IPtables - ports not opened.

SharkBait

I've set up an Ubuntu server, because I've started learning iptables.

My first bunch of rules:
Code:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 154.xxx.141.xxx/32 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p all -j DROP
Testing with nmap -v -A 102.xxx.182.xxx -Pn shows that port 22 is open.
Code:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
So then I add the next rule:
Code:
sudo iptables -A INPUT -p tcp -s 154.xxx.141.xxx/32 --dport 9090 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
but I cannot connect to the service on that port and nmap does not show that port to be open. I can see that the server is listening on that port though:
Code:
user@host:~$ sudo lsof -i -P -n | grep LISTEN
systemd     1            root   67u  IPv6  17101      0t0  TCP *:9090 (LISTEN)
systemd-r 578 systemd-resolve   14u  IPv4  18558      0t0  TCP 127.0.0.53:53 (LISTEN)
sshd      792            root    3u  IPv4  19706      0t0  TCP *:22 (LISTEN)
sshd      792            root    4u  IPv6  19708      0t0  TCP *:22 (LISTEN)

Can someone point out what I am doing wrong?

Edit: The iptables list as it is currently:

Code:
user@host:~$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   94  7383 ACCEPT     all  --  lo     any     anywhere             anywhere
  268 34526 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   36  2072 ACCEPT     tcp  --  any    any     xxx-141-xxx-154.bitcointernet.co.za  anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED
 4015  240K DROP       all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     xxx-141-xxx-154.bitcointernet.co.za  anywhere             tcp dpt:9090 ctstate NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13 packets, 946 bytes)
 pkts bytes target     prot opt in     out     source               destination
   94  7383 ACCEPT     all  --  any    lo      anywhere             anywhere
  239 36516 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate ESTABLISHED
 
Should have maybe done this first, before just posting on MyBB. :-P
But this still allows for someone to teach me something, else iptables will be a lot of work...

I had to remove the DROP rule and add it again, so it comes after the new rule:

Code:
user@host:~$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 1 packets, 44 bytes)
 pkts bytes target     prot opt in     out     source               destination
  102  8259 ACCEPT     all  --  lo     any     anywhere             anywhere
  332 39272 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   36  2072 ACCEPT     tcp  --  any    any     xxx-141-xxx-154.bitcointernet.co.za  anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     xxx-141-xxx-154.bitcointernet.co.za  anywhere             tcp dpt:9090 ctstate NEW,ESTABLISHED
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 14 packets, 1031 bytes)
 pkts bytes target     prot opt in     out     source               destination
  102  8259 ACCEPT     all  --  any    lo      anywhere             anywhere
  293 44584 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate ESTABLISHED

Now it is working as expected, but isn't there a way to "insert" the new rule before that rule?
Guessing something like sudo iptables -I INPUT, but not sure how to say where to insert it to...?
 
You can list the iptables rules with index numbers:
sudo iptables -L --line-numbers

then insert at the specific line:

sudo iptables -I INPUT 2 -p tcp --dport 443 -j ACCEPT
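As an added example (not code from the original post or from either reply), here is a small POSIX sh helper that automates what the reply above describes: it reads the chain with iptables -S INPUT, finds the position of the catch-all -A INPUT -j DROP, and uses iptables -I INPUT <n> to place the new rule just before it, falling back to -A when there is no catch-all yet. The function names, the IPT variable and the 198.51.100.7/32 placeholder address are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): add an INPUT rule so that it lands
# ahead of the catch-all DROP, instead of being appended after it where it never matches.
# Assumptions: the catch-all is a plain "-A INPUT -j DROP" ("-p all", as posted, is the
# default and is not printed by -S), and IPT names the iptables binary to use.

IPT="${IPT:-iptables}"

# Read "iptables -S INPUT" output on stdin and print the 1-based position of the
# first catch-all DROP rule in the chain; print nothing if there is none.
# -S prints "-P INPUT <policy>" first and then one "-A INPUT ..." line per rule, in
# chain order, so counting -A lines gives the same numbers as "-L INPUT --line-numbers".
catch_all_drop_index() {
  awk '/^-A INPUT / { n++ } /^-A INPUT -j DROP$/ { print n; exit }'
}

# Add a rule to INPUT so it is evaluated before the catch-all DROP (run as root).
# Usage: add_input_rule -p tcp -s 198.51.100.7/32 --dport 9090 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
add_input_rule() {
  idx=$("$IPT" -S INPUT | catch_all_drop_index)
  if [ -n "$idx" ]; then
    "$IPT" -I INPUT "$idx" "$@"    # insert at the DROP's slot; the DROP moves down by one
  else
    "$IPT" -A INPUT "$@"           # no catch-all in the chain yet, so appending is safe
  fi
}
```

With the chain from the first listing in the thread, the DROP sits at position 4, so the helper runs iptables -I INPUT 4 ... and the DROP becomes rule 5. A different way to avoid the ordering trap entirely is to make DROP the chain policy (iptables -P INPUT DROP) after the loopback and ESTABLISHED,RELATED rules are in place and drop the trailing DROP rule; an appended ACCEPT then always takes effect, because the policy is only consulted after every rule has been tried.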
 
iptables are great, but I thought the world was moving to firewalld?
 