I am a client/server/IPC/iptables near-newbie. I have done my homework thoroughly for one year and thought this should work:

# cat /root/firewall/iptable | nocomment
iptables -F
iptables -F -t nat
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT 1 -s -p tcp --dport 80:65535 -j ACCEPT
iptables -I INPUT 1 -s -p udp --dport 80:65535 -j ACCEPT
iptables -A INPUT -s -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -s -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -s -p udp -m udp --dport 631 -j ACCEPT
iptables -A INPUT -s -p tcp -m tcp --dport 631 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -i eth0 -j REJECT --reject-with icmp-port-unreachable
iptables -L -v -n
/etc/init.d/iptables save

# /root/firewall/iptable
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *            udp dpts:80:65535
    0     0 ACCEPT     tcp  --  *      *            tcp dpts:80:65535
    0     0 ACCEPT     all  --  *      *              state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *            icmptype 0
    0     0 ACCEPT     icmp --  *      *            icmptype 0
    0     0 ACCEPT     udp  --  *      *            udp dpt:631
    0     0 ACCEPT     tcp  --  *      *            tcp dpt:631
    0     0 REJECT     tcp  --  eth0   *              reject-with tcp-reset
    0     0 REJECT     udp  --  eth0   *              reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *              state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 * Saving iptables state ...                    

# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 xxxx::xxxx:xxxx:xxxx:xxxx  prefixlen 64  scopeid 0x20<link>
        inet6 xxxx::xxxx:xxxx:xxxx:xxxx::xxxx:xxxx:xxxx  prefixlen 64  scopeid 0x0<global>
        inet6 xxxx::xxxx:xxxx:xxxx::10  prefixlen 64  scopeid 0x0<global>
        ether xx:xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 204122  bytes 114225536 (108.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 230083  bytes 27756306 (26.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17  

# ifconfig lo
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 16436
        inet  netmask
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Boucle locale)
        RX packets 443796  bytes 25809111 (24.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 443796  bytes 25809111 (24.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

  1. ping does not work.
  2. A client/server socket exchange on port 9000 does not work (from a web example).
  3. Browsing the Web works.

What am I doing wrong, please?

EDIT 2013-08-12 08:28 CET

  • The client/server socket exchange test (point 2 above) is on localhost
  • I have built another example with another port (55555). This time it works. I have tried many ports and they work. Then I did:
# netstat -a | grep 9000 
getnameinfo failed 
tcp6 0 0 [::]:9000 [::]:* LISTEN

So something has already bound to port 9000, which I assume is the cause of my problem. Do you have an idea how I could identify the process? ps aux | grep 9000 outputs nothing.

  • After removing the rules, my working example with port 5555 stops working. I still have: tcp6 0 0 [::]:9000 [::]:* LISTEN – When I put back the rules, it works again with port 5555.
2 Answers


First thing: you should be really cautious about using "iptables -F" when logged in via SSH, for example, especially if the default rule (policy, iptables -P) on the INPUT chain is DROP as you set it here. You will lock yourself out.

Now to the topic:

1) I wouldn't define the (yeah! /8 not /24) anywhere in firewall rules. Take those out. Those addresses are local; why would you want to lock out something local? You're looking for trouble.

2) "Socket exchange(?) on port 9000". From where? From the network? What host exactly? It can't work because you only have

0     0 ACCEPT     all  --  *      *              state RELATED,ESTABLISHED
0     0 ACCEPT     udp  --  *      *            udp dpt:631
0     0 ACCEPT     tcp  --  *      *            tcp dpt:631

in there, meaning it will accept new connections on port 631 only.

You've found out that you're using IPv6 too. (Listener on port 9000 is tcp6)

Meaning: ipv4 firewall rules are not the problem (they're not concerned at all, in fact): you have to make whatever listens on tcp6:9000 also listen on tcp:9000. AND THEN configure the ipv4 firewall rules to allow access on port 9000. But if you're connecting from localhost that will work out of the box.


  • IPv4 = tcp/udp/... (netstat) = iptables (packet filter)
  • IPv6 = tcp6/udp6/... (netstat) = ip6tables (packet filter)
  • Thanks for your answer Marki. From localhost. I have built another example with another port (55555). This time it works. I have tried many ports and they work. Then I did: # netstat -a | grep 9000, result is: getnameinfo failed, tcp6 0 0 [::]:9000 [::]:* LISTEN. So something has already bound to port 9000, which I assume is the cause of my problem. Do you have an idea how I could identify the process? ps aux | grep 9000 outputs nothing. – lalebarde Aug 11 '13 at 13:05
  • So what happens when you remove the rules with as a source, as I suggested? – Marki Aug 11 '13 at 13:08
  • After removing the rules, my working example with port 5555 stops working. I still have: tcp6 0 0 [::]:9000 [::]:* LISTEN – lalebarde Aug 11 '13 at 13:12
  • When I put back the rules, it works again with port 5555 – lalebarde Aug 11 '13 at 13:13
  • Well port 9000 seems to be a IPv6 socket. Doesn't strike me that an IPv4 connection to the port doesn't work. What does `ip6tables -vnL` say? What does netstat say about the service on port 5555? – Marki Aug 11 '13 at 13:18
  • # ip6tables -vnL Chain INPUT (policy DROP 8 packets, 630 bytes) pkts bytes target prot opt in out source destination 4544K 4519M ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED 0 0 ACCEPT all lo * fe80::/120 ::/0 263K 19M ACCEPT icmpv6 * * ::/0 ::/0 – lalebarde Aug 11 '13 at 13:32
  • 0 0 ACCEPT udp * * fe80::/120 ::/0 udp dpt:631 0 0 ACCEPT tcp * * fe80::/120 ::/0 tcp dpt:631 39185 2636K REJECT tcp eth0 * ::/0 ::/0 reject-with tcp-reset 16 1757 REJECT udp eth0 * ::/0 ::/0 reject-with icmp6-port-unreachable – lalebarde Aug 11 '13 at 13:33
  • Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all * * xxxx::xxxx:xxxx:xxxx::/64 !xxxx::xxxx:xxxx:xxxx::/64 0 0 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED Chain OUTPUT (policy ACCEPT 132K packets, 15M bytes) pkts bytes target prot opt in out source destination – lalebarde Aug 11 '13 at 13:33
  • Please expand your initial question with what you've found out. In here it's unreadable. – Marki Aug 11 '13 at 13:44
  • I also suggest to mark the answer as accepted if it helped. – Marki Aug 11 '13 at 21:01

I read here (post #3) that:

Linux doesn't let a process listen on the same port on both IPv4 and IPv6 (IPv4 connections will be passed to the app as IPv4-in-6 mapped connections).

But we cannot conclude from that that when a socket is opened with IPv6, it is not possible to open the same port with IPv4. Actually, my test application can bind to the same port on IPv4, and its client can connect too.

My conclusion is that the client may receive an answer from the process bound on IPv6 before the answer of its companion server bound on IPv4. That explains why the test program fails when it tries to use the same port.

Moreover, I could find the right options for netstat to identify the port thief:

# netstat -tlp | grep 9000
tcp6       0      0 [::]:9000               [::]:*                  LISTEN      15382/java          

# ps aux | grep 15382
root      5459  0.0  0.0 110788   960 pts/21   S+   08:56   0:00 grep --colour=auto 15382
laurent    15382  1.7  2.8 5479456 465744 ?      Sl   août09  74:30 /usr/lib/jvm//sun-jdk-1.6/bin/java -Dosgi.requiredJavaVersion=1.6 -XX:MaxPermSize=256m -Xms40m -Xmx384m -jar /usr/opt/eclipse-CDT/eclipse//plugins/org.eclipse.equinox.launcher_1.2.0.v20110502.jar -os linux -ws gtk -arch x86_64 -showsplash -launcher /usr/opt/eclipse-CDT/eclipse/eclipse -name Eclipse --launcher.library /usr/opt/eclipse-CDT/eclipse//plugins/org.eclipse.equinox.launcher.gtk.linux.x86_64_1.1.100.v20110505/eclipse_1407.so -startup /usr/opt/eclipse-CDT/eclipse//plugins/org.eclipse.equinox.launcher_1.2.0.v20110502.jar --launcher.overrideVmargs -exitdata f28017 -product org.eclipse.epp.package.linuxtools.product -nl en_US -vm /usr/bin/java -vmargs -Dosgi.requiredJavaVersion=1.6 -XX:MaxPermSize=256m -Xms40m -Xmx384m -jar /usr/opt/eclipse-CDT/eclipse//plugins/org.eclipse.equinox.launcher_1.2.0.v20110502.jar

After having closed Eclipse, # netstat -tlp | grep 9000 returns nothing.

... and my test application works on port 9000.
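As an added example (not code from either answer or from the asker's test program), the Python script below reproduces the Linux dual-stack behaviour behind Marki's tcp/tcp6 remark and the post #3 quote: a listener on [::]:PORT with IPV6_V6ONLY left off owns the IPv4 side of that port as well, so an IPv4 bind on the same port is refused and an IPv4 client connecting to 127.0.0.1 lands on the IPv6 listener. It assumes a host with an IPv6 socket stack and returns None when there is none; the port is picked by the kernel rather than hard-coded to 9000.

```python
import errno
import socket


def dual_stack_port_demo():
    """Show what an IPv4 bind and an IPv4 connect get when a dual-stack
    IPv6 listener already holds the port. Returns None if the host cannot
    create or bind an AF_INET6 socket (no usable IPv6 stack)."""
    if not socket.has_ipv6:
        return None
    v6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    try:
        # 0 = dual-stack (the Linux default, sysctl net.ipv6.bindv6only=0):
        # this is what makes "[::]:9000" in netstat also answer for IPv4.
        v6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        v6.bind(("::", 0))  # port 0: let the kernel pick a free port
        v6.listen(1)
    except OSError:
        v6.close()
        return None
    port = v6.getsockname()[1]
    result = {"port": port}

    # 1) A plain IPv4 server trying the same port is refused: the dual-stack
    #    listener already occupies it for both address families.
    v4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        v4.bind(("0.0.0.0", port))
        result["ipv4_bind_in_use"] = False
    except OSError as e:
        result["ipv4_bind_in_use"] = e.errno == errno.EADDRINUSE
    finally:
        v4.close()

    # 2) An IPv4 client connecting to 127.0.0.1:port is accepted by the IPv6
    #    socket, which sees it as the IPv4-mapped address ::ffff:127.0.0.1.
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.settimeout(2)
    try:
        client.connect(("127.0.0.1", port))
        conn, peer = v6.accept()
        result["peer_seen_by_v6"] = peer[0]
        conn.close()
    except OSError:
        result["peer_seen_by_v6"] = None
    finally:
        client.close()
        v6.close()
    return result


if __name__ == "__main__":
    print(dual_stack_port_demo())
```

The same split is what `netstat -tlp` shows: the Java process on tcp6 [::]:9000 is the one holding the port for IPv4 clients too, and the IPv4 iptables rules never see the loopback traffic.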

