1

Is it normal for the network to work without any ACCEPT rule? Because now my iptables have INPUT DROP, FORWARD DROP and OUTPUT DROP only port like ssh, http(s), 53 it's open. I don't add any rule for port 8333 and 9333 but it works and if I telnet (with this tool http://www.adminkit.net/telnet.aspx) port 8333 or 9333 I have an error message

Connection failed: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

I add here all iptables rules http://notes.io/qZkF

I tried to send btc from external source and I received it. In bitcoin.conf I have

rpcport=9333

Netstat -tulpn

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      19626/nginx.conf
tcp        0      0 127.0.0.1:9333          0.0.0.0:*               LISTEN      3537/bitcoind
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2446/sendmail: MTA:
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      19626/nginx.conf
tcp        0      0 0.0.0.0:5565            0.0.0.0:*               LISTEN      2416/sshd
tcp        0      0 0.0.0.0:11111           0.0.0.0:*               LISTEN      8575/php
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2936/mysqld
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      2446/sendmail: MTA:
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      2440/memcached
tcp        0      0 0.0.0.0:8333            0.0.0.0:*               LISTEN      3537/bitcoind
tcp6       0      0 ::1:9333                :::*                    LISTEN      3537/bitcoind
tcp6       0      0 :::5565                 :::*                    LISTEN      2416/sshd
tcp6       0      0 :::8333                 :::*                    LISTEN      3537/bitcoind
udp        0      0 127.0.0.1:11211         0.0.0.0:*                           2440/memcached

Last debug.log

2015-11-22 16:33:33 receive version message: /bitcoinseeder:0.01/: version 60000, blocks=230000, us=[xxxx:xxxx:x:xxxx::]:8333, peer=304
2015-11-22 16:34:01 ERROR: AcceptToMemoryPool: free transaction rejected by rate limiter
2015-11-22 16:34:01 keypool reserve 47
2015-11-22 16:34:01 keypool return 47
2015-11-22 16:34:11 receive version message: /bitcoinseeder:0.01/: version 60000, blocks=350000, us=[xxxx:xxxx:x:xxxx::]:8333, peer=305
2015-11-22 16:34:11 ERROR: AcceptToMemoryPool: free transaction rejected by rate limiter
2015-11-22 16:34:12 ERROR: AcceptToMemoryPool: free transaction rejected by rate limiter
2015-11-22 16:34:31 ERROR: AcceptToMemoryPool: free transaction rejected by rate limiter
2015-11-22 16:34:38 ERROR: AcceptToMemoryPool: free transaction rejected by rate limiter
2015-11-22 16:34:44 ERROR: AcceptToMemoryPool: nonstandard transaction: dust
2015-11-22 16:34:53 receive version message: /bitcoinseeder:0.01/: version 60000, blocks=350000, us=[xxxx:xxxx:x:xxxx::]:8333, peer=306

With PHP I use this

$server = new jsonRPCClient("http://$user:$passwd@127.0.0.1:9333/");

Update: I think it's because I have these rules

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Is it a good idea to close port 8333 and 9333?

soooo
  • 97
  • 6
  • If you're trying to prevent people from connecting to you, why not use listen=0 in bitcoin.conf? – Nick ODell Nov 22 '15 at 20:31
  • Thanks for reply, no i dont want to prevent connection i have just test to DROP all rules but i view its worked without opening bitcoin tcp port i think its because i have ESTABLISHED rule but im not sure. What is your iptables rule for bitcoind ? I need to open just tcp port (9333) or/and bitcoind port (8333) ? – soooo Nov 22 '15 at 22:20
  • Established means it will allow packets of an already established connection. Which is OK. The first packet of a connection will NOT match that rule as it's not established yet. It needs to be accepted by one of the other rules first. – Jannes Nov 23 '15 at 02:51
  • The order have importance ? Because now i have first ESTABLISHED and after 8333 INPUT OUTPUT ACCEPT – soooo Nov 23 '15 at 12:34

1 Answers1

1

Telnet says 'Connection failed' which means others will not be able to connect to you. Your iptables is working as it should.

You may be mistaken thinking that bitcoin is working without ACCEPT rule because you are seeing outgoing connections. Probably 8.

Your netstat shows bitcoin is LISTENing but if iptables doesn't ACCEPT then it will never see any incoming connections.

Try netstat -na | grep 8333 and you will see only outgoing connections (source address: you).

To make your bitcoin node reachable to the outside world simply add a rule to accept 8333.

Note do NOT open 9333 ! It's meant for local use only and you might lose your bitcoins if people get access to it (in fact you're better off disabling it if you're not using it).

Jannes
  • 6,325
  • 25
  • 27
  • Ah yes thanks you ! My previous config have port 8333 and 9333 open... thanks for this precision. Now i change for 2 rules `iptables -t filter -A INPUT -p tcp --dport 8333 -j ACCEPT and iptables -t filter -A OUTPUT -p tcp --dport 8333 -j ACCEPT` – soooo Nov 23 '15 at 12:30
  • Well, netstat showed that bitcoind only listens on localhost anyway, so the open firewall didn't matter in this case. But better to keep it closed. Other (off topic) notes: it's common to have the ESTABLISHED rules as the (almost) first rule, as they will be hit by most traffic. (note that that will change the meaning of the counters if you ever look at them.) Another point, DROP causes long delays and then a timeout, which can be annoying or slow things down. Especially for `OUTPUT` you might want to use DENY instead. Any application sending on a forbidden port will get an error immediately. – Jannes Nov 23 '15 at 12:49