctl sethello mueb 1 || return=$rc_failed
brctl setmaxage mueb 4 || return=$rc_failed
brctl setfd mueb 4 || return=$rc_failed
ifconfig mueb 192.168.0.2 netmask 255.255.255.0 up
echo -e "$return"
;;
stop)
echo "Shutting down service bridge mueb"
brctl delif mueb eth4 || return=$rc_failed
brctl delif mueb eth3 || return=$rc_failed
brctl delif mueb eth2 || return=$rc_failed
brctl delif mueb eth1 || return=$rc_failed
brctl delif mueb eth0 || return=$rc_failed
brctl delbr mueb || return=$rc_failed
rmmod bridge || return=$rc_failed
echo -e "$return"
;;
status)
#ifconfig mueb 192.168.0.2 netmask 255.255.255.0 up
brctl showbr mueb
#ifconfig mueb 192.168.0.2 netmask 255.255.255.0 up
;;
restart)
$0 stop && $0 start || return=$rc_failed
;;
*)
echo "Usage: $0 {start|stop|status|restart}"
exit 1
esac
test "$return" = "$rc_done" || exit 1
exit 0
Here's what ifconfig has to say :
eth0 Link encap:Ethernet HWaddr <hw address>
inet addr:<ex ip address> Bcast:<broadcast address> Mask:255.255.255.0
inet6 addr:<ipv6 address> Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15041 errors:0 dropped:0 overruns:0 frame:0
TX packets:14416 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15868910 (15.1 MiB) TX bytes:2146796 (2.0 MiB)
Interrupt:11
eth0:0 Link encap:Ethernet HWaddr <hw address>
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11
eth1 Link encap:Ethernet HWaddr <hw address>
inet addr:192.168.1.101 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::204:75ff:fece:429e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10869 errors:0 dropped:0 overruns:0 frame:0
TX packets:11577 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1494612 (1.4 MiB) TX bytes:12621879 (12.0 MiB)
Interrupt:11 Base address:0x2000
eth2 Link encap:Ethernet HWaddr <hw address>
inet addr:192.168.2.102 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:11 Base address:0xdc00
eth3 Link encap:Ethernet HWaddr <hw address>
inet addr:192.168.3.103 Bcast:192.168.3.255 Mask:255.255.255.0
inet6 addr: fe80::250:fcff:fef5:75e0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:125 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:17853 (17.4 KiB)
Interrupt:11 Base address:0xe400
eth4 Link encap:Ethernet HWaddr <hw address>
inet addr:192.168.4.104 Bcast:192.168.4.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:11 Base address:0xd400
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:370 errors:0 dropped:0 overruns:0 frame:0
TX packets:370 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:89965 (87.8 KiB) TX bytes:89965 (87.8 KiB)
mueb Link encap:Ethernet HWaddr <hw address>
inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::204:75ff:fece:429e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10869 errors:0 dropped:0 overruns:0 frame:0
TX packets:11575 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1341732 (1.2 MiB) TX bytes:12620641 (12.0 MiB)
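Two things the thread raises but never puts together: reply #7's point that netstat says nothing about what the firewall did, and the posted script's FORWARD accept for port 25565 with no nat/PREROUTING DNAT rule, which is the other half of a port forward (without it the packet stays addressed to the gateway itself and never enters FORWARD). The script below is an added example, not the OP's script and not a reply from the thread. It assumes eth0 is a plain routed uplink that is not a member of the bridge (the posted bridge script adds eth0 to mueb; frames switched between bridge ports at layer 2 do not pass through the IP FORWARD chain unless br_netfilter is enabled), that the bridge mueb holds only the LAN ports, and that a LAN host 192.168.0.10 (a constructed address) runs the game server. Setting IPT=echo prints the rules instead of applying them, which is also how the accompanying test exercises it.

```shell
#!/bin/sh
# Added example: minimal routed NAT gateway that forwards TCP/25565 to an
# internal host.  Interface names, the internal host address and the port
# are assumptions; override any of them through the environment.
# IPT=echo turns the script into a dry run that prints the rules.
set -u

EXTIF="${EXTIF:-eth0}"               # assumed: routed uplink, NOT a bridge member
INTIF="${INTIF:-mueb}"               # assumed: bridge of the LAN ports only
INTNET="${INTNET:-192.168.0.0/24}"
INTHOST="${INTHOST:-192.168.0.10}"   # constructed: LAN box running the game server
PORT="${PORT:-25565}"
IPT="${IPT:-/sbin/iptables}"

load_rules() {
    # Clean slate with default DROP, so the question from reply #7
    # ("default policy: ACCEPT or DROP?") has one unambiguous answer.
    $IPT -F; $IPT -X; $IPT -t nat -F; $IPT -t nat -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, replies to existing connections, and the LAN itself.
    # Port 139 needs no rule of its own: the default DROP on INPUT already
    # closes it towards the uplink, even though smbd still shows in netstat.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$INTIF" -s "$INTNET" -j ACCEPT
    # Anti-spoofing: internal source addresses never arrive on the uplink.
    $IPT -A INPUT -i "$EXTIF" -s "$INTNET" -j DROP

    # Port forwarding, half one: nat/PREROUTING rewrites the destination
    # before the routing decision, so the packet is routed to the LAN host.
    $IPT -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$INTHOST:$PORT"
    # Half two: filter/FORWARD must accept the rewritten packet.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$INTHOST" --dport "$PORT" \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -j ACCEPT
    # Anything else that tries to cross the box is logged, then hits policy DROP.
    $IPT -A FORWARD -j LOG --log-prefix "FWD-DROP: "

    # Source NAT for LAN hosts going out; MASQUERADE follows a changing uplink IP.
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j MASQUERADE
}

# netstat reports what a process listens on; the per-rule packet counters
# report what the firewall actually did.  Run this, connect from a host on
# the *far* side of the uplink, run it again and compare the numbers.
show_counters() {
    $IPT -t nat -L PREROUTING -v -n -x
    $IPT -L FORWARD -v -n -x
}

case "${1:-dry-run}" in
    apply)    echo 1 > /proc/sys/net/ipv4/ip_forward; load_rules ;;
    counters) show_counters ;;
    dry-run)  IPT=echo load_rules ;;
    *) echo "usage: $0 {apply|dry-run|counters}" >&2; exit 1 ;;
esac
```

Run it with no arguments first to read the generated rules, then `apply` as root, then `counters` before and after a connection attempt from outside; if the PREROUTING DNAT counter moves but the FORWARD accept counter does not, the problem is in the routing or bridge layout rather than in the filter rules.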