My home internet connection has a static IP address (e.g. 123.123.123.123).
I have configured my router to forward port 9000 to an internal host (192.168.1.101), which is running Ubuntu 14.04.
I run netcat listening on port 9000:
$ nc -l 9000
Connecting from inside my LAN:
On another machine on my LAN I can telnet to that port:
$ telnet 192.168.1.101 9000
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.
hello world
and the connection succeeds:
$ nc -l 9000
hello world
Connecting from outside my LAN:
However, if I try to connect via my external IP address I cannot get through:
$ telnet 123.213.123.123 9000
Trying 123.213.123.123...
Firewall issue?
I tried to allow port 9000 in iptables (I am no expert on iptables, btw!):
$ sudo iptables -I INPUT 1 -p tcp --dport 9000 -j ACCEPT
This is my resulting configuration:
$ sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 203 packets, 16977 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9000

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 178 packets, 23749 bytes)
 pkts bytes target     prot opt in     out     source               destination
telnet still can't get through.
I think the iptables config might be unnecessary anyway though, because ufw status says it's inactive:
$ sudo ufw status
Status: inactive
Port scanning says it's open:
If I run a port scanner against my external IP with nc -l 9000 running, it says the port is open.
If I run tcpdump I can't see anything coming in on port 9000 when I try to telnet to the port. However, running the port scanner does show up:
18:41:34.023692 IP 198.199.98.246.49977 > my_host.9000: Flags [S], seq 3955039481, win 14600, options [mss 1400,sackOK,TS val 4051434607 ecr 0,nop,wscale 8], length 0
18:41:34.023748 IP my_host.9000 > 198.199.98.246.49977: Flags [S.], seq 3541700333, ack 3955039482, win 28960, options [mss 1460,sackOK,TS val 465840988 ecr 4051434607,nop,wscale 7], length 0
18:41:34.250110 IP 198.199.98.246.49977 > my_host.9000: Flags [.], ack 1, win 58, options [nop,nop,TS val 4051434663 ecr 465840988], length 0
18:41:34.250973 IP 198.199.98.246.49977 > my_host.9000: Flags [F.], seq 1, ack 1, win 58, options [nop,nop,TS val 4051434664 ecr 465840988], length 0
18:41:34.251035 IP my_host.9000 > 198.199.98.246.49977: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 465841045 ecr 4051434664], length 0
18:41:34.477197 IP 198.199.98.246.49977 > my_host.9000: Flags [.], ack 2, win 58, options [nop,nop,TS val 4051434720 ecr 465841045], length 0
Questions:
I'm at a bit of a loss as to where the problem is.
- How can I diagnose where the issue is?
- How come the port scan data comes through, but not my telnet?
- How can I allow incoming connections?
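The capture quoted in the question already localises the problem: the scanner's SYN reaches the host, the host answers with SYN-ACK and the handshake completes, so the listener and the INPUT chain work for that source, while nothing from the telnet test arrives at the host at all. Below is an added diagnostic script (not from the question or any answer) that turns that reading into a repeatable check. It reads tcpdump's default one-line text output, counts the three handshake packets for a given port and prints a verdict; the port number, verdict names and the `RUN_CAPTURE` switch are this example's own conventions. Run the external telnet test while a live capture is running.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): classify a tcpdump capture of
# traffic to a forwarded port so the failure can be localised.
# Assumes tcpdump's default one-line text output, as shown in the question.
#
# Verdicts printed by classify_capture:
#   no-syn     no inbound SYN to the port reached this host, so the host
#              firewall cannot be the cause; look upstream (router port
#              forward, hairpin NAT if testing from inside the LAN, ISP)
#   syn-only   SYNs arrived but the host never answered with SYN-ACK: the
#              host dropped them (iptables DROP/REJECT) or nothing is listening
#   no-ack     SYN-ACK was sent but the client's ACK never came back: the
#              reply is not reaching the client (asymmetric routing/NAT)
#   handshake  SYN, SYN-ACK and ACK all seen: the connection was established

# classify_capture PORT  -- reads tcpdump lines on stdin, prints one verdict
classify_capture() {
    local port="$1"
    local syn=0 synack=0 ack=0 line
    while IFS= read -r line; do
        case "$line" in
            # inbound SYN:      client > host.PORT: Flags [S]
            *" > "*".$port: Flags [S],"*)   syn=$((syn + 1)) ;;
            # outbound SYN-ACK: host.PORT > client: Flags [S.]
            *".$port > "*": Flags [S.],"*)  synack=$((synack + 1)) ;;
            # inbound ACK:      client > host.PORT: Flags [.]
            *" > "*".$port: Flags [.],"*)   ack=$((ack + 1)) ;;
        esac
    done
    if   [ "$syn" -eq 0 ];    then echo no-syn
    elif [ "$synack" -eq 0 ]; then echo syn-only
    elif [ "$ack" -eq 0 ];    then echo no-ack
    else                           echo handshake
    fi
}

# capture_and_classify PORT [SECONDS]  -- live capture on all interfaces
# (needs root). Start the external connection attempt while this runs.
capture_and_classify() {
    local port="$1" seconds="${2:-30}"
    timeout "$seconds" tcpdump -nn -l -i any "tcp port $port" 2>/dev/null \
        | classify_capture "$port"
}

# Only capture when explicitly asked, so sourcing this file has no side effects:
#   sudo RUN_CAPTURE=1 ./diag.sh 9000 30
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    capture_and_classify "${1:-9000}" "${2:-30}"
fi
```

A `no-syn` verdict while the remote client reports a timeout means the host's iptables rules are irrelevant to this failure; compare the `pkts` counter on the ACCEPT rule before and after the attempt for a second confirmation. Once the forward is confirmed working, narrow that INPUT rule (or the router's forward) to the source addresses that actually need it rather than leaving 0.0.0.0/0.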
Is there any reason why you are running the iptables firewall and fail2ban inside your internal network, from behind a hardware firewall?
In my experience they are quite tricky to set up and diagnose, especially when you are running fail2ban, whose explicit purpose is to make what you are trying to do difficult.
e.g. if you unsuccessfully try to connect to your machine a certain number of times, fail2ban will kick in and lock you out. My suggestion (if you haven't tried already) would be