forwarded ports become "filtered" instead of "open"

Anthony DiSante theant at
Tue Aug 9 21:30:55 CEST 2005


I have two ~identical Debian systems running iptables, and I've been having 
trouble getting them to communicate with each other fully.  Both machines 
are running SSH and Rsync servers, and one of them is running as a Condor 
master, so it has a process listening on port 9618.

Both systems have the same /etc/hosts looking like this: localhost localhost.localdomain box1 box2

Having the FQDNs resolving to the private IPs seems a little screwy to me, 
but the network is set up (by someone else) so that actually 
does properly map to that system's public IP.

Now, any system on the internet outside our LAN can access the servers on 
these systems with no problems.  From any such outside system, an nmap scan 
will show ports 22,873,9618 as "open."

The problem is that for some reason, these two systems can't talk to each 
other over these ports, and neither one can even access those ports on 
itself.  nmapping box1 from box1, or from box2, shows all three ports as 
"filtered" and indeed the servers are inaccessible.

Now here's where it gets weird, and I'm thinking the firewall rules must be 
messed up.  SSHing from either system to the other will always fail with a 
timeout, but if I do this:

	ssh from box1 to box2 [which fails]

And then this:

	ssh from box2 to box1 [which also fails]

...THEN when I SSH from box1 to box2 again, it suddenly works fine -- for a 
few minutes, after which the same situation occurs.  I know the firewall has 
some concept of a "session" or a "state" and I'm assuming that the 
back-and-forth is somehow enabling SSH to work temporarily as explained above.

I've edited /etc/narc/narc.conf like this:


...and when I restart the firewall it says this:

	Allow external connections on eth0 TCP ports: ssh,rsync,http,9618
	Allow LAN connections on eth0 TCP ports: ssh,http,rsync,9618

...yet this problem persists.

And when I disable the firewall, the problem goes away.

Can anyone offer some pointers here?  I imagine more of my narc.conf and/or 
iptables' output would be helpful, but rather than me attaching the whole 
thing right now, just ask if you want me to post any of that.

Anthony DiSante
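An added diagnostic, not part of the original post: one common way to get ports that are "open" from the internet but "filtered" from the host itself and from its LAN peer is an INPUT chain whose ACCEPT rules admit only non-LAN sources and accept nothing on the loopback interface, so local and LAN packets fall through to a DROP policy and are never answered. The script below parses an iptables-save dump in that shape (the option syntax is real iptables syntax; the ruleset, the 192.168.1.0/24 LAN range and the assumption that a positive `-s` names the LAN are constructed for this example) and reports the three things worth checking.

```python
import shlex

# Constructed sample (not the poster's ruleset): only non-LAN sources pass, nothing accepts lo.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i eth0 ! -s 192.168.1.0/24 -p tcp -m multiport --dports 22,873,9618 -j ACCEPT
-A INPUT -i eth0 ! -s 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into (chain, {option: (value, negated)})."""
    toks = shlex.split(line)
    chain, opts, negate, i = toks[1], {}, False, 2
    while i < len(toks):
        if toks[i] == "!":                   # '!' negates the option that follows
            negate, i = True, i + 1
            continue
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if nxt is None or nxt == "!" or nxt.startswith("-"):
            opts[toks[i]], i = (True, negate), i + 1   # bare flag such as --syn
        else:
            opts[toks[i]], i = (nxt, negate), i + 2
        negate = False
    return chain, opts

def source_allows_lan(opts):
    """False when the rule excludes the LAN via '! -s'; a positive '-s' is assumed to be the LAN."""
    return "-s" not in opts or not opts["-s"][1]

def rule_ports(opts):
    """TCP destination ports matched via --dport or multiport --dports."""
    for key in ("--dport", "--dports"):
        if key in opts and opts[key][0] is not True:
            return {int(p) for p in opts[key][0].split(",")}
    return set()

def audit(dump, ports=(22, 873, 9618)):
    """Report missing loopback/ESTABLISHED accepts and ports the LAN cannot reach."""
    rules = [parse_rule(l) for l in dump.splitlines() if l.startswith("-A ")]
    accepts = [o for c, o in rules if c == "INPUT" and o.get("-j") == ("ACCEPT", False)]
    state = lambda o: str(o.get("--state", o.get("--ctstate", ("",)))[0])
    lan_ports = set().union(*(rule_ports(o) for o in accepts if source_allows_lan(o)))
    return {
        "loopback_accept": any(o.get("-i") == ("lo", False) for o in accepts),
        "established_accept": any("ESTABLISHED" in state(o) and source_allows_lan(o) for o in accepts),
        "ports_filtered_from_lan": sorted(set(ports) - lan_ports),
    }
```

Run it against the real dump with `audit(open("rules.txt").read())` after `iptables-save > rules.txt`; a missing loopback accept explains why a box cannot reach its own ports, and a source-restricted ESTABLISHED rule explains why a session that briefly works dies again once its conntrack entry times out.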

More information about the netfilter mailing list