- 05-02-2007 #1
Stupid iptables question
Hello, all! I am trying to open up a port on a server and, unfortunately, cannot use Fedora's cute little graphical interface for it. So, is there an iptables command I can issue to open udp port 123? Thanks.
- 05-02-2007 #2
You're going to be inserting a rule into the RH-Firewall-1-INPUT chain. We'll need to see your current rules to know where exactly. Use iptables -nvL and post the output here (put it in code tags so that we can read it).
The rule will probably be:
Code:
# iptables -I RH-Firewall-1-INPUT 3 -p udp --dport 123 -j ACCEPT
- 05-02-2007 #3
Thanks for the reply. Here's the output of iptables -nvL.
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
49849   12M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:123

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 51580 packets, 9716K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
15099 3105K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    2   168 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
  130 29897 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
30851 7392K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   55  3176 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
    4   172 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:2947
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:7510:7638
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2947
 2564 1691K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:7501
 1143 52328 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
- 05-02-2007 #4
Ok, the rule I posted should be fine. Once you run that command and you're satisfied that it's working, you can save it with:
Code:
# service iptables save
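Added example, not from the thread. The point of the `-I RH-Firewall-1-INPUT 3` command above is that the new ACCEPT has to land somewhere before the chain's closing `REJECT ... icmp-host-prohibited`; an ACCEPT appended with `-A` would sit after it and never see a packet, and a rule for `tcp` does nothing for a `udp` service. The script below parses the text of `iptables -nvL` (no root needed, it never touches the kernel) and reports, per chain/protocol/port, whether a reachable ACCEPT exists, and prints the `-I` command that inserts one just ahead of the catch-all when it does not. The sample dump is a trimmed copy of the chain posted above with one made-up "udp dpt:123" ACCEPT added after the REJECT to show the shadowed case; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): given the text of `iptables -nvL`,
# report whether an ACCEPT for PROTO/PORT in CHAIN is actually reachable,
# and print the `iptables -I` command that puts it just ahead of the
# chain's catch-all REJECT when it is not.  Parses a dump only; any user
# can run it.

# Constructed sample: a trimmed copy of the RH-Firewall-1-INPUT chain from
# the thread, plus one made-up "udp dpt:123" ACCEPT *appended after* the
# REJECT (what `iptables -A` would have produced instead of `-I`).
SAMPLE_DUMP='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
49849   12M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
15099 3105K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
30851 7392K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   55  3176 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
 1143 52328 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:123'

# rule_status CHAIN PROTO PORT  (dump on stdin) -> accepted | shadowed | missing
#   accepted: an ACCEPT for "PROTO dpt:PORT" precedes any catch-all REJECT/DROP
#   shadowed: it exists but sits after the catch-all, so it never sees a packet
#   missing : no such ACCEPT in CHAIN (only exact dpt:, not dpts: ranges)
rule_status() {
    awk -v chain="$1" -v proto="$2" -v port="$3" '
        /^Chain / { inchain = ($2 == chain); next }
        !inchain || /^ *pkts/ || NF == 0 { next }
        {
            # iptables -nvL columns: pkts bytes target prot opt in out src dst [match...]
            target = $3; prot = $4; src = $8; dst = $9
            rest = ""
            for (i = 10; i <= NF; i++) rest = rest " " $i
            if (target == "ACCEPT" && prot == proto &&
                rest ~ (" " proto " dpt:" port "($| )")) {
                print (seen_catchall ? "shadowed" : "accepted")
                found = 1
                exit
            }
            if ((target == "REJECT" || target == "DROP") && prot == "all" &&
                src == "0.0.0.0/0" && dst == "0.0.0.0/0")
                seen_catchall = 1
        }
        END { if (!found) print "missing" }'
}

# reject_position CHAIN (dump on stdin) -> 1-based rule number of the catch-all
reject_position() {
    awk -v chain="$1" '
        /^Chain / { inchain = ($2 == chain); n = 0; next }
        !inchain || /^ *pkts/ || NF == 0 { next }
        {
            n++
            if (($3 == "REJECT" || $3 == "DROP") && $4 == "all" &&
                $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0") { print n; exit }
        }'
}

# fix_command CHAIN PROTO PORT (dump on stdin) -> the insert command to run as root.
# `-I CHAIN N` places the new rule *at* position N and pushes the REJECT down one.
fix_command() {
    pos=$(reject_position "$1")
    printf 'iptables -I %s %s -p %s --dport %s -j ACCEPT\n' "$1" "${pos:-1}" "$2" "$3"
}

# Stand-alone demo on the constructed dump; feed it `iptables -nvL` (run as
# root) instead of SAMPLE_DUMP to check a live box.
for spec in "tcp 22" "udp 123" "udp 53"; do
    set -- $spec
    st=$(printf '%s\n' "$SAMPLE_DUMP" | rule_status RH-Firewall-1-INPUT "$1" "$2")
    echo "RH-Firewall-1-INPUT $1/$2: $st"
    [ "$st" = accepted ] || printf '%s\n' "$SAMPLE_DUMP" | fix_command RH-Firewall-1-INPUT "$1" "$2"
done
```

On the dump actually posted in this thread, the two `tcp dpt:123` ACCEPTs in INPUT come after the jump into RH-Firewall-1-INPUT, whose last rule rejects everything unmatched, so they never see a packet (their counters are 0), and they match TCP anyway; the `udp` rule inserted at position 3 is what opens NTP. The script only resolves exact `dpt:` matches within one chain; it does not follow jumps or `dpts:` ranges.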
- 05-02-2007 #5
I ran those commands, but when I do an nmap, I don't see 123/udp open. Should I?
- 05-02-2007 #6
Only if you have a service listening there.
If there is not a service listening there but you've poked a hole for it in the firewall, what nmap should show you is that the port is closed (not filtered).
Are you running some service that's listening on that udp port?
edit: Actually I take that back. Port scans for udp are trickier than tcp. See the -PU option for nmap.
- 05-02-2007 #7
Yes, I do have a service that's listening on 123. It's NTP. Actually, I've been wrestling with ntp off and on for a couple weeks. I'm just trying to get one server to broadcast to the other services on my subnet and I can't get it to work to save my life.
- 05-02-2007 #8
Two things I'd do:
1. Confirm ntpd is listening on all interfaces:
Code:
$ netstat -atun | grep '123'
2. Open up tcp port 123 as well using the same command I posted above (except substitute udp with tcp after the -p option).
If it's still not working then this is a ntpd problem/question, which should probably be a different thread.
- 05-02-2007 #9
Thanks for the help. You're right, this could well be an NTP problem. I ran that netstat command and here's the output:
Code:
udp        0      0 192.1.22.255:123            0.0.0.0:*
udp        0      0 192.1.22.100:123            0.0.0.0:*
udp        0      0 127.0.0.1:123               0.0.0.0:*
udp        0      0 0.0.0.0:123                 0.0.0.0:*
udp        0      0 fe80::207:e9ff:fead:123     :::*
udp        0      0 ::1:123                     :::*
udp        0      0 :::123                      :::*
I have no idea how to interpret that. Should those 0.0.0.0:*s be there?
- 05-02-2007 #10
Yes, you're just missing the rightmost column in the output you posted. (It would show that those are in a LISTEN state.)
That output shows you that ntpd (udp port 123) is listening for connections on three different interfaces:
- 192.1.22.255
- 192.1.22.100
- 127.0.0.1 (loopback)
The 0.0.0.0:123 entry means it is listening on all available interfaces.
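Added example, not from the thread. Reading `netstat -atun` by eye is error-prone because the columns differ by protocol: a TCP socket is a listener only when its State column says LISTEN, while UDP sockets carry no state at all, so every `udp` line for the port is a bound receiver. The script below takes `netstat -atun` text on stdin (no root needed), keeps only the sockets that can actually receive traffic on the given protocol and port, and classifies each bind address as wildcard (all interfaces), loopback, link-local or a specific interface address. The sample is the seven udp/123 lines posted above plus two made-up tcp lines (a listening sshd and one established session) to show the State difference; function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): read `netstat -atun` output and list,
# for one protocol and port, every socket that can receive traffic on it,
# with the scope of its bind address.  Parses text only; no root needed.

# Constructed sample: the seven udp/123 lines posted in the thread plus two
# made-up tcp lines (a listening sshd and one established ssh session) to
# show how the State column differs between TCP and UDP.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 192.1.22.100:22             10.0.0.5:51234              ESTABLISHED
udp        0      0 192.1.22.255:123            0.0.0.0:*
udp        0      0 192.1.22.100:123            0.0.0.0:*
udp        0      0 127.0.0.1:123               0.0.0.0:*
udp        0      0 0.0.0.0:123                 0.0.0.0:*
udp        0      0 fe80::207:e9ff:fead:123     :::*
udp        0      0 ::1:123                     :::*
udp        0      0 :::123                      :::*'

# bind_scope ADDR -> wildcard | loopback | link-local | specific
bind_scope() {
    case $1 in
        0.0.0.0|::)  echo wildcard ;;     # reachable on every interface
        127.*|::1)   echo loopback ;;     # local processes only
        fe80:*)      echo link-local ;;   # this link only
        *)           echo specific ;;     # one configured interface address
    esac
}

# listening PROTO PORT (netstat -atun on stdin) -> "PROTO ADDR SCOPE" per socket
# A TCP socket counts only in LISTEN state.  UDP has no state column: a bound
# socket is simply listed, so every udp line for the port is a receiver.
# Newer net-tools print tcp6/udp6 for IPv6 sockets; both spellings are taken.
listening() {
    proto=$1; port=$2
    awk -v proto="$proto" -v port="$port" '
        $1 == proto || $1 == (proto "6") {
            local = $4
            p = local; sub(/.*:/, "", p)            # text after the last colon
            addr = local; sub(/:[^:]*$/, "", addr)  # everything before it
            if (p != port) next
            if (proto == "tcp" && $6 != "LISTEN") next
            print addr
        }' | while read -r addr; do
        echo "$proto $addr $(bind_scope "$addr")"
    done
}

# Stand-alone demo; pipe real `netstat -atun` output in to check a live box.
printf '%s\n' "$SAMPLE_NETSTAT" | listening udp 123
printf '%s\n' "$SAMPLE_NETSTAT" | listening tcp 22
```

On the posted output this prints seven udp receivers, two of them wildcard (`0.0.0.0` and `::`), which is what "listening on all interfaces" looks like; that only udp sockets appear is expected, since NTP is a UDP-only protocol. Whether a remote peer can reach one of those sockets is then the firewall's business, which is what the `iptables` rule earlier in the thread is for.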