I have two servers. The program on the first needs to communicate with the second on port 2194.

I know it's not working, because when I do:

root@server1 [~]# telnet myserver2.com 2194
Trying 123.123.123.98...
telnet: connect to address 123.123.123.98: Connection timed out
telnet: Unable to connect to remote host: Connection timed out

server1# iptables -L -n

Chain INPUT (policy DROP)
...
...

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
...

Chain LOCALINPUT (1 references)
target     prot opt source               destination
...

Chain LOCALOUTPUT (1 references)
target     prot opt source               destination
...

Chain LOGDROPIN (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain LOGDROPOUT (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
siliconpi
  • But it works when you do telnet localhost 2194 on server1? What about telnet server1spublicip 2194 from server1? – Geraint Jones Sep 22 '10 at 07:17
  • telnet localhost 2194 on server2 works. telnet server2ipaddress 2194 on server2 works as well. – siliconpi Sep 22 '10 at 07:23
  • Can you do iptables -L -n on both servers, and tell me if you get more than the following (I don't want to see your rules etc. ;-)): Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination – Geraint Jones Sep 22 '10 at 07:26
  • Hello! See the edit please... – siliconpi Sep 22 '10 at 07:30

2 Answers

To allow outgoing connections from server1 to server2 on TCP port 2194, use this on server1:

iptables -A OUTPUT -p tcp -d <server2ip> --dport 2194 -j ACCEPT

To allow incoming connections from server1 to server2 on TCP port 2194, use this on server2:

iptables -A INPUT -p tcp -s <server1ip> --dport 2194 -j ACCEPT
Massimo
  • Crap - I did the first, didn't work. I did the second, that didn't work either... I may have very restrictive settings in place... see the edit earlier – siliconpi Sep 22 '10 at 08:10
  • Try using "-I" instead of "-A"; this puts the new rules *above* all other ones that may already be in place. – Massimo Sep 22 '10 at 08:18
  • Should I be doing anything different if the application actually uses the domain name, rather than the IP address directly? – siliconpi Sep 22 '10 at 09:26
  • Woah... am able to telnet from the prompt just by doing the first statement... – siliconpi Sep 22 '10 at 09:28
  • It's minus-I as in "i" for folks who might read that as an L – siliconpi Sep 22 '10 at 10:09
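Why "-I" worked where "-A" did not, as an added example that is not part of the question or either answer: a small shell helper that walks an iptables -S style listing in rule order and reports whether an ACCEPT for a given port is ever reached before an unconditional rule swallows the packet. The three chain listings are constructed for this example; the "-j LOGDROPOUT" catch-all mirrors the LOGDROPOUT chain shown in the question, and 123.123.123.98 is the server2 address from the telnet output.

```shell
#!/bin/sh
# Constructed iptables -S style listing of an OUTPUT chain like server1's:
# policy DROP, a jump to the LOGDROPOUT catch-all chain, and an ACCEPT for
# port 2194 appended with -A, so it lands *after* the catch-all.
APPENDED='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j LOGDROPOUT
-A OUTPUT -p tcp -d 123.123.123.98 --dport 2194 -j ACCEPT'

# Same chain after inserting the rule with -I: it is now evaluated first.
INSERTED='-P OUTPUT DROP
-A OUTPUT -p tcp -d 123.123.123.98 --dport 2194 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j LOGDROPOUT'

# Chain with a DROP policy and no rule for the port at all (constructed).
NORULE='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT'

# rule_reaches_port LISTING PORT
# Walks the rules top to bottom, as netfilter does, and reports whether a
# "--dport PORT -j ACCEPT" rule is reached before a rule with no match
# criteria (e.g. "-j LOGDROPOUT" or "-j DROP") decides the packet's fate.
rule_reaches_port() {
  printf '%s\n' "$1" | awk -v port="$2" '
    /^-P / { next }                      # chain policy line, not a rule
    NF == 4 && $3 == "-j" {              # "-A CHAIN -j TARGET": matches everything
      if ($4 == "ACCEPT") found = 1; else shadow = $4
      exit                               # exit still runs the END block
    }
    /--dport/ && /-j ACCEPT/ {
      for (i = 1; i < NF; i++)
        if ($i == "--dport" && $(i + 1) == port) { found = 1; exit }
    }
    END {
      if (found)       print "reachable"
      else if (shadow) print "shadowed by " shadow
      else             print "no rule (policy applies)"
    }'
}

printf 'appended with -A: %s\n' "$(rule_reaches_port "$APPENDED" 2194)"
printf 'inserted with -I: %s\n' "$(rule_reaches_port "$INSERTED" 2194)"
printf 'no rule:          %s\n' "$(rule_reaches_port "$NORULE" 2194)"
```

On a live host the same check can be run against real output by passing "$(iptables -S OUTPUT)" as the first argument.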
Just a few pointers

Is the service you are running listening only on localhost? Run

netstat -ltn

If you see a line like 0.0.0.0:2194 then you are ok. If you see 127.0.0.1:2194 then you are listening only on local connections (or :::2194 and ::1:2194 respectively for IPv6 addresses, shown as tcp6 lines).

What are the current iptables rules?

iptables -L

Is the policy DROP/REJECT (if it isn't, it should be, for all chains)? Is there a specific rule for the port you need?

If it is a firewall issue, then either modifying the offending rule or adding a rule like

iptables -A INPUT -p tcp --dport 2194 -j ACCEPT

should do the trick (untested).

=== EDIT ===

To test network issues, a good tool is tcpdump. Run it on both servers while trying to connect and see where the packets are going, e.g. on server 1 run:

tcpdump -i eth0 -n host server2.com

and on server 2 run:

tcpdump -i eth0 -n host server1.com

Then try to connect. You should see all TCP packets dumped on the screen, from the source and destination. With this info you should be able to pinpoint where the issue is.

Dan Andreatta