aMule Forum

Please login or register.

Login with username, password and session length
Advanced search  

News:

We're back! (IN POG FORM)

Author Topic: opening ports in firewall  (Read 7295 times)

ashwin

  • Guest
opening ports in firewall
« on: December 16, 2004, 07:24:00 PM »

Hi,
    I am using Fedora Core 3 linux. I know it has built-in firewall. I want to know how to open port 4662 in my OS. Apart from port 4662 what others should i open to b able to exchange files. Are there any security issues with opening these ports.

Thank you,

with regards,
ashwin
Logged

deltaHF

  • Evil Admin
  • Former Developer
  • Hero Member
  • *****
  • Karma: 6
  • Offline Offline
  • Posts: 3923
  • .. Legends may sleep, but they never die ..
    • http://www.amule.org
Re: opening ports in firewall
« Reply #1 on: December 16, 2004, 07:39:22 PM »

dglnz

  • Newbie
  • *
  • Karma: 0
  • Offline Offline
  • Posts: 6
  • newbie linux user
IPTABLES as per firewall info
« Reply #2 on: January 13, 2005, 10:16:07 AM »

Running Amule rc7.


http://forum.amule.org/images/bunfirlite/icons/icon7.gif Last night i did follow the commands and got a high ID, all well and good.

I then added a TOS command to minimize-delay :D (everything was fine and dandy).


 8o Today I check the listing and it was as i had it yesterday  :D

 8o then i loaded amule up and BANG LOW-ID  ;( klled amule killed the TOS saved / reloaded the rules all fine so loaded  amule again  :( and again LOW-ID.

what is it i have done ???

is a copy of my rules below.....

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:4662
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4672
ACCEPT     udp  --  anywhere             anywhere            udp multiport dports 4662,4663,4664,4665

any help would be appreciated,

dave.
Logged
Happy is the one who can do no wrong,
But they who do no wrong do little.

phoenix

  • Evil respawning bird from aMule Dev Team
  • Developer
  • Hero Member
  • *****
  • Karma: 44
  • Offline Offline
  • Posts: 2505
  • The last shadow you'll ever see
Re: opening ports in firewall
« Reply #3 on: January 13, 2005, 12:00:36 PM »

dglnz,

To make sure it is firewall related, disable it temporarily by:

$ ipfilter -F

The run aMule and see if you got lowid. If you do, it is not firewall related.

Cheers!
Logged

dglnz

  • Newbie
  • *
  • Karma: 0
  • Offline Offline
  • Posts: 6
  • newbie linux user
IPTABLES as per firewall
« Reply #4 on: January 23, 2005, 09:51:40 AM »

8o  ?( Well phoenix after doing what you asked it appears as if it isn´t related to the firewall.
as I still got a LOW-id after re-starting amule.

any suggestion as to what port to try ???

I´ve already tried some ports around 6642 and   6672 for TCP and UDP plus at least 4 other values in the 66xx range.

although i find it funny that i did get it to run once ?????

suggestions please. :)

dave.
Logged
Happy is the one who can do no wrong,
But they who do no wrong do little.

phoenix

  • Evil respawning bird from aMule Dev Team
  • Developer
  • Hero Member
  • *****
  • Karma: 44
  • Offline Offline
  • Posts: 2505
  • The last shadow you'll ever see
RE: IPTABLES as per firewall info
« Reply #5 on: January 23, 2005, 03:20:54 PM »

Quote
Originally posted by dglnz
suggestions please. :)

Yes, one suggestion:

Quote
Originally posted by dglnz
Running Amule rc7.

Try rc8 or preferrably latest cvs.

Also, while running aMule, go to your web browser and point it to this address:
http://uberpenguin.they-are.us/temp/testport/index.php?

Put there your port and click test. Then report your results.

Cheers!
Logged

dglnz

  • Newbie
  • *
  • Karma: 0
  • Offline Offline
  • Posts: 6
  • newbie linux user
RE: IPTABLES as per firewall info
« Reply #6 on: January 24, 2005, 10:11:03 AM »

okay upgrade to RC8.

phoenix wrote....
>> Also, while running aMule, go to your web browser and point it to this address:
>> http://uberpenguin.they-are.us/temp/testport/index.php?


used the site referenced above and got no where, even went to 80 and got a LOW id but the test site gave me a success notification.
got an error code 111.

finally looked again at the howto for iptables firewall and realised that i had failed to do _everything_ correctly :( as you see for yourself.

