  1. #1
    Join Date
    Aug 2003
    Location
    Netherlands Rotterdam
    Posts
    4

    Opening up ports in firewall not working

    Hi,

    I have just set up a Debian woody server with an iptables firewall (script below). Everything works great except that I can't run TeamSpeak. That is, I can't connect to the server (the box with the firewall) from my home computer. When I switch the firewall off, I can connect. If I open up all the ports I can connect. If I just open port 8767 (TeamSpeak server port) I can't connect.

    My firewall drops all incoming packets

    /sbin/iptables -P INPUT DROP

    and then I open up any ports I need for myself

    /sbin/iptables -A INPUT -p tcp -s 81.69.68.98 -d 0/0 --dport 22 -j ACCEPT

    I have been going through a lot of forums and guides, and it seems that a lot of apps just initialize a connection through the assigned port (8767) and then just route all the traffic over another port, to keep the assigned port free. So the connection initialization from the client through port 8767 works just fine, but after that, it can't send data over the other port. This should be fixed by adding this rule:

    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    but it doesn't. I'm clueless about what to do next.

    Here is my entire firewall script:
    Code:
    /sbin/iptables -A INPUT -p tcp -s 80.126.106.155 -d 0/0 --dport 22 -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables -t nat -F
    /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
    /sbin/iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE
    /sbin/iptables -F
    /sbin/iptables -P FORWARD DROP
    /sbin/iptables -A FORWARD -i eth1 -s 192.168.0.0/24 -j ACCEPT
    /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -s 80.126.106.155 -d 0/0 --dport 22 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -s 81.69.68.98 -d 0/0 --dport 22 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 8767 -j ACCEPT
    /sbin/iptables -P OUTPUT ACCEPT

  2. #2
    Join Date
    Jan 2003
    Location
    Germany
    Posts
    4,140
    Well, you would be correct IF TeamSpeak used TCP for the real-time data... which it doesn't.
    Also, by setting the default INPUT policy to DROP you effectively blocked the whole ephemeral port range used for client applications.

    It's usually between 1024 and 3000; I set it to 49152 to 65535, but that's just personal preference. You can set the ephemeral range easily with this line of code:

    echo "49152 65535" > /proc/sys/net/ipv4/ip_local_port_range

    Note this is an entry in the proc FS so you have to renew it after each reboot.
    Then you just need to allow this range with these two lines:

    iptables -A INPUT -p tcp --dport 49152:65535 -j ACCEPT
    iptables -A INPUT -p udp --dport 49152:65535 -j ACCEPT

    Also you might want to build up a little filtering for the most common TCP scan attempts. The following are excerpts from my own filters:
    Code:
    # ====================== define portscan drop chain ======================
    
    # create chain PORTSCAN_DROP
    iptables -N PORTSCAN_DROP
    
    # log packet header
    iptables -A PORTSCAN_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
    
    # drop packet
    iptables -A PORTSCAN_DROP -j DROP
    
    
    
    # ==================== build input/output block chains ===================
    
    # create chains BLOCK_INPUT and BLOCK_OUTPUT
    iptables -N BLOCK_INPUT
    iptables -N BLOCK_OUTPUT
    
    echo "*** Blocking ***"
    
    # block ICMP type 5 (redirect)
    iptables -A BLOCK_INPUT -i eth0 -p icmp --icmp-type 5 -j DROP
    for i in /proc/sys/net/ipv4/conf/*; do
        echo 0 > $i/accept_redirects
    done
    echo "ICMP Type 5 (redirect) blocked"
    
    # block LAN broadcasts
    iptables -A BLOCK_INPUT -i eth0 -s 255.255.255.255 -j PORTSCAN_DROP
    iptables -A BLOCK_OUTPUT -o eth0 -d 255.255.255.255 -j PORTSCAN_DROP
    
    # block incoming packets from private ip addresses (RFC 1918)
    iptables -A BLOCK_INPUT -i eth0 -s 127.255.255.255/8 -j PORTSCAN_DROP
    iptables -A BLOCK_INPUT -i eth0 -s 10.255.255.255/8 -j PORTSCAN_DROP
    iptables -A BLOCK_INPUT -i eth0 -s 172.31.255.255/12 -j PORTSCAN_DROP
    iptables -A BLOCK_INPUT -i eth0 -s 192.168.255.255/16 -j PORTSCAN_DROP
    
    # block outgoing packets to private ip addresses (RFC 1918)
    iptables -A BLOCK_OUTPUT -o eth0 -d 127.255.255.255/8 -j PORTSCAN_DROP
    iptables -A BLOCK_OUTPUT -o eth0 -d 10.255.255.255/8 -j PORTSCAN_DROP
    iptables -A BLOCK_OUTPUT -o eth0 -d 172.31.255.255/12 -j PORTSCAN_DROP
    iptables -A BLOCK_OUTPUT -o eth0 -d 192.168.255.255/16 -j PORTSCAN_DROP
    echo "RFC 1918 addresses on public interface blocked"
    
    # drop corrupt packets
    iptables -A BLOCK_INPUT -m state --state INVALID -j PORTSCAN_DROP
    iptables -A BLOCK_OUTPUT -m state --state INVALID -j PORTSCAN_DROP
    echo "dropping invalid packets"
    
    # -------------- block invalid packets (stealth scans etc) ---------------
    
    echo "Packet drop:"
    
    # no flags set
    iptables -A BLOCK_INPUT -p tcp --tcp-flags ALL NONE -j PORTSCAN_DROP
    echo "   no flags set"
    
    # SYN and FIN set
    iptables -A BLOCK_INPUT  -p tcp --tcp-flags SYN,FIN SYN,FIN -j PORTSCAN_DROP
    echo "   SYN+FIN"
    
    # SYN and RST set
    iptables -A BLOCK_INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j PORTSCAN_DROP
    echo "   SYN+RST"
    
    # FIN and RST set
    iptables -A BLOCK_INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j PORTSCAN_DROP
    echo "   FIN+RST"
    
    # FIN without ACK
    iptables -A BLOCK_INPUT -p tcp --tcp-flags ACK,FIN FIN -j PORTSCAN_DROP
    echo "   FIN without ACK"
    
    # PSH without ACK
    iptables -A BLOCK_INPUT -p tcp --tcp-flags ACK,PSH PSH -j PORTSCAN_DROP
    echo "   PSH without ACK"
    
    # URG without ACK
    iptables -A BLOCK_INPUT -p tcp --tcp-flags ACK,URG URG -j PORTSCAN_DROP
    echo "   URG without ACK"
    
    # ----------------------- block suspicious hosts -------------------------
    
    
    # Teamspeak phone-home
    iptables -A BLOCK_INPUT -s 62.4.81.225 -j DROP
    iptables -A BLOCK_OUTPUT -d 62.4.81.225 -j DROP
    iptables -A BLOCK_INPUT -s 213.202.254.116 -j DROP
    iptables -A BLOCK_OUTPUT -d 213.202.254.116 -j DROP
    echo "   Teamspeak phone-home: quassel.teamspeak.org"
    
    # Hungarian wanna-be hackers
    iptables -A BLOCK_INPUT -s 62.80.64.0/20 -j DROP
    iptables -A BLOCK_OUTPUT -d 62.80.64.0/20 -j DROP
    echo "   Hungarian wanna-be hackers: 62.80.64.0/20"
    
    # block tesha.net (abusive)
    iptables -A BLOCK_INPUT -s 216.65.31.201 -j DROP
    iptables -A BLOCK_OUTPUT -d 216.65.31.201 -j DROP
    echo "   tesha.net (abusive): 216.65.31.201"
    
    echo "done suspicious hosts"
    And don't forget the well-known spammers:
    Code:
    # ============================= define SPAM drop =========================
    
    # create SPAM_DROP chain
    iptables -N SPAM_DROP
    
    # log as recognized spam
    #iptables -A SPAM_DROP -m limit --limit 7200/h -j LOG --log-prefix "SPAM DROP "
    
    # drop connection
    iptables -A SPAM_DROP -j REJECT
    
    
    
    # ============= establish list of known spammers (SPAM_BLOCK)  ===========
    
    # create SPAM_BLOCK chain
    iptables -N SPAM_BLOCK
    
    # block hosts that shouldn't exist
    iptables -A SPAM_BLOCK -s 218.72.221.170 -j SPAM_DROP
    iptables -A SPAM_BLOCK -d 218.72.221.170 -j SPAM_DROP
    
    # block 1&1 relay test
    #iptables -A SPAM_BLOCK -s 212.227.126.156 -j SPAM_DROP
    #iptables -A SPAM_BLOCK -d 212.227.126.156 -j SPAM_DROP
    
    # block transedge.com
    iptables -A SPAM_BLOCK -s 64.233.0.0/16 -j SPAM_DROP
    iptables -A SPAM_BLOCK -d 64.233.0.0/16 -j SPAM_DROP
    
    # block korean spammers
    iptables -A SPAM_BLOCK -s 211.63.0.0/12 -j SPAM_DROP
    iptables -A SPAM_BLOCK -d 211.63.0.0/12 -j SPAM_DROP
    iptables -A SPAM_BLOCK -s 210.104.0.0/12 -j SPAM_DROP
    iptables -A SPAM_BLOCK -d 210.104.0.0/12 -j SPAM_DROP
    
    # block hongkong spammers
    iptables -A SPAM_BLOCK -s 202.177.0.0/16 -j SPAM_DROP
    iptables -A SPAM_BLOCK -d 202.177.0.0/16 -j SPAM_DROP
    
    # block chinese spammers
    iptables -A SPAM_BLOCK -s 61.187.0.0/16 -j SPAM_DROP
    iptables -A SPAM_BLOCK -d 61.187.0.0/16 -j SPAM_DROP
    iptables -A SPAM_BLOCK -s 218.70.0.0/16 -j SPAM_DROP
    iptables -A SPAM_BLOCK -d 218.70.0.0/16 -j SPAM_DROP
    iptables -A SPAM_BLOCK -s 219.0.0.0/8 -j SPAM_DROP
    iptables -A SPAM_BLOCK -d 219.0.0.0/8 -j SPAM_DROP
    
    # block whole APNIC
    iptables -A SPAM_BLOCK -s 221.0.0.0/8 -j SPAM_DROP
    iptables -A SPAM_BLOCK -d 221.0.0.0/8 -j SPAM_DROP
    
    # block AT&T spammers
    iptables -A SPAM_BLOCK -s 12.65.102.141 -j SPAM_DROP
    iptables -A SPAM_BLOCK -d 12.65.102.141 -j SPAM_DROP
    
    # block Comcast Cable spammers
    iptables -A SPAM_BLOCK -s 24.128.0.0/16 -j SPAM_DROP
    iptables -A SPAM_BLOCK -d 24.128.0.0/16 -j SPAM_DROP
    iptables -A SPAM_BLOCK -s 24.91.0.0/16 -j SPAM_DROP
    iptables -A SPAM_BLOCK -d 24.91.0.0/16 -j SPAM_DROP
    iptables -A SPAM_BLOCK -s 66.31.0.0/16 -j SPAM_DROP
    iptables -A SPAM_BLOCK -d 66.31.0.0/16 -j SPAM_DROP
    
    # block mexican spammers
    iptables -A SPAM_BLOCK -s 66.139.0.0/16 -j SPAM_DROP
    iptables -A SPAM_BLOCK -d 66.139.0.0/16 -j SPAM_DROP
    
    # block taiwanese spammers
    iptables -A SPAM_BLOCK -s 218.0.0.0/8 -j SPAM_DROP
    iptables -A SPAM_BLOCK -d 218.0.0.0/8 -j SPAM_DROP
    
    # block option1 (yankland)
    iptables -A SPAM_BLOCK -s 69.19.128.0/17 -j SPAM_DROP
    iptables -A SPAM_BLOCK -d 69.19.128.0/17 -j SPAM_DROP
    
    # block Shaw Communications Inc. (Canada)
    iptables -A SPAM_BLOCK -s 24.64.0.0/13 -j SPAM_DROP
    iptables -A SPAM_BLOCK -d 24.64.0.0/13 -j SPAM_DROP
    
    # block latin america
    #iptables -A SPAM_BLOCK -s 200.0.0.0/8 -j SPAM_DROP
    
    # block hungary
    iptables -A SPAM_BLOCK -s 172.144.0.0/16 -j SPAM_DROP
    
    # block part of q-dsl
    iptables -A SPAM_BLOCK -s 212.202.0.0/16 -j SPAM_DROP
    
    # block penis enlargement dudes
    iptables -A SPAM_BLOCK -s 200.46.208.0/25 -j SPAM_DROP
    
    # block Ralsky Mafia
    iptables -A SPAM_BLOCK -s 168.95.0.0/16 -j SPAM_DROP
    
    # block XO Communications
    iptables -A SPAM_BLOCK -s 205.158.0.0/16 -j SPAM_DROP
    
    # block CAIS
    iptables -A SPAM_BLOCK -s 205.177.0.0/16 -j SPAM_DROP
    
    
    # return
    iptables -A SPAM_BLOCK -j RETURN

    You plug them in with these lines:
    Code:
    # Block certain input traffic
    iptables -A INPUT -j BLOCK_INPUT
    
    # Block certain output traffic
    iptables -A OUTPUT -j BLOCK_OUTPUT
    
    # Block Spam
    iptables -A INPUT -p tcp --dport smtp -j SPAM_BLOCK

    And just out of curiosity, is this a dedicated server or an old box serving as NAT gateway and TS server for your LAN?
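    An added example, not from this thread: a small Python model of how netfilter walks an INPUT chain (first matching rule decides, otherwise the chain policy), fed the first post's rules plus one of the --tcp-flags scan filters from the reply above. It shows the TCP probe to 8767 being accepted while the UDP packet TeamSpeak actually sends falls through to the DROP policy, and that a reply in state ESTABLISHED is accepted by the conntrack rule regardless of port. The rule text and packets are constructed here; PORTSCAN_DROP is treated as an opaque target name.

```python
import ipaddress
import shlex

ALL_FLAGS = {"SYN", "ACK", "FIN", "RST", "URG", "PSH"}
# Constructed sample: INPUT rules from the first post plus one --tcp-flags scan filter from the reply.
SCRIPT = """
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 81.69.68.98 -d 0/0 --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j PORTSCAN_DROP
/sbin/iptables -A INPUT -p tcp --dport 8767 -j ACCEPT
"""
FIX = "/sbin/iptables -A INPUT -p udp --dport 8767 -j ACCEPT\n"

def parse_rule(cmd):
    """Keep the matches this model understands; other options (-d, -m ...) are skipped."""
    argv, rule = shlex.split(cmd), {}
    for i, opt in enumerate(argv):
        if opt in ("-p", "-s", "-i", "--dport", "--state", "-j"):
            rule[opt] = argv[i + 1]
        elif opt == "--tcp-flags":  # mask of flags to examine, then the flags that must be set
            rule["flags"] = (set(argv[i + 1].split(",")), set(argv[i + 2].split(",")))
    return rule

def matches(rule, pkt):
    """Every match the rule carries must hold; a rule with none matches everything."""
    if rule.get("-p", pkt["proto"]) != pkt["proto"] or rule.get("-i", pkt["iface"]) != pkt["iface"]:
        return False
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["-s"]):
        return False
    lo, _, hi = rule.get("--dport", "0:65535").partition(":")  # single port or low:high
    if not int(lo) <= pkt["dport"] <= int(hi or lo):
        return False
    if pkt["state"] not in rule.get("--state", pkt["state"]).split(","):
        return False
    mask, comp = rule.get("flags", (set(), set()))  # iptables semantics: (flags & mask) == comp
    mask = ALL_FLAGS if "ALL" in mask else mask
    return (pkt["flags"] & mask) == (set() if "NONE" in comp else comp)

def walk(script, proto, dport, state="NEW", src="81.69.68.98", iface="eth0", flags=()):
    """First matching -A INPUT rule decides; otherwise the -P INPUT policy applies."""
    pkt = {"proto": proto, "dport": dport, "state": state, "src": src, "iface": iface, "flags": set(flags)}
    policy = "ACCEPT"
    for line in script.splitlines():
        if "-P INPUT" in line:
            policy = line.split()[-1]
        elif "-A INPUT" in line and matches(parse_rule(line), pkt):
            return parse_rule(line)["-j"]
    return policy
```

    walk(SCRIPT, "udp", 8767) returns "DROP" and walk(SCRIPT + FIX, "udp", 8767) returns "ACCEPT". Because the ESTABLISHED,RELATED rule already accepts return traffic on whatever ephemeral port conntrack recorded, opening the whole 49152:65535 range inbound is not needed for replies and only widens what the box exposes.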

  3. #3
    Join Date
    Aug 2003
    Location
    Netherlands Rotterdam
    Posts
    4
    It works fine, thanks!

    This box works as both, actually. A friend of mine moved into a new apartment, which is in a student complex. He has internet from the university, which is a 100Mbit line. So I humbly requested to put down an old box at his place, which would serve as his NAT box and my dedicated 100Mbit server. It's pretty nice to have a free 100Mbit server for yourself.

  4. #4
    Join Date
    Jan 2006
    Location
    Illinois, USA
    Posts
    10

    Hello

    Hello, I just recently rented a server and I am trying to set up a TS server. I have it running, but I do not know how to open the necessary ports through iptables. I know nothing about iptables or the commands to add rules. I was wondering if someone could walk me through getting this set up?

    Any help would be greatly appreciated.

  5. #5
    Join Date
    Jan 2003
    Location
    Germany
    Posts
    4,140
    Look for lines that read something like iptables -A INPUT something or iptables -I INPUT something. Add iptables -A INPUT -p udp --dport 8767 -j ACCEPT after that line.

  6. #6
    Join Date
    Jan 2006
    Location
    Illinois, USA
    Posts
    10
    Thanks for the reply, the problem is I have to do this through ssh as I do not have access to whatever file is needed to add the code. Or at least I am not sure how to get to it. How would I input that with bash commands? Or can you tell me the name of the file I need to add it to?

  7. #7
    Join Date
    Jan 2003
    Location
    Germany
    Posts
    4,140
    The name of the file? Perhaps, if I knew your Linux Distro.

    Oh, and by the way: try the commands "joe", "nano", "pico" or even "vim" (shudder!). Those are text editors for editing files.

  8. #8
    Join Date
    Jan 2006
    Location
    Florida
    Posts
    6
    Quote Originally Posted by Scott_
    Thanks for the reply, the problem is I have to do this through ssh as I do not have access to whatever file is needed to add the code. Or at least I am not sure how to get to it. How would I input that with bash commands? Or can you tell me the name of the file I need to add it to?
    Scott, I found the problem. The host opened the port as TCP instead of UDP. He's running iptables on CentOS. Open PuTTY, and at the shell prompt type this in. This should straighten it out:

    iptables -A INPUT -p udp --dport 8767 -j ACCEPT

  9. #9
    Join Date
    Jan 2006
    Location
    Illinois, USA
    Posts
    10
    Ah ok, thanks a lot, I'll give it a try.

  10. #10
    Join Date
    Jan 2006
    Location
    Illinois, USA
    Posts
    10
    Was it supposed to give some kind of response? It just went back to the command prompt, no error or anything. Still can't login. Still getting a "No reply from server" message. I checked it, it says that the TS server is running; I just stopped it and restarted it and still no response.

    my server info is WHM 10.8.0 cPanel 10.8.1-R30
    CentOS 4.2 i686 - WHM X v3.1.0

    If that helps.

  11. #11
    Join Date
    Jan 2006
    Location
    Florida
    Posts
    6
    Well, we ran the rule on iptables and restarted the firewall. While the firewall was down, the TeamSpeak server was accessible. When the firewall came back up, it was again blocking the TeamSpeak server. Anyone have any other suggestions to get Scott up and running with this?

  12. #12
    Join Date
    Jan 2006
    Location
    Illinois, USA
    Posts
    10
    Here is the iptables list

    post edited
    Last edited by Scott_; 09-01-2006 at 00:10.

  13. #13
    Join Date
    Jan 2006
    Location
    Florida
    Posts
    6
    Scott, is this a new list? I don't see the port open for 8767 UDP. Let me try and run the command to see if I can get it to take, where it shows in the iptables list.

  14. #14
    Join Date
    Jan 2006
    Location
    Illinois, USA
    Posts
    10
    Yeah, doesn't that rule need to be put into the Chain PORT_ACCEPT area? What is the command to put the rule in a chain?

  15. #15
    Join Date
    Jan 2006
    Location
    Illinois, USA
    Posts
    10
    post edited
    Last edited by Scott_; 09-01-2006 at 00:10.
