Firewall rules for transmission
Source: AskUbuntu
I have transmission installed, which listens on the default port 51413.
I have tried opening everything for this port.
iptables:
Chain INPUT (policy ACCEPT)
target     prot opt source         destination
ACCEPT     tcp  --  anywhere       anywhere       tcp dpt:ssh
ACCEPT     icmp --  'Server IP'    anywhere       state NEW,RELATED,ESTABLISHED icmp echo-request
ACCEPT     icmp --  anywhere       anywhere       state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     udp  --  anywhere       anywhere       state RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
ACCEPT     tcp  --  anywhere       anywhere       tcp spt:http
ACCEPT     tcp  --  anywhere       anywhere       tcp dpt:http
ACCEPT     udp  --  anywhere       anywhere       udp spt:bootpc dpt:bootps
ACCEPT     tcp  --  anywhere       anywhere       tcp dpt:9091
ACCEPT     tcp  --  anywhere       anywhere       tcp dpt:51413
ACCEPT     udp  --  anywhere       anywhere       udp dpt:51513
ACCEPT     tcp  --  anywhere       anywhere       tcp spt:51413
ACCEPT     udp  --  anywhere       anywhere       udp spt:51413
LOGGING    all  --  anywhere       anywhere
DROP       all  --  anywhere       anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source         destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source         destination
ACCEPT     tcp  --  anywhere       anywhere       tcp spt:ssh
ACCEPT     icmp --  anywhere       anywhere       state NEW,RELATED,ESTABLISHED icmp echo-request
ACCEPT     icmp --  anywhere       anywhere       state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     udp  --  anywhere       anywhere       udp dpt:domain
ACCEPT     tcp  --  anywhere       anywhere       tcp dpt:http
ACCEPT     tcp  --  anywhere       anywhere       tcp spt:http
ACCEPT     udp  --  anywhere       anywhere       udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere       anywhere       tcp spt:9091
ACCEPT     tcp  --  anywhere       anywhere       tcp spt:51413
ACCEPT     udp  --  anywhere       anywhere       udp spt:51413
ACCEPT     tcp  --  anywhere       anywhere       tcp dpt:51413
ACCEPT     udp  --  anywhere       anywhere       udp dpt:51413
LOGGING    all  --  anywhere       anywhere
DROP       all  --  anywhere       anywhere

Chain LOGGING (2 references)
target     prot opt source         destination
LOG        all  --  anywhere       anywhere       limit: avg 12/min burst 5 LOG level warning prefix "FirewallDrops: "
DROP       all  --  anywhere       anywhere
If I flush the tables:
iptables -F
it then works, so I imagine there is something I’m missing in iptables.
Logging output:
/var/log/kern.log:May 5 18:43:32 StretchSvr kernel: [ 9.258012] FirewallDrops: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=72 TOS=0x00 PREC=0xC0 TTL=64 ID=2371 PROTO=ICMP TYPE=3 CODE=3 [SRC=127.0.0.1 DST=127.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=2370 DF PROTO=UDP SPT=51413 DPT=80 LEN=24 ]
/var/log/kern.log:May 5 18:43:32 StretchSvr kernel: [ 9.298081] FirewallDrops: IN=eth0 OUT= MAC='Svr MAC Address' SRC=62.210.137.203 DST='Svr IP Address' LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=55801 PROTO=UDP SPT=1337 DPT=51413 LEN=24
/var/log/kern.log:May 5 18:43:32 StretchSvr kernel: [ 9.305079] FirewallDrops: IN=eth0 OUT= MAC='Svr MAC Address' SRC=31.172.63.226 DST='Svr IP Address' LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=80 DPT=51413 LEN=24
/var/log/kern.log:May 5 18:44:53 StretchSvr kernel: [ 90.444453] FirewallDrops: IN=eth0 OUT= MAC='Svr MAC Address' SRC=62.210.137.203 DST='Svr IP Address' LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=55802 PROTO=UDP SPT=1337 DPT=51413 LEN=24
/var/log/kern.log:May 5 18:44:53 StretchSvr kernel: [ 90.453131] FirewallDrops: IN=eth0 OUT= MAC='Svr MAC Address' SRC=31.172.63.225 DST='Svr IP Address' LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6969 DPT=51413 LEN=24
/var/log/kern.log:May 5 18:44:53 StretchSvr kernel: [ 90.456361] FirewallDrops: IN=eth0 OUT= MAC='Svr MAC Address' SRC=31.172.63.226 DST='Svr IP Address' LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=80 DPT=51413 LEN=24
/var/log/kern.log:May 5 18:44:53 StretchSvr kernel: [ 90.458255] FirewallDrops: IN=eth0 OUT= MAC='Svr MAC Address' SRC=31.172.63.252 DST='Svr IP Address' LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=80 DPT=51413 LEN=24
/var/log/kern.log:May 5 18:45:01 StretchSvr kernel: [ 98.435703] FirewallDrops: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=72 TOS=0x00 PREC=0xC0 TTL=64 ID=2373 PROTO=ICMP TYPE=3 CODE=3 [SRC=127.0.0.1 DST=127.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=2372 DF PROTO=UDP SPT=51413 DPT=80 LEN=24 ]
/var/log/syslog:May 5 18:43:32 StretchSvr kernel: [ 9.258012] FirewallDrops: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=72 TOS=0x00 PREC=0xC0 TTL=64 ID=2371 PROTO=ICMP TYPE=3 CODE=3 [SRC=127.0.0.1 DST=127.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=2370 DF PROTO=UDP SPT=51413 DPT=80 LEN=24 ]
/var/log/syslog:May 5 18:43:32 StretchSvr kernel: [ 9.298081] FirewallDrops: IN=eth0 OUT= MAC='Svr MAC Address' SRC=62.210.137.203 DST='Svr IP Address' LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=55801 PROTO=UDP SPT=1337 DPT=51413 LEN=24
/var/log/syslog:May 5 18:43:32 StretchSvr kernel: [ 9.305079] FirewallDrops: IN=eth0 OUT= MAC='Svr MAC Address' SRC=31.172.63.226 DST='Svr IP Address' LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=80 DPT=51413 LEN=24
/var/log/syslog:May 5 18:44:53 StretchSvr kernel: [ 90.444453] FirewallDrops: IN=eth0 OUT= MAC='Svr MAC Address' SRC=62.210.137.203 DST='Svr IP Address' LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=55802 PROTO=UDP SPT=1337 DPT=51413 LEN=24
/var/log/syslog:May 5 18:44:53 StretchSvr kernel: [ 90.453131] FirewallDrops: IN=eth0 OUT= MAC='Svr MAC Address' SRC=31.172.63.225 DST='Svr IP Address' LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6969 DPT=51413 LEN=24
/var/log/syslog:May 5 18:44:53 StretchSvr kernel: [ 90.456361] FirewallDrops: IN=eth0 OUT= MAC='Svr MAC Address' SRC=31.172.63.226 DST='Svr IP Address' LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=80 DPT=51413 LEN=24
/var/log/syslog:May 5 18:44:53 StretchSvr kernel: [ 90.458255] FirewallDrops: IN=eth0 OUT= MAC='Svr MAC Address' SRC=31.172.63.252 DST='Svr IP Address' LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=80 DPT=51413 LEN=24
Any help appreciated.
So as I explained in the comments above, it was a typo I made Lol … I had my INPUT udp port as 51513 instead of 51413 …
But, just in case anyone wants to know, these are the rules that I have used to allow Transmission:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -p udp --dport 51413 -j ACCEPT
iptables -A OUTPUT -p udp --sport 51413 -j ACCEPT
Thanks everyone for their input
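The mismatch behind this answer (drops logged for UDP DPT=51413 while the INPUT chain accepted udp dpt:51513) can be found mechanically by comparing the drop log with the rule listing. The following is an added example, not part of the original post; the rule rows and log lines are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample: INPUT rows in `iptables -L -n` form, with the question's typo.
INPUT_RULES = """\
ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:51413
ACCEPT     udp  --  0.0.0.0/0    0.0.0.0/0    udp dpt:51513
ACCEPT     udp  --  0.0.0.0/0    0.0.0.0/0    udp spt:51413
"""
# Constructed drop-log lines in the kernel LOG format (documentation addresses).
DROP_LOG = """\
May 5 18:43:32 host kernel: [ 9.29] FirewallDrops: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 PROTO=UDP SPT=1337 DPT=51413 LEN=24
May 5 18:44:53 host kernel: [ 90.45] FirewallDrops: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=44 PROTO=UDP SPT=6969 DPT=51413 LEN=24
May 5 18:45:01 host kernel: [ 98.43] FirewallDrops: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=72 PROTO=ICMP TYPE=3 CODE=3 [SRC=127.0.0.1 DST=127.0.0.1 LEN=44 PROTO=UDP SPT=51413 DPT=80 LEN=24 ]
"""

def accepted_dports(listing):
    """Return {(proto, port)} for ACCEPT rows matching a numeric destination port."""
    allowed = set()
    for row in listing.splitlines():
        m = re.match(r"ACCEPT\s+(tcp|udp)\b.*\bdpt:(\d+)", row)
        if m:
            allowed.add((m.group(1), int(m.group(2))))
    return allowed

def dropped_inbound(log):
    """Count inbound drops per (proto, dport); lines with an empty IN= are skipped."""
    counts = {}
    for line in (l for l in log.splitlines() if "FirewallDrops:" in l):
        outer = line.split("[SRC=")[0]  # ignore the packet quoted inside ICMP errors
        f = dict(kv.split("=", 1) for kv in outer.split() if "=" in kv)
        if f.get("IN") and f.get("PROTO") in ("TCP", "UDP") and "DPT" in f:
            key = (f["PROTO"].lower(), int(f["DPT"]))
            counts[key] = counts.get(key, 0) + 1
    return counts

def diagnose(listing, log):
    """List dropped (proto, dport) pairs lacking an ACCEPT rule, plus one-digit-off rule ports."""
    allowed = accepted_dports(listing)
    report = []
    for (proto, port), hits in sorted(dropped_inbound(log).items()):
        if (proto, port) in allowed:
            continue
        near = sorted(p for (pr, p) in allowed if pr == proto and len(str(p)) == len(str(port))
                      and sum(a != b for a, b in zip(str(p), str(port))) == 1)
        report.append((proto, port, hits, near))
    return report

if __name__ == "__main__":
    for proto, port, hits, near in diagnose(INPUT_RULES, DROP_LOG):
        print(f"{proto}/{port}: {hits} drops, no ACCEPT dpt rule; similar rule ports: {near}")
```

The rule parser only reads numeric ports, so feed it a listing produced with `iptables -L -n` rather than one showing service names such as `ssh` or `http`.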
It’s because I am implementing a restrictive firewall (I think that’s the term Lol) … So basically I have to explicitly allow port traffic
I have never ever needed to mess with iptables for transmission to work. I do use a router that I needed to config once (I created a rule for transmission).
I’ve now added in the log reference port 51413
Yep I enabled logging, and it’s saying that it’s dropping packets – DPT=51413 PROT=TCP … It’s also dropping packets sent from my client on port 137, but I don’t know why it’s sending on that port (might be for the web GUI) … I’ll post the full logs when I get back onto my computer tomorrow
You can enable logging for dropped packets: help.ubuntu.com/community/IptablesHowTo#Logging