
I ran sudo iptables -A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT in bash and then tried to connect to that machine from another machine on the same LAN / subnet on port 2222 with PuTTY, and it didn't work.

Maybe I need to restart iptables after I add the rule for it to take effect? If so, how would I do that?

Here's the output of iptables -S:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-4f5770ea8905 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-4f5770ea8905 -j DOCKER
-A FORWARD -i br-4f5770ea8905 ! -o br-4f5770ea8905 -j ACCEPT
-A FORWARD -i br-4f5770ea8905 -o br-4f5770ea8905 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-4f5770ea8905 -o br-4f5770ea8905 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-4f5770ea8905 -o br-4f5770ea8905 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-4f5770ea8905 -o br-4f5770ea8905 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.7/32 ! -i br-4f5770ea8905 -o br-4f5770ea8905 -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER -d 172.18.0.8/32 ! -i br-4f5770ea8905 -o br-4f5770ea8905 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.18.0.10/32 ! -i br-4f5770ea8905 -o br-4f5770ea8905 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-4f5770ea8905 -o br-4f5770ea8905 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-4f5770ea8905 ! -o br-4f5770ea8905 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-4f5770ea8905 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

Here's the output of sudo iptables --line-numbers -L INPUT:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2222
neubert

1 Answer


Yes, adding rules via the iptables command takes effect immediately.

Presumably you want to add an ACCEPT rule for the port because you want to override a rule that blocks all or most ports.

However, you have added the rule with -A which would append the rule to the table. Since you already have a blocking rule (using something like DROP or REJECT), the new rule would be added after that, making it ineffective.

If you want this to work, you need to either insert the rule (-I #) before the blocking rule, or add the rule to the correct position in a config file and reload all rules. (Or use something like ufw or firewalld to do this for you). You can get a numbered list of rules with iptables --line-numbers -L INPUT and insert your new rule at or before the position of your blocking rule.

If the assumption that you have a blocking rule is wrong, then you need to go back and check if anything even has the port open. You can use netstat -nl | grep 2222 or ss -nlt | grep 2222 and if it isn't listed, then there is nothing listening on the port.

From the output you added to your question, the INPUT table is basically empty (except for your accept rule) and -P INPUT ACCEPT says accept anything that doesn't match rules in the input table.

user10489
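The procedure the answer describes (check for a listener, find the blocking rule's position, insert the ACCEPT ahead of it with -I instead of appending it with -A) as an added example; this is not code from the question or the answer. It parses the text that `iptables -nL INPUT --line-numbers` and `ss -nlt` print, so it runs without root and without touching the live firewall; the listings and ss output below are constructed samples, and the function names (first_block_pos, accept_pos, chain_policy, listener_present, diagnose, fix_cmd) are this example's own. Feed it real output and it tells you whether the firewall is the problem and which command fixes it.

```shell
#!/bin/sh
# Added example: decide whether an appended ACCEPT for a port is being
# shadowed by an earlier DROP/REJECT rule, and print the -I command that
# puts it in front of that rule. Parses saved command output only.

# Constructed sample: a chain with a blanket DROP at 3 and the ACCEPT for
# 2222 appended behind it (the situation the answer warns about).
SHADOWED='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2222'

# Constructed sample: the chain from the question (policy ACCEPT, no blocking rule).
OPEN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2222'

# Constructed sample `ss -nlt` output, with and without a listener on 2222.
SS_WITH='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*'
SS_WITHOUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# first_block_pos LISTING -> rule number of the first DROP/REJECT rule, or nothing.
first_block_pos() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && ($2 == "DROP" || $2 == "REJECT") { print $1; exit }'
}

# accept_pos LISTING PORT -> rule number of the first ACCEPT rule whose match
# carries "dpt:PORT" as a whole field (so dpt:22 does not match dpt:2222).
accept_pos() {
    printf '%s\n' "$1" | awk -v p="dpt:$2" \
        '$1 ~ /^[0-9]+$/ && $2 == "ACCEPT" { for (i = 3; i <= NF; i++) if ($i == p) { print $1; exit } }'
}

# chain_policy LISTING -> the chain's default policy, taken from the header line.
chain_policy() {
    printf '%s\n' "$1" | awk 'NR == 1 { gsub(/[()]/, "", $4); print $4; exit }'
}

# listener_present SS_OUTPUT PORT -> exit 0 if some socket is listening on tcp/PORT.
listener_present() {
    printf '%s\n' "$1" | awk -v p=":$2" '$1 == "LISTEN" && $4 ~ (p "$") { found = 1 } END { exit !found }'
}

# diagnose LISTING SS_OUTPUT PORT -> one of:
#   no-listener        nothing is bound to the port; the firewall is not the issue
#   firewall-ok        an ACCEPT is reached before any block, or nothing blocks and policy is ACCEPT
#   blocked-at N       a DROP/REJECT at rule N is hit before any ACCEPT for the port
#   blocked-by-policy  no rule matches and the chain policy is not ACCEPT
diagnose() {
    listing=$1; ss_out=$2; port=$3
    if ! listener_present "$ss_out" "$port"; then
        echo "no-listener"; return 0
    fi
    blk=$(first_block_pos "$listing")
    acc=$(accept_pos "$listing" "$port")
    if [ -n "$acc" ] && { [ -z "$blk" ] || [ "$acc" -lt "$blk" ]; }; then
        echo "firewall-ok"
    elif [ -n "$blk" ]; then
        echo "blocked-at $blk"
    elif [ "$(chain_policy "$listing")" = "ACCEPT" ]; then
        echo "firewall-ok"
    else
        echo "blocked-by-policy"
    fi
}

# fix_cmd LISTING PORT -> the iptables command that places an ACCEPT for tcp/PORT
# ahead of the first blocking rule (-I N), or appends it (-A) if nothing blocks.
# Inserting shifts later rule numbers up by one; a shadowed copy appended earlier
# can then be removed with `iptables -D INPUT <its new number>`.
fix_cmd() {
    blk=$(first_block_pos "$1")
    if [ -n "$blk" ]; then
        printf 'iptables -I INPUT %s -p tcp -m tcp --dport %s -j ACCEPT\n' "$blk" "$2"
    else
        printf 'iptables -A INPUT -p tcp -m tcp --dport %s -j ACCEPT\n' "$2"
    fi
}

diagnose "$SHADOWED" "$SS_WITH" 2222    # blocked-at 3
fix_cmd "$SHADOWED" 2222                # iptables -I INPUT 3 -p tcp -m tcp --dport 2222 -j ACCEPT
diagnose "$OPEN" "$SS_WITHOUT" 2222     # no-listener
diagnose "$OPEN" "$SS_WITH" 2222        # firewall-ok
```

Take the listing with `-n` (`sudo iptables -nL INPUT --line-numbers`) so ports are printed as numbers rather than service names, and capture the socket list on the target host with `ss -nlt`; then pass both strings in place of the constructed samples. On the chain from the question the result is firewall-ok when something listens on 2222 and no-listener otherwise, which is the same conclusion the answer reaches by hand.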