-
01-08-2004, 19:25 #1
-= TeamSpeak User =-
- Join Date: Aug 2003
- Location: Netherlands Rotterdam
- Posts: 4
Opening up ports in firewall not working
Hi,
I have just set up a Debian woody server with an iptables firewall (script below). Everything works great except that I can't run TeamSpeak. That is, I can't connect to the server (the box with the firewall) from my home computer. When I switch the firewall off, I can connect. If I open up all the ports, I can connect. If I just open port 8767 (the TeamSpeak server port), I can't connect.
My firewall drops all incoming packets
/sbin/iptables -P INPUT DROP
and then I open up any ports I need for myself
/sbin/iptables -A INPUT -p tcp -s 81.69.68.98 -d 0/0 --dport 22 -j ACCEPT
I have been going through a lot of forums and guides, and it seems that a lot of apps just initialize a connection through the assigned port (8767) and then route all the traffic over another port, to keep the assigned port free. So the connection initialization from the client through port 8767 works just fine, but after that it can't send data over the other port. This should be fixed by adding this rule:
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
but it doesn't. I'm clueless about what to do next.
Here is my entire firewall script:
/sbin/iptables -A INPUT -p tcp -s 80.126.106.155 -d 0/0 --dport 22 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -F
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE
/sbin/iptables -F
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -i eth1 -s 192.168.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 80.126.106.155 -d 0/0 --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 81.69.68.98 -d 0/0 --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8767 -j ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
-
01-08-2004, 19:53 #2
-= TeamSpeak Fanatic =-
- Join Date: Jan 2003
- Location: Germany
- Posts: 4,140
Well, you would be correct IF Teamspeak used TCP for the real-time data... which it doesn't.
Also, by setting the default INPUT policy to DROP you effectively blocked the whole ephemeral port range used for client applications.
It's usually between 1024 and 3000; I set it to 49152 to 65535, but that's just personal preference. You can set the ephemeral range easily with this line of code:
echo "49152 65535" > /proc/sys/net/ipv4/ip_local_port_range
Note this is an entry in the proc FS so you have to renew it after each reboot.
Then you just need to allow this range with these two lines:
iptables -A INPUT -p tcp --dport 49152:65535 -j ACCEPT
iptables -A INPUT -p udp --dport 49152:65535 -j ACCEPT
Also you might want to build up a little filtering for the most common TCP scan attempts. The following are excerpts from my own filters:
Code:
# ====================== define portscan drop chain ======================
# create chain PORTSCAN_DROP
iptables -N PORTSCAN_DROP
# log packet header
iptables -A PORTSCAN_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
# drop packet
iptables -A PORTSCAN_DROP -j DROP

# ==================== build input/output block chains ===================
# create chains BLOCK_INPUT and BLOCK_OUTPUT
iptables -N BLOCK_INPUT
iptables -N BLOCK_OUTPUT
echo "*** Blocking ***"

# block ICMP type 5 (redirect)
iptables -A BLOCK_INPUT -i eth0 -p icmp --icmp-type 5 -j DROP
for i in /proc/sys/net/ipv4/conf/*; do
    echo 0 > $i/accept_redirects
done
echo "ICMP Type 5 (redirect) blocked"

# block LAN broadcasts
iptables -A BLOCK_INPUT -i eth0 -s 255.255.255.255 -j PORTSCAN_DROP
iptables -A BLOCK_OUTPUT -o eth0 -d 255.255.255.255 -j PORTSCAN_DROP

# block incoming packets from private ip addresses (RFC 1918)
iptables -A BLOCK_INPUT -i eth0 -s 127.255.255.255/8 -j PORTSCAN_DROP
iptables -A BLOCK_INPUT -i eth0 -s 10.255.255.255/8 -j PORTSCAN_DROP
iptables -A BLOCK_INPUT -i eth0 -s 172.31.255.255/12 -j PORTSCAN_DROP
iptables -A BLOCK_INPUT -i eth0 -s 192.168.255.255/16 -j PORTSCAN_DROP

# block outgoing packets to private ip addresses (RFC 1918)
iptables -A BLOCK_OUTPUT -o eth0 -d 127.255.255.255/8 -j PORTSCAN_DROP
iptables -A BLOCK_OUTPUT -o eth0 -d 10.255.255.255/8 -j PORTSCAN_DROP
iptables -A BLOCK_OUTPUT -o eth0 -d 172.31.255.255/12 -j PORTSCAN_DROP
iptables -A BLOCK_OUTPUT -o eth0 -d 192.168.255.255/16 -j PORTSCAN_DROP
echo "RFC 1918 addresses on public interface blocked"

# drop corrupt packets
iptables -A BLOCK_INPUT -m state --state INVALID -j PORTSCAN_DROP
iptables -A BLOCK_OUTPUT -m state --state INVALID -j PORTSCAN_DROP
echo "dropping invalid packets"

# -------------- block invalid packets (stealth scans etc) ---------------
echo "Packet drop:"
# no flags set
iptables -A BLOCK_INPUT -p tcp --tcp-flags ALL NONE -j PORTSCAN_DROP
echo " no flags set"
# SYN and FIN set
iptables -A BLOCK_INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j PORTSCAN_DROP
echo " SYN+FIN"
# SYN and RST set
iptables -A BLOCK_INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j PORTSCAN_DROP
echo " SYN+RST"
# FIN and RST set
iptables -A BLOCK_INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j PORTSCAN_DROP
echo " FIN+RST"
# FIN without ACK
iptables -A BLOCK_INPUT -p tcp --tcp-flags ACK,FIN FIN -j PORTSCAN_DROP
echo " FIN without ACK"
# PSH without ACK
iptables -A BLOCK_INPUT -p tcp --tcp-flags ACK,PSH PSH -j PORTSCAN_DROP
echo " PSH without ACK"
# URG without ACK
iptables -A BLOCK_INPUT -p tcp --tcp-flags ACK,URG URG -j PORTSCAN_DROP
echo " URG without ACK"

# ----------------------- block suspicious hosts -------------------------
# Teamspeak phone-home
iptables -A BLOCK_INPUT -s 62.4.81.225 -j DROP
iptables -A BLOCK_OUTPUT -d 62.4.81.225 -j DROP
iptables -A BLOCK_INPUT -s 213.202.254.116 -j DROP
iptables -A BLOCK_OUTPUT -d 213.202.254.116 -j DROP
echo " Teamspeak phone-home: quassel.teamspeak.org"
# Hungarian wanna-be hackers
iptables -A BLOCK_INPUT -s 62.80.64.0/20 -j DROP
iptables -A BLOCK_OUTPUT -d 62.80.64.0/20 -j DROP
echo " Hungarian wanna-be hackers: 62.80.64.0/20"
# block tesha.net (abusive)
iptables -A BLOCK_INPUT -s 216.65.31.201 -j DROP
iptables -A BLOCK_OUTPUT -d 216.65.31.201 -j DROP
echo " tesha.net (abusive): 216.65.31.201"
echo "done suspicious hosts"
And don't forget the well-known spammers:
Code:
# ============================= define SPAM drop =========================
# create SPAM_DROP chain
iptables -N SPAM_DROP
# log as recognized spam
#iptables -A SPAM_DROP -m limit --limit 7200/h -j LOG --log-prefix "SPAM DROP "
# drop connection
iptables -A SPAM_DROP -j REJECT

# ============= establish list of known spammers (SPAM_BLOCK) ===========
# create SPAM_BLOCK chain
iptables -N SPAM_BLOCK
# block hosts that shouldn't exist
iptables -A SPAM_BLOCK -s 218.72.221.170 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 218.72.221.170 -j SPAM_DROP
# block 1&1 relay test
#iptables -A SPAM_BLOCK -s 212.227.126.156 -j SPAM_DROP
#iptables -A SPAM_BLOCK -d 212.227.126.156 -j SPAM_DROP
# block transedge.com
iptables -A SPAM_BLOCK -s 64.233.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 64.233.0.0/16 -j SPAM_DROP
# block korean spammers
iptables -A SPAM_BLOCK -s 211.63.0.0/12 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 211.63.0.0/12 -j SPAM_DROP
iptables -A SPAM_BLOCK -s 210.104.0.0/12 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 210.104.0.0/12 -j SPAM_DROP
# block hongkong spammers
iptables -A SPAM_BLOCK -s 202.177.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 202.177.0.0/16 -j SPAM_DROP
# block chinese spammers
iptables -A SPAM_BLOCK -s 61.187.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 61.187.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -s 218.70.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 218.70.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -s 219.0.0.0/8 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 219.0.0.0/8 -j SPAM_DROP
# block whole APNIC
iptables -A SPAM_BLOCK -s 221.0.0.0/8 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 221.0.0.0/8 -j SPAM_DROP
# block AT&T spammers
iptables -A SPAM_BLOCK -s 12.65.102.141 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 12.65.102.141 -j SPAM_DROP
# block Comcast Cable spammers
iptables -A SPAM_BLOCK -s 24.128.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 24.128.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -s 24.91.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 24.91.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -s 66.31.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 66.31.0.0/16 -j SPAM_DROP
# block mexican spammers
iptables -A SPAM_BLOCK -s 66.139.0.0/16 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 66.139.0.0/16 -j SPAM_DROP
# block taiwanese spammers
iptables -A SPAM_BLOCK -s 218.0.0.0/8 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 218.0.0.0/8 -j SPAM_DROP
# block option1 (yankland)
iptables -A SPAM_BLOCK -s 69.19.128.0/17 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 69.19.128.0/17 -j SPAM_DROP
# block Shaw Communications Inc. (Canada)
iptables -A SPAM_BLOCK -s 24.64.0.0/13 -j SPAM_DROP
iptables -A SPAM_BLOCK -d 24.64.0.0/13 -j SPAM_DROP
# block latin america
#iptables -A SPAM_BLOCK -s 200.0.0.0/8 -j SPAM_DROP
# block hungary
iptables -A SPAM_BLOCK -s 172.144.0.0/16 -j SPAM_DROP
# block part of q-dsl
iptables -A SPAM_BLOCK -s 212.202.0.0/16 -j SPAM_DROP
# block penis enlargement dudes
iptables -A SPAM_BLOCK -s 200.46.208.0/25 -j SPAM_DROP
# block Ralsky Mafia
iptables -A SPAM_BLOCK -s 168.95.0.0/16 -j SPAM_DROP
# block XO Communications
iptables -A SPAM_BLOCK -s 205.158.0.0/16 -j SPAM_DROP
# block CAIS
iptables -A SPAM_BLOCK -s 205.177.0.0/16 -j SPAM_DROP
# return
iptables -A SPAM_BLOCK -j RETURN
You plug them in with those lines:
Code:
# Block certain input traffic
iptables -A INPUT -j BLOCK_INPUT
# Block certain output traffic
iptables -A OUTPUT -j BLOCK_OUTPUT
# Block Spam
iptables -A INPUT -p tcp --dport smtp -j SPAM_BLOCK
And just out of curiosity, is this a dedicated server or an old box serving as NAT gateway and TS server for your LAN?
-
01-08-2004, 20:27 #3
-= TeamSpeak User =-
- Join Date: Aug 2003
- Location: Netherlands Rotterdam
- Posts: 4
It works fine, thanks!
This box works as both, actually. A friend of mine moved into a new apartment in a student complex. He has internet from the university, which is a 100Mbit line. So I humbly requested to put an old box at his place, which serves as his NAT box and as my dedicated 100Mbit server. It's pretty nice to have a free 100Mbit server for yourself.
-
06-01-2006, 23:20 #4
-= TeamSpeak User =-
- Join Date: Jan 2006
- Location: Illinois, USA
- Posts: 10
Hello
Hello, I just recently rented a server and I am trying to set up a TS server. I have it running, but I do not know how to open the necessary ports through iptables. I know nothing about iptables or the commands to add rules. I was wondering if someone could walk me through getting this set up?
Any help would be greatly appreciated.
-
06-01-2006, 23:33 #5
-= TeamSpeak Fanatic =-
- Join Date: Jan 2003
- Location: Germany
- Posts: 4,140
Look for lines that read something like iptables -A INPUT something or iptables -I INPUT something. Add iptables -A INPUT -p udp --dport 8767 -j ACCEPT after that line.
-
07-01-2006, 04:25 #6
-= TeamSpeak User =-
- Join Date: Jan 2006
- Location: Illinois, USA
- Posts: 10
Thanks for the reply. The problem is that I have to do this through SSH, as I do not have access to whatever file is needed to add the code, or at least I am not sure how to get to it. How would I input that with bash commands? Or can you tell me the name of the file I need to add it to?
-
07-01-2006, 10:52 #7
-= TeamSpeak Fanatic =-
- Join Date: Jan 2003
- Location: Germany
- Posts: 4,140
The name of the file? Perhaps, if I knew your Linux Distro.
Oh, and by the way: try the commands "joe", "nano", "pico" or even "vim" (shudder!). Those are text editors for editing files.
-
07-01-2006, 22:27 #8
-= TeamSpeak User =-
- Join Date: Jan 2006
- Location: Florida
- Posts: 6
Scott, I found the problem. The host opened the port as TCP instead of UDP. He's running iptables on CentOS. Open PuTTY and, at the shell prompt, type this in. This should straighten it out:
Originally Posted by Scott_
iptables -A INPUT -p udp --dport 8767 -j ACCEPT
-
07-01-2006, 22:41 #9
-= TeamSpeak User =-
- Join Date: Jan 2006
- Location: Illinois, USA
- Posts: 10
Ah ok, thanks a lot, I'll give it a try.
-
07-01-2006, 22:51 #10
-= TeamSpeak User =-
- Join Date: Jan 2006
- Location: Illinois, USA
- Posts: 10
Was it supposed to give some kind of response? It just went back to the command prompt, no error or anything. Still can't log in; still getting a "No reply from server" message. I checked and it says that the TS server is running. I just stopped it and restarted it and still no response.
My server info is WHM 10.8.0 cPanel 10.8.1-R30
CentOS 4.2 i686 - WHM X v3.1.0
If that helps.
-
08-01-2006, 01:54 #11
-= TeamSpeak User =-
- Join Date: Jan 2006
- Location: Florida
- Posts: 6
Well, we ran the rule on iptables and restarted the firewall. While the firewall was down, the TeamSpeak server was accessible. When the firewall came back up, it was again blocking the TeamSpeak server. Anyone have any other suggestions to get Scott up and running with this?
-
08-01-2006, 02:19 #12
-= TeamSpeak User =-
- Join Date: Jan 2006
- Location: Illinois, USA
- Posts: 10
Here is the iptables list
post edited
Last edited by Scott_; 08-01-2006 at 23:10.
-
08-01-2006, 03:12 #13
-= TeamSpeak User =-
- Join Date: Jan 2006
- Location: Florida
- Posts: 6
Scott, is this a new list? I don't see the port open for 8767 udp. Let me try and run the command to see if I can get it to take, where it shows in the ip tables.
-
08-01-2006, 03:41 #14
-= TeamSpeak User =-
- Join Date: Jan 2006
- Location: Illinois, USA
- Posts: 10
Yea, doesn't that rule need to be put into the PORT_ACCEPT chain? What is the command to put the rule in a chain?
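The two points this thread turns on can be checked without touching a live firewall: reply #2's point that connection tracking (ESTABLISHED,RELATED) already admits replies on ephemeral ports, so that range need not be opened inbound, and the question in #14 about where an `iptables -A INPUT ...` rule actually lands when the distribution's ruleset ends in a catch-all REJECT and keeps its opened ports in a user-defined chain. The evaluator below is an added example, not code from the thread, from TeamSpeak or from CentOS: it parses iptables-save style text, walks the INPUT chain the way the kernel does (first terminating match wins, user chains fall back to the caller), and returns the verdict for a constructed packet. The ruleset, the user chain name PORT_ACCEPT (borrowed from the post above; the real list from post #12 is not on the page) and the client address 203.0.113.7 are constructed assumptions.

```python
# Added example, not code from the thread or from TeamSpeak: a tiny evaluator for
# iptables-save style rulesets, showing why a rule appended with "-A INPUT" behind
# a catch-all REJECT never takes effect (it belongs in the user chain, or needs -I)
# and why ESTABLISHED,RELATED covers replies on ephemeral ports without opening them.
# The ruleset, the chain name PORT_ACCEPT and all addresses are constructed.
import shlex
from ipaddress import ip_address, ip_network

def packet(proto, dport, src="203.0.113.7", iface="eth0", state="NEW"):
    """Constructed packet: src is a TEST-NET-3 address, state is what -m state sees."""
    return dict(proto=proto, dport=dport, src=src, iface=iface, state=state)

def matches(rule, p):
    """Every criterion the rule names must hold; an unset criterion matches anything."""
    return all((
        "proto" not in rule or rule["proto"] == p["proto"],
        "iface" not in rule or rule["iface"] == p["iface"],
        "states" not in rule or p["state"] in rule["states"],
        "dport" not in rule or rule["dport"][0] <= p["dport"] <= rule["dport"][1],
        "src" not in rule or ip_address(p["src"]) in ip_network(rule["src"], strict=False),
    ))

SIMPLE = {"-p": "proto", "-s": "src", "-i": "iface", "-j": "target"}

def parse_rule(tokens):
    """Build a rule dict from option tokens; every option handled here takes one argument."""
    rule = {"target": ""}
    for opt, arg in zip(tokens[::2], tokens[1::2]):
        if opt in SIMPLE:
            rule[SIMPLE[opt]] = arg
        elif opt == "--dport":
            lo, _, hi = arg.partition(":")           # "8767" or "49152:65535"
            rule["dport"] = (int(lo), int(hi or lo))
        elif opt == "--state":
            rule["states"] = set(arg.split(","))
        elif opt not in ("-m", "-d", "--reject-with", "--log-prefix", "--limit"):
            raise ValueError(f"unsupported option {opt}")   # the rest is parsed, not evaluated
    return rule

def apply_command(chains, line):
    """Apply one '[iptables] -A CHAIN ...' (append) or '-I CHAIN ...' (insert first)."""
    op, chain, *opts = shlex.split(line.removeprefix("iptables "))
    rules = chains.setdefault(chain, [])
    if op == "-A":
        rules.append(parse_rule(opts))      # after everything, a trailing REJECT included
    elif op == "-I":
        rules.insert(0, parse_rule(opts))   # position 1, as iptables does without a number
    else:
        raise ValueError(f"unsupported command {op}")

def load_ruleset(text):
    """Parse iptables-save style output into (chains, policies)."""
    chains, policies = {}, {}
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith(":"):                 # ':NAME POLICY [pkts:bytes]'
            name, policy = line[1:].split()[:2]
            chains[name] = []
            if policy != "-":                   # user-defined chains have no policy
                policies[name] = policy
        elif line[0] not in "#*" and line != "COMMIT":
            apply_command(chains, line)
    return chains, policies

def verdict(chains, policies, pkt, chain="INPUT"):
    """First terminating match wins; a user chain with no match returns None to its caller."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"]
        if rule["target"] in chains:             # jump into a user chain
            result = verdict(chains, policies, pkt, rule["target"])
            if result is not None:
                return result
    return policies.get(chain)

# Constructed ruleset in the shape of a stock CentOS 4 firewall: a user chain for
# opened ports (named after the chain mentioned in the thread), then a catch-all
# REJECT. The host opened 8767 for TCP only.
CENTOS_STYLE = """
:INPUT ACCEPT [0:0]
:PORT_ACCEPT - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j PORT_ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A PORT_ACCEPT -p tcp --dport 22 -j ACCEPT
-A PORT_ACCEPT -p tcp --dport 8767 -j ACCEPT
"""

def teamspeak_udp_verdicts():
    """NEW UDP to 8767: as shipped, after '-A INPUT ...', after '-A PORT_ACCEPT ...'."""
    ts = packet("udp", 8767)
    chains, policies = load_ruleset(CENTOS_STYLE)
    before = verdict(chains, policies, ts)
    apply_command(chains, "iptables -A INPUT -p udp --dport 8767 -j ACCEPT")
    appended = verdict(chains, policies, ts)     # behind the REJECT: still rejected
    apply_command(chains, "iptables -A PORT_ACCEPT -p udp --dport 8767 -j ACCEPT")
    in_chain = verdict(chains, policies, ts)     # reached before the REJECT
    return before, appended, in_chain

def ephemeral_verdicts():
    """Reply to our own outbound UDP query vs. an unsolicited probe, both to port 50000."""
    chains, policies = load_ruleset(CENTOS_STYLE)
    return (verdict(chains, policies, packet("udp", 50000, state="ESTABLISHED")),
            verdict(chains, policies, packet("udp", 50000, state="NEW")))
```

`teamspeak_udp_verdicts()` returns `('REJECT', 'REJECT', 'ACCEPT')`: the rule from reply #5 is accepted by iptables without complaint, which is why the command "just went back to the prompt", but as an append it sits behind the REJECT and is never consulted; placing it in the user chain (or inserting it at the top of INPUT with `-I`) is what makes the UDP port reachable. `ephemeral_verdicts()` returns `('ACCEPT', 'REJECT')`: a reply to a connection the box opened itself is admitted by the state rule, while an unsolicited packet to the same high port is still refused, so the inbound 49152:65535 rules suggested in reply #2 add exposure without adding anything the state rule does not already provide.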
-
08-01-2006, 04:10 #15
-= TeamSpeak User =-
- Join Date: Jan 2006
- Location: Illinois, USA
- Posts: 10
post edited
Last edited by Scott_; 08-01-2006 at 23:10.