
I'm trying to allow Internet traffic to port 7778 on my server, but am unable to do it correctly. Probably making some rookie mistake here. Can you help me diagnose and solve the issue?

I simply did the following:

sudo iptables -A TCP -p tcp -m tcp --dport 7778 -j ACCEPT

If I do iptables -S, I do see the rule appended in the list, e.g.:

-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -p tcp -m tcp --dport 7778 -j ACCEPT

However, if I ping this particular port from another server - telnet example.com 7778, I see:

telnet: Unable to connect to remote host: Connection refused

What else can I do here? Ports 80, 443 and 22 are working correctly, FYI.


Note: my server uses Azure infrastructure (classic VM). An extra step I took was adding an endpoint for port 7778 in the Azure portal. Thus this part is covered.

Hassan Baig

2 Answers

By using the -A switch you have added your rule to the end of the chain. This will almost certainly have placed it after the rule that drops/blocks packets.

When iptables/netfilter is checking to see how a packet should be acted upon, the first rule to match wins. In your case it will likely match a line like -A INPUT -j REJECT --reject-with icmp-port-unreachable, which will cause a Connection refused message prior to matching your allow rules.

The solution is to insert the rule using -I into a suitable place in your INPUT chain.

user9517
  • Makes sense, although the reject rule is above the rule for port `80` and `443` as well (see edited lines in question). Should that have blocked those ports as well? – Hassan Baig Dec 22 '16 at 16:58
  • Unless, as seems likely, there is an earlier rule that allows them. – user9517 Dec 22 '16 at 17:18
  • Well I pasted the full list of rules in the question; just trying to understand what's what before I insert the rule with `-I` (in case something goes wrong). As you can see, I'm using nginx `fail2ban` as well. – Hassan Baig Dec 22 '16 at 17:23
  • I executed `sudo iptables -I INPUT 1 -p tcp -m tcp --dport 7778 -j ACCEPT`, however `telnet example.com 7778` still fails. Something very weird is going on over here. Any pointers on diagnosing this? – Hassan Baig Dec 23 '16 at 00:04
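To see the first-match-wins behaviour user9517 describes applied to a whole chain, including a jump into a user chain named TCP like the one in the question, here is an added shell example that is not part of either answer: it replays a constructed `iptables -S` dump (not the asker's real ruleset) for an inbound SYN to a given port and reports which rule terminates it. The constructed ruleset assumes INPUT jumps new TCP flows to TCP before a catch-all REJECT, and that the 7778 rule was appended to INPUT behind that REJECT.

```shell
# Constructed `iptables -S` output (not the asker's real ruleset): the 7778
# rule was appended to INPUT, so it sits behind the catch-all REJECT.
RULES='-P INPUT DROP
-N TCP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -j TCP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7778 -j ACCEPT'

# first_match DUMP CHAIN PORT: trace a fresh inbound TCP SYN to PORT (arriving
# on an external interface) through CHAIN as netfilter does: rules in order,
# jumps into user chains followed, an exhausted user chain returns to its
# caller. Prints the terminating target and its position, or the chain policy.
# Only -p, -i, --dport and --ctstate/--state are interpreted; other matches
# (e.g. -m tcp, -s) are assumed to match.
first_match() {
    printf '%s\n' "$1" | awk -v chain="$2" -v port="$3" '
    function walk(c,   i, j, n, f, r, proto, iface, dport, st, tgt) {
        for (i = 1; i <= cnt[c]; i++) {
            proto = iface = dport = st = tgt = ""
            n = split(rule[c, i], f, " ")
            for (j = 1; j <= n; j++) {
                if (f[j] == "-p")      proto = f[j+1]
                if (f[j] == "-i")      iface = f[j+1]
                if (f[j] == "--dport") dport = f[j+1]
                if (f[j] == "--ctstate" || f[j] == "--state") st = f[j+1]
                if (f[j] == "-j")      tgt = f[j+1]
            }
            if (proto != "" && proto != "tcp") continue  # other protocol
            if (iface == "lo")                 continue  # we are external
            if (dport != "" && dport != port)  continue  # other port
            if (st != "" && st !~ /NEW/)       continue  # a SYN is NEW
            if (tgt in cnt) { r = walk(tgt); if (r != "") return r; continue }
            return tgt " (" c " rule " i ")"
        }
        return ""
    }
    $1 == "-P" { policy[$2] = $3 }
    $1 == "-N" { cnt[$2] = 0 }
    $1 == "-A" { cnt[$2]++; rule[$2, cnt[$2]] = $0 }
    END { r = walk(chain); print (r == "" ? policy[chain] " (policy)" : r) }'
}

first_match "$RULES" INPUT 80     # ACCEPT (TCP rule 2): reached via the jump
first_match "$RULES" INPUT 7778   # REJECT (INPUT rule 4): appended rule never seen
```

Run `first_match "$(sudo iptables -S)" INPUT 7778` against a live dump to see where a packet to that port actually stops: a REJECT result explains a Connection refused from the firewall, whereas ACCEPT points at the service itself not listening, which is what the other answer checks for.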

According to the error log, it seems that your service is not listening.

To troubleshoot this issue more efficiently, I suggest checking the following:

1. Check the service in your VM.

netstat -ant|grep 7778

Please ensure the port is listening.

2. Test by using the localhost IP.

telnet 127.0.0.1 7778

Based on my knowledge, if your firewall has some missing configuration, you would get the following error.

telnet: Unable to connect to remote host: Connection timed out

Shui shengbao