# No response from Iptables

## smorgrav

It seems like whatever configuration I give to iptables, the only open ports are 22 for ssh and 10000 for webmin.

I have only one interface (eth0) and my kernel 2.6.12-gentoo-r10 #3 SMP has iptables.

What should I do next to debug my configuration?

----------

## frostschutz

Have iptables list your complete current configuration, for example using `iptables {|-t nat|-t mangle} -L -v`. This should help you figure out what's going wrong.

Another possibility would be that there is something else doing the blocking, i.e. your ISP, your router, ...

----------

## fvant

What does `iptables -L` show?

This shows the active 'rules'.

----------

## smorgrav

```
iptables -t nat -t mangle -L -v
Chain PREROUTING (policy ACCEPT 115K packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 80830 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 20700 packets, 1727K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 20700 packets, 1727K bytes)
 pkts bytes target     prot opt in     out     source               destination
```

```
gentoo1 etc # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  localhost            anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

```
nmap localhost
Starting nmap 3.83.DC13 ( http://www.insecure.org/nmap/ ) at 2005-10-12 14:12 UTC
Interesting ports on localhost (127.0.0.1):
(The 1665 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
10000/tcp open  snet-sensor-mg
```

```
iptables -F
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

Same nmap output.

----------

## befa

The problem is that your rules are on lo, not on ethX. Can you give us the rules you wrote?

----------

## smorgrav

```
*filter
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
```

----------

## befa

*smorgrav wrote:*

> *filter
>
> -A INPUT -s 127.0.0.1 -j ACCEPT
>
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> ...

Why do you put the lo interface? Change to your eth0...

----------

## smorgrav

I don't understand.

Default is to apply the rules on all interfaces, right? And I don't specify any interface.

Now as the listing earlier showed, even if I flushed the ruleset, nothing changes. So I guessed that the problem was outside this ruleset.

----------

## smorgrav

What should happen when I flush my iptables? What rules are default?

----------

## Sleipnir

IIRC the default policy is to deny all packets. So you have at least to set the policies to ACCEPT (`iptables -P <chain> ACCEPT`).

----------

## smorgrav

So what can be wrong when I flush my iptables and nothing changes? I.e. ports 22 and 10000 are still open...

----------

## Sleipnir

We first have to clarify what you mean with "open". Do you scan your computer from outside and only see these two ports? This can have multiple reasons:

1. There are no more daemons running than sshd and webmin.
2. The other services running are not bound to the outside interface.
3. The services running are using a protocol that is not scanned (UDP?).
4. Your method of getting the open ports is sh*t.

You can execute `netstat --inet -ale` to see all connections (and listening services) of your computer and the interfaces they are bound to.

Try this and send the list maybe...

----------

## smorgrav

Well I assume that my method is sh*t...

Ok, but first (for my understanding), is it possible with iptables to block all ports on eth0, so that even if I have e.g. sshd listening on port 22, the port would be invisible/unreachable/closed from outside?

T

----------

## Sleipnir

That is correct. You can get this behaviour by setting the default policy of the input chain to DROP for eth0.

Edit:

Which behaviour do you want to get? All ports are closed/invisible from eth0???

If so, try the following:

1. Flush all chains including the nat tables.
2. Set the default policies to drop.
3. Additionally, you should add a drop-all line at the end of each ruleset, which is executed if no other rule matches.

----------

## DaveArb

*Sleipnir wrote:*

> [2] Set the default policies to drop
>
> [3] Additional you should add a drop-all-line at the end of each ruleset, which is executed if no other rule matches.

Why #3? Setting the default policy on a chain to DROP is the same as setting a last rule with DROP on all, AFAIK.

Dave

----------

## Sleipnir

This is correct, it's more a habit than really required. :)

----------

## saturas

You only have to put the DROP at the end of the chain if your policy is ACCEPT. If that policy is DROP, you don't need that.

This "habit" is useless. It makes sense if you put a REJECT at the end of the rule set, which is so much different from DROP.
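An added example, not code from anyone in this thread, to make the last few posts concrete: it parses a `*filter` ruleset in the format smorgrav posted and reports, per chain, what happens to a packet that no ACCEPT rule matched. With the trailing REJECT commented out and the policy left at the kernel default of ACCEPT, the chain filters nothing, which is why flushing it changed nothing. The sample rulesets are constructed; the `:INPUT DROP [0:0]` policy line and the `-i lo` rule in the hardened variant are my assumptions, not something posted in the thread.

```python
DENY = {"DROP", "REJECT"}

def parse_filter_table(text):
    """Map chain -> (policy, [rule bodies]) for the *filter table of an iptables-save
    style dump. A chain with no ':NAME POLICY' line keeps the kernel default, ACCEPT."""
    chains, in_filter = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # comments are inert, e.g. the disabled REJECT
            continue
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = (policy, [])
        elif in_filter and line.startswith("-A "):
            _, name, body = line.split(maxsplit=2)
            chains.setdefault(name, ("ACCEPT", []))[1].append(body)
    return chains

def unconditional_target(rule):
    """Target of a rule with no match criteria (it matches every packet), else None."""
    tokens = rule.split()
    return tokens[1] if tokens[:1] == ["-j"] else None  # -s/-p/-m before -j narrows it

def audit(text):
    """Per chain: fate of a packet no earlier rule matched. ACCEPT means it filters nothing."""
    verdicts = {}
    for name, (policy, rules) in parse_filter_table(text).items():
        last = unconditional_target(rules[-1]) if rules else None
        verdicts[name] = last or policy  # a trailing DROP/REJECT overrides the policy
    return verdicts

# Constructed sample: the ruleset as posted, with the REJECT line commented out.
POSTED = """*filter
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Constructed sample (assumed hardened variant): default-deny policy, loopback by interface.
HARDENED = """*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
"""
```

Running `audit(POSTED)` gives `{'INPUT': 'ACCEPT'}`, i.e. no filtering, while `audit(HARDENED)` gives `{'INPUT': 'DROP'}`; uncommenting the REJECT line in the posted ruleset reports `REJECT`, the distinct behaviour saturas points out.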

----------

