I'm trying to allow Internet traffic to port 7778 on my server, but am unable to do it correctly. Probably making some rookie mistake here. Can you help me diagnose and solve the issue?
I simply did the following:
sudo iptables -A TCP -p tcp -m tcp --dport 7778 -j ACCEPT
If I do iptables -S, I do see the rule appended in the list, e.g.:
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -p tcp -m tcp --dport 7778 -j ACCEPT
However, if I ping this particular port from another server - telnet example.com 7778, I see:
telnet: Unable to connect to remote host: Connection refused
What else can I do here? Ports 80, 443 and 22 are working correctly FYI.
Note: my server uses Azure infrastructure (classic VM). An extra step I took was adding an endpoint for port 7778 in the Azure portal. Thus this part is covered.
Answer
By using the -A switch you have added your rule to the end of the chain. This will almost certainly have placed it after the rule that drops/blocks packets.
When iptables/netfilter is checking to see how a packet should be acted upon, the first to match wins. In your case it will likely match a line like -A INPUT -j REJECT --reject-with icmp-port-unreachable, which will cause a Connection Refused message prior to matching your allow messages.
The solution is to insert the rule using -I into a suitable place in your INPUT chain.
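As an added illustration (not part of the original answer), the script below walks an iptables -S style listing the way netfilter does, first match wins, to show why an appended ACCEPT for 7778 never fires and which position to hand to -I so it lands before the catch-all REJECT. The listing, chain name and function names are constructed for this example; it only reads text and never touches the real firewall.

```shell
#!/bin/sh
# Constructed listing mirroring the question: the 7778 rule was appended with
# -A, so it sits after the catch-all REJECT and is never reached.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 7778 -j ACCEPT'

# verdict_for_port CHAIN PORT < listing
# Prints the target hit by a NEW TCP connection to PORT. Simplified matcher:
# it considers only --dport and catch-all rules and skips --ctstate rules,
# since RELATED,ESTABLISHED cannot match a brand-new connection.
verdict_for_port() {
    awk -v chain="$1" -v port="$2" '
        $1 == "-P" && $2 == chain { policy = $3 }
        $1 == "-A" && $2 == chain {
            dport = ""; target = ""; stateful = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport")   dport = $(i + 1)
                if ($i == "-j")        target = $(i + 1)
                if ($i == "--ctstate") stateful = 1
            }
            if (stateful) next
            if (dport == "" || dport == port) { verdict = target; exit }
        }
        END { print (verdict != "" ? verdict : policy) }'
}

# first_terminating_pos CHAIN < listing
# Prints the 1-based index of the first REJECT/DROP rule in CHAIN, i.e. the N
# to pass to "iptables -I CHAIN N ..." so a new ACCEPT is evaluated before it.
# With no terminating rule, appending (position n+1) is already fine.
first_terminating_pos() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            n++
            for (i = 3; i <= NF; i++)
                if ($i == "-j" && ($(i + 1) == "REJECT" || $(i + 1) == "DROP")) { pos = n; exit }
        }
        END { print (pos ? pos : n + 1) }'
}

printf '%s\n' "$SAMPLE_RULES" | verdict_for_port INPUT 7778   # REJECT
printf '%s\n' "$SAMPLE_RULES" | first_terminating_pos INPUT   # 5
```

On a live box the equivalent check is iptables -S INPUT piped into these functions, followed by iptables -I INPUT N ... with the printed N.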