  1. #1
    Just Joined!
    Join Date
    Sep 2009
    Posts
    5

    iptables ignored?


    I'm trying to set up routing / forwarding. I have a bridging system with 5 NICs which appears to work ok but if I try to open or close a port on the server using iptables nothing happens.

    for example:

    > iptables -A OUTPUT -d 127.0.0.1 -p tcp --dport 139 -j DROP

    > iptables -A INPUT -d 127.0.0.1 -p tcp --dport 139 -j DROP

    Appears to make no difference as netstat -ntulp says :

    tcp 0 0 127.0.0.1:139 0.0.0.0:* LISTEN 4365/smbd

    so it looks like the port is still open. So, what am I doing wrong?

    Thanks.

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Remove the -d 127.0.0.1 from the rules.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,752
    but if I try to open or close a port on the server using iptables nothing happens
    The firewall (iptables) blocks/allows connections to network ports. It does *NOT* start or stop services. If the service is running, netstat will show the port in use by the process. That does not have any bearing on whether iptables is allowing traffic to reach that port.

  4. #4
    Just Joined!
    Join Date
    Sep 2009
    Posts
    5
    Quote Originally Posted by Lazydog View Post
    Remove the -d 127.0.0.1 from the rules.
    Thanks for the quick reply. Tried that and it didn't make any difference.

  5. #5
    Just Joined!
    Join Date
    Sep 2009
    Posts
    5
    Thanks for the reply.

    Quote Originally Posted by HROAdmin26 View Post
    That does not have any bearing on whether iptables is allowing traffic to reach that port.
    Ok, but I also checked it from an external port-checking site, which said the port is in stealth mode and registers no change when I run the iptables commands.

    Perhaps I can check if iptables is not being ignored another way?

  6. #6
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    First ensure that iptables is running. Maybe it would be best if you could post your rules so that we can get an idea of what you are trying to do.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  7. #7
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,752
    Lazydog is correct - what are you trying to do?

    1) First you implied you expected to see some change in netstat after running iptables commands. (Wrong)

    2) The iptables commands you posted would block only traffic from the local machine (127.0.0.1.) If you connect from a remote machine, the destination IP would NOT be 127.0.0.1. So the "test" you did was again irrelevant.

    3) Back to what Lazydog said - the *whole* ruleset has to be taken into consideration. What is the default policy? ACCEPT or DROP?

    Code:
    iptables -A OUTPUT -d 127.0.0.1 -p tcp --dport 139 -j DROP
    What this means: When I (the local machine) send packets out and the destination is 127.0.0.1 (me - my loopback address) and port 139, iptables will drop the packets.

    ???

    Let's also note that if smbd is *only* listening on IP 127.0.0.1, it will not be reachable by other machines. Unless there is another LISTEN port tied to a routable IP (or "any IP = 0.0.0.0:139), the smbd service is only available to the local machine.
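The point made in posts #3 and #7 is that netstat reports what is listening, not what the firewall is doing, and that a rule with "-d 127.0.0.1" can only ever see loopback traffic. The right instrument for checking whether a rule takes effect is the per-rule packet counter. The shell script below is an added example, not code from the thread: it parses the counter output of "iptables -L INPUT -v -n -x" and reports which port-139 rules are loopback-only and how many packets the remotely reachable DROP rules have matched. The counter listing embedded in it is a constructed sample in that command's format (the function names rule_hits, rule_count, loopback_only_rules and dropped_from_remote are this example's own); on a real host, substitute the live output.

```shell
#!/bin/sh
# Added example (not code from the thread): check whether an iptables rule
# is actually matching packets by reading the per-rule counters printed by
# `iptables -L INPUT -v -n -x`. netstat only reports that smbd is listening
# on 139; it never changes when a DROP rule is added, so it is the wrong
# instrument for this test.
#
# SAMPLE_COUNTERS is a CONSTRUCTED snippet in the format of
# `iptables -L INPUT -v -n -x`. On a real host, replace it with the live
# output (root required). Rule 1 mirrors the thread's "-d 127.0.0.1" rule:
# it can only ever match loopback traffic, so its counter stays at zero
# while remote probes arrive; rule 2 has no destination restriction.

SAMPLE_COUNTERS='Chain INPUT (policy DROP 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:139
      57     3420 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
    1024   812345 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0'

# rule_hits CHAIN_OUTPUT DPORT
# Prints "<pkts> <target> <destination>" for every rule matching "dpt:DPORT".
# Header lines are skipped because their first field is not a number.
rule_hits() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^[0-9]+$/ && $0 ~ ("dpt:" port "$") { print $1, $3, $9 }'
}

# rule_count CHAIN_OUTPUT DPORT: number of rules that mention DPORT.
rule_count() {
    rule_hits "$1" "$2" | awk 'END { print NR }'
}

# loopback_only_rules CHAIN_OUTPUT DPORT
# Lists DPORT rules whose destination is in 127.0.0.0/8. Such a rule is
# never consulted for a connection from another machine, because that
# packet's destination is the host's real address, not 127.0.0.1.
loopback_only_rules() {
    rule_hits "$1" "$2" | awk '$3 ~ /^127\./ { print }'
}

# dropped_from_remote CHAIN_OUTPUT DPORT
# Sum of the packet counters of DROP rules for DPORT that are not limited to
# loopback, i.e. the rules that can actually block a remote client. Watch
# this number grow while an external port check runs; netstat will not move.
dropped_from_remote() {
    rule_hits "$1" "$2" | awk '
        $2 == "DROP" && $3 !~ /^127\./ { sum += $1 }
        END { print sum + 0 }'
}

echo "rules for port 139: $(rule_count "$SAMPLE_COUNTERS" 139)"
echo "loopback-only rules (never match remote traffic):"
loopback_only_rules "$SAMPLE_COUNTERS" 139
echo "packets dropped from remote clients: $(dropped_from_remote "$SAMPLE_COUNTERS" 139)"
```

Run it twice around an external port check: if the port is really being filtered by the rule you added, the "dropped from remote clients" number rises between the two runs; if only the loopback-only rule exists, it stays at zero no matter how many probes arrive.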

  8. #8
    Just Joined!
    Join Date
    Sep 2009
    Posts
    5
    Thanks all for your help so far.

    In the end, I'm trying to get a Minecraft server working but I keep getting "failed to connect" errors which appears to result from failure to forward.

    I have a PC acting as gateway / router / bridge with 5 NICs. Eth0 connected to the internet and eth1-4 connected to computers internally. All appears to work except when I try to open ports / forwarding. So, I tried experimenting a bit to see if I could open or close any port but all the tests I do show no change regardless of what I do.

    Here's my iptables script:

    #!/bin/sh
    echo "managing ports ...."
    EXTIP="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
    echo "Ex IP address ... " $EXTIP

    EXTIF="eth0"

    /sbin/iptables -F


    /sbin/iptables -X
    /sbin/iptables -t nat -F
    /sbin/iptables -t nat -X
    /sbin/iptables -t mangle -F
    /sbin/iptables -t mangle -X
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables -P OUTPUT ACCEPT
    echo "here"
    INTIF="mueb"
    INTNET="192.168.0.0/24"
    INTIP="192.168.0.2/24"

    echo " Enabling IP forwarding..."
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr


    UNIVERSE="0.0.0.0/0"

    # Clear any existing rules and setting default policy to DROP
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -F INPUT
    /sbin/iptables -P OUTPUT DROP
    /sbin/iptables -F OUTPUT
    /sbin/iptables -P FORWARD DROP
    /sbin/iptables -F FORWARD
    /sbin/iptables -F -t nat


    # Flush the user chain.. if it exists
    if [ "`iptables -L | grep drop-and-log-it`" ]; then
    /sbin/iptables -F drop-and-log-it
    echo "here"
    fi

    # Delete all User-specified chains
    /sbin/iptables -X

    # Reset all IPTABLES counters
    /sbin/iptables -Z

    # Creating a DROP chain
    /sbin/iptables -N drop-and-log-it
    /sbin/iptables -A drop-and-log-it -j LOG --log-level info
    /sbin/iptables -A drop-and-log-it -j REJECT


    #/sbin/iptables -I FORWARD -i $EXTIF -o $INTIF -p tcp --dport 25565 -j ACCEPT
    /sbin/iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 25565 -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 25565 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 25565 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
    /sbin/iptables -A INPUT -p udp --dport 139 -j DROP

    echo -e " - Loading INPUT rulesets"


    #######################################################################
    # INPUT: Incoming traffic from various interfaces. All rulesets are
    # already flushed and set to a default policy of DROP.
    #

    # loopback interfaces are valid.
    #/sbin/iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

    /sbin/iptables -A INPUT -i lo -j ACCEPT

    # local interface, local machines, going anywhere is valid
    echo "here"
    /sbin/iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

    # remote interface, claiming to be local machines, IP spoofing, get lost
    /sbin/iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it

    # remote interface, any source, going to permanent PPP address is valid
    /sbin/iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

    # Allow any related traffic coming back to the MASQ server in
    /sbin/iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT


    echo -e " - Loading OUTPUT rulesets"

    #######################################################################
    # OUTPUT: Outgoing traffic from various interfaces. All rulesets are
    # already flushed and set to a default policy of DROP.
    #

    # loopback interface is valid.
    /sbin/iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

    # local interfaces, any source going to local net is valid
    /sbin/iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT

    # local interface, any source going to local net is valid
    /sbin/iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

    # outgoing to local net on remote interface, stuffed routing, deny
    /sbin/iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it

    # anything else outgoing on remote interface is valid
    /sbin/iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT

    # Catch all rule, all other outgoing is denied and logged.
    /sbin/iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

    echo -e " - Loading FORWARD rulesets"

    #######################################################################
    # FORWARD: Enable Forwarding and thus IPMASQ
    # Allow all connections OUT and only existing/related IN

    /sbin/iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

    # Catch all rule, all other forwarding is denied and logged.
    /sbin/iptables -A FORWARD -j drop-and-log-it

    # Enable SNAT (MASQUERADE) functionality on $EXTIF
    /sbin/iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP


    /usr/local/sbin/ebtables -A FORWARD -j ACCEPT
    /usr/local/sbin/ebtables -A INPUT -j ACCEPT
    /usr/local/sbin/ebtables -A OUTPUT -j ACCEPT


    echo -e " Firewall server rule loading complete\n\n"






    Here's the script I use to set up the bridge :


    #! /bin/bash
    #
    # /sbin/init.d/bridge
    #

    #. /etc/rc.config

    #return=$rc_done
    case "$1" in

    start)
    echo "Starting service bridge mueb"
    brctl addbr mueb || return=$rc_failed
    brctl setbridgeprio mueb 0 || return=$rc_failed
    brctl addif mueb eth0 || return=$rc_failed
    brctl addif mueb eth1 || return=$rc_failed
    brctl addif mueb eth2 || return=$rc_failed
    brctl addif mueb eth3 || return=$rc_failed
    brctl addif mueb eth4 || return=$rc_failed
    ifconfig eth0 0.0.0.0 || return=$rc_failed
    ifconfig eth1 0.0.0.0 || return=$rc_failed
    ifconfig eth2 0.0.0.0 || return=$rc_failed
    ifconfig eth3 0.0.0.0 || return=$rc_failed
    ifconfig eth4 0.0.0.0 || return=$rc_failed
    brctl sethello mueb 1 || return=$rc_failed
    brctl setmaxage mueb 4 || return=$rc_failed
    brctl setfd mueb 4 || return=$rc_failed
    ifconfig mueb 192.168.0.2 netmask 255.255.255.0 up
    echo -e "$return"
    ;;

    stop)
    echo "Shutting down service bridge mueb"
    brctl delif mueb eth4 || return=$rc_failed
    brctl delif mueb eth3 || return=$rc_failed
    brctl delif mueb eth2 || return=$rc_failed
    brctl delif mueb eth1 || return=$rc_failed
    brctl delif mueb eth0 || return=$rc_failed
    brctl delbr mueb || return=$rc_failed
    rmmod bridge || return=$rc_failed

    echo -e "$return"
    ;;

    status)
    #ifconfig mueb 192.168.0.2 netmask 255.255.255.0 up
    brctl showbr mueb
    #ifconfig mueb 192.168.0.2 netmask 255.255.255.0 up
    ;;

    restart)
    $0 stop && $0 start || return=$rc_failed
    ;;

    *)
    echo "Usage: $0 {start|stop|status|restart}"
    exit 1
    esac

    test "$return" = "$rc_done" || exit 1
    exit 0



    Here's what ifconfig has to say :

    eth0 Link encap:Ethernet HWaddr <hw address>
    inet addr:<ex ip addrss> Bcast:<broad cast address> Mask:255.255.255.0
    inet6 addr:<ipv6 address> Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:15041 errors:0 dropped:0 overruns:0 frame:0
    TX packets:14416 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:15868910 (15.1 MiB) TX bytes:2146796 (2.0 MiB)
    Interrupt:11

    eth0:0 Link encap:Ethernet HWaddr <hw address>
    inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    Interrupt:11

    eth1 Link encap:Ethernet HWaddr <hw address>
    inet addr:192.168.1.101 Bcast:192.168.1.255 Mask:255.255.255.0
    inet6 addr: fe80::204:75ff:fece:429e/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:10869 errors:0 dropped:0 overruns:0 frame:0
    TX packets:11577 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:1494612 (1.4 MiB) TX bytes:12621879 (12.0 MiB)
    Interrupt:11 Base address:0x2000

    eth2 Link encap:Ethernet HWaddr <hw address>
    inet addr:192.168.2.102 Bcast:192.168.2.255 Mask:255.255.255.0
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
    Interrupt:11 Base address:0xdc00

    eth3 Link encap:Ethernet HWaddr <hw address>
    inet addr:192.168.3.103 Bcast:192.168.3.255 Mask:255.255.255.0
    inet6 addr: fe80::250:fcff:fef5:75e0/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:125 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 b) TX bytes:17853 (17.4 KiB)
    Interrupt:11 Base address:0xe400

    eth4 Link encap:Ethernet HWaddr <hw address>
    inet addr:192.168.4.104 Bcast:192.168.4.255 Mask:255.255.255.0
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
    Interrupt:11 Base address:0xd400

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:370 errors:0 dropped:0 overruns:0 frame:0
    TX packets:370 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:89965 (87.8 KiB) TX bytes:89965 (87.8 KiB)

    mueb Link encap:Ethernet HWaddr <hw address>
    inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
    inet6 addr: fe80::204:75ff:fece:429e/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:10869 errors:0 dropped:0 overruns:0 frame:0
    TX packets:11575 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:1341732 (1.2 MiB) TX bytes:12620641 (12.0 MiB)
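One thing a reviewer would check first in the two scripts above: the firewall script keys every INPUT, OUTPUT and FORWARD rule on EXTIF (eth0) versus INTIF (mueb), while the bridge script runs "brctl addif mueb eth0", making the external NIC a port of the internal bridge. Traffic entering through a bridge port is presented to iptables with the bridge device as its input interface, so "-i eth0" and "-i mueb" are not two separate paths in that layout. Whether this is the cause of the forwarding failure is not settled in the thread; the script below is an added example, not code from the thread, that lints a "brctl show" listing for exactly this overlap. Its bridge listing is a constructed sample built from the bridge script in post #8 (the bridge id is a placeholder), and the function names bridge_ports, is_bridge_port and check_ifaces are this example's own.

```shell
#!/bin/sh
# Added example (not code from the thread): lint the firewall script's
# interface variables against the bridge layout. The firewall script keys
# its rules on EXTIF (eth0) versus INTIF (mueb), while the bridge script
# runs "brctl addif mueb eth0", so the external NIC is also a port of the
# internal bridge. It is an assumption here that this overlap is the first
# thing to check; the thread does not settle whether it is the root cause.
#
# BRCTL_SAMPLE is a CONSTRUCTED snippet in `brctl show` format
# (whitespace-separated columns), built from the bridge script in post #8;
# the bridge id is a placeholder. Replace it with live `brctl show` output.

BRCTL_SAMPLE='bridge name     bridge id               STP enabled     interfaces
mueb            8000.000000000000       yes             eth0
                                                        eth1
                                                        eth2
                                                        eth3
                                                        eth4'

# bridge_ports BRCTL_OUTPUT BRIDGE
# Prints the ports of BRIDGE, one per line. In `brctl show` output the bridge
# line carries the first port as its 4th field; each further port is on a
# continuation line that contains only the port name.
bridge_ports() {
    printf '%s\n' "$1" | awk -v br="$2" '
        NR == 1 { next }
        NF >= 3 { cur = $1; if (cur == br && NF >= 4) print $4; next }
        NF == 1 && cur == br { print $1 }'
}

# is_bridge_port BRCTL_OUTPUT IFACE BRIDGE: exit 0 if IFACE is a port of BRIDGE.
is_bridge_port() {
    bridge_ports "$1" "$3" | grep -qx "$2"
}

# check_ifaces BRCTL_OUTPUT EXTIF INTIF
# Reports a conflict (exit 1) when EXTIF is enslaved to INTIF: iptables then
# sees frames that arrived on EXTIF as input on the bridge device, so the
# "-i $EXTIF" anti-spoofing rule and the "-i $EXTIF -o $INTIF" forwarding
# rule cannot match what their comments say they match. Exit 0 otherwise.
check_ifaces() {
    if is_bridge_port "$1" "$2" "$3"; then
        echo "conflict: $2 is a port of bridge $3"
        return 1
    fi
    echo "ok: $2 is not a port of bridge $3"
    return 0
}

EXTIF="eth0"
INTIF="mueb"
check_ifaces "$BRCTL_SAMPLE" "$EXTIF" "$INTIF" || :
```

To use it on the gateway, replace BRCTL_SAMPLE with the output of "brctl show" and keep EXTIF and INTIF in step with the firewall script; an "ok" result means the two interface variables really name separate paths and the rules can be read the way the comments describe them.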
