Find the answer to your Linux question:
Results 1 to 5 of 5
Hello. I'm running RH 9 with kernel 2.4.8-20. I need to open ports 8000 and 8001 for a SHOUTcast streaming server. I have successfully used this server on the same ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    May 2004
    Posts
    4

    Iptables seem configured properly, but still can't open port


    Hello. I'm running RH 9 with kernel 2.4.8-20.

    I need to open ports 8000 and 8001 for a SHOUTcast streaming server. I have successfully used this server on the same IP address over Windows and Mac, so I know the network is not the problem.

    My iptables seem configured properly, unless someone can please tell me of any errors here that might be causing the problem. Notice that ports 8000 and 8001 are set to "ACCEPT". There's also an additional filter suggested by a fellow SHOUTcast broadcaster designed specifically to open 8000 and 8001:

    # Firewall configuration written by lokkit
    # Manual customization of this file is not recommended.
    # Note: ifup-post will punch the current nameservers through the
    # firewall; such entries will *not* be listed here.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Lokkit-0-50-INPUT - [0:0]
    -A INPUT -j RH-Lokkit-0-50-INPUT
    -A FORWARD -j RH-Lokkit-0-50-INPUT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7998 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7999 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 8000 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 8001 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
    COMMIT
    *filter
    :INPUT DROP [16986:724916]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [409:31084]
    :SERVICES - [0:0]
    -A INPUT -d xxx.xxx.xxx.xxx -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -j SERVICES
    -A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -j LOG --log-prefix "[FILTER/OUTPUT] "
    -A SERVICES -d xxx.xxx.xxx.xxx -i eth0 -p tcp --dport 8000 -j ACCEPT
    -A SERVICES -d xxx.xxx.xxx.xxx -i eth0 -p tcp --dport 8001 -j ACCEPT
    -A SERVICES -d xxx.xxx.xxx.xxx -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
    COMMIT

    Despite the apparent settings in iptables, I still do not see ports 8000 and 8001 when I run "nmap -v" or "nmap -sT". Here's what it shows:

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    No tcp,udp, or ICMP scantype specified, assuming SYN Stealth scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
    Host (xxx.xxx.xxx.xxx) appears to be up ... good.
    Initiating SYN Stealth Scan against (xxx.xxx.xxx.xxx)
    Adding open port 6000/tcp
    Adding open port 111/tcp
    Adding open port 22/tcp
    The SYN Stealth Scan took 2 seconds to scan 1601 ports.
    Interesting ports on (xxx.xxx.xxx.xxx):
    (The 1598 ports scanned but not shown below are in state: closed)
    Port State Service
    22/tcp open ssh
    111/tcp open sunrpc
    6000/tcp open X11

    And here's what the SC server tells me:

    ************************************************** *****************************
    ** SHOUTcast Distributed Network Audio Server
    ** Copyright (C) 1998-2004 Nullsoft, Inc. All Rights Reserved.
    ** Use "sc_serv filename.ini" to specify an ini file.
    ************************************************** *****************************

    Event log:
    <05/16/04@17:33:42> [SHOUTcast] DNAS/Linux v1.9.4 (Mar 17 2004) starting up...
    <05/16/04@17:33:42> [main] pid: 17423
    <05/16/04@17:33:42> [main] loaded config from sc_serv.conf
    <05/16/04@17:33:42> [main] initializing (usermax:100 portbase:8000)...
    <05/16/04@17:33:42> [main] No ban file found (sc_serv.ban)
    <05/16/04@17:33:42> [main] No rip file found (sc_serv.rip)
    <05/16/04@17:33:42> [main] relay thread starting
    <05/16/04@17:33:42> [source] creating relay socket
    <05/16/04@17:33:42> [main] opening client socket
    <05/16/04@17:33:42> [main] Client Stream thread [0] starting
    <05/16/04@17:33:42> [main] client main thread starting
    <05/16/04@17:33:42> [source] relay host gave success (ICY 200 OK)
    <05/16/04@17:33:42> [source] relay from 165.132.194.122 established.
    <05/16/04@17:33:42> [source] icy-name:RADIO MACONDO: Pura Salsa, Puro Son...El Canal Salsero de ORSRADIO ; icy-genre:World Latin Salsa
    <05/16/04@17:33:42> [source] icy-pub:1 ; icy-br:96 ; icy-url:http://homepage.mac.com/jslmg/radiomacondo/english.htm
    <05/16/04@17:33:42> [source] icy-irc:N/A ; icy-icq:N/A ; icy-aim:N/A
    <05/16/04@17:33:54> [yp_add] yp.shoutcast.com gave error (nak)
    <05/16/04@17:33:54> [yp_add] yp.shoutcast.com gave extended error (Cannot see your station/computer (IP: xxx.xxx.xxx.xxx:8000) from the Internet, disable Internet Sharing/NAT/firewall/ISP cache (Connection timed out))

    Is there anything else I can do to open these ports?

  2. #2
    Linux Guru
    Join Date
    Apr 2003
    Location
    London, UK
    Posts
    3,284
    if you run:

    Code:
    netstat -ant | grep LISTEN
    do you actually see port 8000 open? (0.0.0.0:8000 or 127.0.0.1:8000).

  3. #3
    Just Joined!
    Join Date
    May 2004
    Posts
    4
    Yes, I ran netstat grep and saw 0.0.0.0:8000 LISTEN.

    Still getting the error from the SC server, though.

  4. #4
    Linux Newbie
    Join Date
    Apr 2004
    Posts
    158
    Hi,

    Maybe you need the udp protocoll aswell?

    just copy/paste the lines in you iptables config and change tcp to udp...

    Good luck

    Jonas

  5. #5
    Just Joined!
    Join Date
    May 2004
    Posts
    4
    Thanks, Jonas, that was certainly worth trying. My guess has been all along that these servers don't need udp, but still, it seemed right to make sure all ports had both TCP and UDP, just in case.

    Actually, what happened after I put in the UDP lines was that the IP Tables began failing to load. I don't know why that happened. Finally, I just deleted the entire LOKKIT-created filter, so I was left with only the filter recommended by the SHOUTcast broadcaster. That filter loaded fully, including the new UPD lines.

    But still, I get the same error message from the SC server, so no dice.

    Please, everyone, keep your suggestions coming! Jonas' was a fine one.

    Any definitive solutions would be most welcome

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •