
Linux Guarddog & port 8000

18 years 4 months ago #15501 by Ranger24
Hi Guys,

Anyone good with Guarddog (firewall). I have configured it to permit traffic between zones "internet" & "local" on UDP port 8000 (RTP).

But every time I test this I get the following entry in the messages log:

Jul 3 20:21:30 localhost kernel: [17181450.888000] DROPPED IN= OUT=eth0 SRC=192.168.9.32 DST=217.10.79.54 LEN=200 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=8000 DPT=37996 LEN=180

I believe this means UDP traffic on port 8000 is being blocked by Guarddog. Can someone confirm this and offer advice?

If I turn Guarddog off all works ok...

Thanks

R


Patience - the last reserve of any engineer
18 years 4 months ago #15503 by nske
I don't know about guarddog's interface, however perhaps I can help if you post the output of
[code:1]iptables -L -v[/code:1]
18 years 4 months ago #15513 by Ranger24
Hi Nske,

As requested:
[code:1]
root@1[Pete]# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
200 20050 ACCEPT all -- lo any anywhere anywhere
77 11010 ACCEPT all -- eth0 any 192.168.9.32 192.168.9.255
4 160 logaborted tcp -- any any anywhere anywhere state RELATED,ESTABLISHED tcp flags:RST/RST
2075 2296K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
0 0 nicfilt all -- any any anywhere anywhere
0 0 srcfilt all -- any any anywhere anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
0 0 srcfilt all -- any any anywhere anywhere

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
200 20050 ACCEPT all -- any lo anywhere anywhere
1478 133K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
123 13430 s1 all -- any any anywhere anywhere

Chain f0to1 (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:65535 dpts:6881:6889 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:65535 dpt:ipp state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:ipp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:microsoft-ds state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:65535 dpt:6969 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:netbios-ns state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp spts:1024:65535 dpt:netbios-ns
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:netbios-ns dpt:netbios-ns
0 0 ACCEPT udp -- any any anywhere anywhere udp spts:1024:65535 dpt:netbios-dgm
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:netbios-dgm dpt:netbios-dgm
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:netbios-ssn state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp spts:1024:65535 dpt:netbios-ssn
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:65535 dpts:6881:6889 state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp dpts:6970:7170
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:65535 dpts:3900:3999 state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:netbios-ns dpts:1024:5999
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:netbios-ns dpt:netbios-ns
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:netbios-dgm dpt:netbios-dgm
0 0 logdrop all -- any any anywhere anywhere

Chain f1to0 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpts:6881:6889 state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:netbios-ns dpts:1024:65535
32 3000 ACCEPT udp -- any any anywhere anywhere udp spt:netbios-ns dpt:netbios-ns
11 2553 ACCEPT udp -- any any anywhere anywhere udp spt:netbios-dgm dpt:netbios-dgm
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:sip
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:gnutella-svc state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:3478
0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:8765 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:pop3 state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp dpts:33434:33600
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:1863 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:printer state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpts:6881:6889 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:imaps state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:1723 state NEW
0 0 ACCEPT gre -- any any anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpts:5190:5193 state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp spts:1024:5999 dpts:5190:5193
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:5050 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:telnet state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpts:5000:5001 state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp spts:1024:5999 dpt:5000
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:dict state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:domain state NEW
2 132 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:pop3s state NEW
5 260 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:imap2 state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:imap2
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:kerberos state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpts:6660:6669 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:ssh state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:0:1023 dpt:ssh state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:whois state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:43
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:rsync state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:hkp state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:nntp state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:xmpp-client state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:5223 state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:ntp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:ntp state NEW
1 52 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:https state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:3030 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:ipp state NEW
34 5457 ACCEPT udp -- any any anywhere anywhere udp dpt:ipp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ldap state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:522 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:1503 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:1720 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:1731 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpts:1024:65535 state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp spts:1024:5999 dpts:1024:65535
38 1976 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:www state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:webcache state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:8008 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:8000 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:8888 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:rtsp state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:7070 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:microsoft-ds state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:7741 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:smtp state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:1755 state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:1755
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:6969 state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:5190
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:ftp state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:netbios-ns state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp spts:1024:5999 dpt:netbios-ns
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:netbios-ns dpt:netbios-ns
0 0 ACCEPT udp -- any any anywhere anywhere udp spts:1024:5999 dpt:netbios-dgm
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:netbios-dgm dpt:netbios-dgm
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:netbios-ssn state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp spts:1024:5999 dpt:netbios-ssn
0 0 logdrop all -- any any anywhere anywhere

Chain logaborted (1 references)
pkts bytes target prot opt in out source destination
4 160 logaborted2 all -- any any anywhere anywhere limit: avg 1/sec burst 10
0 0 LOG all -- any any anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '

Chain logaborted2 (1 references)
pkts bytes target prot opt in out source destination
4 160 LOG all -- any any anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `ABORTED '
4 160 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED

Chain logdrop (4 references)
pkts bytes target prot opt in out source destination
0 0 logdrop2 all -- any any anywhere anywhere

Chain logdrop2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere

Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 logreject2 all -- any any anywhere anywhere

Chain logreject2 (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
0 0 REJECT udp -- any any anywhere anywhere reject-with icmp-port-unreachable
0 0 DROP all -- any any anywhere anywhere

Chain nicfilt (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- eth0 any anywhere anywhere
0 0 RETURN all -- eth0 any anywhere anywhere
0 0 RETURN all -- lo any anywhere anywhere
0 0 logdrop all -- any any anywhere anywhere

Chain s0 (1 references)
pkts bytes target prot opt in out source destination
0 0 f0to1 all -- any any anywhere 192.168.9.32
0 0 f0to1 all -- any any anywhere 192.168.9.255
0 0 f0to1 all -- any any anywhere localhost.localdomain
0 0 logdrop all -- any any anywhere anywhere

Chain s1 (1 references)
pkts bytes target prot opt in out source destination
123 13430 f1to0 all -- any any anywhere anywhere

Chain srcfilt (2 references)
pkts bytes target prot opt in out source destination
0 0 s0 all -- any any anywhere anywhere[/code:1]

Hope this makes sense!

R


Patience - the last reserve of any engineer
18 years 4 months ago #15520 by nske
The only related rule that I see, is

[code:1] 0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:1024:5999 dpt:8000 state NEW[/code:1]

This is placed in chain "f1to0", which is linked to the OUTPUT chain. This means that the above rule would only affect traffic originating from the local machine (the one running the firewall) and destined to any external host. It wouldn't affect traffic being routed through the machine or traffic destined to the local machine and originating from another host. Perhaps that's your intention, just making sure.

In relation to:[code:1] 1478 133K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED[/code:1] in input and output chains, it should work for allowing connections from the local host to the outside, port 8000 TCP.

As you use a default drop policy and you only explicitly allow TCP outgoing traffic destined to 8000 TCP, if the server uses UDP it is reasonable that it does not work. Try modifying the above rules to match UDP packets.

However I'm a little confused since, from the log message that you posted earlier, it looks like a reply from a server listening at port 8000 is blocked, not the initial request. Could you provide a little information about your network (mainly which machine is the server, which the client and which the Linux firewall)?

Thanks
18 years 4 months ago #15523 by Ranger24
Replied by Ranger24 on topic Network Model
Hi Nske,

You're right a network model would help:


Linux PC ---> Router ---> Cable Modem ---> Internet ---> Sipgate.co.uk


The Linux PC is running a SIP phone to connect to the SIP server at sipgate.co.uk.

For audio to be correctly established RTP must be used on port 8000/UDP to the sipgate server.

When a call is initiated, SIP establishes a signalling path with the server to determine who the call is directed to (this works okay). Once this is agreed, RTP is used to establish the session (voice) between the end points (Linux PC & sipgate server).

So initially I'd expect an RTP message from my Linux box (port 8000) to the sipgate server, and a response on 8000 from the server.

As you correctly state it is the first RTP message from my machine that fails.

Within Guarddog I have stated RTP is allowed into the Linux PC, and out of the Linux PC...but nothing works.

This probably points to a bug in Guarddog, rather than iptables, based on your interpretation of the iptables rules.

Not knowing how to use iptables (yet), I am stuck.

Thanks so far!

R


Patience - the last reserve of any engineer
18 years 4 months ago #15528 by nske
Iptables does not support recognition of RTP traffic through patterns, as far as I know. So if Guarddog allowed you to match "RTP" traffic, it only matched it based on the default ports used. However from what I read RTP is supposed to work over UDP, so the rule defined by guarddog that matches TCP packets is wrong.

You should be able to add a rule that will allow outgoing connections to port 8000 UDP, either through guarddog's interface or directly through IPtables. You already have defined to allow incoming replies to connections that you have initiated, so I think adding such a rule would be sufficient.

Through IPtables you could do this by issuing:
[code:1]iptables -A OUTPUT -p udp --dport 8000 -j ACCEPT[/code:1]
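As an added illustration (not code from the thread or from Guarddog), the Python script below parses the DROPPED log line quoted in the first post and checks it against a minimal first-match model of the port/protocol part of the f1to0 TCP rule nske points to and of the UDP rule he suggests; the rule tuples and function names are my assumptions, and the script reports which field each rule fails on for that particular datagram.

```python
import re

# Constructed copy of the kernel LOG line quoted in the first post (values as posted).
DROPPED_LINE = (
    "Jul 3 20:21:30 localhost kernel: [17181450.888000] DROPPED IN= OUT=eth0 "
    "SRC=192.168.9.32 DST=217.10.79.54 LEN=200 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=UDP SPT=8000 DPT=37996 LEN=180"
)

def parse_iptables_log(line):
    """Extract the KEY=VALUE fields of an iptables LOG entry; ports become ints."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))  # an empty IN= is kept as ""
    return {
        "in": fields.get("IN", ""), "out": fields.get("OUT", ""),
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": fields.get("PROTO", "").lower(),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
    }

# Assumed rule shape: (name, proto, (sport_lo, sport_hi), (dport_lo, dport_hi)).
# These model only the proto/port match of the quoted f1to0 entry and of the
# suggested "-p udp --dport 8000"; 'state NEW' is left out because the first
# outbound datagram of a UDP flow is NEW under conntrack anyway.
EXISTING_TCP_RULE = ("tcp spts:1024:5999 dpt:8000", "tcp", (1024, 5999), (8000, 8000))
SUGGESTED_UDP_RULE = ("udp dpt:8000", "udp", (0, 65535), (8000, 8000))

def mismatch(packet, rule):
    """Return the first rule field the packet fails ('proto', 'sport', 'dport'), or None."""
    _, proto, (s_lo, s_hi), (d_lo, d_hi) = rule
    if proto != "all" and proto != packet["proto"]:
        return "proto"
    if packet["spt"] is None or not s_lo <= packet["spt"] <= s_hi:
        return "sport"
    if packet["dpt"] is None or not d_lo <= packet["dpt"] <= d_hi:
        return "dport"
    return None

def walk_chain(packet, rules):
    """First-match evaluation that falls through to logdrop, like the posted chain f1to0."""
    for rule in rules:
        if mismatch(packet, rule) is None:
            return "ACCEPT via " + rule[0]
    return "logdrop"

if __name__ == "__main__":
    pkt = parse_iptables_log(DROPPED_LINE)
    for rule in (EXISTING_TCP_RULE, SUGGESTED_UDP_RULE):
        print(rule[0], "->", mismatch(pkt, rule) or "match")
    print(walk_chain(pkt, [EXISTING_TCP_RULE, SUGGESTED_UDP_RULE]))
```

Note that the quoted line carries SPT=8000 and DPT=37996, so the model reports a protocol mismatch for the TCP rule and a destination-port mismatch for the UDP rule; a rule keyed on the source port is what matches that specific datagram, which is worth checking against your own log lines before adding a rule.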