
Thread: Iptables, refused connection internal network server

  1. #1

    Iptables, refused connection internal network server

    Hi, I have an iptables issue when trying to connect to LAN servers. I run a few server programs that communicate with each other via LAN and the internet. I also have client computers that connect to the server programs via the internet.

    Here is my network setup..
    ifconfig results:

    My Ubuntu Gateway/Router:

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:2718 errors:0 dropped:0 overruns:0 frame:0
    TX packets:2718 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:183308 (183.3 KB) TX bytes:183308 (183.3 KB)

    eth0 Link encap:Ethernet HWaddr 00:15:c5:4a:16:5a
    inet addr:123.123.123.100 Bcast:123.123.123.255 Mask:255.255.255.0
    inet6 addr: fe80::215:c5ff:fe4a:165a/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:466475604 errors:0 dropped:0 overruns:0 frame:0
    TX packets:403172654 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:2574778386 (2.5 GB) TX bytes:1618367329 (1.6 GB)
    Interrupt:16

    eth1 Link encap:Ethernet HWaddr 00:15:c5:4a:16:5a
    inet addr:192.168.16.2 Bcast:192.168.0.255 Mask:255.255.255.0
    inet6 addr: fe80::215:c5ff:fe4a:165a/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:466475604 errors:0 dropped:0 overruns:0 frame:0
    TX packets:403172654 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:2574778386 (2.5 GB) TX bytes:1618367329 (1.6 GB)
    Interrupt:16

    Ubuntu Server 1 needing to use tcp and udp ports 8002:

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:2718 errors:0 dropped:0 overruns:0 frame:0
    TX packets:2718 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:183308 (183.3 KB) TX bytes:183308 (183.3 KB)

    eth1 Link encap:Ethernet HWaddr 00:15:c5:4a:16:5a
    inet addr:192.168.16.4 Bcast:192.168.0.255 Mask:255.255.255.0
    inet6 addr: fe80::215:c5ff:fe4a:165a/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:466475604 errors:0 dropped:0 overruns:0 frame:0
    TX packets:403172654 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:2574778386 (2.5 GB) TX bytes:1618367329 (1.6 GB)
    Interrupt:16

    Ubuntu Server 2 needing to use tcp and udp ports 9000-9099:

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:2718 errors:0 dropped:0 overruns:0 frame:0
    TX packets:2718 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:183308 (183.3 KB) TX bytes:183308 (183.3 KB)

    eth1 Link encap:Ethernet HWaddr 00:15:c5:4a:16:5a
    inet addr:192.168.16.13 Bcast:192.168.0.255 Mask:255.255.255.0
    inet6 addr: fe80::215:c5ff:fe4a:165a/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:466475604 errors:0 dropped:0 overruns:0 frame:0
    TX packets:403172654 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:2574778386 (2.5 GB) TX bytes:1618367329 (1.6 GB)
    Interrupt:16

    There is another Ubuntu Server 3, currently offline, that demonstrates part of the issue of not being able to communicate. The IP of this server is 192.168.16.11, using tcp and udp ports 9100-9399.

    This is my iptables:

    # Generated by iptables-save v1.4.12 on Wed Feb 13 14:58:02 2013
    *mangle
    :PREROUTING ACCEPT [5297:972271]
    :INPUT ACCEPT [1458:207232]
    :FORWARD ACCEPT [3658:756223]
    :OUTPUT ACCEPT [1250:377863]
    :POSTROUTING ACCEPT [4908:1134086]
    COMMIT
    # Completed on Wed Feb 13 14:58:02 2013
    # Generated by iptables-save v1.4.12 on Wed Feb 13 14:58:02 2013
    *nat
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]

    -A PREROUTING -p tcp -m tcp -i eth0 --dport 8002 -j DNAT --to-destination 192.168.16.4:8002
    -A PREROUTING -p udp -m udp -i eth0 --dport 8002 -j DNAT --to-destination 192.168.16.4:8002
    -A PREROUTING -p tcp -m tcp -i eth0 --dport 9000:9099 -j DNAT --to-destination 192.168.16.13:9000-9099
    -A PREROUTING -p udp -m udp -i eth0 --dport 9000:9099 -j DNAT --to-destination 192.168.16.13:9000-9099
    -A PREROUTING -p tcp -m tcp -i eth0 --dport 9100:9399 -j DNAT --to-destination 192.168.16.11:9100-9399
    -A PREROUTING -p udp -m udp -i eth0 --dport 9100:9399 -j DNAT --to-destination 192.168.16.11:9100-9399
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Generated by iptables-save v1.4.12 on Wed Feb 13 14:58:02 2013
    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i eth1 -j ACCEPT
    -A INPUT -p tcp -m tcp -m conntrack --dport 80 -j ACCEPT --ctstate NEW,RELATED,ESTABLISHED
    -A INPUT -p tcp -m tcp -m conntrack --dport 443 -j ACCEPT --ctstate NEW,RELATED,ESTABLISHED
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -m conntrack -o eth1 -j ACCEPT --ctstate NEW,RELATED,ESTABLISHED
    -A OUTPUT -o eth0 -j ACCEPT
    -A INPUT -p tcp -m tcp -m conntrack --dport 22 -j ACCEPT --ctstate NEW,RELATED,ESTABLISHED
    -A FORWARD -i eth0 -o eth1 -j ACCEPT
    -A FORWARD -i eth1 -o eth0 -j ACCEPT
    COMMIT
    # Completed on Wed Feb 13 14:58:02 2013

    What is supposed to happen is:

    The Internet client connects to Ubuntu Server 1 via tcp/udp port 8002, Ubuntu Server 1 communicates the client information to Ubuntu Server 2 via internet port 9000, then Ubuntu Server 2 begins communication with the internet client via internet tcp/udp ports 9000 and 9020.

    What happens is:

    The Internet client communicates with Ubuntu Server 1 via tcp/udp ports 8002, then Ubuntu Server 1 transmits that client's information to Ubuntu Server 2 over the internet via tcp/udp port 9000 and gets a connection refused error.

    In addition, when Ubuntu Server 2 is loading the programs I get some communication errors saying connection refused between programs running on the same server (Ubuntu Server 2) but communicating via different internet ports. The range of the program ports for Ubuntu Server 2 is tcp/udp ports 9000-9099. Some of these connection refused errors also occur when the programs are trying to connect to the offline Ubuntu Server 3 programs; these errors should not be refused but lost, which leads me to believe it is a gateway/router issue.

    Any help would be great!!
    Todd
    Last edited by todddavisvrg; February 14th, 2013 at 03:59 AM. Reason: correct some names

  2. #2

    Re: Iptables, refused connection internal network server

    Hi, and welcome to Ubuntu forums.

    I cannot see how your problem is an iptables rule set issue with the gateway/router computer. From my understanding of the description, it seems to me to be a problem with server 2, which maybe I don't understand correctly.

    I assume you have somehow simplified your iptables rule set for posting, because it doesn't make sense to have several conditional INPUT ACCEPT rules followed by a default policy of ACCEPT anyhow.

    All I can suggest is to look at the packet counters to observe traversal paths (which I myself find really useful):
    Code:
    sudo iptables -v -x -n -L
    sudo iptables -t nat -v -x -n -L
    And maybe start looking at things at the packet level with tcpdump or wireshark. But focus on server 2.
    Last edited by Doug S; February 14th, 2013 at 07:09 AM.
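A static pass over the posted rule set, as an added example (not code from the thread or from Ubuntu): it parses iptables-save text, lists the DNAT forwards, flags chains where conditional ACCEPT rules sit under an ACCEPT policy (the point raised in the reply above), and checks whether FORWARD passes eth0 to eth1 traffic. DUMP is a constructed excerpt of the rules posted in the first message.

```python
# Added example, not the thread's or Ubuntu's code; DUMP is a constructed
# excerpt of the gateway rule set posted above, with the ":P" lines restored.
DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i eth0 --dport 8002 -j DNAT --to-destination 192.168.16.4:8002
-A PREROUTING -p udp -m udp -i eth0 --dport 9000:9099 -j DNAT --to-destination 192.168.16.13:9000-9099
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
"""

def parse(dump):
    """Return {table: {"policy": {chain: policy}, "rules": [token lists]}}."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):            # table header, e.g. *filter
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):          # :CHAIN POLICY [pkts:bytes]
            chain, pol = line[1:].split()[:2]
            table["policy"][chain] = pol
        elif line.startswith("-A"):         # -A CHAIN <matches> -j TARGET
            table["rules"].append(line.split())
    return tables

def opt(rule, flag):
    """Argument following a flag in a tokenised rule, or None if absent."""
    return rule[rule.index(flag) + 1] if flag in rule else None

def dnat_targets(tables):
    """(in-iface, proto, dport, destination) for each DNAT rule in nat/PREROUTING."""
    return [(opt(r, "-i"), opt(r, "-p"), opt(r, "--dport"), opt(r, "--to-destination"))
            for r in tables["nat"]["rules"] if r[1] == "PREROUTING" and opt(r, "-j") == "DNAT"]

def open_chains(tables):
    """Chains whose policy is ACCEPT yet carry conditional ACCEPT rules: those rules
    restrict nothing, because the policy accepts whatever they do not match."""
    return [f"{name}/{chain}" for name, t in tables.items()
            for chain, pol in t["policy"].items() if pol == "ACCEPT"
            and any(r[1] == chain and opt(r, "-j") == "ACCEPT" for r in t["rules"])]

def forward_allows(tables, in_if, out_if):
    """True if filter/FORWARD passes in_if -> out_if, by explicit rule or by policy."""
    f = tables["filter"]
    explicit = any(r[1] == "FORWARD" and opt(r, "-i") == in_if and opt(r, "-o") == out_if
                   and opt(r, "-j") == "ACCEPT" for r in f["rules"])
    return explicit or f["policy"].get("FORWARD") == "ACCEPT"
```

Feed it `sudo iptables-save` output instead of DUMP to run the same checks on a live gateway; a FORWARD policy of DROP makes the explicit eth0-to-eth1 rule the only path, which is the shape the reply above is hinting at.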
