how to open ports for localhost on linux?


I've been reading for the past hour about opening ports on Ubuntu 12.04 and I can't seem to get anything to work. I'm running a program with an RPC server accepting local connections on localhost (127.0.0.1), which has the allowed IP range 192.168.*.*

I've tried to edit the iptables to allow incoming connections, but curl still can't connect to the RPC server no matter what I do.

$ sudo iptables -A INPUT -i eth0 -p tcp --dport 18332 -j ACCEPT
$ nmap -v -sT localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2013-07-13 05:54 UTC
Initiating Ping Scan at 05:54
Scanning localhost (127.0.0.1) [2 ports]
Completed Ping Scan at 05:54, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 05:54
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 21/tcp on 127.0.0.1
Discovered open port 3389/tcp on 127.0.0.1
Discovered open port 3306/tcp on 127.0.0.1
Completed Connect Scan at 05:54, 0.05s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00060s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
3389/tcp open  ms-term-serv

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
$ sudo iptables -A INPUT -i eth0 -p tcp --dport 18332 -m state --state NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A OUTPUT -o eth0 -p tcp --sport 18332 -m state --state ESTABLISHED -j ACCEPT
$ !nmap
nmap -v -sT localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2013-07-13 05:57 UTC
Initiating Ping Scan at 05:57
Scanning localhost (127.0.0.1) [2 ports]
Completed Ping Scan at 05:57, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 05:57
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 21/tcp on 127.0.0.1
Discovered open port 3306/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 3389/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Completed Connect Scan at 05:57, 0.05s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00072s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
3389/tcp open  ms-term-serv

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

Here's the output from curl:

$ curl --user uname:upass --data-binary '{"jsonrpc": "1.0", "id":"curltest", "method": "getinfo", "params": [] }' -H 'content-type: text/plain;' http://127.0.0.1:18332/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (7) couldn't connect to host

Joey

Posted 2013-07-13T06:10:16.667


Answers


To debug the problem you probably need to provide a copy of your iptables firewall rules; something like /sbin/iptables -vnL would suffice.

I suspect you have a firewall where the last rule is "Drop everything". The rules you added were appended to the end of the table after this rule and thus were not executed. Instead of writing your rules starting "sudo iptables -A" try "sudo iptables -I" to insert the rules at the top.

Also, your command "sudo iptables -A INPUT -i eth0 -p tcp --dport 18332 -j ACCEPT" is flawed if you are trying to connect to localhost. You have specified "-i eth0", which implies an Ethernet device. Localhost uses a special "lo" device. You may be better off just leaving out the "-i eth0" parameter so it works on all interfaces.

For similar reasons your statement "(127.0.0.1) which has allowed IP range 192.168.*.*" is flawed, as 192.168.*.* should never match a route to 127.0.0.1, as the source IP address will be the interface "lo", which is bound to 127.0.0.1.

davidgo

Posted 2013-07-13T06:10:16.667


I can't seem to find a command that allows me to add a rule for opening a port on the ip 127.0.0.1. I thought this would be way easier to figure out, considering it seems like something very simple. I apologize for not knowing much, I'm literally brand new to this type of thing, and trying to learn as much as possible. – Joey – 2013-07-13T06:33:42.477

iptables -I INPUT -i lo -j ACCEPT would work (by letting all traffic from the LOcal interface through). Alternatively, iptables -I INPUT -s 127.0.0.1 -j ACCEPT would allow you to open that IP address. Both of these examples open the address up for ALL traffic, but that is not a big security risk. – davidgo – 2013-07-13T19:43:53.237
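As an added illustration (not part of Joey's question, davidgo's answer, or iptables itself), the Python below models the first-match evaluation of an INPUT chain that the answer and the follow-up comment describe: a chain that ends in a catch-all DROP, why a rule appended with -A behind that DROP never fires while one inserted with -I does, and why a rule matching -i eth0 can never accept a connection that arrives on lo. The firewall contents and the two packets are constructed assumptions; on a real box the equivalent check is `sudo iptables -vnL --line-numbers`, and `-m state`/conntrack matching is deliberately left out of the model.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed packet standing in for Joey's curl request to 127.0.0.1:18332.
LOCALHOST_RPC = {"in": "lo", "proto": "tcp", "dport": 18332, "src": "127.0.0.1"}
# Constructed LAN packet to the same port, used to show what "-i lo" does NOT open.
LAN_RPC = {"in": "eth0", "proto": "tcp", "dport": 18332, "src": "192.168.1.20"}


@dataclass
class Rule:
    """One INPUT rule. A None match field means that match was not specified."""
    target: str                        # -j ACCEPT / -j DROP
    in_iface: Optional[str] = None     # -i
    proto: Optional[str] = None        # -p
    dport: Optional[int] = None        # --dport
    src: Optional[str] = None          # -s

    def matches(self, pkt: dict) -> bool:
        checks = (
            (self.in_iface, pkt["in"]),
            (self.proto, pkt["proto"]),
            (self.dport, pkt["dport"]),
            (self.src, pkt["src"]),
        )
        return all(want is None or want == got for want, got in checks)


@dataclass
class Chain:
    """Rules are evaluated top-down; the first matching rule decides the verdict."""
    policy: str = "ACCEPT"             # chain policy, used only if nothing matches
    rules: list = field(default_factory=list)

    def append(self, rule: Rule) -> None:                    # iptables -A INPUT ...
        self.rules.append(rule)

    def insert(self, rule: Rule, rulenum: int = 1) -> None:  # iptables -I INPUT [rulenum] ...
        self.rules.insert(rulenum - 1, rule)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def suspected_firewall() -> Chain:
    """The shape davidgo suspects: a few ACCEPTs, then a trailing 'drop everything'.
    (Assumed contents; the real ones come from `iptables -vnL --line-numbers`.)"""
    chain = Chain()
    chain.append(Rule("ACCEPT", proto="tcp", dport=22))
    chain.append(Rule("ACCEPT", proto="tcp", dport=80))
    chain.append(Rule("DROP"))   # catch-all: every rule appended after this is dead
    return chain


def appended_eth0_rule() -> str:
    """Joey's rule: -A INPUT -i eth0 -p tcp --dport 18332 -j ACCEPT (lands after the DROP)."""
    chain = suspected_firewall()
    chain.append(Rule("ACCEPT", in_iface="eth0", proto="tcp", dport=18332))
    return chain.verdict(LOCALHOST_RPC)


def inserted_eth0_rule() -> str:
    """-I fixes the ordering, but -i eth0 still cannot match a packet arriving on lo."""
    chain = suspected_firewall()
    chain.insert(Rule("ACCEPT", in_iface="eth0", proto="tcp", dport=18332))
    return chain.verdict(LOCALHOST_RPC)


def inserted_any_iface_rule() -> str:
    """-I INPUT -p tcp --dport 18332 -j ACCEPT: top of the chain, no interface match."""
    chain = suspected_firewall()
    chain.insert(Rule("ACCEPT", proto="tcp", dport=18332))
    return chain.verdict(LOCALHOST_RPC)


def inserted_lo_accept() -> tuple:
    """-I INPUT -i lo -j ACCEPT (from the comment): opens all of lo, nothing on eth0."""
    chain = suspected_firewall()
    chain.insert(Rule("ACCEPT", in_iface="lo"))
    return chain.verdict(LOCALHOST_RPC), chain.verdict(LAN_RPC)


if __name__ == "__main__":
    print("-A ... -i eth0 --dport 18332, localhost:", appended_eth0_rule())
    print("-I ... -i eth0 --dport 18332, localhost:", inserted_eth0_rule())
    print("-I ... --dport 18332,         localhost:", inserted_any_iface_rule())
    lo, lan = inserted_lo_accept()
    print("-I ... -i lo, localhost / 192.168.1.20:", lo, "/", lan)
```

The model reproduces the two independent reasons Joey's appended rule did nothing: position (behind the catch-all DROP) and interface (eth0 rather than lo). It also shows that the `-i lo` rule from the comment changes nothing for traffic arriving on eth0, which is why opening lo wholesale does not expose the RPC port to the LAN.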