Unable to open ports using iptables

razvan_stanciu · Post by **razvan_stanciu** » 2020/07/18 11:41:48

Hi there,

I am trying to open two ports, let's call them X and Y (ports over 4000). For that I have run the following commands:

sudo iptables -A INPUT -p tcp --dport X -j ACCEPT
sudo iptables -A INPUT -p tcp --dport Y -j ACCEPT
systemctl save iptables
systemctl restart iptables

I can see the two rules listed when using iptables -L but the ports are still not available from outside.

Please note that there are 2 services listening on these ports (I have used netstat -na | grep X to check that), so we can exclude that. I even tried to restart these services and the ports are still not accessible.

Here is a screenshot of my iptables --list

I would highly appreciate any help. Thanks!

Post by **TrevorH** » 2020/07/18 12:14:59

Could you post the output from iptables-save please as it's about 100 times easier to read that the format you've used.

razvan_stanciu · Post by **razvan_stanciu** » 2020/07/18 12:58:23

Thank you for your reply. Sure, here is the iptables-save command output:

Ports of interest are marked with MY_X_PORT_HERE and MY_Y_PORT_HERE.

Code: Select all

# Generated by iptables-save v1.4.21 on Sat Jul 18 15:51:37 2020
*filter
:INPUT ACCEPT [22194:3361365]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [23057:2277755]
:PING_OF_DEATH - [0:0]
:f2b-sshd - [0:0]
:port-scanning - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m connlimit --connlimit-above 111 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j PING_OF_DEATH
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport MY_X_PORT_HERE -j ACCEPT
-A INPUT -p tcp -m tcp --dport MY_Y_PORT_HERE-j ACCEPT
-A PING_OF_DEATH -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name t_PING_OF_DEATH --hashlimit-htable-expire 300000 -j RETURN
-A PING_OF_DEATH -j DROP
-A f2b-sshd -s 85.209.0.103/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 74.122.1.212/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 68.2.87.13/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 23.242.58.2/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 190.154.39.99/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 1.172.204.76/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
-A port-scanning -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec --limit-burst 2 -j RETURN
-A port-scanning -j DROP
COMMIT
# Completed on Sat Jul 18 15:51:37 2020
# Generated by iptables-save v1.4.21 on Sat Jul 18 15:51:37 2020
*raw
:PREROUTING ACCEPT [43075:6271437]
:OUTPUT ACCEPT [41384:4186839]
COMMIT
# Completed on Sat Jul 18 15:51:37 2020
# Generated by iptables-save v1.4.21 on Sat Jul 18 15:51:37 2020
*mangle
:PREROUTING ACCEPT [42440:6245903]
:INPUT ACCEPT [42440:6245903]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [41384:4186839]
:POSTROUTING ACCEPT [41384:4186839]
-A PREROUTING -m conntrack --ctstate INVALID -j DROP
-A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A PREROUTING -s 224.0.0.0/3 -j DROP
-A PREROUTING -s 169.254.0.0/16 -j DROP
-A PREROUTING -s 172.16.0.0/12 -j DROP
-A PREROUTING -s 192.0.2.0/24 -j DROP
-A PREROUTING -s 192.168.0.0/16 -j DROP
-A PREROUTING -s 10.0.0.0/8 -j DROP
-A PREROUTING -s 0.0.0.0/8 -j DROP
-A PREROUTING -s 240.0.0.0/5 -j DROP
-A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
-A PREROUTING -p icmp -j DROP
-A PREROUTING -f -j DROP
COMMIT
# Completed on Sat Jul 18 15:51:37 2020
# Generated by iptables-save v1.4.21 on Sat Jul 18 15:51:37 2020
*nat
:PREROUTING ACCEPT [217:16226]
:INPUT ACCEPT [216:16166]
:OUTPUT ACCEPT [1968:121568]
:POSTROUTING ACCEPT [1968:121568]

Post by **TrevorH** » 2020/07/18 13:30:05

I don't think your rules do what you think they do.

What do you think these two are doing?

Code: Select all

-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

To me that looks like it says: limit all new connections from any ip address to 60 per second and if that ip is not hitting the limit on NEW connections then accept the packet regardless of what port it's destined for. Anything that matches that first rule will immediately be accepted and the subsequent rules will never be looked at. And if any ip address exceeds that limit and drops through to the next rule then it will be dropped. I'd suggest using iptables -nvL --lin to examine the packet hit counts on all those rules and see which ones are being used and whether anything after those two rules is ever being hit. I didn't read much further than that rule since it might explain all sorts of weird stuff.

razvan_stanciu · Post by **razvan_stanciu** » 2020/07/18 13:47:09

TrevorH wrote: ↑
2020/07/18 13:30:05
I don't think your rules do what you think they do.

What do you think these two are doing?
Code: Select all
-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
To me that looks like it says: limit all new connections from any ip address to 60 per second and if that ip is not hitting the limit on NEW connections then accept the packet regardless of what port it's destined for. Anything that matches that first rule will immediately be accepted and the subsequent rules will never be looked at. And if any ip address exceeds that limit and drops through to the next rule then it will be dropped. I'd suggest using iptables -nvL --lin to examine the packet hit counts on all those rules and see which ones are being used and whether anything after those two rules is ever being hit. I didn't read much further than that rule since it might explain all sorts of weird stuff.

You are right, they limit the new TCP connections that a client can establish per second. This can be useful against connection attacks, but not so much against SYN floods because the usually use an endless amount of different spoofed source IPs.

My vps provider suggested setting up these rules for better anti-ddos protection.

When running iptables -nvL --lin I noticed the following packets being processed by those 2 rules:

Code: Select all

Chain INPUT (policy ACCEPT 32881 packets, 5263K bytes)
num   pkts bytes target     prot opt in     out     source               destination
5     2457  145K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW limit: avg 60/sec burst 20
6        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

No traffic reaches my rules that are listed below those rules. I have tried using the syntax

Code: Select all

sudo iptables -I chain [rule-number] firewall-rule

to move my rules on top of the INPUT chain but it says invalid rule number. Any hints?

Post by **TrevorH** » 2020/07/18 14:05:55

Your rules look massively overcomplex to me but you should be able to insert rules with iptables -I INPUT $number $whatever ....

CentOS

Unable to open ports using iptables

Unable to open ports using iptables

Re: Unable to open ports using iptables

Re: Unable to open ports using iptables

Re: Unable to open ports using iptables

Re: Unable to open ports using iptables

Re: Unable to open ports using iptables