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:4662
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4672
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:4662:4665
                     ^^^ should be udp  :]

I have now corrected the offending line and now restarted amule and  I got a LOW id again.

here is the corrected iptables firewall for input.

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:4662
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4672
ACCEPT     udp  --  anywhere             anywhere            udp dpts:4662:4665

I now get an error 110 code.
So what do i do now ???

your help _is_ great by the way.

dave

ps how do you do the quote ??? tried using the quote button but in preview i saw what was inserted (naaamely
Quote
).
Logged
Happy is the one who can do no wrong,
But they who do no wrong do little.

phoenix

  • Evil respawning bird from aMule Dev Team
  • Developer
  • Hero Member
  • *****
  • Karma: 44
  • Offline Offline
  • Posts: 2505
  • The last shadow you'll ever see
RE: IPTABLES as per firewall info
« Reply #7 on: January 24, 2005, 12:06:32 PM »

Quote
Originally posted by dglnz
ps how do you do the quote ??? tried using the quote button but in preview i saw what was inserted (naaamely
Quote
).
You mean that? :P
Isn't there a quote button at the right side of the sceen on the top of the messages? Write like this (substitute the curly brackets for square brackets:
{quote}{i}Originally posted by dglnz{/i}
bla bla bla
{/quote}

Quote
Originally posted by dglnz
okay upgrade to RC8.
good. But cvs tarball would be better, more stable and lots of less bugs.

Quote
Originally posted by dglnz
phoenix wrote....
>> Also, while running aMule, go to your web browser and point it to this address:
>> http://uberpenguin.they-are.us/temp/testport/index.php?


used the site referenced above and got no where, even went to 80 and got a LOW id but the test site gave me a success notification.
got an error code 111.

Sorry, but I failed to understand. Error code of 111 is not a success notification.
Quote
Error: TCP port 6662 is unavailable. Make sure your firewall or router is allowing/forwarding this TCP service port and your ED2K client is running.

Explanation
TCP Error 111: The port is available for connections but a connection was refused meaning there is nothing listening on that port. This most likely means you can use ED2K but your client is not currently running. Try using this test again with an ED2K client running to make sure you can really establish a connection.

This means that the outside world can reach me, but that aMule is probably not running, because he got no answer.

Quote
Success The TCP port 8662 is available. You should be able to use the ED2K P2P service without any problems.
This is a success notification.

Quote
Originally posted by dglnz
finally looked again at the howto for iptables firewall and realised that i had failed to do _everything_ correctly :( as you see for yourself.

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:4662
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4672
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:4662:4665
                     ^^^ should be udp  :]

I have now corrected the offending line and now restarted amule and  I got a LOW id again.

here is the corrected iptables firewall for input.

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:4662
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4672
ACCEPT     udp  --  anywhere             anywhere            udp dpts:4662:4665

I now get an error 110 code.
So what do i do now ???
Please, paste here:
$iptables -n -L -v

Pay attention to the OUTPUT chain, maybe you are blocking outgoing packets, I say that because your INPUT chain has DROP policy.

Quote
Originally posted by dglnz
your help _is_ great by the way.

dave
Hey, thanks, you are wellcome. :)

Cheers!
Logged

dglnz

  • Newbie
  • *
  • Karma: 0
  • Offline Offline
  • Posts: 6
  • newbie linux user
Re: opening ports in firewall
« Reply #8 on: January 25, 2005, 07:04:08 AM »

Oppppsss  found out how to do the QUOTE thingy after i´d posted my last message ;)

Quote
Please, paste here:
 $iptables -n -L -v

Code: [Select]
iptables -n -L -v
Chain INPUT (policy DROP 385 packets, 24345 bytes)
 pkts bytes target     prot opt in     out     source               destination
36034   12M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   55  3420 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4662
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:4672
    3   239 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:4662:4665

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 53963 packets, 23M bytes)
 pkts bytes target     prot opt in     out     source               destination
Now I did have aMule client running at the time i did the tests at the website last night too.

Should i have a rule in OUTPUT like that in the FORWARD chain ???
(what the hell I´ll give it a go and let you know the result before I post this message.
well added this to the iptables...

