Linux – How to allow outgoing connections via iptables

connectioniptableslinuxredhat

I have two servers. The program on the first needs to communicate with the second on port 2194.

I know its not working, because when I do:

root@server1 [~]# telnet myserver2.com 2194
Trying 123.123.123.98...
telnet: connect to address 123.123.123.98: Connection timed out
telnet: Unable to connect to remote host: Connection timed out

server1# iptables -L -n

Chain INPUT (policy DROP)
...
...

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
...

Chain LOCALINPUT (1 references)
target     prot opt source               destination
...

Chain LOCALOUTPUT (1 references)
target     prot opt source               destination
...

Chain LOGDROPIN (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain LOGDROPOUT (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Best Answer

To allow outgoing connections from server1 to server2 on TCP port 2194, use this on server1:

iptables -A OUTPUT -p tcp -d <server2ip> --dport 2194 -j ACCEPT

To allow incoming connections from server1 to server2 on TCP port 2194, use this on server2:

iptables -A INPUT -p tcp -s <server1ip> --dport 2194 -j ACCEPT

Related Solutions

Linux – iptables port forward forwarding

You're sending the traffic to 10.52.208.221. Given the config you posted, your problem is the webserver, not the firewall. Your rules look to be correct. FORWARD and INPUT are redirected to RH-Firewall-1-INPUT where your first rule is to allow all traffic. As somebody else pointed out, you could be allowing all traffic on eth1, while the world is actually coming in eth0. Secondary, you have to NAT the traffic as it goes back out to the world

iptables --table nat --append POSTROUTING --proto tcp --dport 80 --jump MASQUERADE -o OUT_INTERFACE

Your traffic originating from the router will never hit the input or forward chains, but instead traverse the output chain on to the webserver. Other systems in that subnet will similarly go directly to the webserver. Systems out on the world at large however will traverse the INPUT / FORWARD chains and need SNAT as well as DNAT so that it appears to the world to be one machine. You still cannot test from within your network. you must test from the opposite interface from the webserver. Get me your IP addresses and I'll point you to the proper configs.

Iptables allow http incoming connections, state NEW, ESTABLISHED

The former rule employs connection tracking, the latter does not. The connection tracking entries are needed for the reply packets to get through. When the connection tracking system allows a packet in that establishes a connection or logical association, an automatic, temporary reflexive rule is created to allow the reply packets out.

Best Answer

Related Solutions

Linux – iptables port forward forwarding

Iptables allow http incoming connections, state NEW, ESTABLISHED

Related Topic