Adding a port to iptables

The ibm-firewall package on the Open Client has been pre-configured to allow supported and commonly used applications to pass through the iptables firewall. This includes applications such as Lotus Notes, Sametime, MyHelp, the ATT Net Client, and several others.

In some cases, an application may require an open port to allow a new service inbound (e.g., coming into the workstation from a remote system). Examples include the DB2 Server package.

This document is intended for more technical users and system administrators, as opening new ports can easily create security violations and potentially allow unlawful access to system data. There should be almost no need for general users to alter the firewall configuration. If you have questions beyond what this document answers, please contact the IBM Help Desk, or post your question in the IBM Open Client forums.

Users must be root or have superuser privileges to modify the iptables configuration.

High-level overview of this process

To add a firewall rule, there are basically three steps:

  • Create the firewall rules as a standalone text file defining your needed flow
  • Restart the iptables service
  • Test and validate proper function

Where rules are stored

The Open Client ibm-firewall package creates several static rule files that define the modular structure of firewall rules. A new rule can be added to an existing file, or a new file can be created for your desired flow. The incoming rules are defined in this location:
Option #1. Easy way

In this example, it will be assumed that the user has obtained superuser privileges (e.g., is root). This example will outline the steps to add a firewall rule for incoming telnet on tcp port 23.

Although this example shows enabling telnet, this is not advised or allowed due to the security risk. This is only an example, and any port can be substituted for port 23.

gedit 46-allow-telnet.rule

Give the preceding file any name you like; it is recommended to make it somewhat descriptive. Next, add the rule which you would like to allow:

# Allow incoming telnet
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT

Save this file, and restart iptables to make the changes effective.

Option #2. Advanced way

It is possible to export the entire iptables configuration and edit it. This should be attempted only by advanced users or system administrators. The recommended way is Option #1, outlined above.

  • Open a Terminal Window and become superuser or the root user (alternatively, use sudo)
  • Stop the iptables firewall service
  • Create a backup of the current firewall rules:
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup
  • Edit /etc/sysconfig/iptables (the file you just backed up) using your favorite editor (vi, kate, gedit, nano, etc.)
  • Add your desired port, save and exit, and restart iptables.

Option #2. Examples:

These are some examples of added ports within iptables:

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5308 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5901:5999 -j ACCEPT
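As an added example (not part of the ibm-firewall package or this page's own instructions), the helper below validates a port or low:high port range and writes a standalone rule file in the format shown above, so a typo such as a port above 65535 or a reversed range is caught before iptables is restarted. The function names, the rule file path and the description comment are assumptions.

```shell
#!/bin/sh
# Constructed helper: generate one INPUT ACCEPT rule in the page's format
# after checking the protocol and port. Restarting iptables is still a
# separate step, exactly as in the procedure above.

port_in_range() {
    # Single port: digits only, 1..65535.
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

rule_port_ok() {
    # Accept a single port or a low:high range with low < high.
    case "$1" in
        *:*)
            low=${1%%:*}; high=${1#*:}
            case "$high" in *:*) return 1 ;; esac   # reject a:b:c
            port_in_range "$low" && port_in_range "$high" && [ "$low" -lt "$high" ]
            ;;
        *)
            port_in_range "$1"
            ;;
    esac
}

make_rule() {
    # $1 = protocol (tcp or udp), $2 = port or range; prints the rule line.
    proto=$1; port=$2
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    rule_port_ok "$port" || return 1
    printf '%s\n' "-A INPUT -p $proto -m $proto --dport $port -j ACCEPT"
}

write_rule_file() {
    # $1 = rule file path (hypothetical, e.g. 46-allow-telnet.rule),
    # $2 = description for the comment line, $3 = protocol, $4 = port.
    file=$1; desc=$2
    rule=$(make_rule "$3" "$4") || return 1
    { printf '# %s\n' "$desc"; printf '%s\n' "$rule"; } > "$file"
}
```

Run it as write_rule_file 46-allow-telnet.rule "Allow incoming telnet" tcp 23 to reproduce the two-line file from Option #1; a non-zero exit status means no file was written.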