Hi there,
I am trying to open two ports, let's call them X and Y (ports over 4000). For that I have run the following commands:
sudo iptables -A INPUT -p tcp --dport X -j ACCEPT
sudo iptables -A INPUT -p tcp --dport Y -j ACCEPT
systemctl save iptables
systemctl restart iptables
I can see the two rules listed when using iptables -L but the ports are still not available from outside.
Please note that there are 2 services listening on these ports (I have used netstat -na | grep X to check that), so we can exclude that. I even tried to restart these services and the ports are still not accessible.
Here is a screenshot of my iptables --list
I would highly appreciate any help. Thanks!
Unable to open ports using iptables
Re: Unable to open ports using iptables
Could you post the output from iptables-save please as it's about 100 times easier to read than the format you've used.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Unable to open ports using iptables
Thank you for your reply. Sure, here is the iptables-save command output:
Ports of interest are marked with MY_X_PORT_HERE and MY_Y_PORT_HERE.
# Generated by iptables-save v1.4.21 on Sat Jul 18 15:51:37 2020
*filter
:INPUT ACCEPT [22194:3361365]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [23057:2277755]
:PING_OF_DEATH - [0:0]
:f2b-sshd - [0:0]
:port-scanning - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m connlimit --connlimit-above 111 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j PING_OF_DEATH
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport MY_X_PORT_HERE -j ACCEPT
-A INPUT -p tcp -m tcp --dport MY_Y_PORT_HERE -j ACCEPT
-A PING_OF_DEATH -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name t_PING_OF_DEATH --hashlimit-htable-expire 300000 -j RETURN
-A PING_OF_DEATH -j DROP
-A f2b-sshd -s 85.209.0.103/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 74.122.1.212/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 68.2.87.13/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 23.242.58.2/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 190.154.39.99/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 1.172.204.76/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
-A port-scanning -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec --limit-burst 2 -j RETURN
-A port-scanning -j DROP
COMMIT
# Completed on Sat Jul 18 15:51:37 2020
# Generated by iptables-save v1.4.21 on Sat Jul 18 15:51:37 2020
*raw
:PREROUTING ACCEPT [43075:6271437]
:OUTPUT ACCEPT [41384:4186839]
COMMIT
# Completed on Sat Jul 18 15:51:37 2020
# Generated by iptables-save v1.4.21 on Sat Jul 18 15:51:37 2020
*mangle
:PREROUTING ACCEPT [42440:6245903]
:INPUT ACCEPT [42440:6245903]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [41384:4186839]
:POSTROUTING ACCEPT [41384:4186839]
-A PREROUTING -m conntrack --ctstate INVALID -j DROP
-A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A PREROUTING -s 224.0.0.0/3 -j DROP
-A PREROUTING -s 169.254.0.0/16 -j DROP
-A PREROUTING -s 172.16.0.0/12 -j DROP
-A PREROUTING -s 192.0.2.0/24 -j DROP
-A PREROUTING -s 192.168.0.0/16 -j DROP
-A PREROUTING -s 10.0.0.0/8 -j DROP
-A PREROUTING -s 0.0.0.0/8 -j DROP
-A PREROUTING -s 240.0.0.0/5 -j DROP
-A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
-A PREROUTING -p icmp -j DROP
-A PREROUTING -f -j DROP
COMMIT
# Completed on Sat Jul 18 15:51:37 2020
# Generated by iptables-save v1.4.21 on Sat Jul 18 15:51:37 2020
*nat
:PREROUTING ACCEPT [217:16226]
:INPUT ACCEPT [216:16166]
:OUTPUT ACCEPT [1968:121568]
:POSTROUTING ACCEPT [1968:121568]
Re: Unable to open ports using iptables
I don't think your rules do what you think they do.
What do you think these two are doing?
-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
To me that looks like it says: limit all new connections from any ip address to 60 per second and if that ip is not hitting the limit on NEW connections then accept the packet regardless of what port it's destined for. Anything that matches that first rule will immediately be accepted and the subsequent rules will never be looked at. And if any ip address exceeds that limit and drops through to the next rule then it will be dropped. I'd suggest using iptables -nvL --lin to examine the packet hit counts on all those rules and see which ones are being used and whether anything after those two rules is ever being hit. I didn't read much further than that rule since it might explain all sorts of weird stuff.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Unable to open ports using iptables
TrevorH wrote: ↑2020/07/18 13:30:05
I don't think your rules do what you think they do.
What do you think these two are doing?
-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
To me that looks like it says: limit all new connections from any ip address to 60 per second and if that ip is not hitting the limit on NEW connections then accept the packet regardless of what port it's destined for. Anything that matches that first rule will immediately be accepted and the subsequent rules will never be looked at. And if any ip address exceeds that limit and drops through to the next rule then it will be dropped. I'd suggest using iptables -nvL --lin to examine the packet hit counts on all those rules and see which ones are being used and whether anything after those two rules is ever being hit. I didn't read much further than that rule since it might explain all sorts of weird stuff.
You are right, they limit the new TCP connections that a client can establish per second. This can be useful against connection attacks, but not so much against SYN floods because they usually use an endless amount of different spoofed source IPs.
My vps provider suggested setting up these rules for better anti-ddos protection.
When running iptables -nvL --lin I noticed the following packets being processed by those 2 rules:
Chain INPUT (policy ACCEPT 32881 packets, 5263K bytes)
num pkts bytes target prot opt in out source destination
5 2457 145K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW limit: avg 60/sec burst 20
6 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
sudo iptables -I chain [rule-number] firewall-rule
Re: Unable to open ports using iptables
Your rules look massively overcomplex to me but you should be able to insert rules with iptables -I INPUT $number $whatever ....
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
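To make TrevorH's two points concrete (first match wins, so rules placed after a blanket ACCEPT/DROP pair are never consulted, and iptables -I INPUT $number is the way to put a rule in front of them), here is an added example that is not code from this thread or from either poster. It is a small first-match walker over a copy of the INPUT chain posted above. Assumptions, all constructed for the illustration: the placeholder ports are replaced by 4100 and 4200, only the options -p, --dport/--dports, -m conntrack --ctstate, -m limit and -j are parsed, and the rate limit is modelled as a per-packet "under_limit" flag rather than a real token bucket.

```python
"""Added example: first-match walk over an iptables INPUT chain.

Illustrative code written for this thread, not anything the posters ran.
It understands a small subset of iptables-save syntax and models
'-m limit' as a boolean on the packet instead of a token bucket.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Constructed chain: the two rate-limit rules from the thread followed by the
# port-specific ACCEPTs, with the placeholder ports replaced by 4100 / 4200.
CHAIN = """\
-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
-A INPUT -p tcp -m tcp --dport 4100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4200 -j ACCEPT
"""


@dataclass
class Rule:
    raw: str
    target: str = ""
    proto: Optional[str] = None
    dports: Set[int] = field(default_factory=set)
    ctstate: Set[str] = field(default_factory=set)
    limited: bool = False  # rule carries '-m limit'


@dataclass
class Packet:
    proto: str
    dport: int
    ctstate: str              # conntrack state: NEW, ESTABLISHED, ...
    under_limit: bool = True  # would '-m limit' still have a token for it?


def parse_rule(line: str) -> Rule:
    """Parse one '-A CHAIN ...' line into the subset of fields modelled here."""
    toks = shlex.split(line)
    rule = Rule(raw=line)
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "-p":
            rule.proto = toks[i + 1]
        elif tok in ("--dport", "--dports"):
            rule.dports = {int(p) for p in toks[i + 1].split(",")}
        elif tok == "--ctstate":
            rule.ctstate = set(toks[i + 1].split(","))
        elif tok == "-m":
            if toks[i + 1] == "limit":
                rule.limited = True
        elif tok == "-j":
            rule.target = toks[i + 1]
        elif tok not in ("-A", "--limit", "--limit-burst"):
            raise ValueError(f"unsupported option {tok!r} in: {line}")
        i += 2  # every option accepted above takes exactly one argument
    return rule


def load_chain(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.ctstate and pkt.ctstate not in rule.ctstate:
        return False
    if rule.limited and not pkt.under_limit:
        return False
    return True


def walk(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Return (verdict, 1-based rule number), or (policy, None) if no rule fired.

    Like netfilter, stop at the first rule whose match succeeds and whose
    target terminates the walk; later rules are never looked at.
    """
    for num, rule in enumerate(rules, start=1):
        if matches(rule, pkt) and rule.target in TERMINATING:
            return rule.target, num
    return policy, None


def insert_rule(rules: List[Rule], position: int, line: str) -> List[Rule]:
    """Model 'iptables -I INPUT <position> ...' (position is 1-based)."""
    new = list(rules)
    new.insert(position - 1, parse_rule(line))
    return new


if __name__ == "__main__":
    rules = load_chain(CHAIN)
    for pkt in (Packet("tcp", 4100, "NEW"), Packet("tcp", 4100, "NEW", under_limit=False)):
        print(pkt, "->", walk(rules, pkt))
    fixed = insert_rule(rules, 1, "-A INPUT -p tcp -m tcp --dport 4100 -j ACCEPT")
    print("after -I INPUT 1:", walk(fixed, Packet("tcp", 4100, "NEW", under_limit=False)))
```

With the chain in the order the original poster appended it, a NEW SYN to port 4100 is decided by rule 1 (under the limit) or rule 2 (over it); rule 3 only ever sees packets that are not NEW, which is exactly the pattern the pkts counters from iptables -nvL --lin will show. Inserting the port rule at position 1 with -I rather than appending it with -A moves the decision in front of the rate-limit pair.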