[Solved] Torrent + iptables can't accept connections


Post by ayu »

I have a web-based torrent client on another computer, which is running Ubuntu Server. When forwarding ports in the router it works very well and the client can accept connections. But when I configure iptables on the server, it won't work =/

The ports I am using for the clients are tcp/udp 60010-60011

My iptables look like this:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:60010
ACCEPT tcp -- anywhere anywhere tcp dpt:60010
ACCEPT tcp -- anywhere anywhere tcp dpt:60011
ACCEPT udp -- anywhere anywhere udp dpt:60011

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# Generated by iptables-save v1.3.8 on Tue Aug 26 18:10:37 2008
*filter
:INPUT DROP [128:54543]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2723:1384052]
-A INPUT -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 60010 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60010 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60011 -j ACCEPT
-A INPUT -p udp -m udp --dport 60011 -j ACCEPT
COMMIT
# Completed on Tue Aug 26 18:10:37 2008
And the log from the client looks like this....
[2008/08/26 - 19:08:50] error: Problem connecting to tracker - (-2, 'Name or service not known')
Why would there be a problem connecting TO the tracker? =/

And last, netstat -lp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost:mysql *:* LISTEN 4378/mysqld
tcp 0 0 *:60011 *:* LISTEN 4649/python
tcp 0 0 *:netbios-ssn *:* LISTEN 4477/smbd
tcp 0 0 *:www *:* LISTEN 4549/apache2
tcp 0 0 192.168.0.6:domain *:* LISTEN 4257/named
tcp 0 0 localhost:domain *:* LISTEN 4257/named
tcp 0 0 localhost:ipp *:* LISTEN 4460/cupsd
tcp 0 0 localhost:953 *:* LISTEN 4257/named
tcp 0 0 *:microsoft-ds *:* LISTEN 4477/smbd
tcp6 0 0 [::]:domain [::]:* LISTEN 4257/named
tcp6 0 0 [::]:ssh [::]:* LISTEN 4280/sshd
tcp6 0 0 ip6-localhost:953 [::]:* LISTEN 4257/named
getnameinfo failed
getnameinfo failed
udp 0 0 192.168.0.6:netbios-ns *:* 4475/nmbd
udp 0 0 *:netbios-ns *:* 4475/nmbd
udp 0 0 192.168.0.6:netbios-dgm *:* 4475/nmbd
udp 0 0 *:netbios-dgm *:* 4475/nmbd
udp 0 0 192.168.0.6:domain *:* 4257/named
udp 0 0 localhost:domain *:* 4257/named
udp 0 0 *:bootpc *:* 3850/dhclient3
udp 0 0 *:56689 *:* 4257/named
udp6 0 0 [::]:domain [::]:* 4257/named
udp6 0 0 [::]:41024 [::]:* 4257/named
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 11842 4492/winbindd /tmp/.winbindd/pipe
unix 2 [ ACC ] STREAM LISTENING 11577 4378/mysqld /var/run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 11846 4492/winbindd /var/run/samba/winbindd_privileged/pipe
unix 2 [ ACC ] STREAM LISTENING 11749 4460/cupsd /var/run/cups/cups.sock

and last but not least, the interfaces file...
# /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp
    # pre-up lines belong to the iface stanza above them; this one loads
    # the saved rules before eth0 comes up
    pre-up iptables-restore < /iptables

I can't see the error =/
Last edited by ayu on 30 Aug 2008, 10:04, edited 1 time in total.
"The best place to hide a tree, is in a forest"

Post by Still_Learning »

I'm not sure really. I use Ubuntu client Hardy Heron, which comes with the Transmission torrent program, and I found it just as good or better than uTorrent. As for netstat, I would make sure you are not file-exchanging while you run the command. I once was torrenting like 5 files or more at once and did a netstat and had all kinds of weird IPs on my system; it's part of torrenting and these other PCs sending files back and forth, I think, so it's going to show tons of connections to your PC. Try stopping all torrents, then try it. If it does the same thing then I dunno, that's the extent of my knowledge; maybe someone can help further. I installed Ubuntu Server but have not really played around with it; I've been trying to learn regular Linux / bash commands first before moving on to Linux servers.

Post by ayu »

Updated

EDIT: I recently discovered that the DNS doesn't work like it's supposed to either. It only works when I have iptables flushed and INPUT set to ACCEPT. I have opened port 53 tcp/udp with the following commands:

iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT

yet it doesn't work....
It's odd; all the ports that should be open are open now, and the iptables rules have been checked multiple times. Everything else works like it should: DNS, Samba, SSH, Apache. But not Torrentflux =/

I tried without the iptables a few minutes ago, and the active torrent went up to ~400 KB/s, and then I activated iptables again and it went straight down to ~40-50 KB/s

Post by bad_brain »

Hm, what port range is the torrent client using?
Usually it's something like 6881-6999...
You have to open INPUT and, depending on your policy, also OUTPUT:


iptables -I INPUT -p tcp --destination-port 6881:6999 -j ACCEPT
iptables -I OUTPUT -p tcp --source-port 6881:6999 -j ACCEPT
P.S. The syntax might be a little different depending on the iptables version; in case it doesn't accept those rules, check man iptables... :wink:

Post by ayu »

Yeah, I remade the iptables rules from scratch now, but there are still a lot of issues. The DNS refuses to work. It SEEMS like the torrent client works now; I don't know if it really works yet, I will report on that later when I have tested it a bit.

The DNS server still doesn't work with the iptables rules loaded, though =/

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpts:60010:60012
ACCEPT udp -- anywhere anywhere udp dpts:60010:60012
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Post by bad_brain »

remember how chains in iptables work: they are processed rule by rule...if you block something in rule #1 and allow it in rule #2 it is still blocked.
so try it with placing the rules for the torrent client on top of the chain (-I adds a rule on top, -A adds a rule to the end of the chain).

:wink:

Post by ayu »

bad_brain wrote:remember how chains in iptables work: they are processed rule by rule...if you block something in rule #1 and allow it in rule #2 it is still blocked.
so try it with placing the rules for the torrent client on top of the chain (-I adds a rule on top, -A adds a rule to the end of the chain).

:wink:
Yeah, but as you can see, the torrent ports are on top =/ The only thing above them is the established connection rule.... which shouldn't be a problem.
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpts:60010:60012
ACCEPT udp -- anywhere anywhere udp dpts:60010:60012

Post by bad_brain »

Well, you said when flushing the rules it works... so the 1st rule MUST be the reason. Simply try it, and also place the DNS rules above the RELATED,ESTABLISHED one. If it still doesn't work, then we at least know it must be the rules for the torrent clients themselves causing the problem... :wink:

Post by ayu »

Yep, did as you suggested: placed the DNS on top, then the torrent, and then the established rule. The torrents seem to work, but the DNS doesn't as long as the iptables rules are loaded.

EDIT

The odd thing is that there are no rules at all that are blocking =/ It's only the policy that is "INPUT DROP"; the rest of the rules in that chain open ports and keep connections alive. I have both port 53 TCP and UDP open, and it doesn't use more than that, right? =/

Post by bad_brain »

phew...ok, had to think about it...^^
try those rules:
http://code.suck-o.com/62

The first 2 rules allow local applications (port >1024) to use the local DNS server (which I think is causing the problem, because it's not explicitly allowed); the other 2 rules allow external access.
If it works, check whether it still works after removing the last 2 rules.... :-k

Post by ayu »

nope, didn't work =/

EDIT:

I reset my iptables, and added:

iptables -I INPUT -i lo -j ACCEPT

and now at least the local computer can use the DNS xF

I'll remake the iptables once again, but this time I'll only use SSH and DNS.... just to see if it works
EDIT2:

Didn't work:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Updated

I made a new iptables ruleset from scratch; it still doesn't work though. I think I will have to sniff some packets and try to figure out what port the DNS wants to use =/

my new tables look like this...
iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 60010:60012 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 60010:60012 -j ACCEPT
iptables -I INPUT -i eth0 -s 192.168.0.0/24 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i eth0 -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i eth0 -s 192.168.0.0/24 -p icmp -j ACCEPT
iptables -I INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
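The rule ordering and the missing-rule problem discussed through this thread, as an added example that is not code from the thread: a small POSIX shell simulator of an iptables INPUT chain. It builds the chain from `iptables -A`/`-I` commands the way the kernel holds it (-I prepends, -A appends) and walks constructed packets through it with first-match semantics, falling back to the chain policy when nothing matches. The two rulesets are transcribed from the first and the last post; the packets, the documentation addresses 192.0.2.53 and 203.0.113.7, the LAN client 192.168.0.10 and the conntrack states are constructed for the example (56689 is the UDP source port named held in the netstat output). Only the matches the thread uses are modelled (-i, -s with a /24 or an exact host, -p, --dport, --state), and only IPv4: ip6tables is a separate table, and the netstat output shows named and sshd also listening on [::].

```shell
# Added example (not from the thread): first-match simulator for an iptables
# INPUT chain. Rules arrive as "iptables -A|-I INPUT ..." commands; the chain is
# built in kernel order, then each constructed packet is walked through it.
nl='
'
# build_chain: rule commands on stdin -> effective rule order, one per line,
# without the "iptables -X INPUT" prefix. -I prepends, -A appends.
build_chain() {
    chain=""
    while IFS= read -r line; do
        case $line in
            "iptables -I INPUT "*) chain="${line#iptables -I INPUT }$nl$chain" ;;
            "iptables -A INPUT "*) chain="$chain${line#iptables -A INPUT }$nl" ;;
        esac                              # -P, -F and blank lines add no rule
    done
    printf '%s' "$chain"
}
in_subnet() {        # $1 = address, $2 = "a.b.c.0/24" or an exact address
    case $2 in
        */24) [ "${1%.*}" = "${2%.*}" ] ;;          # same first three octets
        *)    [ "$1" = "$2" ] ;;
    esac
}
port_in_range() {    # $1 = port, $2 = "p" or "lo:hi" as --dport accepts it
    case $2 in
        *:*) [ "$1" -ge "${2%%:*}" ] && [ "$1" -le "${2##*:}" ] ;;
        *)   [ "$1" -eq "$2" ] ;;
    esac
}
# rule_matches RULE IFACE SRC PROTO DPORT STATE: true if every condition in
# RULE holds for the packet. Only -i, -s, -p, --dport and --state are modelled.
rule_matches() {
    r_iface=$2; r_src=$3; r_proto=$4; r_dport=$5; r_state=$6
    w_iface=""; w_src=""; w_proto=""; w_dport=""; w_state=""
    set -- $1                             # split the rule into tokens
    while [ $# -gt 0 ]; do
        case $1 in
            -i) w_iface=$2; shift 2 ;;
            -s) w_src=$2; shift 2 ;;
            -p) w_proto=$2; shift 2 ;;
            --dport|--destination-port) w_dport=$2; shift 2 ;;
            --state) w_state=$2; shift 2 ;;
            *) shift ;;                   # -m state, -m tcp, -j TARGET: no condition
        esac
    done
    if [ -n "$w_iface" ] && [ "$w_iface" != "$r_iface" ]; then return 1; fi
    if [ -n "$w_proto" ] && [ "$w_proto" != "$r_proto" ]; then return 1; fi
    if [ -n "$w_src" ] && ! in_subnet "$r_src" "$w_src"; then return 1; fi
    if [ -n "$w_dport" ] && ! port_in_range "$r_dport" "$w_dport"; then return 1; fi
    if [ -n "$w_state" ]; then
        case ",$w_state," in *",$r_state,"*) ;; *) return 1 ;; esac
    fi
    return 0
}
# verdict RULESET POLICY IFACE SRC PROTO DPORT STATE -> prints ACCEPT or DROP
verdict() {
    result=$(printf '%s\n' "$1" | build_chain | while IFS= read -r rule; do
        if rule_matches "$rule" "$3" "$4" "$5" "$6" "$7"; then
            printf '%s\n' "${rule##*-j }"; break   # first match wins
        fi
    done)
    printf '%s\n' "${result:-$2}"         # nothing matched: the chain policy
}
first_rule() { printf '%s\n' "$1" | build_chain | head -n 1; }
# Rulesets transcribed from the thread in command form (constructed input).
# First post: service ports only, no conntrack rule, no loopback rule.
ORIGINAL_RULES='iptables -A INPUT -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 139 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 60010 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 60010 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 60011 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 60011 -j ACCEPT'
# Last post (its -P and -F lines add no rule and are left out).
FINAL_RULES='iptables -A INPUT -i eth0 -s 192.168.0.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 60010:60012 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 60010:60012 -j ACCEPT
iptables -I INPUT -i eth0 -s 192.168.0.0/24 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i eth0 -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i eth0 -s 192.168.0.0/24 -p icmp -j ACCEPT
iptables -I INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT'
# Constructed packets: 192.0.2.53 and 203.0.113.7 are documentation addresses;
# 56689 is the UDP source port named held in the netstat output above.
report() {           # $1 = label, $2 = ruleset; INPUT policy is DROP throughout
    echo "== $1 =="
    echo "reply from upstream DNS to named (eth0 udp/56689 ESTABLISHED): $(verdict "$2" DROP eth0 192.0.2.53 udp 56689 ESTABLISHED)"
    echo "local resolver to named over lo (udp/53 NEW):                 $(verdict "$2" DROP lo 127.0.0.1 udp 53 NEW)"
    echo "LAN client 192.168.0.10 query (eth0 udp/53 NEW):              $(verdict "$2" DROP eth0 192.168.0.10 udp 53 NEW)"
    echo "Internet host 203.0.113.7 query (eth0 udp/53 NEW):            $(verdict "$2" DROP eth0 203.0.113.7 udp 53 NEW)"
    echo "torrent peer 203.0.113.7 SYN (eth0 tcp/60011 NEW):            $(verdict "$2" DROP eth0 203.0.113.7 tcp 60011 NEW)"
}
report "first post's rules" "$ORIGINAL_RULES"
report "last post's rules" "$FINAL_RULES"
echo "top of the last post's chain: $(first_rule "$FINAL_RULES")"
```

Under the first post's rules the reply to the server's own outbound DNS query arrives on eth0 with a high destination port, matches no rule and falls through to the DROP policy, which is consistent with the "Name or service not known" tracker error seen from the client; the last post's RELATED,ESTABLISHED and `-i lo` rules are what let that reply and the loopback query through, and the `-s 192.168.0.0/24` match keeps port 53 closed to the Internet while the torrent range stays open. The simulator also shows that the four `-I` rules end up in reverse order of insertion, with the state rule on top. On the real host the equivalent checks are `iptables -L INPUT -n -v --line-numbers`, which shows the actual order together with per-rule packet counters, and a final `iptables -A INPUT -j LOG --log-prefix "INPUT drop: "` rule, so that packets falling through to the policy appear in the kernel log (dmesg) instead of disappearing silently.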