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
>>>>ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED <<<<<

and i noticed that when i tried to do a new connect to another server i got the following messages

25/01/05 18:56:46: New external connection accepted

25/01/05 18:56:46: Invalid EC packet received <<<< Not seen this before !!!

25/01/05 18:56:56: Warning: DonkeyServer No1 (62.241.53.2:4242) - NG : You have a lowid. Please review your network config and/or your settings.

and still getting a LOW id.

Quote


quote:


Originally posted by dglnz
 okay upgrade to RC8.
 


 good. But cvs tarball would be better, more stable and lots of less bugs.

In the past i have had dependancy issues with tarballs _but_ I will download one tonight and give it a try.
Logged
Happy is the one who can do no wrong,
But they who do no wrong do little.

phoenix

  • Evil respawning bird from aMule Dev Team
  • Developer
  • Hero Member
  • *****
  • Karma: 44
  • Offline Offline
  • Posts: 2505
  • The last shadow you'll ever see
Re: opening ports in firewall
« Reply #9 on: January 25, 2005, 10:40:46 AM »

Fedora Core 3? I set my firewall like this (except from my personal blocking rules):

iptables -N RH-Firewall-1-INPUT
iptables -A INPUT -j RH-Firewall-1-INPUT
iptables -A FORWARD -j RH-Firewall-1-INPUT
iptables -A RH-Firewall-1-INPUT -s 66.187.233.4 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -i lo -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p esp -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p ah -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Notice that it differs from your settings in the FORWARD chain.

Quote
originally posted by dglnz
25/01/05 18:56:46: New external connection accepted
25/01/05 18:56:46: Invalid EC packet received <<<< Not seen this before !!!
25/01/05 18:56:56: Warning: DonkeyServer No1 (62.241.53.2:4242) - NG : You have a lowid. Please review your network config and/or your settings.

and still getting a LOW id.
Man, I believe this must be amuleweb trying to connect. If you have never seen this before it is because port 4712 was previously disabled. On the rules you show me, this line would match for this port:
Code: [Select]
pkts bytes target     prot opt in     out     source               destination
   55  3420 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
All open for interface lo.

Anyway, if you flush your tables, you should have been able to connect (iptables -F). Try first to solve the problem without any rules on the firewall, then you add them.

I will attach a script that I use. Take a look and see if you have any doubt. The intruders table is a table for those suckers that keep scanning my machine everyday X( And amuleports chain is for running in several different amule ports, you probably dont need so many, i did this once when I was testing other things.

Cheers!
Logged

dglnz

  • Newbie
  • *
  • Karma: 0
  • Offline Offline
  • Posts: 6
  • newbie linux user
Re: opening ports in firewall
« Reply #10 on: January 26, 2005, 08:03:16 AM »

On 13-01-05 You asked me to try iptables -F and I did.

Result on that occasion was LOW-id being got from the connected server.

to be sure it was right i closed amule and restarted it with no firewall (I mean having the rules flushed).

Today I started amule and got LOW-id again (will dso the -F thing with iptables and report back)

Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

after doing the iptables -F command and get a LOW-id.

Now changing the INPUT Policy to accept (Errrrr).

now rules look like this...
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

the test (from website http://uberpenguin.they-are.us/temp/testport/index.php) is below.

Error: TCP port 4662 is unavailable. Make sure your firewall or router is allowing/forwarding this TCP service port and your ED2K client is running.

Explanation
 TCP Error 111: The port is available for connections but a connection was refused meaning there is nothing listening on that port. This most likely means you can use ED2K but your client is not currently running. Try using this test again with an ED2K client running to make sure you can really establish a connection.


185.reserved.callplus.net.nz (203.184.24.185)
 Coding by uberpenguin, idea by deltaHF, which he found here

Loaded amule up and got a LOW id.


BTW i am running MDK 10.0 Official with IPtables ver 1.2.9


One last thing i have tried and that is to add NEW to the -state option so the INPUT chain looks like this now....

Chain INPUT (policy DROP)
target     prot opt source               destination

ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:4662
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4672
ACCEPT     udp  --  anywhere             anywhere            udp dpts:4662:4665

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Now i loaded aMule and got a LOW id again (closed it down then reloaded with rules above in operation.

the website referred to earlier gave me a success as below

Success The TCP port 4662 is available. You should be able to use the ED2K P2P service without any problems.

