LinuxQuestions.org
Old 10-31-2011, 06:24 PM   #1
cskiwi
LQ Newbie
 
Registered: Oct 2011
Posts: 15

Rep: Reputation: Disabled
Another Port problem


Hi,

I'm having some issues with my port forwarding.

I recently installed Ubuntu (server version) 11.10 on a computer,
I installed SSH, Apache, Minecraft server, ... on it.

Everything is working fine on ethernet, but when I want someone else to see the site, or connect to the Minecraft server, they can't connect to my IP.

I forwarded the following ports in my router: 22, 80, 443, 25565.

I use ufw as firewall (I think).
I typed:
sudo ufw enable, if that is enough, then I'm running it.

This is my "ufw status":
Code:
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
25565/tcp                  ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere (v6)
80/tcp                     ALLOW       Anywhere (v6)
21/tcp                     ALLOW       Anywhere (v6)
25565/tcp                  ALLOW       Anywhere (v6)
But still no one is able to connect to my server.
And when I test the ports on: http://www.yougetsignal.com/tools/open-ports/
it says they're closed.

So does anyone have any idea what I forgot to do?
 
Old 11-01-2011, 12:50 AM   #2
lqman
LQ Newbie
 
Registered: Nov 2010
Location: Surabaya, Indonesia
Distribution: debian, ubuntu, FreeBSD, Solaris
Posts: 17

Rep: Reputation: 3
Please post the output from the iptables-save command.
 
Old 11-01-2011, 06:39 AM   #3
cskiwi
LQ Newbie
 
Registered: Oct 2011
Posts: 15

Original Poster
Rep: Reputation: Disabled
The tables

These are the tables after a fresh restart:

Code:
# Generated by iptables-save v1.4.10 on Tue Nov  1 12:39:19 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2:80]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m state --state NEW -j ACCEPT
-A ufw-track-output -p udp -m state --state NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 21 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 25565 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Tue Nov  1 12:39:19 2011
 
Old 11-01-2011, 07:58 AM   #4
lqman
LQ Newbie
 
Registered: Nov 2010
Location: Surabaya, Indonesia
Distribution: debian, ubuntu, FreeBSD, Solaris
Posts: 17

Rep: Reputation: 3
Sorry, I don't know about UFW; I think it is just an interface to configure iptables (like Shorewall).
In my opinion, you had better uninstall UFW and use iptables only, to help you understand firewalls, port forwarding, IP accounting, etc. more deeply.
 
Old 11-01-2011, 09:14 AM   #5
cskiwi
LQ Newbie
 
Registered: Oct 2011
Posts: 15

Original Poster
Rep: Reputation: Disabled
Uninstalling something because you don't know how something works is not an option for me.
 
Old 11-01-2011, 07:41 PM   #6
padeen
Member
 
Registered: Sep 2009
Location: Perth, W.A.
Distribution: Slackware, Debian, Gentoo, FreeBSD, OpenBSD
Posts: 208

Rep: Reputation: 41
When you say "everything is working fine on ethernet", what do you mean? Is it that any machine on your local network can access apache, minecraft, etc?

Try to narrow the problem down. Start apache.

Verify connection on local machine. In a browser: http://localhost/ should give you apache's default page. If not, apache is not working.

Now try remote connections on the same network. Try from a different machine on your network: http://your_servers_ip_address/ If this works (apache serves up the default page), then ufw/iptables is working correctly, in which case the problem is most likely to be with port forwarding on your router.

My gut feel from your iptables' output is that iptables is fine, and the problem is at your router and not your server.
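
Added example (not part of padeen's post or any poster's code): a small Python walker that follows a new inbound TCP connection through the INPUT path of the ruleset from post #3 and reports the verdict for each port the router forwards in post #1. The rule subset is abridged by hand, and the names `load`, `matches`, `walk` and `verdicts` are hypothetical; match options the packet model does not carry are treated as non-matching.

```python
import shlex

# Constructed sample: INPUT-path rules abridged from the iptables-save output in post #3.
RULES = """\
:INPUT DROP [0:0]
-A INPUT -j ufw-before-input
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -j ufw-user-input
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -j DROP
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 21 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 25565 -j ACCEPT
"""

def load(text):
    policy, chains = {}, {}
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0].startswith(":"):      # ":CHAIN POLICY [pkts:bytes]"
            policy[tok[0][1:]] = tok[1]
        elif tok[:1] == ["-A"]:                 # every option in this ruleset takes one argument
            chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return policy, chains

def matches(opts, pkt):
    # Assumption: options the packet model lacks (limit, -d, ...) count as "no match".
    return all(pkt.get(k) in v.split(",") for k, v in opts.items() if k not in ("-m", "-j"))

def walk(chain, pkt, chains):
    for opts in chains.get(chain, []):
        target = opts["-j"] if matches(opts, pkt) else None
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target                       # terminating target
        if target == "RETURN":
            return None                         # resume in the calling chain
        result = walk(target, pkt, chains) if target in chains else None
        if result:                              # LOG and empty chains fall through
            return result
    return None

def verdicts(ports, text=RULES):
    policy, chains = load(text)
    base = {"-p": "tcp", "--state": "NEW", "--dst-type": "LOCAL"}
    return {p: walk("INPUT", {**base, "--dport": str(p)}, chains) or policy["INPUT"] for p in ports}

if __name__ == "__main__":
    print(verdicts([22, 80, 443, 25565]))       # ports forwarded on the router in post #1
```

On these rules 22, 80 and 25565 are accepted, while 443, which the router forwards but the ufw status does not list, falls through to the INPUT DROP policy.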
 
Old 11-02-2011, 02:23 AM   #7
lqman
LQ Newbie
 
Registered: Nov 2010
Location: Surabaya, Indonesia
Distribution: debian, ubuntu, FreeBSD, Solaris
Posts: 17

Rep: Reputation: 3
Quote:
Uninstalling something because you don't know how something works is not an option for me.
I just want to help you narrow down the problem, so I can help you.
If you don't want to, it's OK.
 
Old 11-02-2011, 04:30 AM   #8
cskiwi
LQ Newbie
 
Registered: Oct 2011
Posts: 15

Original Poster
Rep: Reputation: Disabled
I can confirm that the programs on the server are running like they should.
So port forwarding should be the problem then.

I did port forward the following ports:
http://screencast.com/t/h1lo2bcmm
(the IP is the right one)
It shows up when I start up, and in the dropdown it is the same. And I reserved it for that MAC address.


@ lqman:
I know, thanks for that, but I prefer understanding what I did wrong, so I don't do it another time.
 
Old 11-06-2011, 12:18 PM   #9
cheesus
Member
 
Registered: Jan 2005
Location: Munich, Germany
Distribution: SuSE
Posts: 186

Rep: Reputation: 25
192.168.0.0 is a private/home network IP - many, many people are using that.
You obviously need a public IP.

Find out your "real outgoing IP" using whatismyip.com or similar.

But that IP will change over time.
If that bothers you, you can either book a "static IP" from your provider or use something like http://dyn.com/dns/dyndns-free/
 
Old 11-06-2011, 06:04 PM   #10
padeen
Member
 
Registered: Sep 2009
Location: Perth, W.A.
Distribution: Slackware, Debian, Gentoo, FreeBSD, OpenBSD
Posts: 208

Rep: Reputation: 41
Quote:
Originally Posted by cheesus View Post
192.168.0.0 is a private/home network IP - many, many people are using that.
You obviously need a public IP.
http://dyn.com/dns/dyndns-free/
No, that IP address is what outside connections are being forwarded to. Assuming his server's local IP address is 192.168.0.194, his settings are correct.

However, it does beg the question to the OP: how do your outside people know which IP address to connect to?
 
Old 11-07-2011, 11:22 AM   #11
cskiwi
LQ Newbie
 
Registered: Oct 2011
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by padeen View Post
No, that IP address is what outside connections are being forwarded to. Assuming his server's local IP address is 192.168.0.194, his settings are correct.

However, it does beg the question to the OP: how do your outside people know which IP address to connect to?
I give them the IP from ipchicken.com. That's the one I can connect to when I'm on the same internet connection, so it's probably the router.

And of course many people use the local IP address, it's that one you should use :P
 
Old 11-07-2011, 12:14 PM   #12
cheesus
Member
 
Registered: Jan 2005
Location: Munich, Germany
Distribution: SuSE
Posts: 186

Rep: Reputation: 25
Quote:
Originally Posted by cskiwi View Post
I give them the IP from ipchicken.com. That's the one I can connect to when I'm on the same internet connection, so it's probably the router.
Looks good. If you have a router in-between, maybe you need to open the port there as well?
You could ask somebody outside to send you a traceroute (tracert on Windows) to your IP.

Quote:
Originally Posted by cskiwi View Post
And of course many people use the local IP address, it's that one you should use :P
Indeed :-)
 
Old 11-12-2011, 08:32 AM   #13
cskiwi
LQ Newbie
 
Registered: Oct 2011
Posts: 15

Original Poster
Rep: Reputation: Disabled
The results when a friend did the tracert:
Code:
Tracing route toFRIEND_HIS_IP.access.telenet.be [FRIEND_HIS_IP]
over a maximum of 30 hops:

  1     3 ms     1 ms     1 ms  vigor.lan [192.168.1.1] 
  2     4 ms     2 ms     2 ms  192.168.0.1 
  3     8 ms     8 ms     7 ms  FRIEND_HIS_IP.access.telenet.be[FRIEND_HIS_IP] 
  4     *        *       11 ms  dD5E0C0E1.access.telenet.be [213.224.192.225] 
  5    12 ms    12 ms    40 ms  dD5E0C0E6.acc
Router ports are open.
 
Old 11-14-2011, 07:46 AM   #14
cheesus
Member
 
Registered: Jan 2005
Location: Munich, Germany
Distribution: SuSE
Posts: 186

Rep: Reputation: 25
Sorry, I meant FROM FRIEND_IP to YOUR_IP...
 
Old 11-14-2011, 08:07 AM   #15
cskiwi
LQ Newbie
 
Registered: Oct 2011
Posts: 15

Original Poster
Rep: Reputation: Disabled
That is traced from a friend to my IP.

But I didn't change the IPs with words,
so it could be possible that in some places where "FRIEND_HIS_IP" is, my IP should be.
 
  

