Opening up ports in firewall not working
Hi,
I have just set up a Debian woody server, with an iptables firewall. (script below) Everything works great except that I can't run teamspeak. That is, I can't connect to the server (the box with the firewall) from my home computer. When I switch the firewall off, I can connect. If I open up all the ports I can connect. If I just open port 8767 (teamspeak server port) I can't connect.
My firewall drops all incoming packets
/sbin/iptables -P INPUT DROP
and then I open up any ports I need for myself
/sbin/iptables -A INPUT -p tcp -s 81.69.68.98 -d 0/0 --dport 22 -j ACCEPT
I have been going through a lot of forums and guides, and it seems that a lot of apps just initialize a connection through the assigned port (8767) and then just route all the traffic over another port, to keep the assigned port free. So the connection initialization from the client through port 8767 works just fine, but after that, it can't send data over the other port. This should be fixed by adding this rule:
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
but it doesn't. I'm clueless what to do next?
Here is my entire firewall script:
/sbin/iptables -A INPUT -p tcp -s 80.126.106.155 -d 0/0 --dport 22 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -F
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE
/sbin/iptables -F
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -i eth1 -s 192.168.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 80.126.106.155 -d 0/0 --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 81.69.68.98 -d 0/0 --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8767 -j ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
Well, you would be correct IF Teamspeak used TCP for the real-time data... which it doesn't.
Also, by setting the default INPUT policy to DROP you effectively blocked the whole ephemeral port range used for client applications.
It's usually between 1024 and 3000, I set it to 49152 to 65535, but that's just personal preferences. You can set the ephemeral range easily with this line of code:
echo "49152 65535" > /proc/sys/net/ipv4/ip_local_port_range
Note this is an entry in the proc FS so you have to renew it after each reboot.
Then you just need to allow this range with these two lines:
iptables -A INPUT -p tcp --dport 49152:65535 -j ACCEPT
iptables -A INPUT -p udp --dport 49152:65535 -j ACCEPT
Also you might want to build up a little filtering for the most common TCP scan attempts. The following are excerpts from my own filters:
# ====================== define portscan drop chain ======================
# create chain PORTSCAN_DROP
iptables -N PORTSCAN_DROP
# log packet header
iptables -A PORTSCAN_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
# drop packet
iptables -A PORTSCAN_DROP -j DROP
# ==================== build input/output block chains ===================
# create chains BLOCK_INPUT and BLOCK_OUTPUT
iptables -N BLOCK_INPUT
iptables -N BLOCK_OUTPUT
echo "*** Blocking ***"
# block ICMP type 5 (redirect)
iptables -A BLOCK_INPUT -i eth0 -p icmp --icmp-type 5 -j DROP
for i in /proc/sys/net/ipv4/conf/*; do
echo 0 > $i/accept_redirects
done
echo "ICMP Type 5 (redirect) blocked"
# block LAN broadcasts
iptables -A BLOCK_INPUT -i eth0 -s 255.255.255.255 -j PORTSCAN_DROP
iptables -A BLOCK_OUTPUT -o eth0 -d 255.255.255.255 -j PORTSCAN_DROP
# block incoming packets from private ip addresses (RFC 1918)
iptables -A BLOCK_INPUT -i eth0 -s 127.255.255.255/8 -j PORTSCAN_DROP
iptables -A BLOCK_INPUT -i eth0 -s 10.255.255.255/8 -j PORTSCAN_DROP
iptables -A BLOCK_INPUT -i eth0 -s 172.31.255.255/12 -j PORTSCAN_DROP
iptables -A BLOCK_INPUT -i eth0 -s 192.168.255.255/16 -j PORTSCAN_DROP
# block outgoing packets to private ip addresses (RFC 1918)
iptables -A BLOCK_OUTPUT -o eth0 -d 127.255.255.255/8 -j PORTSCAN_DROP
iptables -A BLOCK_OUTPUT -o eth0 -d 10.255.255.255/8 -j PORTSCAN_DROP
iptables -A BLOCK_OUTPUT -o eth0 -d 172.31.255.255/12 -j PORTSCAN_DROP
iptables -A BLOCK_OUTPUT -o eth0 -d 192.168.255.255/16 -j PORTSCAN_DROP
echo "RFC 1918 addresses on public interface blocked"
# drop corrupt packets
iptables -A BLOCK_INPUT -m state --state INVALID -j PORTSCAN_DROP
iptables -A BLOCK_OUTPUT -m state --state INVALID -j PORTSCAN_DROP
echo "dropping invalid packets"
# -------------- block invalid packets (stealth scans etc) ---------------
echo "Packet drop:"
# no flags set
iptables -A BLOCK_INPUT -p tcp --tcp-flags ALL NONE -j PORTSCAN_DROP
echo " no flags set"
# SYN and FIN set
iptables -A BLOCK_INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j PORTSCAN_DROP
echo " SYN+FIN"
# SYN and RST set
iptables -A BLOCK_INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j PORTSCAN_DROP
echo " SYN+RST"
# FIN and RST set
iptables -A BLOCK_INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j PORTSCAN_DROP
echo " FIN+RST"
# FIN without ACK
iptables -A BLOCK_INPUT -p tcp --tcp-flags ACK,FIN FIN -j PORTSCAN_DROP
echo " FIN without ACK"
# PSH without ACK
iptables -A BLOCK_INPUT -p tcp --tcp-flags ACK,PSH PSH -j PORTSCAN_DROP
echo " PSH without ACK"
# URG without ACK
iptables -A BLOCK_INPUT -p tcp --tcp-flags ACK,URG URG -j PORTSCAN_DROP
echo " URG without ACK"
# ----------------------- block suspicious hosts -------------------------
# Teamspeak phone-home
iptables -A BLOCK_INPUT -s 62.4.81.225 -j DROP
iptables -A BLOCK_OUTPUT -d 62.4.81.225 -j DROP
iptables -A BLOCK_INPUT -s 213.202.254.116 -j DROP
iptables -A BLOCK_OUTPUT -d 213.202.254.116 -j DROP
echo " Teamspeak phone-home: quassel.teamspeak.org"
# Hungarian wanna-be hackers
iptables -A BLOCK_INPUT -s 62.80.64.0/20 -j DROP
iptables -A BLOCK_OUTPUT -d 62.80.64.0/20 -j DROP
echo " Hungarian wanna-be hackers: 62.80.64.0/20"
# block tesha.net (abusive)
iptables -A BLOCK_INPUT -s 216.65.31.201 -j DROP
iptables -A BLOCK_OUTPUT -d 216.65.31.201 -j DROP
echo " tesha.net (abusive): 216.65.31.201"
echo "done suspicious hosts"
And don't forget the well-known spammers:
# ============================= define SPAM drop =========================
# create SPAM_DROP chain
iptables -N SPAM_DROP
# log as recognized spam
#iptables -A SPAM_DROP -m limit --limit 7200/h -j LOG --log-prefix "SPAM DROP "
# drop connection
iptables -A SPAM_DROP -j REJECT
# ============= establish list of known spammers (SPAM_BLOCK) ===========
# create SPAM_BLOCK chain
iptables -N SPAM_BLOCK
# block hosts that shouldn't exist
iptables -A SPAM_BLOCK -s 218.72.221.170 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 218.72.221.170 -j SPAM_DROP
# block 1&1 relay test
#iptables -A SPAM_BLOCK -s 212.227.126.156 -j SPAM_DROP
#iptables -A SPAM_BLOCK -d 212.227.126.156 -j SPAM_DROP
# block transedge.com
iptables -A SPAM_BLOCK -s 64.233.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 64.233.0.0/16 -j SPAM_DROP
# block korean spammers
iptables -A SPAM_BLOCK -s 211.63.0.0/12 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 211.63.0.0/12 -j SPAM_DROP
iptables -A SPAM_BLOCK -s 210.104.0.0/12 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 210.104.0.0/12 -j SPAM_DROP
# block hongkong spammers
iptables -A SPAM_BLOCK -s 202.177.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 202.177.0.0/16 -j SPAM_DROP
# block chinese spammers
iptables -A SPAM_BLOCK -s 61.187.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 61.187.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -s 218.70.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 218.70.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -s 219.0.0.0/8 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 219.0.0.0/8 -j SPAM_DROP
# block whole APNIC
iptables -A SPAM_BLOCK -s 221.0.0.0/8 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 221.0.0.0/8 -j SPAM_DROP
# block AT&T spammers
iptables -A SPAM_BLOCK -s 12.65.102.141 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 12.65.102.141 -j SPAM_DROP
# block Comcast Cable spammers
iptables -A SPAM_BLOCK -s 24.128.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 24.128.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -s 24.91.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 24.91.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -s 66.31.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 66.31.0.0/16 -j SPAM_DROP
# block mexican spammers
iptables -A SPAM_BLOCK -s 66.139.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 66.139.0.0/16 -j SPAM_DROP
# block taiwanese spammers
iptables -A SPAM_BLOCK -s 218.0.0.0/8 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 218.0.0.0/8 -j SPAM_DROP
# block option1 (yankland)
iptables -A SPAM_BLOCK -s 69.19.128.0/17 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 69.19.128.0/17 -j SPAM_DROP
# block Shaw Communications Inc. (Canada)
iptables -A SPAM_BLOCK -s 24.64.0.0/13 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 24.64.0.0/13 -j SPAM_DROP
# block latin america
#iptables -A SPAM_BLOCK -s 200.0.0.0/8 -j SPAM_DROP
# block hungary
iptables -A SPAM_BLOCK -s 172.144.0.0/16 -j SPAM_DROP
# block part of q-dsl
iptables -A SPAM_BLOCK -s 212.202.0.0/16 -j SPAM_DROP
# block penis enlargement dudes
iptables -A SPAM_BLOCK -s 200.46.208.0/25 -j SPAM_DROP
# block Ralsky Mafia
iptables -A SPAM_BLOCK -s 168.95.0.0/16 -j SPAM_DROP
# block XO Communications
iptables -A SPAM_BLOCK -s 205.158.0.0/16 -j SPAM_DROP
# block CAIS
iptables -A SPAM_BLOCK -s 205.177.0.0/16 -j SPAM_DROP
# return
iptables -A SPAM_BLOCK -j RETURN
You plug them in with those lines:
# Block certain input traffic
iptables -A INPUT -j BLOCK_INPUT
# Block certain output traffic
iptables -A OUTPUT -j BLOCK_OUTPUT
# Block Spam
iptables -A INPUT -p tcp --dport smtp -j SPAM_BLOCK
And just out of curiosity, is this a dedicated server or an old box serving as NAT gateway and TS server for your LAN?
It works fine, thanks!
This box works as both actually. A friend of mine moved in a new apartment, which is a student complex. He has internet from the university, which is a 100Mbit line. So I humbly requested to put down an old box at his place, which would serve as his NAT box, and my dedicated 100Mbit server. It's pretty nice to have a free 100Mbit server for yourself :)
Hello I just recently rented a server and I am trying to set up a TS server. I have it running but I do not know how to open the necessary ports through the iptables. I know nothing about iptables or the commands to add rules. I was wondering if someone could walk me through getting this setup?
Any help would be greatly appreciated.
Look for lines that read something like iptables -A INPUT something or iptables -I INPUT something. Add iptables -A INPUT -p udp --dport 8767 -j ACCEPT after that line.
Thanks for the reply, the problem is I have to do this through ssh as I do not have access to whatever file is needed to add the code. Or at least I am not sure how to get to it. How would I input that with bash commands? Or can you tell me the name of the file I need to add it to?
The name of the file? Perhaps, if I knew your Linux Distro.
Oh, and by the way: try the commands "joe", "nano", "pico" or even "vim" (shudder!). Those are text editors for editing files. :)
Scott, I found the problem. The host opened the port as tcp, instead of udp. He's running IP Tables on CentOS. Open PuTTY, at the shell prompt, and type this in. This should straighten it out:
iptables -A INPUT -p udp --dport 8767 -j ACCEPT
ah ok thanks a lot, I'll give it a try.
was it supposed to give some kind of response? It just went back to the command prompt. no error or anything. Still can't login. Still getting a No reply from server message. I checked it it says that the ts server is running, I just stopped it and restarted it and still no response.
my server info is WHM 10.8.0 cPanel 10.8.1-R30
CentOS 4.2 i686 - WHM X v3.1.0
If that helps.
Well, we ran the rule on IPTables, and restarted the firewall. While the firewall was down, the Team Speak server was accessible. When the firewall came back up, it was again blocking the TeamSpeak server. Anyone have any other suggestions to get Scott up and running with this?
Here is the iptable list
post edited
Scott, is this a new list? I don't see the port open for 8767 udp. Let me try and run the command to see if I can get it to take, where it shows in the ip tables.
yeah, doesn't that rule need to be put into the Chain PORT_ACCEPT area? What is the command to put the rule in a chain?
ACCEPT tcp -- anywhere anywhere tcp dpt:8767
Cough-Cough, it's UDP.
Besides, even though this still would work you might want to put that rule into a chain that is more appropriate. For example PORT_ACCEPT.
The following line would do that:
iptables -A PORT_ACCEPT -p udp --dport 8767 -j ACCEPT
Also:
DROP all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:51234
ACCEPT udp -- anywhere anywhere udp dpt:8767
ACCEPT udp -- anywhere anywhere udp dpts:8767:8768
ACCEPT tcp -- anywhere anywhere tcp dpt:14534
This is bad design. Rather set the policy of your firewall to REJECT (or DROP) instead of ACCEPT with a DROP all rule at the end. One iptables -F injected and your server is fully accessible from the internet :)
Besides, if you have a DROP all anywhere/anywhere BEFORE accepting rules those accepting rules will never be considered, you know that? Iptables runs through the rules from top to bottom and it will "gosub" (in BASIC terms) to other chains if instructed to.
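An added example, not a script from any post in this thread, of the layout Brain describes: default policy DROP set before any rule, the service ACCEPTs (TeamSpeak UDP 8767, web admin TCP 14534, ssh from the two admin hosts in the original script) in a PORT_ACCEPT chain, and no "DROP all" rule above them. The interface names eth0/eth1 and the IPT=echo dry-run convention are assumptions for this example.

```shell
#!/bin/sh
# Added example, not a script from any post in this thread: a default-deny
# ruleset for the NAT box + TeamSpeak server in the shape Brain recommends:
# policy DROP, service ACCEPTs in a PORT_ACCEPT chain, no "DROP all" above them.
# Set IPT=echo to dry-run (print the commands instead of loading them).
IPT="${IPT:-/sbin/iptables}"
WAN="${WAN:-eth0}"   # public interface (assumed name)
LAN="${LAN:-eth1}"   # LAN side, 192.168.0.0/24 as in the original script
ADMIN_HOSTS="${ADMIN_HOSTS:-81.69.68.98 80.126.106.155}"   # ssh sources from the thread

build_rules() {
    # Flush, then set policies BEFORE any rule: a stray "iptables -F" now
    # leaves the box closed instead of wide open.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Service ports in their own chain (PORT_ACCEPT, as on the rented box).
    $IPT -N PORT_ACCEPT
    $IPT -A PORT_ACCEPT -p udp --dport 8767 -j ACCEPT    # TeamSpeak voice: UDP
    $IPT -A PORT_ACCEPT -p tcp --dport 14534 -j ACCEPT   # TeamSpeak web admin
    for h in $ADMIN_HOSTS; do
        $IPT -A PORT_ACCEPT -p tcp -s "$h" --dport 22 -j ACCEPT
    done
    $IPT -A PORT_ACCEPT -j RETURN

    # INPUT, top to bottom: loopback, LAN, replies to our own connections,
    # junk, then new connections to the services; everything else falls
    # through to the DROP policy after being logged at a bounded rate.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s 192.168.0.0/24 -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state NEW -j PORT_ACCEPT
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP "

    # Forwarding and NAT for the LAN, unchanged from the original script.
    $IPT -A FORWARD -i "$LAN" -s 192.168.0.0/24 -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s 192.168.0.0/24 -j MASQUERADE
}

# Number of generated rules matching a pattern, e.g. '--dport 8767'; used to
# check a dry run before loading the rules for real.
count_rules() { ( IPT=echo; build_rules ) | grep -c -- "$1"; }
```

Source the file and run `IPT=echo build_rules` to review the commands, then call `build_rules` as root to load them; the logged "INPUT DROP " lines in syslog are where a wrong-protocol mistake like the tcp/udp mix-up above shows up.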
Thanks Brain. This server is rented from a host, and these rules you see in the list were applied to the iptables by the guy running the host. Scott, you might want to copy a link to him about this. Brain, Scott and I have been racking our brains trying to figure this out to get TS going. We knew it was in the firewall, but neither of us are familiar with writing the bash commands for proper rule writing to do this. We were struggling to get the udp set up. I'd really appreciate your help in setting this firewall up appropriately. Can you please advise how to write the rules out in a bash command form to apply to have this machine the most secure? Or, would this have to be written in a start up script? If so, do you know where to look for the script? If it would help, we can run a new iptable list and post it, or send it to you. We're both eager to learn how to use the iptables, rather than using a gui to interface with it, and would be grateful for your help. Thanks.
O.K., the port is showing in the Chain Port Accept as port 8767 udp. But, still unable to access TS with the firewall up? Do we need to add any other ports, for incoming or outgoing? Or, is this being caused by the Drop All/Anywhere at the beginning? How do we remove that, and insert the rule to drop at the end of the chain?
Sure, it's not that difficult. Unfortunately I'm not really familiar with the structure of CentOS, but I guess you might have a file in /etc/init.d/ called "network" or "networking" (or perhaps even "firewall" or "iptables") which contains the commands that make up your filtering rules.
I found the iptable file but when I open it in one of the editors the rules look like they are encrypted. The only part of it that is not encrypted is the help information.
AH cool I see someone got it working. I can login to TS now, but only one thing is I still cannot access the Webadmin Interface, it tries to access it then still times out. Does that tcp 14534 need to be added to that chain also?
ok nm, I just added the rule to the Port_Accept chain and it works now. Thanks a lot for your help. It is greatly appreciated.
Thanks a lot for your help, Brain. It's running now.