185.reserved.callplus.net.nz (203.184.24.185)
 Coding by uberpenguin, idea by deltaHF, which he found here

So what is going on ????


Also my concern is that anyone will be able to getin via the rule in my firewall.
Logged
Happy is the one who can do no wrong,
But they who do no wrong do little.

phoenix

  • Evil respawning bird from aMule Dev Team
  • Developer
  • Hero Member
  • *****
  • Karma: 44
  • Offline Offline
  • Posts: 2505
  • The last shadow you'll ever see
Re: opening ports in firewall
« Reply #11 on: January 26, 2005, 01:22:01 PM »

dglnz,

I fail to understand how the situation can look better when the firewall is up. With flushed rules you get 111, and with some rules you get ok? That escapes me... ?(

What I can tell you is that: you get a low id if the server at the moment of connection does not get an answer to a EDONKEY HELLO packet that he sent to your TCP port (4662 in your case). Assuming you have firewall rules flushed, and that your IP is not NAT'ed, he should be able to do that. Are you sure your ISP does give you a valid routable IP? Maybe your ISP is blocking port 4662, have you tryied to change the default amule TCP port? Change it to say, 9662 (any unused value will do).
Logged

snac

  • Newbie
  • *
  • Karma: 0
  • Offline Offline
  • Posts: 34
Re: opening ports in firewall
« Reply #12 on: January 26, 2005, 06:57:47 PM »

Quote
Are you sure your ISP does give you a valid routable IP? Maybe your ISP is blocking port 4662, have you tryied to change the default amule TCP port? Change it to say, 9662 (any unused value will do).
8)

@dglnz try this page it will display your private ip.

http://www.whatismyipaddress.com/

Your ISP use for go to internet IP of the NAT/PAT (Network Address Translator / Port Address Translator). It has policy on firewall for block this traffic.
If you will have ip 10.x.x.x or 172.x.x.x ( Network class A or B ) contact your ISP.

Byez
Logged
Desktop:: AMD Barton 2600 + ArchLinux Heavy Modded + KDE 3.4.1 + aMule 2.0.3
Portable:: Ibook G4 - 1,25Ghz - OSX 10.3.9
Linux User Nr.372724

dglnz

  • Newbie
  • *
  • Karma: 0
  • Offline Offline
  • Posts: 6
  • newbie linux user
Re: opening ports in firewall
« Reply #13 on: January 28, 2005, 10:03:57 AM »

snac

thanks for URL have gone to it to try it out.

think about what you both have said _maybe_ the isp _IS_ blocking the port ´cause i did try emule (from another box i was working on for a friend at home here)[/B] and was able to use the onboard message screen (something i am unable to do in amule also) and got a suggestion to goto another port and bingo went from a LOW id to a HIGH id instantly.

the  website info tells me this
What is my IP Address?

Your IP Address:
 203.184.24.128

and the info i get from my kppp remote address is 203.184.24.128

I am also trying another port ( see earlier messages i had tried 2 or 3 in the 6000 range with no luck).

phoenix

It is a puzzling matter to me also.

when i got the success from the website i though my problems were solved but they were not.
Would me not being able to use the message area that comes with amule program show a problem ?

because all that i get is a notepad icon in top left corner.

did change as asked iptables are now...

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:9662
ACCEPT     udp  --  anywhere             anywhere            udp dpt:9672
ACCEPT     udp  --  anywhere             anywhere            udp dpts:9662:9665

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

ALSO changed the default policy from drop to accept again no change i still get a LOW id.

BOY talk about things getting merky....

the above iptables settings are current okay i got back to the tester site and test on port 9662, 8662
both failed as in previous messages then i try 4662 and get a success as below...
I have had amule running during the testing.
Success The TCP port 4662 is available. You should be able to use the ED2K P2P service without any problems.

128.reserved.callplus.net.nz (203.184.24.128)
 Coding by uberpenguin, idea by deltaHF, which he found here


Now just for the hell of it i have gone to 10662, 10672 etc teset gave me a failure and i still get a LOW id


just thinking would i be able to do a VPN for amule ???

I haven´t used or done anything with VPN for windows or linux before.

below are some images of my config for amule incase i´ve done something and it is important and i haven´t said anything about  it.
Logged
Happy is the one who can do no wrong,
But they who do no wrong do little.