ubuntu - how to open ports for localhost on linux?

17
2014-04
  • Joey

    I've been reading for the past hour about opening ports on Ubuntu 12.04 and I can't seem to get anything to work. I'm running a program with an RPC server accepting local connections on localhost (127.0.0.1) which has allowed ip range 192.168.*.*

    I've tried to edit the iptables to allow incoming connections, but curl still can't connect to the RPC server no matter what I do.

    $ sudo iptables -A INPUT -i eth0 -p tcp --dport 18332 -j ACCEPT
    $ nmap -v -sT localhost
    
    Starting Nmap 5.21 ( http://nmap.org ) at 2013-07-13 05:54 UTC
    Initiating Ping Scan at 05:54
    Scanning localhost (127.0.0.1) [2 ports]
    Completed Ping Scan at 05:54, 0.00s elapsed (1 total hosts)
    Initiating Connect Scan at 05:54
    Scanning localhost (127.0.0.1) [1000 ports]
    Discovered open port 22/tcp on 127.0.0.1
    Discovered open port 80/tcp on 127.0.0.1
    Discovered open port 21/tcp on 127.0.0.1
    Discovered open port 3389/tcp on 127.0.0.1
    Discovered open port 3306/tcp on 127.0.0.1
    Completed Connect Scan at 05:54, 0.05s elapsed (1000 total ports)
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.00060s latency).
    Not shown: 995 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    80/tcp   open  http
    3306/tcp open  mysql
    3389/tcp open  ms-term-serv
    
    Read data files from: /usr/share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
    $ sudo iptables -A INPUT -i eth0 -p tcp --dport 18332 -m state --state NEW,ESTABLISHED -j ACCEPT
    $ sudo iptables -A OUTPUT -o eth0 -p tcp --sport 18332 -m state --state ESTABLISHED -j ACCEPT
    $ !nmap
    nmap -v -sT localhost
    
    Starting Nmap 5.21 ( http://nmap.org ) at 2013-07-13 05:57 UTC
    Initiating Ping Scan at 05:57
    Scanning localhost (127.0.0.1) [2 ports]
    Completed Ping Scan at 05:57, 0.00s elapsed (1 total hosts)
    Initiating Connect Scan at 05:57
    Scanning localhost (127.0.0.1) [1000 ports]
    Discovered open port 21/tcp on 127.0.0.1
    Discovered open port 3306/tcp on 127.0.0.1
    Discovered open port 22/tcp on 127.0.0.1
    Discovered open port 3389/tcp on 127.0.0.1
    Discovered open port 80/tcp on 127.0.0.1
    Completed Connect Scan at 05:57, 0.05s elapsed (1000 total ports)
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.00072s latency).
    Not shown: 995 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    80/tcp   open  http
    3306/tcp open  mysql
    3389/tcp open  ms-term-serv
    
    Read data files from: /usr/share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
    

    Here's the output from curl:

    $ curl --user uname:upass --data-binary '{"jsonrpc": "1.0", "id":"curltest", "method": "getinfo", "params": [] }' -H 'content-type: text/plain;' http://127.0.0.1:18332/
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
    Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (7) couldn't connect to host
    
  • Answers
  • davidgo

    To debug the problem you probably need to provide a copy of your iptables firewall rules; something like /sbin/iptables -vnL would suffice.

    I suspect you have a firewall where the last rule is "Drop everything". The rules you added were appended to the end of the table after this rule and thus were not executed. Instead of writing your rules starting "sudo iptables -A" try "sudo iptables -I" to insert the rules at the top.

    Also, your command "sudo iptables -A INPUT -i eth0 -p tcp --dport 18332 -j ACCEPT" is flawed if you are trying to connect to localhost. You have specified a "-i eth0" which implies an ethernet device. Localhost uses a special "lo" device. You may be better off just leaving out the "-i eth0" parameter so it works on all interfaces.

    For similar reasons your statement "(127.0.0.1) which has allowed ip range 192.168.*.*" is flawed, as 192.168.*.* should never match a route to 127.0.0.1, as the source ip address will be the interface "lo" which is bound to 127.0.0.1.
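    The two points in this answer (rule order under first-match evaluation, and an interface or source filter that can never match loopback traffic) are easy to see in a small model. The block below is an added illustration, not part of the answer and not iptables itself: it is a toy first-match chain that models only `-i`, `-p`, `--dport`, `-s`, the target, rule order and the chain policy, and feeds it constructed packets for a curl to 127.0.0.1:18332 (arriving on `lo`) and for a LAN client at a made-up 192.168.1.50 (arriving on `eth0`).

```python
"""Toy first-match model of an iptables chain (added illustration, not iptables).

It models only what the discussion needs: -i (input interface), -p, --dport,
-s (source network), the rule target, rule order and the chain policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on: "lo" for 127.0.0.1, "eth0" for LAN
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    src: str        # source address as text


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT, DROP or REJECT
    in_iface: Optional[str] = None   # -i; None matches any interface
    proto: Optional[str] = None      # -p; None matches any protocol
    dport: Optional[int] = None      # --dport; None matches any port
    src: Optional[str] = None        # -s CIDR; None matches any source

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and self.in_iface != pkt.in_iface:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        return True


class Chain:
    """Rules are tried top to bottom; the first match decides, otherwise the policy does."""

    def __init__(self, policy: str = "ACCEPT") -> None:
        self.policy = policy
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:
        """Like `iptables -A INPUT ...`: the rule goes after every existing rule."""
        self.rules.append(rule)

    def insert(self, rule: Rule, rulenum: int = 1) -> None:
        """Like `iptables -I INPUT [rulenum] ...`: rule numbers are 1-based, default is the top."""
        self.rules.insert(rulenum - 1, rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


# Constructed sample traffic: curl from the same host to 127.0.0.1:18332 arrives on "lo";
# a hypothetical LAN client at 192.168.1.50 arrives on "eth0".
LOCAL_RPC = Packet(in_iface="lo", proto="tcp", dport=18332, src="127.0.0.1")
LAN_RPC = Packet(in_iface="eth0", proto="tcp", dport=18332, src="192.168.1.50")


def scenarios() -> dict:
    """Return the verdict for each rule layout discussed in the answer."""
    out = {}

    # 1. A trailing "drop everything" rule plus an ACCEPT appended (-A) after it:
    #    the DROP matches first, the ACCEPT is never reached.
    c = Chain(policy="ACCEPT")
    c.append(Rule("DROP"))
    c.append(Rule("ACCEPT", proto="tcp", dport=18332))
    out["append_after_drop_all"] = c.verdict(LOCAL_RPC)

    # 2. The same ACCEPT inserted at the top (-I) instead.
    c = Chain(policy="ACCEPT")
    c.append(Rule("DROP"))
    c.insert(Rule("ACCEPT", proto="tcp", dport=18332))
    out["insert_at_top"] = c.verdict(LOCAL_RPC)

    # 3. ACCEPT restricted with -i eth0: loopback traffic never arrives on eth0.
    c = Chain(policy="ACCEPT")
    c.append(Rule("DROP"))
    c.insert(Rule("ACCEPT", in_iface="eth0", proto="tcp", dport=18332))
    out["eth0_rule_vs_lo_packet"] = c.verdict(LOCAL_RPC)
    out["eth0_rule_vs_lan_packet"] = c.verdict(LAN_RPC)

    # 4. An allow-list of 192.168.0.0/16 never matches a loopback source of 127.0.0.1.
    c = Chain(policy="DROP")
    c.insert(Rule("ACCEPT", proto="tcp", dport=18332, src="192.168.0.0/16"))
    out["lan_allowlist_vs_lo_packet"] = c.verdict(LOCAL_RPC)
    out["lan_allowlist_vs_lan_packet"] = c.verdict(LAN_RPC)
    return out


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:30s} -> {verdict}")
```

    The model deliberately leaves out connection tracking, so the `-m state` rules from the question are not represented; they do not change the ordering point, since a `--state NEW` ACCEPT appended after a catch-all DROP is just as unreachable.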


  • Related Question

    networking - How do I open a port in Ubuntu when
  • Questioner
    • My wireless is listening on 192.168.1.4
    • SSH is listening on 192.168.1.4:22
    • No firewall is running
    • TCP wrappers are not configured
    • I can connect wirelessly to the Internet
    • My kernel logs show that I'm trying to connect from another host, but an nmap scan shows all ports are closed.

    How do I get a port to open?


  • Related Answers
  • Mikko Ohtamaa

    Do you have a public IP address? Where do you run NMAP? It sounds like you are trying to use your local network IP from the Internet. Effectively the computers aren't on the same network and cannot reach each other. Instead, you should use the internet-facing IP address.

    Before checking if ports are open try to run ping command between hosts.

    On source computer:

    ping 192.168.1.4
    

    If ping packets go through it is possible to form a connection between two computers.

    Then you can also run netstat -l command on the host computer to see that SSH daemon really listens to port 22:

    netstat -l
    
  • Pratik

    Your question isn't very clear, would you mind clarifying?

    Unless a service is running on a port, nmap won't show it as open. In Ubuntu, as far as I know, the default policy for iptables is ACCEPT, so if you start up a service running on port X it will be put through the firewall without any issues. So those ports aren't really "closed" in the sense that they are blocked; it's just that there is nothing there to listen for anything on them.

    That being said, if you want to explicitly open a port you can open it with iptables:

    iptables -I INPUT -p tcp --dport 22 -j ACCEPT
    iptables -I INPUT -p udp --dport 53 -j ACCEPT
    

    You can change the -p to a different protocol, and the --dport to a different port number. iptables has a whole bunch of other options that you can look into. The -j ACCEPT can be changed to DROP or REJECT if you want to block them.
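    Both of the last two answers come down to one check: is anything actually listening on the port, and if not, is the "closed" nmap reports a refusal (nothing bound, RST returned) rather than a silent drop? The block below is an added illustration, not code from either answer. It classifies a TCP port the way a connect scan does (open, closed, filtered), binds a throwaway listener on a loopback port the kernel picks so the demo does not depend on any installed service, and reads the kernel's LISTEN table from /proc/net/tcp as a scriptable stand-in for `netstat -l` (that part is Linux-only and returns an empty set elsewhere).

```python
"""Tell "nothing listening" apart from "firewalled" with a plain TCP connect.

Added illustration, not part of any answer above. Standard library only,
loopback sockets only, so it runs offline.
"""
import socket
from typing import Set


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify a TCP port the way a connect scan (nmap -sT) reports it.

    open     - the handshake completed: something is listening
    closed   - the kernel answered with RST (ECONNREFUSED): no listener,
               or a REJECT rule that sends a TCP reset
    filtered - no answer before the timeout: typically a DROP rule
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"


def listening_ports() -> Set[int]:
    """Ports in LISTEN state according to /proc/net/tcp and /proc/net/tcp6.

    Equivalent in spirit to `netstat -l` / `ss -ltn`. Each row carries the
    local address as HEXIP:HEXPORT and the socket state as hex; 0A is LISTEN.
    Returns an empty set where /proc is not available.
    """
    ports: Set[int] = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                next(fh)                       # skip the header line
                for line in fh:
                    fields = line.split()
                    if len(fields) > 3 and fields[3] == "0A":
                        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
        except OSError:
            continue
    return ports


def listener_demo(host: str = "127.0.0.1") -> dict:
    """Probe the same loopback port with and without a listener bound to it.

    Constructed scenario: binding port 0 asks the kernel for any free port,
    so nothing here depends on a particular service (sshd, mysql, ...) running.
    """
    results = {}
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    results["port"] = port
    results["in_listen_table"] = port in listening_ports()   # what netstat -l would show
    results["with_listener"] = probe(host, port)             # expected: "open"
    srv.close()                                              # the "service" stops
    results["without_listener"] = probe(host, port)          # expected: "closed"
    return results


if __name__ == "__main__":
    for key, value in listener_demo().items():
        print(f"{key:18s} {value}")
```

    When a port you expect to be open shows up as `closed`, the fix is on the service side (it is not running, or is bound to a different address such as 192.168.1.4 instead of 127.0.0.1); only `filtered` points at a firewall rule.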