How to Configure iptables Rules for Outgoing TCP Connections to a Specific Port


When your iptables OUTPUT chain has a default DROP policy, every outgoing packet that no rule explicitly accepts is silently dropped. That is why the telnet attempt to port 2194 on myserver2.com ends in a timeout rather than a "connection refused": the SYN never leaves server1, so no reply ever comes back.

# Current problematic OUTPUT chain:
Chain OUTPUT (policy DROP)
...

Add a rule that accepts the outgoing connection. Use -I (insert at the top of the chain) rather than -A when the chain already ends with a terminating rule such as a jump to a logging/drop chain, because a rule appended after that jump is never evaluated. The replies from the server come back through the INPUT chain, whose policy is also DROP, so INPUT needs a matching rule as well; a --sport 2194 rule in OUTPUT would only match a local service listening on port 2194, not those replies:

iptables -I OUTPUT -p tcp --dport 2194 -m conntrack --ctstate NEW -j ACCEPT
iptables -I INPUT -p tcp --sport 2194 -m conntrack --ctstate ESTABLISHED -j ACCEPT

For a more secure approach that only allows your specific server IP:

iptables -I OUTPUT -p tcp -d 123.123.123.98 --dport 2194 -m conntrack --ctstate NEW -j ACCEPT
iptables -I INPUT -p tcp -s 123.123.123.98 --sport 2194 -m conntrack --ctstate ESTABLISHED -j ACCEPT

After applying the rules, retest with:

telnet myserver2.com 2194
# Or for better debugging:
nc -zv myserver2.com 2194

Rules added with the iptables command exist only in the running kernel; save them so they survive a reboot (the method varies by distribution):

# CentOS/RHEL 6 (on 7 and later this requires the iptables-services package):
service iptables save

# Debian/Ubuntu: iptables-save alone only writes a file that nothing reloads;
# install the iptables-persistent package, which restores this path at boot:
iptables-save > /etc/iptables/rules.v4

If OUTPUT jumps to a custom chain such as LOCALOUTPUT before its terminating rule, add the rules there instead, with the reply rule in the corresponding INPUT-side chain (LOCALINPUT):

iptables -A LOCALOUTPUT -p tcp --dport 2194 -m conntrack --ctstate NEW -j ACCEPT
iptables -A LOCALINPUT -p tcp --sport 2194 -m conntrack --ctstate ESTABLISHED -j ACCEPT

When attempting to establish a TCP connection from server1 to server2 on port 2194 using telnet, we encounter a timeout error:

root@server1 [~]# telnet myserver2.com 2194
Trying 123.123.123.98...
telnet: connect to address 123.123.123.98: Connection timed out
telnet: Unable to connect to remote host: Connection timed out

The iptables configuration shows restrictive policies, with both INPUT and OUTPUT chains set to DROP by default:

Chain INPUT (policy DROP)
...
Chain OUTPUT (policy DROP)

The existing setup includes custom chains (LOCALINPUT, LOCALOUTPUT) and logging chains (LOGDROPIN, LOGDROPOUT), but lacks explicit rules for outbound connections to port 2194.

Chain OUTPUT (policy DROP)
...
Chain LOCALOUTPUT (1 references)
target     prot opt source               destination
...
Chain LOGDROPOUT (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

To allow connections from server1 to server2 on port 2194, add an ACCEPT rule either directly in the OUTPUT chain or in the LOCALOUTPUT chain that OUTPUT already jumps to. LOGDROPOUT is referenced once and drops everything sent to it; if that jump is the last rule in OUTPUT (the usual layout with these chains), the new rule must be inserted with -I ahead of it, because a rule appended with -A lands after the jump and is never evaluated. The replies from server2 arrive on INPUT, whose policy is also DROP, so INPUT needs an ESTABLISHED rule too (see the state-tracking rules below):

# Basic solution: allow new outbound TCP connections to port 2194, any destination
iptables -I OUTPUT -p tcp --dport 2194 -m conntrack --ctstate NEW -j ACCEPT

# More restrictive solution: only to the specific destination
iptables -I OUTPUT -p tcp -d 123.123.123.98 --dport 2194 -m conntrack --ctstate NEW -j ACCEPT

# If using custom chains (recommended for better organization); appending is
# fine here provided OUTPUT jumps to LOCALOUTPUT before it jumps to LOGDROPOUT
iptables -A LOCALOUTPUT -p tcp -d 123.123.123.98 --dport 2194 -m conntrack --ctstate NEW -j ACCEPT

Here's a more complete approach that uses connection tracking and logs what is still dropped. An ESTABLISHED rule in OUTPUT only covers packets server1 sends on connections that are already open; the packets server2 sends back are evaluated by INPUT, so both chains need one. The LOG rule only makes sense as the last rule in the chain, and if OUTPUT already ends with a jump to LOGDROPOUT that chain is doing the logging for you and the two trailing lines are unnecessary:

# Accept replies and related traffic in both directions (inserted at the top)
iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow new outbound connections to port 2194 (right after the rule above)
iptables -I OUTPUT 2 -p tcp -d 123.123.123.98 --dport 2194 -m conntrack --ctstate NEW -j ACCEPT

# Optional: log dropped outbound packets for debugging. The limit keeps a
# chatty process from flooding syslog; the explicit DROP duplicates the chain
# policy but makes the intent visible in the rule listing.
iptables -A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "OUTPUT DROP: " --log-level 6
iptables -A OUTPUT -j DROP
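The script below is an added example, not part of the original page. It automates the positioning problem these rules run into: with the chain layout shown above, OUTPUT ends in a jump to LOGDROPOUT, which drops everything, so a rule appended with -A is never reached. The script reads an `iptables -S OUTPUT` listing, finds the rule number of that jump, and emits idempotent commands that insert the new-connection rule ahead of it and accept the replies on INPUT. The embedded listing is constructed for the dry run (it is not output captured from the page's server), the jump target LOGDROPOUT is assumed from the chains the page lists, and 123.123.123.98:2194 is the page's own example destination. By default it only prints the commands; set APPLY=1 and run as root to execute them against the live ruleset.

```shell
#!/bin/sh
# Added example, not from the original page.  Assumes the chain layout shown on
# the page: OUTPUT ends with a jump to LOGDROPOUT, which drops everything.
# Rules appended with -A would land after that jump and never match, so the
# script computes the jump's rule number and inserts in front of it.

# Constructed sample of `iptables -S OUTPUT` used for the dry run (not real
# output captured from the page's server).
SAMPLE_OUTPUT='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j LOCALOUTPUT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -j LOGDROPOUT'

# jump_position LISTING TARGET
# Prints the 1-based rule number of the first rule in LISTING that jumps to
# TARGET, or 0 when there is no such rule (the chain then just ends at its
# policy and appending is safe).  "-P" lines are policies, not rules, so they
# are not counted.
jump_position() {
    printf '%s\n' "$1" | awk -v target="$2" '
        /^-A / { n++ }
        /^-A / && $(NF-1) == "-j" && $NF == target { print n; found = 1; exit }
        END { if (!found) print 0 }'
}

# build_commands DEST PORT LISTING
# Emits one guarded iptables command per line.  The OUTPUT rule accepts only
# NEW connections to DEST:PORT and is inserted ahead of the LOGDROPOUT jump;
# the replies come back on INPUT with source port PORT, so a conntrack
# ESTABLISHED rule is added there.  Each command first checks with
# `iptables -C` so running the script twice does not duplicate rules.
build_commands() {
    dest=$1; port=$2; listing=$3
    pos=$(jump_position "$listing" LOGDROPOUT)
    out_rule="-p tcp -d $dest --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    if [ "$pos" -gt 0 ]; then
        echo "iptables -C OUTPUT $out_rule 2>/dev/null || iptables -I OUTPUT $pos $out_rule"
    else
        echo "iptables -C OUTPUT $out_rule 2>/dev/null || iptables -A OUTPUT $out_rule"
    fi
    in_rule="-p tcp -s $dest --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    echo "iptables -C INPUT $in_rule 2>/dev/null || iptables -I INPUT 1 $in_rule"
}

if [ "${APPLY:-0}" = 1 ]; then
    # Live mode: read the real chain and execute the generated commands (root).
    build_commands 123.123.123.98 2194 "$(iptables -S OUTPUT)" | sh -e
else
    # Dry run against the constructed listing: just show what would be done.
    build_commands 123.123.123.98 2194 "$SAMPLE_OUTPUT"
fi
```

In the dry run the OUTPUT rule is inserted at position 4, directly in front of the LOGDROPOUT jump, and the INPUT rule goes to position 1. The `iptables -C` guard is what makes the script safe to re-run from a provisioning tool; without it every run would add another copy of each rule.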

After implementing the rules, verify the connection works:

telnet myserver2.com 2194
# Or for more detailed testing:
nc -zv myserver2.com 2194

Check the iptables counters to confirm the rules are being hit. The pkts column of the new rule should increase with every connection attempt; if it stays at zero while the LOGDROPOUT counter keeps rising, the rule sits after the terminating jump and is never reached:

iptables -L OUTPUT -n -v --line-numbers
iptables -L LOCALOUTPUT -n -v --line-numbers
iptables -L INPUT -n -v --line-numbers

When opening outbound ports, consider these additional restrictions. Note that -m limit counts every packet the rule matches, so a plain --dport 2194 limit would also throttle the data packets of an already open session and, once the bucket is empty, drop them into the chain's DROP policy. Match only connection attempts (--syn) and keep the ESTABLISHED rule above it:

# Limit the rate of new connection attempts; attempts beyond the limit fall
# through to the chain's DROP policy
iptables -I OUTPUT -p tcp --syn --dport 2194 -m limit --limit 10/min --limit-burst 5 -j ACCEPT

# Restricting to a specific source IP (if server1 has multiple addresses)
iptables -I OUTPUT -p tcp -s 123.123.123.97 -d 123.123.123.98 --dport 2194 -m conntrack --ctstate NEW -j ACCEPT