Linux iptables allow some ports

lbalazscs asked:

We have a Linux server (CentOS 6.3), where all ports seem to be accessible from inside (when tried from the server), but only SSH is accessible from outside. I would like to allow some other ports, such as 1521 (Oracle), but I cannot get it working.

I tried the following:

iptables -A INPUT -m state --state NEW -p tcp --dport 1521 -j ACCEPT
service iptables save
service iptables restart

but I still get a “Connection timed out” when I do a “telnet 192.168.97.1 1521” from another machine, while I can connect from the server with the same command.

This is what I have in /etc/sysconfig/iptables:

# Generated by iptables-save v1.4.7 on Fri Mar 15 12:13:41 2013
*nat
:PREROUTING ACCEPT [6:1136]
:POSTROUTING ACCEPT [14:878]
:OUTPUT ACCEPT [15:986]
-A POSTROUTING -o em1 -j MASQUERADE
COMMIT
# Completed on Fri Mar 15 12:13:41 2013
# Generated by iptables-save v1.4.7 on Fri Mar 15 12:13:41 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45:3812]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Mar 15 12:13:41 2013

(The line -A POSTROUTING -o em1 -j MASQUERADE is there because previously I also tried to install a PPTP server as described here)

My answer:


The order in which the directives appear is important. The first match wins.

So your problem is:

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT

Thus you never allow traffic to port 1521.

To fix the problem, simply reverse the two lines.
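As an added illustration that is not part of the original answer or of iptables itself, the Python below simulates iptables' first-match walk over the INPUT chain exactly as saved in the question, and shows the verdict before and after the two lines are reversed. The packet dictionaries are constructed stand-ins for the remote telnet SYN arriving on em1 (the interface name is assumed from the MASQUERADE line); the parser only understands the options that appear in the question's rules.

```python
import shlex
from typing import Dict, List

# INPUT chain from the question's /etc/sysconfig/iptables, copied verbatim.
ORIGINAL_INPUT_CHAIN = """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT""".splitlines()

# Constructed packet: the SYN of 'telnet 192.168.97.1 1521' from another host,
# assumed to arrive on em1. A telnet run on the server itself arrives on lo.
ORACLE_SYN = {"proto": "tcp", "iface": "em1", "dport": 1521, "state": "NEW"}


def parse_rule(line: str) -> Dict[str, str]:
    """Pull the match criteria and target out of an '-A INPUT ...' line.
    '-m' modules and '--reject-with' carry no match criteria and are skipped;
    anything outside the options used in the question is rejected."""
    tokens, rule, i = shlex.split(line), {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok not in ("-A", "-m", "--reject-with", "-p", "-i", "--dport", "--state", "-j"):
            raise ValueError(f"unsupported option {tok!r} in {line!r}")
        if tok in ("-p", "-i", "--dport", "--state", "-j"):
            rule[tok] = tokens[i + 1]
        i += 2  # every supported option takes exactly one argument
    return rule


def rule_matches(rule: Dict[str, str], pkt: Dict) -> bool:
    """Each criterion the rule carries must match; a bare rule matches all."""
    return (
        rule.get("-p", pkt["proto"]) == pkt["proto"]
        and rule.get("-i", pkt["iface"]) == pkt["iface"]
        and int(rule.get("--dport", pkt["dport"])) == pkt["dport"]
        and pkt["state"] in rule.get("--state", pkt["state"]).split(",")
    )


def verdict(chain: List[str], pkt: Dict) -> str:
    """Walk top to bottom; the first matching rule's target is the verdict.
    No match falls through to the chain policy, ':INPUT ACCEPT' here."""
    for line in chain:
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule["-j"]
    return "ACCEPT"


def swap_reject_and_next(chain: List[str]) -> List[str]:
    """The answer's fix: reverse the REJECT line and the 1521 ACCEPT after it."""
    fixed = list(chain)
    i = next(n for n, line in enumerate(fixed) if "-j REJECT" in line)
    fixed[i], fixed[i + 1] = fixed[i + 1], fixed[i]
    return fixed


if __name__ == "__main__":
    print("original:", verdict(ORIGINAL_INPUT_CHAIN, ORACLE_SYN))  # REJECT
    print("fixed:", verdict(swap_reject_and_next(ORIGINAL_INPUT_CHAIN), ORACLE_SYN))  # ACCEPT
```

The same walk explains the question's observation that the port is reachable from the server itself: a local connection comes in on lo and hits the `-i lo -j ACCEPT` rule before the REJECT is ever consulted.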


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.