How do I get iptables to allow a new port (for a webserver sockets handler)


Solution 1

The rule should be added to the INPUT chain after the

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

rule and before the

-A INPUT -j REJECT --reject-with icmp-host-prohibited

rule.

You can do this by editing /etc/sysconfig/iptables directly or by inserting the rule using the -I argument. Personally, I would save the state of the firewall, then edit /etc/sysconfig/iptables, and then restart the service:

service iptables save
edit the file and add -A INPUT -p tcp -m state --state NEW -m tcp --dport 1337 -j ACCEPT
service iptables restart

If you wanted to do it all from the command line then you can use --line-number to decide where to insert the new rules

iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
5    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

So now to insert the rule at position 2

iptables -I INPUT 2 -p tcp -m state --state NEW -m tcp --dport 1337 -j ACCEPT

and if that works don't forget to save the state of the firewall

service iptables save
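Rule order in a filter chain is first match wins, which is the whole reason Solution 1 cares about the position. The following script is an added example (not code from the answer or from the iptables project): it takes an iptables-save dump modelled on the question's file (a constructed copy, trimmed), inserts the port 1337 rule immediately before the chain's terminating REJECT, and runs a small first-match evaluator over a NEW TCP packet to 1337 to show the verdict before and after the insertion, and what happens if the rule is appended after the REJECT instead. The `insert_rule`, `verdict` and `_matches` names and the tiny packet dictionaries are assumptions of this example; the matcher understands only the `-p`, `--dport`, `--state` and `-i` options that appear in the file.

```python
"""Insert an ACCEPT rule into an iptables-save dump at the right position
and show, with a first-match evaluator, why the position matters.
Added example; SAVED_RULES is a constructed sample based on the question."""
import re

SAVED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:412]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

NEW_RULE = "-A INPUT -p tcp -m state --state NEW -m tcp --dport 1337 -j ACCEPT"


def insert_rule(dump: str, rule: str, chain: str = "INPUT") -> str:
    """Place `rule` just before the first terminating REJECT/DROP rule of `chain`.

    The RELATED,ESTABLISHED rule is already earlier in the file, so this lands
    the new rule exactly where Solution 1 says it belongs.
    """
    lines = dump.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(f"-A {chain} ") and re.search(r"-j (REJECT|DROP)\b", line):
            lines.insert(i, rule)
            return "\n".join(lines) + "\n"
    raise ValueError(f"no terminating REJECT/DROP rule found in chain {chain}")


def _matches(rule: str, pkt: dict) -> bool:
    """Minimal matcher for the match options used in this file (assumption)."""
    m = re.search(r"-p (\w+)", rule)
    if m and m.group(1) != pkt["proto"]:
        return False
    m = re.search(r"--dport (\d+)", rule)
    if m and int(m.group(1)) != pkt.get("dport"):
        return False
    m = re.search(r"--state ([\w,]+)", rule)
    if m and pkt["state"] not in m.group(1).split(","):
        return False
    m = re.search(r"-i (\w+)", rule)
    if m and m.group(1) != pkt.get("iface"):
        return False
    return True


def verdict(dump: str, pkt: dict, chain: str = "INPUT") -> str:
    """First-match evaluation: the target of the first matching rule decides."""
    for line in dump.splitlines():
        if line.startswith(f"-A {chain} ") and _matches(line, pkt):
            return re.search(r"-j (\w+)", line).group(1)
    # nothing matched: the chain policy applies
    m = re.search(rf"^:{chain} (\w+)", dump, re.M)
    return m.group(1) if m else "ACCEPT"


# constructed packet: first SYN of a new TCP connection to port 1337
SYN_1337 = {"proto": "tcp", "dport": 1337, "state": "NEW", "iface": "eth0"}

if __name__ == "__main__":
    print("before insert:        ", verdict(SAVED_RULES, SYN_1337))
    fixed = insert_rule(SAVED_RULES, NEW_RULE)
    print("inserted before REJECT:", verdict(fixed, SYN_1337))
    # appending at the end of the table puts the rule after the REJECT
    wrong = SAVED_RULES.replace("COMMIT", NEW_RULE + "\nCOMMIT")
    print("appended after REJECT: ", verdict(wrong, SYN_1337))
```

The evaluator also shows why matching on `--state NEW` is sufficient: packets of an already accepted connection are ESTABLISHED and hit the RELATED,ESTABLISHED rule earlier in the chain, so only the first packet needs its own ACCEPT.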

Solution 2

It's just one command. Considering you're using TCP requests just do this:

iptables -I INPUT -p tcp -m tcp --dport 1337 -j ACCEPT

As pointed out by @iain in the comments, using this on the command line will guarantee that the rule will be evaluated before the REJECT rules. If you're editing the file directly just put this before the REJECT lines:

-A INPUT -p tcp -m tcp --dport 1337 -j ACCEPT

Solution 3

Add the second line to allow access from anywhere, assuming that the connection uses tcp and not udp.

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1337 -j ACCEPT

Or run the following command, again assuming tcp for the protocol. This will add the same line as the manual edit shown above and save the rules in /etc/sysconfig/iptables.

lokkit -p 1337:tcp

So both options are equivalent, but lokkit applies the change immediately.
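Both lokkit and `service iptables save` work on the saved file, so any rule that was only ever loaded into the kernel with `iptables -I` and never saved is at risk of being lost when the file is rewritten. This added example (not code from the answer, from lokkit or from the iptables project) compares two dumps, one standing in for the live `iptables-save` output and one for /etc/sysconfig/iptables, and lists rules present in memory but not on disk. Both dumps are constructed samples; the `rules`, `unsaved_rules` and `unloaded_rules` names are this example's own.

```python
"""List rules that exist only in the running firewall (not persisted) or only
in the saved file (not loaded). Added example with constructed inputs."""


def rules(dump: str) -> list[str]:
    """Keep rule lines only, with whitespace normalised; headers, counters,
    comments and COMMIT lines are not rules and are dropped."""
    return [" ".join(line.split()) for line in dump.splitlines()
            if line.lstrip().startswith("-A ")]


def unsaved_rules(running: str, saved: str) -> list[str]:
    """Rules loaded in the kernel that the saved file does not contain."""
    on_disk = set(rules(saved))
    return [r for r in rules(running) if r not in on_disk]


def unloaded_rules(running: str, saved: str) -> list[str]:
    """Rules in the saved file that are not currently loaded."""
    live = set(rules(running))
    return [r for r in rules(saved) if r not in live]


# constructed: what `iptables-save` might print after an unsaved `iptables -I`
RUNNING = """\
# Generated by iptables-save v1.4.7 (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:412]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1337 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11211 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# constructed: the persisted file, which never saw the 1337 or 11211 rules
SAVED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:412]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

if __name__ == "__main__":
    for r in unsaved_rules(RUNNING, SAVED):
        print("loaded but NOT saved (would be lost on reload):", r)
    for r in unloaded_rules(RUNNING, SAVED):
        print("saved but NOT loaded:", r)
```

On a CentOS 6 host the two inputs would be `subprocess.check_output(["iptables-save"], text=True)` and the contents of /etc/sysconfig/iptables; an empty list from `unsaved_rules` before running lokkit or rewriting the file is the check that nothing will be silently dropped.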

Author: NonlinearFruit

Updated on September 18, 2022

Comments

  • NonlinearFruit
    NonlinearFruit about 1 year

    In the local development server, I don't have any iptables rules (running on a Mac). The production server however, runs CentOS 6 with certain rules.

    I need to add a rule that allows the client to connect to the 1337 port.

    This is my current iptables file. Is there a specific order position in which I have to insert the new rule?

    # Generated by iptables-save v1.4.7 on Tue Jun  4 17:42:56 2013
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [3:412]
    -A INPUT -p tcp -m tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 11211 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    -A OUTPUT -p tcp -m tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
    COMMIT
    # Completed on Tue Jun  4 17:42:56 2013
    
  • NonlinearFruit
    NonlinearFruit over 9 years
    Somehow, the lokkit command cleared a lot of my iptables rules (including the 11211 port which is for memcache)
  • John Auld
    John Auld over 9 years
    That can happen if you add an iptables rule, which has not been saved to /etc/sysconfig/iptables before you run lokkit.
  • NonlinearFruit
    NonlinearFruit over 9 years
    Worked fine, thanks! One quick question, why do you recommend using --state NEW ?