Opening closed ports

Posted:
Mar 21st, '17, 06:47
by rodgoslin
A problem that I've been having, on and off for a long time, is opening port 51413 for Transmission. The modem/router is set to forward this port in tcp and udp. In the Control Centre>Security>Security>advanced, I've added 51413/udp 51413/tcp to 'other ports', and OK'd that. OK'ing the previous page takes me to a page with a list of network activities to be watched, which includes the additions on port 51413. OK'ing that leads to a page asking the ethernet interface to be used. This is correct. OK'ing that takes me back to the start. But Transmission, when asked to check the port, still tells me the port is closed. I've used this procedure on other, and possibly all, versions of Mageia, on a "monkey see, monkey do" basis. It's not really important. Transmission works, but not well. In the past, it has worked for months/years at a time, but when it does not, I'm at a complete loss as to why it did, but does not now. There is a suggestion on one of the pages to check /etc/services, which does give me a long list of port numbers, but 51413/udp and 51413/tcp are not included.
Re: Opening closed ports

Posted:
Mar 21st, '17, 20:47
by doktor5000
rodgoslin wrote: There is a suggestion on one of the pages to check /etc/services, which does give me a long list of port numbers, but 51413/udp and 51413/tcp are not included.
That is pretty much unrelated, /etc/services only provides service names for several well-known ports, this is irrelevant for your port forwarding issue. As I don't use the Mageia firewall, can't really help you with that, but it might help if you could add the output as root of
Code:
iptables -L
Re: Opening closed ports

Posted:
Mar 22nd, '17, 01:47
by rodgoslin
Code:
[root@down rod]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
Ifw all -- anywhere anywhere
net-fw all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:INPUT:REJECT:"
reject all -- anywhere anywhere [goto]
Chain FORWARD (policy DROP)
target prot opt source destination
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:FORWARD:REJECT:"
reject all -- anywhere anywhere [goto]
Chain OUTPUT (policy DROP)
target prot opt source destination
fw-net all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:OUTPUT:REJECT:"
reject all -- anywhere anywhere [goto]
Chain Broadcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
DROP all -- anywhere anywhere ADDRTYPE match dst-type ANYCAST
Chain Drop (1 references)
target prot opt source destination
all -- anywhere anywhere
Broadcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */
DROP all -- anywhere anywhere ctstate INVALID
DROP udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpt:1900 /* UPnP */
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain Ifw (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere match-set ifw_wl src
DROP all -- anywhere anywhere match-set ifw_bl src
IFWLOG all -- anywhere anywhere ctstate INVALID,NEWpsd weight-threshold: 10 delay-threshold: 10000 lo-ports-weight: 2 hi-ports-weight: 1 IFWLOG prefix 'SCAN'
IFWLOG udp -- anywhere anywhere ctstate NEW udp dpt:sunrpcIFWLOG prefix 'NEW'
IFWLOG udp -- anywhere anywhere ctstate NEW udp dpt:nfsIFWLOG prefix 'NEW'
IFWLOG udp -- anywhere anywhere ctstate NEW udp dpt:4002IFWLOG prefix 'NEW'
IFWLOG udp -- anywhere anywhere ctstate NEW udp dpt:4001IFWLOG prefix 'NEW'
IFWLOG udp -- anywhere anywhere ctstate NEW udp dpt:4003IFWLOG prefix 'NEW'
IFWLOG udp -- anywhere anywhere ctstate NEW udp dpt:4004IFWLOG prefix 'NEW'
IFWLOG udp -- anywhere anywhere ctstate NEW udp dpt:ippIFWLOG prefix 'NEW'
IFWLOG udp -- anywhere anywhere ctstate NEW multiport dports 6881:6999IFWLOG prefix 'NEW'
IFWLOG udp -- anywhere anywhere ctstate NEW udp dpt:51413IFWLOG prefix 'NEW'
IFWLOG tcp -- anywhere anywhere ctstate NEW tcp dpt:sunrpcIFWLOG prefix 'NEW'
IFWLOG tcp -- anywhere anywhere ctstate NEW tcp dpt:nfsIFWLOG prefix 'NEW'
IFWLOG tcp -- anywhere anywhere ctstate NEW tcp dpt:4002IFWLOG prefix 'NEW'
IFWLOG tcp -- anywhere anywhere ctstate NEW tcp dpt:4001IFWLOG prefix 'NEW'
IFWLOG tcp -- anywhere anywhere ctstate NEW tcp dpt:4003IFWLOG prefix 'NEW'
IFWLOG tcp -- anywhere anywhere ctstate NEW tcp dpt:4004IFWLOG prefix 'NEW'
IFWLOG tcp -- anywhere anywhere ctstate NEW tcp dpt:ippIFWLOG prefix 'NEW'
IFWLOG tcp -- anywhere anywhere ctstate NEW multiport dports 6881:6999IFWLOG prefix 'NEW'
IFWLOG tcp -- anywhere anywhere ctstate NEW tcp dpt:51413IFWLOG prefix 'NEW'
Chain Reject (3 references)
target prot opt source destination
all -- anywhere anywhere
Broadcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */
DROP all -- anywhere anywhere ctstate INVALID
reject udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
reject tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpt:1900 /* UPnP */
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain dynamic (1 references)
target prot opt source destination
Chain fw-net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain logflags (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info ip-options prefix "Shorewall:logflags:DROP:"
DROP all -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
reject all -- anywhere anywhere
Chain net-fw (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere ctstate INVALID,NEW,UNTRACKED
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports sunrpc,nfs,4002,4001,4003,4004,ipp,6881:6999,51413
ACCEPT udp -- anywhere anywhere multiport dports sunrpc,nfs,4002,4001,4003,4004,ipp,6881:6999,51413
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:net-fw:DROP:"
DROP all -- anywhere anywhere
Chain reject (8 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
DROP all -- base-address.mcast.net/4 anywhere
DROP igmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain shorewall (0 references)
target prot opt source destination
all -- anywhere anywhere recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255
Chain tcpflags (1 references)
target prot opt source destination
logflags tcp -- anywhere anywhere [goto] tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere [goto] tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere [goto] tcp flags:SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere [goto] tcp flags:FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere [goto] tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
[root@down rod]#
Re: Opening closed ports

Posted:
Mar 22nd, '17, 20:05
by doktor5000
rodgoslin wrote:Chain net-fw (1 references)
target prot opt source destination
[...]
ACCEPT tcp -- anywhere anywhere multiport dports sunrpc,nfs,4002,4001,4003,4004,ipp,6881:6999,51413
ACCEPT udp -- anywhere anywhere multiport dports sunrpc,nfs,4002,4001,4003,4004,ipp,6881:6999,51413
Looks good to me, at least port 51413 should be open. You can try locally via nmap if that port is considered open via something like
Code:
nmap -p 51413 127.0.0.1
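Added example, not part of any post in this thread: the by-eye reading of the net-fw chain above, done as a small parser over `iptables -L` output that reports the first built-in verdict a new connection to a given port would hit. It assumes only protocol, ctstate and destination-port matches matter, does not follow jumps into user chains, and uses the standard /etc/services numbers for the three service names in the listing; the function names are hypothetical.

```python
import re

# Constructed sample: the net-fw chain from the listing posted in this thread.
SAMPLE = """\
Chain net-fw (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere ctstate INVALID,NEW,UNTRACKED
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports sunrpc,nfs,4002,4001,4003,4004,ipp,6881:6999,51413
ACCEPT udp -- anywhere anywhere multiport dports sunrpc,nfs,4002,4001,4003,4004,ipp,6881:6999,51413
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:net-fw:DROP:"
DROP all -- anywhere anywhere
Chain reject (8 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # built-in verdicts; anything else is a jump or LOG
NAMES = {"sunrpc": 111, "nfs": 2049, "ipp": 631}  # names iptables -L prints without -n

def port_in(spec, port):
    """True if port is covered by one list item: a number, a service name or lo:hi."""
    lo, _, hi = spec.partition(":")
    try:
        lo = NAMES.get(lo) or int(lo)
        hi = (NAMES.get(hi) or int(hi)) if hi else lo
    except ValueError:
        return False  # service name not in NAMES: treated as no match
    return lo <= port <= hi

def first_verdict(listing, chain, proto, port):
    """First ACCEPT/DROP/REJECT in `chain` that a NEW proto/port packet matches."""
    current = None
    for line in listing.splitlines():
        f = line.split()
        if len(f) >= 2 and f[0] == "Chain":
            current = f[1]
            continue
        if current != chain or len(f) < 5 or f[0] not in TERMINAL:
            continue  # other chain, header line, LOG, or jump to a user chain
        rest = " ".join(f[5:])
        if f[1] not in ("all", proto):
            continue
        if "ctstate" in rest and "NEW" not in rest:
            continue  # rule only covers already-established traffic
        m = re.search(r"dports (\S+)|dpts?:(\S+)", rest)
        if m is None or any(port_in(s, port) for s in (m.group(1) or m.group(2)).split(",")):
            return f[0]
    return None

if __name__ == "__main__":
    print(first_verdict(SAMPLE, "net-fw", "tcp", 51413))
```

Running `iptables -L -n` instead prints numeric ports, which removes the need for the name table.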
Re: Opening closed ports

Posted:
Mar 22nd, '17, 21:34
by rodgoslin
Thanks for the fast response. The puzzle widens. Running your suggested command indicates that the port is open, as below
[root@down rod]# nmap -p 51413 127.0.0.1
Starting Nmap 6.47 ( http://nmap.org ) at 2017-03-22 19:16 GMT
Nmap scan report for down (127.0.0.1)
Host is up (0.00011s latency).
PORT STATE SERVICE
51413/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
[root@down rod]#
However, the problem persists. Opening 'Preferences' in Transmission, selecting 'network' and clicking on the button 'test port', it still comes back as 'Port is closed'.
Re: Opening closed ports

Posted:
Mar 23rd, '17, 00:33
by doktor5000
You have forwarded that same port on your router to the current IP address of your box? Check the same port on the IP of the router via nmap.
Re: Opening closed ports

Posted:
Mar 23rd, '17, 02:45
by rodgoslin
Ah, running the nmap command as you suggest on the router address does seem to indicate the cause for the blocked port, as below
Code:
[rod@down ~]$ nmap -p 51413 192.168.1.150
Starting Nmap 6.47 ( http://nmap.org ) at 2017-03-23 00:20 GMT
Nmap scan report for router (192.168.1.150)
Host is up (0.00032s latency).
PORT STATE SERVICE
51413/tcp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
[rod@down ~]$
But the modem/router is set up in the same fashion as all previous ones for port forwarding, and I would have expected it to be enabled simply by the entry of the details. I'd add a screenshot of the details, but I'm unsure of how this is accomplished in the forum format.
Re: Opening closed ports

Posted:
Mar 23rd, '17, 20:07
by doktor5000
Below the forum editor (only available in Full editor, not via quick reply), switch to the tab "Upload attachment".
Upload your picture, then when finished, click in the editor window where you want your picture to display, and click the button "Place inline".
Re: Opening closed ports

Posted:
Mar 24th, '17, 06:36
by rodgoslin
Re: Opening closed ports

Posted:
Mar 24th, '17, 18:50
by doktor5000
How do you ensure on the router that 192.168.1.200 is the IP address of your Mageia box, and is that the current IP address of your Mageia box?
If it is, maybe the router just needs a restart ... seeing that you also enabled UPnP where transmission would request itself the ports to be opened on the router, the router doesn't seem to be working normally (if UPnP is allowed on the router).
Re: Opening closed ports

Posted:
Mar 24th, '17, 22:33
by rodgoslin
The Port Forwarding page on the modem/router setup (netgear1.png) has a button for adding a custom service. This brings up the edit page (netgear2.png), where you add the values for the port range and the particular host. There is an option for 'all', perhaps for all hosts on the subnet. All changes to the settings require a re-boot of the modem/router before they become effective. I'm tending to the same conclusion as yourself, that there is a problem with the modem/router. None of the other modem/routers that I've had on the system has displayed this problem. Other problems, perhaps, but not this one. I shall have to replace this unit, hopefully shortly, anyway. There are faint signs that the Telephone Services Provider is going to install high speed broadband to this locality. However, since they have been promising the imminent installation of such for the past three and a half years, one has to take this with the proverbial pinch of salt. I think my best option is to purchase a VDSL/ADSL modem/router and hope for the best. I admit to being somewhat surprised that Transmission's 'test port' option also includes the modem/router. This, coupled with the reliability of Port Forwarding on earlier modem/routers, has diverted me from suspecting the modem/router of having a problem. I'll give it another couple of days, then close the issue. Thank you for your help on this somewhat vexing problem.
Re: Opening closed ports

Posted:
Mar 31st, '17, 14:15
by wintpe
I've seen this before, and on Netgear routers.
Netgear basically think all their customers are stupid and adds a firewall block to incoming traffic.
The only way to override it is to get into the router and disable it.
That was the case when I first got into setting up wan to wan; I ended up sending the Netgear back and getting a
zyxtel. I'm on my third zyxtel now, and I've never had a problem since.
It may be that Netgear have since watered down that aggressive block that the DG834 used to have, but I might be right about this.
https://kb.netgear.com/8219/How-to-setu ... ar_organic
regards peter
Re: Opening closed ports

Posted:
Mar 31st, '17, 20:37
by rodgoslin
Peter, I thought that that was the answer, but unfortunately, not. As your link suggests, one can go into the router, to Security>Firewall Rules, which patently did nothing to remove blocks to incoming, but in my modem/router the option for incoming is "Click here". Clicking "here" then took me to the Port Forwarding Rules, where I'd already carried out the required settings. Which I suppose, "Port Forwarding" is just another way of saying "let this one in".