forwarded ports become "filtered" instead of "open"
theant at nodivisions.com
Tue Aug 9 21:30:55 CEST 2005
I have two ~identical Debian systems running iptables, and I've been having
trouble getting them to communicate with each other fully. Both machines
are running SSH and Rsync servers, and one of them is running as a Condor
master, so it has a process listening on port 9618.
Both systems have the same /etc/hosts looking like this:
127.0.0.1 localhost localhost.localdomain
10.0.0.12 box1.fqdn.com box1
10.0.0.13 box2.fqdn.com box2
Having the FQDNs resolving to the private IPs seems a little screwy to me,
but the network is set up (by someone else) so that box1.fqdn.com actually
does properly map to that system's public IP.
Now, any system on the internet outside our LAN can access the servers on
these systems with no problems. From any such outside system, an nmap scan
will show ports 22,873,9618 as "open."
The problem is that for some reason, these two systems can't talk to each
other over these ports, and neither one can even access those ports on
itself. nmapping box1 from box1, or from box2, shows all three ports as
"filtered" and indeed the servers are inaccessible.
Now here's where it gets weird, and I'm thinking the firewall rules must be
messed up. SSHing from either system to the other will always fail with a
timeout, but if I do this:
ssh from box1 to box2 [which fails]
And then this:
ssh from box2 to box1 [which also fails]
...THEN when I SSH from box1 to box2 again, it suddenly works fine -- for a
few minutes, after which the same situation occurs. I know the firewall has
some concept of a "session" or a "state" and I'm assuming that the
back-and-forth is somehow enabling SSH to work temporarily as explained above.
I've edited /etc/narc/narc.conf like this:
...and when I restart the firewall it says this:
Allow external connections on eth0 TCP ports: ssh,rsync,http,9618
Allow LAN connections on eth0 TCP ports: ssh,http,rsync,9618
...yet this problem persists.
And when I disable the firewall, the problems goes away.
Can anyone offer some pointers here? I imagine more of my narc.conf and/or
iptables' output would be helpful, but rather than me attaching the whole
thing right now, just ask if you want me to post any of that.
More information about the netfilter