
I ran sudo iptables -A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT in bash and then tried to connect to that machine from another machine on the same LAN / subnet via port 2222 with PuTTY, and it didn't work.

Maybe I need to restart iptables after I add the rule for it to take effect? If so, how would I do that?

Here's the output of iptables -S:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-4f5770ea8905 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-4f5770ea8905 -j DOCKER
-A FORWARD -i br-4f5770ea8905 ! -o br-4f5770ea8905 -j ACCEPT
-A FORWARD -i br-4f5770ea8905 -o br-4f5770ea8905 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-4f5770ea8905 -o br-4f5770ea8905 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-4f5770ea8905 -o br-4f5770ea8905 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-4f5770ea8905 -o br-4f5770ea8905 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.7/32 ! -i br-4f5770ea8905 -o br-4f5770ea8905 -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER -d 172.18.0.8/32 ! -i br-4f5770ea8905 -o br-4f5770ea8905 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.18.0.10/32 ! -i br-4f5770ea8905 -o br-4f5770ea8905 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-4f5770ea8905 -o br-4f5770ea8905 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-4f5770ea8905 ! -o br-4f5770ea8905 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-4f5770ea8905 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

Here's the output of sudo iptables --line-numbers -L INPUT:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2222
neubert
  • This answer from several years back is still valid today. Generally, if you want something to take effect immediately, ufw is the tool you need. It will record the rule change to iptables and apply quietly in the background. – matigo Aug 22 '21 at 14:29
  • Yes, added iptables rules take effect immediately. We would need your entire iptables rule set posted to be able to try to help further. But, it might be that you need to insert, rather than append, that rule at an earlier stage. – Doug Smythies Aug 22 '21 at 15:36
  • @DougSmythies - I added the entire iptables rule set. Thanks! – neubert Aug 22 '21 at 18:34
  • @matigo - I tried sudo ufw allow 2222 without success. I'll read that answer iab - gotta go run some quick errands. Thanks! – neubert Aug 22 '21 at 18:38
  • Your iptables rule set is not the problem. Are you sure that computer is listening on port 2222? – Doug Smythies Aug 22 '21 at 19:14

1 Answer


Yes, adding rules via the iptables command takes effect immediately.

Presumably you want to add an ACCEPT rule for the port because you want to override a rule that blocks all or most ports.

However, you have added the rule with -A which would append the rule to the table. Since you already have a blocking rule (using something like DROP or REJECT), the new rule would be added after that, making it ineffective.

If you want this to work, you need to either insert the rule (-I #) before the blocking rule, or add the rule to the correct position in a config file and reload all rules. (Or use something like ufw or firewalld to do this for you). You can get a numbered list of rules with iptables --line-numbers -L INPUT and insert your new rule at or before the position of your blocking rule.

If the assumption that you have a blocking rule is wrong, then you need to go back and check if anything even has the port open. You can use netstat -nl | grep 2222 or ss -nlt | grep 2222 and if it isn't listed, then there is nothing listening on the port.

From the output you added to your question, the INPUT table is basically empty (except for your accept rule) and -P INPUT ACCEPT says accept anything that doesn't match rules in the input table.

user10489
  • Here's my sudo iptables -S output: https://pastebin.com/4We0DhaP . Nothing looks like a blocking rule to me but I'm afraid to say that I really don't know iptables very well. – neubert Aug 22 '21 at 18:30
  • sudo iptables --line-numbers -L INPUT returns https://pastebin.com/VcVveE8W – neubert Aug 22 '21 at 18:31
  • It looks like you don't have any blocking rules on input and the port you are trying to open in the firewall is already open. I think you are fixing the wrong problem, and you need to explain what you are trying to accomplish instead. Probably nothing is listening on the port. – user10489 Aug 22 '21 at 19:29