Server Version#:1.42.1.10060
Player Version#: any
TL;DR:
- Remote access was working; I messed with something in the Debian firewall I shouldn’t have and broke remote access
- Sagemcom modem/router port forwarded from 32400 to 32400 to a device with static IP (hasn’t changed in months and the port was open as of last night)
- Port checker sites now say my port is closed
My setup worked just fine and I broke the cardinal rule and tried to fix something that wasn’t broken. I am running PMS in Docker on a Debian 13 machine. I saw that my ISP modem firewall allows SMB1 connections through and thought I would fix that vulnerability by blocking the port. I installed the top hit in Discover, I think it was called “firewall”, and blocked port 139 for SMB. I also checked the box I thought would allow port 32400 through (via public) and applied settings. My Plex remote access immediately went down. I unchecked both boxes and saved. Still no connection. Rebooted, remote access is still down. I uninstalled that tool and tried ufw, allowing outbound and inbound connections to 32400, rebooted, and nothing changed. I also tried allow all. At this point I’ve purged ufw and have no idea how to fix it other than nuking it and starting again, which I really, really don’t want to do.
I’m fairly certain port forwarding still functions because my reverse proxy and other dockers on another machine are still reachable outside the network. Ports that I can confirm used to work that now do not are 81 (CasaOS) and Plex (32400).
netstat -lt does not show either port is being listened to.
Some additional weird behavior too: if I’m on my phone via cell, I can stream via relay, as expected, but if I’m on my IoT network via wifi, the Plex app says the server is no longer reachable.
My watcher on Uptime Kuma that pings local.ip:32400/identify also went down at the same time, so it’s not even reachable on the local network, but Plex relay works. I don’t understand that, but I think I’ve almost confirmed it’s a problem on my server and not the router.
pl_5309
September 21, 2025, 3:50pm
3
Debian “Firewall” programs like ufw are just an overlay to manage iptables.
What is the output of sudo iptables -L
Since you have docker in play, I caution against just flushing and resetting without understanding what is there.
Chain INPUT (policy ACCEPT)
target prot opt source destination
ts-input all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:3880
ACCEPT tcp -- anywhere anywhere tcp dpt:3443
ACCEPT udp -- anywhere anywhere udp dpt:4242
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-FORWARD all -- anywhere anywhere
ts-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (17 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.14 tcp dpt:7171
ACCEPT tcp -- anywhere 172.17.0.13 tcp dpt:5690
ACCEPT tcp -- anywhere 172.17.0.11 tcp dpt:8181
ACCEPT tcp -- anywhere 172.17.0.12 tcp dpt:6246
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:5055
ACCEPT tcp -- anywhere 172.20.0.2 tcp dpt:5001
ACCEPT tcp -- anywhere 172.17.0.10 tcp dpt:8266
ACCEPT tcp -- anywhere 172.17.0.10 tcp dpt:8265
ACCEPT tcp -- anywhere 172.17.0.9 tcp dpt:8989
ACCEPT tcp -- anywhere 172.29.0.2 tcp dpt:9000
ACCEPT tcp -- anywhere 172.26.0.2 tcp dpt:11434
ACCEPT tcp -- anywhere 172.17.0.7 tcp dpt:7878
ACCEPT tcp -- anywhere 172.17.0.6 tcp dpt:4242
ACCEPT tcp -- anywhere 172.17.0.5 tcp dpt:9696
ACCEPT tcp -- anywhere 172.17.0.4 tcp dpt:http-alt
ACCEPT tcp -- anywhere 172.19.0.2 tcp dpt:http
ACCEPT tcp -- anywhere 172.27.0.2 tcp dpt:2375
ACCEPT tcp -- anywhere 172.17.0.3 tcp dpt:8686
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:6767
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain DOCKER-BRIDGE (1 references)
target prot opt source destination
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
DOCKER all -- anywhere anywhere
Chain DOCKER-CT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
Chain DOCKER-FORWARD (1 references)
target prot opt source destination
DOCKER-CT all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
DOCKER-BRIDGE all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (17 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
Chain ts-forward (1 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK xset 0x40000/0xff0000
ACCEPT all -- anywhere anywhere mark match 0x40000/0xff0000
DROP all -- 100.64.0.0/10 anywhere
ACCEPT all -- anywhere anywhere
Chain ts-input (1 references)
target prot opt source destination
ACCEPT all -- rime anywhere
RETURN all -- 100.115.92.0/23 anywhere
DROP all -- 100.64.0.0/10 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:41641
pl_5309
September 21, 2025, 7:48pm
5
I guess first the steps would be to ensure no additional iptable packages are installed:
sudo apt-get remove --purge iptables-persistent
Then save the current configuration:
sudo iptables-save > ~/rules.v4
Make a copy of the file, then edit the rules one at a time like DROP ALL -- ANYWHERE
Then load
sudo iptables-restore < ~/rules.v4
Load the backup if it goes sideways. Probably will need to be at the keyboard of the machine.
It’s now purged. firewalld was also running (in parallel?), so maybe uninstalling via Discover didn’t disable the underlying protection. When I disabled that, combined with the purge, and rebooted, the issue was fixed. Thanks!
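
The situation that resolved this thread, a firewall service still active after its GUI was removed, can be checked for directly; the script below is an added example and not something posted in the thread. It assumes the usual Debian unit names (firewalld, ufw, nftables, netfilter-persistent) and a hypothetical file name fwcheck.sh, and relies on firewalld's nftables backend keeping its rules in its own nft table, which `iptables -L` does not list.

```shell
#!/bin/sh
# Added example (not from the thread). Each helper reads command output on
# stdin, so it works on saved output as well as on the live system.

# Input: lines of "<unit> <state>"; prints the units whose state is "active".
active_managers() {
    awk '$2 == "active" { print $1 }'
}

# Input: `nft list tables` output; prints "<family> <name>" for tables owned
# by firewalld, whose nftables backend uses "table inet firewalld".
frontend_tables() {
    awk '$1 == "table" && $3 == "firewalld" { print $2 " " $3 }'
}

# Input: `ss -ltnH` output; succeeds if a socket listens on TCP port $1.
# Column 4 is the local address, e.g. 0.0.0.0:32400 or [::]:32400.
is_listening() {
    awk -v p=":$1" '{ a = $4
                      if (substr(a, length(a) - length(p) + 1) == p) hit = 1 }
                    END { exit hit ? 0 : 1 }'
}

# Queries the running system; missing tools simply produce no findings.
live_report() {
    for u in firewalld ufw nftables netfilter-persistent; do
        echo "$u $(systemctl is-active "$u" 2>/dev/null)"
    done | active_managers | sed 's/^/active firewall unit: /'
    nft list tables 2>/dev/null | frontend_tables | sed 's/^/nft table: /'
    if ss -ltnH 2>/dev/null | is_listening "$1"; then
        echo "port $1: listener present"
    else
        echo "port $1: no listener"
    fi
}

# Run as: sudo sh fwcheck.sh --live 32400
if [ "${1:-}" = "--live" ]; then
    live_report "${2:-32400}"
fi
```

More than one "active firewall unit" line means two managers are writing rules at once, so stop and disable the one not in use before editing rules by hand.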