new iptables rule not working

Hello Experts,

I just added a new rule to my iptables... however, when I try to telnet to the port using another computer, it doesn't work... but I am able to telnet when I turn off iptables... what am I doing wrong? thanks for your help...

[root@localhost sbin]# /sbin/iptables -A INPUT -m state --state NEW -p udp --dport 25565 -j ACCEPT
[root@localhost sbin]# /sbin/iptables -A INPUT -m state --state NEW -p tcp --dport 25565 -j ACCEPT
[root@localhost sbin]# /sbin/iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  202 27025 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:25565 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25565 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 23 packets, 3419 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255 
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           
   54  5667 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
   16  1466 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
   87  6786 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:137 
    9  2114 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:138 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:139 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:445 
   36 10992 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Open in new window

epifanio67Asked:
Who is Participating?
 
acbxyzCommented:
Your INPUT chain forks to RH-Firewall-1-INPUT for any traffic. At the end of this subchain there is a reject without a filter. So your ACCEPTs are never reached.
You can see that when you look at the byte and packet counters of your two accept-rules and at the top "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)"

The best would be to find out where this reject is written and move it to the first INPUT chain. Then you can add your accept to RH-Firewall-1-INPUT.

Without a change of your base set you cannot use -A, but you can -I instead.
iptables -I INPUT 1 -m state --state NEW -p udp --dport 25565 -j ACCEPT
iptables -I INPUT 1 -m state --state NEW -p tcp --dport 25565 -j ACCEPT

or to put it in the sub chain:
iptables -I  RH-Firewall-1-INPUT 15 -m state --state NEW -p udp --dport 25565 -j ACCEPT
iptables -I  RH-Firewall-1-INPUT 15 -m state --state NEW -p tcp --dport 25565 -j ACCEPT
15 should be the reject so the lines get inserted right before the last reject
0
 
epifanio67Author Commented:
it worked...
nice lesson...

Thanks so much for your help...

regards,
0
 
comfortjeaniusCommented:
This is what you need in order to telnet "Port 23"

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.