How do I get iptables to allow a new port (for a webserver sockets handler)
Solution 1
The rule should be added to the INPUT chain after the
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
rule and before the
-A INPUT -j REJECT --reject-with icmp-host-prohibited
rule.
You can do this by editing /etc/sysconfig/iptables directly or by inserting the rule using the -I argument. Personally, I would save the state of the firewall, then edit /etc/sysconfig/iptables, then restart the service:
service iptables save
edit the file and add -A INPUT -p tcp -m state --state NEW -m tcp --dport 1337 -j ACCEPT
service iptables restart
If you wanted to do it all from the command line then you can use --line-numbers to decide where to insert the new rules
iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
2 ACCEPT icmp -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere
4 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
5 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
So now to insert the rule at position 2
iptables -I INPUT 2 -p tcp -m state --state NEW -m tcp --dport 1337 -j ACCEPT
and if that works don't forget to save the state of the firewall
service iptables save
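The manual step in Solution 1 (list the chain with --line-numbers, pick a position, insert with -I) can be scripted. The following is an added example and not part of the original answer: it parses `iptables -S INPUT` output (simpler to parse than `-L`), finds the first REJECT rule, refuses to proceed if the chain has no REJECT or the REJECT sits above the RELATED,ESTABLISHED rule, and prints the `iptables -I` command that places the new ACCEPT immediately before the REJECT (Solution 1 inserts at position 2 instead; both positions satisfy the stated constraint). The sample chain is constructed to match the listing above, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original answer): work out where a new ACCEPT
# rule must go so it lands after the RELATED,ESTABLISHED rule and before the
# final REJECT, then print the matching `iptables -I` command.

# find_reject_pos: read `iptables -S INPUT` on stdin and print the 1-based
# rule number of the first REJECT rule in INPUT (nothing if there is none).
# In -S output the policy line (-P) comes first and only -A lines count.
find_reject_pos() {
  awk '/^-A INPUT /      { n++ }
       /^-A INPUT .*-j REJECT/ { print n; exit }'
}

# find_established_pos: rule number of the RELATED,ESTABLISHED accept rule.
find_established_pos() {
  awk '/^-A INPUT / { n++ }
       /^-A INPUT .*--state RELATED,ESTABLISHED.*-j ACCEPT/ { print n; exit }'
}

# insert_cmd PORT RULES: print the iptables command that inserts an ACCEPT
# for tcp/PORT at the REJECT rule's position (the REJECT moves down one).
# Fails if INPUT has no REJECT rule, or if the REJECT precedes the
# RELATED,ESTABLISHED rule, in which case the chain itself needs fixing.
insert_cmd() {
  port=$1
  rules=$2
  pos=$(printf '%s\n' "$rules" | find_reject_pos)
  est=$(printf '%s\n' "$rules" | find_established_pos)
  if [ -z "$pos" ]; then
    echo "no REJECT rule in INPUT; append with -A instead of inserting" >&2
    return 1
  fi
  if [ -n "$est" ] && [ "$pos" -le "$est" ]; then
    echo "REJECT rule precedes the RELATED,ESTABLISHED rule; fix the chain first" >&2
    return 1
  fi
  printf 'iptables -I INPUT %s -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' \
    "$pos" "$port"
}

# Constructed sample of `iptables -S INPUT`, matching the chain listed above.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Dry run against the sample. On the real host, as root, use
#   insert_cmd 1337 "$(iptables -S INPUT)" | sh
# and then `service iptables save` once the new rule is confirmed to work.
insert_cmd 1337 "$SAMPLE_RULES"
```

The script only prints the command, so it can be reviewed before anything touches the live ruleset; after running it, `iptables -L INPUT --line-numbers` should show the new rule immediately above the REJECT.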
Solution 2
It's just one command. Considering you're using TCP requests just do this:
iptables -I INPUT -p tcp -m tcp --dport 1337 -j ACCEPT
As pointed out by @iain in the comments, using this on the command line will guarantee that the rule will be evaluated before the REJECT rules. If you're editing the file directly, just put this before the REJECT lines:
-A INPUT -p tcp -m tcp --dport 1337 -j ACCEPT
Solution 3
Add the second line to allow access from anywhere, assuming that the connection uses tcp and not udp.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1337 -j ACCEPT
Or run the following command, again assuming tcp for the protocol. This will add the same line as the manual edit shown above and save the rules in /etc/sysconfig/iptables.
lokkit -p 1337:tcp
So both options are equivalent, but lokkit applies the change immediately.
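Both lokkit (Solution 3) and `service iptables restart` (Solution 1) reload the live firewall from /etc/sysconfig/iptables, so a rule added with `iptables -I` but never written out with `service iptables save` disappears; the comments below report exactly that for the memcache port. As an added check that is not part of the original answers, the script below compares `iptables-save` output with the saved file and lists the rules that would be lost. Both rule sets here are constructed samples and the function name is mine.

```shell
#!/bin/sh
# Added example (not from the original answers): before running lokkit or
# `service iptables restart`, list rules that exist in the running firewall
# but not in /etc/sysconfig/iptables. Anything listed will be lost unless
# `service iptables save` is run first.

# unsaved_rules RUNNING SAVED: print the -A lines present in RUNNING
# (`iptables-save` output) but absent from SAVED (contents of the saved
# file), in running order. Header, policy, counter and COMMIT lines are
# ignored; only rule presence is compared, not position.
unsaved_rules() {
  { printf '%s\n' "$1"; echo '#--saved--#'; printf '%s\n' "$2"; } |
  awk '
    /^#--saved--#$/ { in_saved = 1; next }
    !in_saved && /^-A / {
      if (!($0 in run)) { run[$0] = 1; order[++n] = $0 }
      next
    }
    in_saved && /^-A / { saved[$0] = 1 }
    END { for (i = 1; i <= n; i++) if (!(order[i] in saved)) print order[i] }'
}

# Constructed sample: what /etc/sysconfig/iptables holds.
SAVED='# Generated by iptables-save v1.4.7
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample: `iptables-save` on the same host after a rule for
# port 1337 was inserted with `iptables -I` but not yet saved. Counters
# differ from the file, which the comparison must ignore.
RUNNING='# Generated by iptables-save v1.4.7
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [41:5120]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1337 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# On the real host, as root:
#   unsaved_rules "$(iptables-save)" "$(cat /etc/sysconfig/iptables)"
# Empty output means lokkit or a restart is safe; otherwise save first.
unsaved_rules "$RUNNING" "$SAVED"
```

The comparison is textual, so it is reliable when the saved file was itself written by `service iptables save` (both sides are then iptables-save output). A hand-edited file can spell an equivalent rule differently (for example a different match order), in which case the rule shows up as unsaved even though it is present; running `service iptables save` once normalises the file.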
NonlinearFruit
Updated on September 18, 2022
Comments
- NonlinearFruit about 1 year
In the local development server, I don't have any iptables rules (running on a Mac). The production server however, runs CentOS 6 with certain rules.
I need to add a rule that allows the client to connect to the 1337 port.
This is my current iptables file. Is there a specific position in which I have to insert the new rule?
# Generated by iptables-save v1.4.7 on Tue Jun 4 17:42:56 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:412]
-A INPUT -p tcp -m tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11211 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Jun 4 17:42:56 2013
- NonlinearFruit over 9 years
Somehow, the lokkit command cleared a lot of my iptables rules (including the 11211 port, which is for memcache).
- John Auld over 9 years
That can happen if you add an iptables rule which has not been saved to /etc/sysconfig/iptables before you run lokkit.
- NonlinearFruit over 9 years
Worked fine, thanks! One quick question: why do you recommend using --state NEW?