forum.excito.org

Bubba community forum
https://forum.excito.org/

External access weirdness

https://forum.excito.org/viewtopic.php?t=1177

Page 1 of 1

External access weirdness

Posted: 29 Sep 2008, 17:33
by CJNE
I'm having problems accessing my bubba2 from WAN, it don't seem to respond at all on ssh, ftp and http. There is nothing between bubba and WAN, it is acting as my router and firewall.
Everything works fine from the LAN.
If i add a port forward for example on public port 2222 to private port 22 on the LAN bubba-IP it works from WAN.
I have enabled ssh, ftp and http from WAN.
Here is my iptables --list:
bubba:~# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT icmp -- anywhere anywhere icmp echo-request

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I have set the sshd logging to DEBUG and i can't see any connection attempts so i suspect something gets blocked before sshd.

It would be nice to get things running on the standard ports.

Posted: 01 Oct 2008, 02:20
by CJNE
Any ideas, or do you need any other info?

Posted: 01 Oct 2008, 03:14
by carl
The normal output of iptables -L is a bit inconclusive, can you post the output of the following commands?

Code: Select all

ifconfig
route -n
iptables-save
/Carl

Posted: 01 Oct 2008, 14:14
by CJNE
carl wrote:The normal output of iptables -L is a bit inconclusive, can you post the output of the following commands?

Code: Select all

ifconfig
route -n
iptables-save
/Carl
Sure, here they are, the second iptables-save output is from when i have set up port forwarding on other ports in which case it works.

bubba:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:22:02:00:00:96
inet addr:81.94.69.31 Bcast:81.94.69.255 Mask:255.255.255.0
inet6 addr: fe80::222:2ff:fe00:96/64 Scope:Link
UP BROADCAST RUNNING MTU:1500 Metric:1
RX packets:1112477 errors:0 dropped:0 overruns:0 frame:0
TX packets:1106013 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1072186984 (1022.5 MiB) TX bytes:788590844 (752.0 MiB)
Base address:0xe000

eth1 Link encap:Ethernet HWaddr 00:22:02:00:00:97
inet addr:192.168.10.1 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::222:2ff:fe00:97/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8014160 errors:0 dropped:0 overruns:0 frame:0
TX packets:3565616 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3439899578 (3.2 GiB) TX bytes:3481156565 (3.2 GiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:713 errors:0 dropped:0 overruns:0 frame:0
TX packets:713 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:81214 (79.3 KiB) TX bytes:81214 (79.3 KiB)

bubba:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
81.94.69.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 81.94.69.1 0.0.0.0 UG 0 0 0 eth0

bubba:~# iptables-save
# Generated by iptables-save v1.3.6 on Wed Oct 1 20:06:11 2008
*filter
:INPUT DROP [10116:904414]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2811652:2725242822]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Oct 1 20:06:11 2008
# Generated by iptables-save v1.3.6 on Wed Oct 1 20:06:11 2008
*nat
:PREROUTING ACCEPT [488395:148235401]
:POSTROUTING ACCEPT [4534:1026045]
:OUTPUT ACCEPT [7811:1274651]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Oct 1 20:06:11 2008


With this config it works with ssh on port 2222 and http on port 8000:

bubba:~# iptables-save
# Generated by iptables-save v1.3.6 on Wed Oct 1 20:03:12 2008
*filter
:INPUT DROP [10116:904414]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2811417:2725184407]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Wed Oct 1 20:03:12 2008
# Generated by iptables-save v1.3.6 on Wed Oct 1 20:03:12 2008
*nat
:PREROUTING ACCEPT [488258:148196613]
:POSTROUTING ACCEPT [4529:1025618]
:OUTPUT ACCEPT [7802:1273966]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.10.1:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.10.1:22
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Oct 1 20:03:12 2008
All times are UTC-04:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited