How to open a port in iptables?

pinotje, Verified User (joined Apr 7, 2010; 49 messages; Maastricht)
Hi all,

I've successfully (without any problems) followed all the steps at:
http://help.directadmin.com/item.php?id=380

Now, I don't want to use the standard SSH port (22),
so I tried to add a different port to iptables with:
/sbin/iptables -A INPUT -p tcp --dport 5356 -j ACCEPT

Then I save it:
/sbin/iptables-save

And then I check whether the port was correctly added:
/sbin/iptables -nL

output:
Code:
[root@server1 sysconfig]# /sbin/iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            127.0.0.0/8         reject-with icmp-port-unreachable
DROP       all  --  24.214.232.229       0.0.0.0/0
DROP       icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2222
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 flags:0x17/0x02 limit: avg 1/sec burst 10
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 flags:0x17/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:113
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:3306
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1433 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: MSSQL '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1433
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:6670 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Deepthrt '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:6670
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:6711 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Sub7 '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:6711
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:6712 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Sub7 '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:6712
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:6713 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Sub7 '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:6713
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:12345 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Netbus '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:12345
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:12346 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Netbus '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:12346
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20034 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Netbus '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20034
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:31337 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: BO '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:31337
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:6000 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: XWin '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:6000
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33523
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:113 reject-with icmp-port-unreachable
REJECT     2    --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 reject-with icmp-port-unreachable
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix `Firewalled packet:'
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
DROP       all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5356

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix `Firewalled packet:'
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:6660:6669
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7000
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
[root@server1 sysconfig]#

According to the output above, port 5356 is correctly added to iptables.
But if I restart iptables (/etc/init.d/iptables restart),
the added port has suddenly disappeared.

What is the problem?
Can someone just tell me how to open/add a port in iptables?
Thanks!
 
The order is important: you have DROP and REJECT rules before your new ACCEPT rule:

Code:
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix `Firewalled packet:'
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
DROP       all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5356

Open your iptables config or script file and put your new rule just after ACCEPT for port 22.
 

How do I open the iptables config or script file?

BTW, to block an IP for all services, can I just add ALL: [ipaddr] to /etc/hosts.deny?
 
You should block IPs with your firewall, not TCP wrappers.

If you are using the system default firewall, the config should be /etc/sysconfig/iptables.

But if you are running some other custom firewall setup, then the file might be somewhere else.
 
Send me a PM with a request for a quote and I'll do it for you if you want to save your time and skip reading manuals and HowTos about iptables.
 
I really appreciate your help, but I want to try it myself...

Could you please tell me just how to add a port to iptables?
I only want to open port 5356 in my firewall... That's all...

I'm running CentOS6 (clean/minimal install) with the latest DA version.

Thanks in advance!
 
I can't help you with any direct guide, since I don't know how your iptables rules are getting loaded.

Did you check /etc/sysconfig/iptables ?

Note: if you want to learn how to work with iptables, you'd better read the manuals and official docs. These forums are mostly for discussing DirectAdmin-related things, and iptables is a general thing which you should learn regardless of whether you use DirectAdmin. And it really does not matter what version of DirectAdmin you're running (if any); you're on your own to get familiar with iptables.

Related (probably):

http://help.directadmin.com/item.php?id=380
http://help.directadmin.com/item.php?id=71
http://help.directadmin.com/item.php?id=247
http://www.directadmin.com/forum/showthread.php?t=29807
 
[root@server1 ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@server1 ~]#

The links you gave me, I've already read them all...
 
As Alex points out, there's no easy way to learn iptables.

If you want, you can use the KISS firewall (search these forums); it manages iptables for you, and it's self-documented and easy to understand.

Jeff
 
@pinotje

The content of your /etc/sysconfig/iptables does not seem to match the results of /sbin/iptables -nL from the starting post. Thus your system probably loads the iptables rules some other way.

man iptables-save says:

iptables-save is used to dump the contents of an IP Table in easily
parseable format to STDOUT. Use I/O-redirection provided by your shell
to write to a file

So it does not update your file/script with the rules.

P.S. You should really either read the manuals and docs, or hire somebody to do this job for you.
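The two points raised in this thread, rule order (the first reply) and iptables-save writing only to stdout (above), as an added example that is not code from the thread or from DirectAdmin: a POSIX shell check that reads rules in "iptables -S INPUT" format and reports whether the ACCEPT for a port is reached before the chain's first catch-all DROP/REJECT. The function names and the sample chain are this example's own; the sample is constructed to mirror the end of the INPUT chain in the starting post.

```shell
#!/bin/sh
# Added example (not from the thread or DirectAdmin): given rules in
# "iptables -S INPUT" format, report whether the ACCEPT for a TCP port is
# reached before the chain's first catch-all DROP/REJECT. Sample is constructed.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 5/min -j LOG --log-prefix "Firewalled packet:"
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 5356 -j ACCEPT'

# Rule number (1-based) of the first DROP/REJECT that catches all TCP traffic:
# no port, state or source match and not limited to udp/icmp. Prints 0 if none.
first_catchall_rule() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / {
            n++
            if ($0 ~ / -j (DROP|REJECT)/ && $0 !~ /--dport/ && $0 !~ /--state/ &&
                $0 !~ / -s / && $0 !~ /-p (udp|icmp)/) { found = 1; print n; exit }
        }
        END { if (!found) print 0 }'
}

# "reachable", "shadowed" or "missing" for the ACCEPT rule of a given TCP port.
accept_status() {
    rules=$1
    port=$2
    catchall=$(first_catchall_rule "$rules")
    pos=$(printf '%s\n' "$rules" | awk -v p="$port" '
        /^-A INPUT / { n++; if ($0 ~ ("--dport " p " -j ACCEPT")) { print n; exit } }')
    if [ -z "$pos" ]; then
        echo missing
    elif [ "$catchall" -eq 0 ] || [ "$pos" -lt "$catchall" ]; then
        echo reachable
    else
        echo shadowed
    fi
}

echo "first catch-all rule: $(first_catchall_rule "$SAMPLE_RULES")"   # 5
echo "port 5356 ACCEPT is: $(accept_status "$SAMPLE_RULES" 5356)"    # shadowed
# Fix on the live box (root, not run here): -I at that rule number puts the
# ACCEPT before the catch-all, where -A had appended it after the final DROP:
#   iptables -I INPUT "$(first_catchall_rule "$(iptables -S INPUT)")" -p tcp --dport 5356 -j ACCEPT
# iptables-save only prints to stdout, so persist with a redirect, e.g.
#   iptables-save > /etc/sysconfig/iptables   (stock CentOS init script only;
#   with the DirectAdmin /etc/init.d/iptables script, edit that script instead)
```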
 
solved...

Hi all,

Thanks for your replies to my posts and thanks for your help anyway...
I was stupid...
After researching, I figured out how to open a port in iptables, namely:

1. I've followed all the steps on http://help.directadmin.com/item.php?id=380

2. Then I changed the standard SSH port 22 to 5356 in "/etc/init.d/iptables" (downloaded from http://files1.directadmin.com/services/all/iptables) and in "/etc/ssh/sshd_config"

3. Finally, restart sshd and /etc/init.d/iptables :)
 
Some notes for others who will probably find this thread in the future: do not close the old port 22 with a firewall (here iptables is mentioned) or in sshd_config until you make sure that you have access to the server on the new port. Otherwise you might lose your server. So for testing purposes you should run sshd on both ports, the old 22 and the new one, and the same with iptables. As soon as you're sure that you have no problems connecting to SSH on the new port, simply block port 22.
 
Changing the SSH port is not secure enough in my opinion. You should take a look at CSF (ConfigServer Firewall) or install a brute force detector (like fail2ban or something). I know DirectAdmin also has a brute force monitor, but I haven't tested it yet (you should take a look at it also).
 