
Support::Linux Servers Support forum for Linux EQEMu users.

  #1  
Old 04-03-2011, 02:46 PM
Tabasco
Discordant
 
Join Date: Sep 2009
Posts: 269
Default

What does your iptables script look like?

It is likely that your default policy is to deny, in which case you would need to add exceptions before the deny rule for applicable tables.

-I INPUT -p tcp --dport 20900 -j ACCEPT
Reply With Quote
  #2  
Old 04-03-2011, 03:10 PM
freezzo
Fire Beetle
 
Join Date: Jun 2004
Posts: 18
Default

I have these added:


-A INPUT -p tcp --dport 20900 -j ACCEPT
-A INPUT -p udp --dport 20900 -j ACCEPT
-A INPUT -p tcp --dport 5998 -j ACCEPT
-A INPUT -p tcp --dport 5999 -j ACCEPT
-A INPUT -p udp --dport 5998 -j ACCEPT
-A INPUT -p udp --dport 5999 -j ACCEPT

I haven't set up the zone stuff yet.
Reply With Quote
  #3  
Old 04-03-2011, 05:50 PM
Tabasco
Discordant
 
Join Date: Sep 2009
Posts: 269
Default

Well, if it works when you shut off iptables, you have your culprit.

You may also need to add allowances for your output and (maybe?) forward chains, depending on their default policies.
Reply With Quote
  #4  
Old 04-03-2011, 07:43 PM
freezzo
Fire Beetle
 
Join Date: Jun 2004
Posts: 18
Default

Sorry if I do not understand... but, well... I don't understand what you mean?

I realize the culprit is that I must not be setting up the firewall right due to the fact that if I turn it off, it works. As long as there are no other ports involved, I will have to continue to dig.
Reply With Quote
  #5  
Old 04-03-2011, 08:30 PM
Tabasco
Discordant
 
Join Date: Sep 2009
Posts: 269
Default

To add accept rules for the other chains you would put in lines similar to the input rules.

-A INPUT -p tcp --dport 20900 -j ACCEPT
-A OUTPUT -p tcp --dport 20900 -j ACCEPT
-A FORWARD -p tcp --dport 20900 -j ACCEPT

If the firewall is doing NAT this gets more complicated.
Can you post your firewall script?
Reply With Quote
  #6  
Old 04-04-2011, 07:57 PM
freezzo
Fire Beetle
 
Join Date: Jun 2004
Posts: 18
Default

This is what I have:




*filter


# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT


# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


# Allows all outbound traffic
# You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT


# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8000 -j ACCEPT

# EQEMU
-A INPUT -p tcp --dport 20900 -j ACCEPT
-A INPUT -p udp --dport 20900 -j ACCEPT
-A INPUT -p tcp --dport 5998 -j ACCEPT
-A INPUT -p tcp --dport 5999 -j ACCEPT
-A INPUT -p udp --dport 5998 -j ACCEPT
-A INPUT -p udp --dport 5999 -j ACCEPT

# Allows SSH connections
#
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT


# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT


# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7


# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
Reply With Quote
  #7  
Old 04-05-2011, 09:46 AM
Tabasco
Discordant
 
Join Date: Sep 2009
Posts: 269
Default

I'm not at a point where I can do a lot of testing right now, but there are a couple of things you can try.

Your
-A FORWARD -j REJECT
line probably isn't doing anything without NAT, but you might comment that out or set your action to ACCEPT and reload the firewall to see if it makes a difference.

It also looks like you're logging rejected requests. You could try logging in to the server and then grepping your logs for 'iptables denied'.
Reply With Quote
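
The log check suggested in post #7, as an added example that is not part of the original thread: it groups packets logged under the "iptables denied: " prefix from post #6 by protocol and destination port, which shows which ports still lack an ACCEPT rule above the final REJECT. The sample log lines, addresses and ports 7000/9000 are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize packets logged by the ruleset's LOG rule
# (--log-prefix "iptables denied: ") by protocol and destination port.

# Constructed sample in the kernel's netfilter LOG line format. Addresses are
# documentation ranges; ports 7000 and 9000 are made-up values.
sample_log() {
cat <<'EOF'
Apr  5 09:12:01 host kernel: [1001.10] iptables denied: IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=9000 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  5 09:12:03 host kernel: [1003.42] iptables denied: IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=198.51.100.23 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=40001 DPT=7000 LEN=28
Apr  5 09:12:05 host sshd[812]: Server listening on 0.0.0.0 port 22.
Apr  5 09:12:09 host kernel: [1009.87] iptables denied: IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=198.51.100.23 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=40001 DPT=7000 LEN=28
EOF
}

# Read log lines on stdin and print "count PROTO/DPT last-source",
# most frequently denied port first.
summarize_denied() {
    awk '
    /iptables denied: / {
        proto = dpt = src = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/)    proto = substr($i, 7)
            else if ($i ~ /^DPT=/) dpt   = substr($i, 5)
            else if ($i ~ /^SRC=/) src   = substr($i, 5)
        }
        if (proto == "") next       # truncated or malformed line
        if (dpt == "") dpt = "-"    # e.g. ICMP has no DPT field
        key = proto "/" dpt
        count[key]++
        last[key] = src
    }
    END { for (k in count) printf "%d %s %s\n", count[k], k, last[k] }
    ' | sort -k1,1nr -k2,2
}

# Stand-alone run on the constructed sample. On a real server, pipe the
# kernel log into summarize_denied instead (its location varies by distro).
sample_log | summarize_denied
```

Because the LOG rule in post #6 is rate-limited to 5/min, the counts are a lower bound; what matters is which PROTO/DPT pairs appear at all.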
All times are GMT -4.