Add Linux iptables Rules to Successfully Open New Port

As cloud server offerings grow on the internet, so does the appeal of being able to provision and decommission scalable servers on demand. However, one of the major differences between these offerings and their older ancestors, the virtual dedicated/private servers (VDS or VPS for short), is that most of the cloud boxes ship with vanilla images, at least the ones my favorite provider, Rackspace, offers do.

This usually means that one must manually install Apache, FTP servers and webmin if desired. But simply running these services after setup will not allow outside clients to reach them if a firewall such as iptables is active, and most basic boxes will have one running, most probably iptables on RHEL, CentOS, Ubuntu, etc.

To allow access to your services, you must add rules to your iptables firewall rule table telling it which ports to open to whom (which IP addresses). I am not going to rewrite a full tutorial on opening ports in iptables, as a very good basic one is available at Ubuntu iptables Basic How-To, plus many more advanced ones through the forums and Linux communities.

However, most of the tutorials out there do not stress the fact that “appending” a new rule to the list with “-A” will not work in most cases, since the default rule, the one listed at the end of the iptables list, is usually one that denies everything that reaches it. Since iptables processes rules sequentially, if your rule is appended to the end of the list, the default rule will “DENY” all requests before they ever reach your newly added rule. Below is the usually suggested approach to open the webmin port in the “INPUT” chain, which does not work for our setup.

iptables -A INPUT -p tcp --dport 10000 -j ACCEPT

To remedy this, you must “INSERT” your rule using the “-I” option, followed by the chain and the slot to insert the rule in. To determine the slot, run the following command and count the rules in the chain starting from 1.

iptables -L

Once you have made sure you selected the right chain (which you will, after reading some tutorials carefully), you can add your desired rule in a slot before the default one (slot 3 in the example below), as follows:

iptables -I INPUT 3 -p tcp --dport 10000 -j ACCEPT
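Counting slots by hand is error-prone on a long chain, so here is an added example (not part of the original post) of a small POSIX shell helper that finds the slot of the catch-all DROP/REJECT rule in a listing produced by `iptables -L INPUT -n --line-numbers` and builds the matching `-I` command, falling back to `-A` when the chain has no such rule. The listing below and the function names are constructed for this illustration; the helper only prints the command and never calls iptables itself.

```shell
#!/bin/sh
# Constructed sample of `iptables -L INPUT -n --line-numbers` on a stock
# RHEL/CentOS-style box (example data, not a listing from a real server).
# `-n` keeps addresses numeric, so the catch-all rule shows 0.0.0.0/0.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# catch_all_slot LISTING
# Prints the slot number of the first catch-all deny rule: target DROP or
# REJECT, protocol "all", source and destination 0.0.0.0/0.
# Prints nothing when the chain has no such rule.
catch_all_slot() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && ($2 == "DROP" || $2 == "REJECT") &&
        $3 == "all" && $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" { print $1; exit }'
}

# insert_cmd LISTING PORT
# Builds the iptables command that opens tcp/PORT in the INPUT chain just
# before the catch-all deny rule, so the new rule is evaluated first.
# Without a catch-all rule, plain -A is safe and is used instead.
insert_cmd() {
    slot=$(catch_all_slot "$1")
    if [ -n "$slot" ]; then
        printf 'iptables -I INPUT %s -p tcp --dport %s -j ACCEPT\n' "$slot" "$2"
    else
        printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$2"
    fi
}

# Show the command for the webmin port against the sample listing.
# Run the printed command as root once you have reviewed it.
insert_cmd "$SAMPLE_LISTING" 10000
```

Rules added with `-I` or `-A` live only in the running kernel; they are gone after a reboot unless saved with your distribution's iptables persistence mechanism.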

I hope this helps reduce some aggravation while trying to get a vanilla Linux box launched.
