  1. #1
    Just Joined! groovygroundhog's Avatar
    Join Date
    Mar 2005
    Location
    Arlington, VA
    Posts
    77

    Stupid iptables question


    Hello, all! I am trying to open up a port on a server and, unfortunately, cannot use Fedora's cute little graphical interface for it. So, is there an iptables command I can issue to open udp port 123? Thanks.

  2. #2
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    You're going to be inserting a rule into the RH-Firewall-1-INPUT chain. We'll need to see your current rules to know where exactly. Use iptables -nvL and post the output here (put it in code tags so that we can read it).

    The rule will probably be:
    Code:
    # iptables -I RH-Firewall-1-INPUT 3 -p udp --dport 123 -j ACCEPT

  3. #3
    Just Joined! groovygroundhog's Avatar
    Join Date
    Mar 2005
    Location
    Arlington, VA
    Posts
    77
    Thanks for the reply. Here's the output of iptables -nvL.
    Code:
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    49849   12M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0        
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:123
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:123
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0        
    
    Chain OUTPUT (policy ACCEPT 51580 packets, 9716K bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain RH-Firewall-1-INPUT (2 references)
     pkts bytes target     prot opt in     out     source               destination
    15099 3105K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        2   168 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
      130 29897 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
    30851 7392K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
       55  3176 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
        1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
        4   172 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:2947
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:7510:7638
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2947
     2564 1691K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:7501
     1143 52328 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

  4. #4
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Ok, the rule I posted should be fine. Once you run that command and you're satisfied that it's working, you can save it with:
    Code:
    # service iptables save
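The reason the rule in posts #2 and #4 is inserted with `-I ... 3` rather than appended with `-A` is visible in the posted `iptables -nvL` output: the RH-Firewall-1-INPUT chain ends with a catch-all `REJECT ... reject-with icmp-host-prohibited`, so an ACCEPT appended after it would never be reached. The following is an added example, not code from the thread: a small POSIX sh/awk check that reads `iptables -nvL` text and reports where an ACCEPT for a given protocol and destination port sits in a chain and whether a catch-all REJECT/DROP precedes it. The function name `rule_position` and both samples are constructed here; the first sample is modelled on the thread's output with the udp 123 rule at position 3, the second shows the appended-after-REJECT mistake.

```sh
#!/bin/sh
# Added example (not from the thread). Checks whether an ACCEPT rule for
# PROTO/PORT in CHAIN is reachable, i.e. not placed after a catch-all
# REJECT or DROP. Input: the text of `iptables -nvL` on stdin.

# Constructed sample, modelled on the thread's output after
# `iptables -I RH-Firewall-1-INPUT 3 -p udp --dport 123 -j ACCEPT`.
SAMPLE_RULES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
49849   12M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
15099 3105K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    2   168 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:123
30851 7392K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   55  3176 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
 1143 52328 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Constructed sample of the common mistake: the rule was appended with -A,
# so it lands after the terminal REJECT and never matches anything.
SAMPLE_APPENDED='Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
15099 3105K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1143 52328 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:123'

# rule_position CHAIN PROTO PORT
# Prints "<position> reachable|shadowed" for the first matching ACCEPT in
# CHAIN, or "0 missing" if there is none. Positions are 1-based, as used by
# `iptables -I CHAIN N`. Simplification: any REJECT/DROP whose prot column is
# "all" is treated as a catch-all that shadows every rule after it.
rule_position() {
    awk -v chain="$1" -v proto="$2" -v port="$3" '
        $1 == "Chain"                       { inchain = ($2 == chain); n = 0; next }
        !inchain || NF == 0 || $1 == "pkts" { next }
        { n++ }                              # rule position within the chain
        found == 0 && $3 == "ACCEPT" && $4 == proto && $NF == ("dpt:" port) {
            found = n; shadowed = rejected   # remember whether a catch-all came first
        }
        ($3 == "REJECT" || $3 == "DROP") && $4 == "all" { rejected = 1 }
        END {
            print found + 0, (found ? (shadowed ? "shadowed" : "reachable") : "missing")
        }'
}

# Stand-alone demo: the thread's chain with the udp 123 rule at position 3,
# then the appended variant, then a protocol that has no rule at all.
printf '%s\n' "$SAMPLE_RULES"    | rule_position RH-Firewall-1-INPUT udp 123
printf '%s\n' "$SAMPLE_APPENDED" | rule_position RH-Firewall-1-INPUT udp 123
printf '%s\n' "$SAMPLE_RULES"    | rule_position RH-Firewall-1-INPUT tcp 123
```

On a live box the same check is `iptables -nvL | rule_position RH-Firewall-1-INPUT udp 123`; a result of `shadowed` means the hole exists in the ruleset but packets never get to it, which is worth catching before `service iptables save` makes the ordering permanent.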

  5. #5
    Just Joined! groovygroundhog's Avatar
    Join Date
    Mar 2005
    Location
    Arlington, VA
    Posts
    77
    I ran those commands, but when I do an nmap, I don't see 123/udp open. Should I?

  6. #6
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Only if you have a service listening there.

    If there is not a service listening there but you've poked a hole for it in the firewall, what nmap should show you is that the port is closed (not filtered).

    Are you running some service that's listening on that udp port?

    edit: Actually I take that back. Port scans for udp are trickier than tcp. See the -PU option for nmap.

  7. #7
    Just Joined! groovygroundhog's Avatar
    Join Date
    Mar 2005
    Location
    Arlington, VA
    Posts
    77
    Yes, I do have a service that's listening on 123. It's NTP. Actually, I've been wrestling with ntp off and on for a couple of weeks. I'm just trying to get one server to broadcast to the other services on my subnet and I can't get it to work to save my life.

  8. #8
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Two things I'd do:

    1. Confirm ntpd is listening on all interfaces:
    Code:
    $ netstat -atun | grep '123'
    2. Open up tcp port 123 as well using the same command I posted above (except substitute udp with tcp after the -p option).

    If it's still not working then this is a ntpd problem/question, which should probably be a different thread.

  9. #9
    Just Joined! groovygroundhog's Avatar
    Join Date
    Mar 2005
    Location
    Arlington, VA
    Posts
    77
    Thanks for the help. You're right, this could well be an NTP problem. I ran that netstat command and here's the output:

    Code:
    udp        0      0 192.1.22.255:123            0.0.0.0:*
    udp        0      0 192.1.22.100:123            0.0.0.0:*
    udp        0      0 127.0.0.1:123               0.0.0.0:*
    udp        0      0 0.0.0.0:123                 0.0.0.0:*
    udp        0      0 fe80::207:e9ff:fead:123     :::*
    udp        0      0 ::1:123                     :::*
    udp        0      0 :::123                      :::*
    I have no idea how to interpret that. Should those 0.0.0.0:*s be there?

  10. #10
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Yes, you're just missing the rightmost column in the output you posted. (It would show that those are in a LISTEN state.)

    That output shows you that ntpd (udp port 123) is listening for connections on three different interfaces:
    • 192.1.22.255
    • 192.1.22.100
    • 127.0.0.1 (loopback)


    The 0.0.0.0:123 entry means it is listening on all available interfaces.
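The interpretation above (posts #8 through #10) can be automated. What follows is an added example, not code from the thread: a POSIX sh/awk filter that reads `netstat -atun` text, keeps only the udp sockets bound to a given port, and tags each local address as `any` (0.0.0.0 or ::), `loopback`, `link-local` or `specific`, then says whether anything is reachable from beyond the loopback interface. The function names `udp_listeners` and `network_exposed` are mine; the sample is constructed from the lines posted in #9 plus one tcp row added to show it is skipped.

```sh
#!/bin/sh
# Added example (not from the thread). Reads `netstat -atun` output on stdin
# and classifies the udp sockets bound to a port.

# Constructed sample: the udp rows posted in the thread, with headers and a
# tcp LISTEN row added. Old netstat truncates long IPv6 addresses to fit
# the column, which is why the fe80:: entry looks clipped.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
udp        0      0 192.1.22.255:123            0.0.0.0:*
udp        0      0 192.1.22.100:123            0.0.0.0:*
udp        0      0 127.0.0.1:123               0.0.0.0:*
udp        0      0 0.0.0.0:123                 0.0.0.0:*
udp        0      0 fe80::207:e9ff:fead:123     :::*
udp        0      0 ::1:123                     :::*
udp        0      0 :::123                      :::*'

# udp_listeners PORT
# Prints "<local address> <scope>" for every udp/udp6 socket bound to PORT.
# udp rows have no State column (UDP is connectionless), so Local Address
# is always field 4 and Foreign Address is the last field.
udp_listeners() {
    awk -v port="$1" '
        $1 ~ /^udp/ && $4 ~ (":" port "$") {
            addr = $4
            sub(/:[0-9]+$/, "", addr)                       # strip the ":PORT" suffix
            if (addr == "0.0.0.0" || addr == "::")          scope = "any"
            else if (addr == "127.0.0.1" || addr == "::1")  scope = "loopback"
            else if (addr ~ /^fe80:/)                       scope = "link-local"
            else                                            scope = "specific"
            print addr, scope
        }'
}

# network_exposed PORT
# "yes" if at least one udp socket on PORT is bound to something other than a
# loopback address (so the firewall rule, not the bind address, decides who
# can reach it), otherwise "no".
network_exposed() {
    n=$(udp_listeners "$1" | awk '$2 != "loopback" { c++ } END { print c + 0 }')
    [ "$n" -gt 0 ] && echo yes || echo no
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | udp_listeners 123
printf '%s\n' "$SAMPLE_NETSTAT" | network_exposed 123
```

Live usage is `netstat -atun | udp_listeners 123`. An `any` entry alone already means ntpd will answer on every interface; the extra per-address rows (including the subnet's .255 address, which ntpd binds for broadcast) show which addresses it also binds explicitly.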
