UPDATE
As Khaled suggested, I changed my netstat command
netstat -lnp | grep 3899
tcp 0 0 :::3899 :::* LISTEN 10333/sshd
So shouldn't it be listening?
I changed my ssh port on my CentOS 5.5 box to 3899. But I can't seem to log in remotely to it. I have done this before but the last time, I didn't need to make any other changes to make it work.
iptables -L | grep 3899
[empty response]
iptables -L | grep 22
[empty response]
iptables -L | grep ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
Yes, you probably need to adjust your firewall rules. To see your current rules:
If you see a bunch of ACCEPT rules and a REJECT rule at the end, that means your host is blocking all incoming connections except the specified ones.
I think you can use the system-config-securitylevel menu-based tool to open custom ports. Run that program in a terminal and choose the 'customize' button. Add 3899:tcp to the other ports list and save your changes. I'm not sure if system-config-securitylevel takes port numbers instead of service names. If specifying the port number in that tool doesn't work, you can try adding your custom 'myssh' service name to /etc/services and then using that name in system-config-securitylevel.
You can run
from an outside machine to scan your system to determine which ports are open.
Another way to make this change is to hand edit /etc/sysconfig/iptables, and copy the existing ssh entry to another entry right below it, but change the port from ssh to 3899. Note that it's easy to screw up your firewall config by hand-editing the iptables file, so be very cautious if you go this route. After you make changes, reboot the machine, or run /etc/init.d/iptables restart to load your changes.
Run this and it should add an entry to allow connecting to port 3899:
iptables -I INPUT -p tcp --dport 3899 -j ACCEPT
Your post does not show what the default policy for the INPUT chain is, or what the other rules are.
Copy and paste here the output of
iptables-save
and netstat -nlp
then we will know all the details needed to help you.
The answer is probably yes -- if your iptables rules are active, the destination port SSH (dpt:ssh) rule only covers port 22 -- the standard SSH port as assigned by IANA & listed in /etc/services.
You will need to change that rule to allow traffic to port 3899 (or whatever your new SSH port is). On CentOS I believe the iptables rules are located in
/etc/sysconfig/iptables
1. You need to make sure that the SSH daemon is really listening on the new port using netstat -lnp | grep 3899.
2. Also, you need to check your firewall settings. Allow the new port to pass through.
If you are getting a connection refused error, then you have a problem in point 1. If you are getting a connection timeout error, then you have a problem in point 2.
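The two checks from the answer above, run offline against saved netstat -lnp and iptables-save text (iptables-save prints ports numerically, so the stock SSH rule shows as 22 rather than ssh). This is an added example, not part of the original thread; the sample data, the RH-Firewall-1-INPUT chain layout and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data (not taken from the poster's machine).
SAMPLE_NETSTAT='tcp        0      0 :::3899        :::*        LISTEN      10333/sshd'
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Point 1: is a daemon listening on TCP port $1?  ($2 = netstat -lnp text)
is_listening() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit !found }'
}

# Point 2: does the firewall let new TCP connections to port $1 in?  ($2 = iptables-save text)
# Assumptions: rules are evaluated in file order (one chain hooked from INPUT, as in the
# sample), and extra matches such as -s or -i on a --dport rule are not evaluated.
firewall_verdict() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /^:INPUT / { policy = $2 }
        /^-A / && !verdict {
            # A REJECT/DROP with no match conditions stops everything after it.
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) { verdict = "blocked"; next }
            tcp = dport = accept = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-p" && $(i+1) == "tcp") tcp = 1
                if ($i == "--dport" && $(i+1) == p) dport = 1
                if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
            }
            if (tcp && dport && accept) verdict = "allowed"
        }
        END {
            if (!verdict) verdict = (policy == "ACCEPT") ? "allowed" : "blocked"
            print verdict
        }'
}

# Run both checks in the order the answer lists them.
diagnose() {  # $1 = port, $2 = netstat -lnp text, $3 = iptables-save text
    if ! is_listening "$1" "$2"; then echo "not-listening"; return; fi
    if [ "$(firewall_verdict "$1" "$3")" = "blocked" ]; then echo "firewall-blocked"; return; fi
    echo "reachable"
}

diagnose 3899 "$SAMPLE_NETSTAT" "$SAMPLE_RULES"
```

On a live host, pass "$(netstat -lnp)" and "$(iptables-save)" as the second and third arguments instead of the samples.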
CentOS will use port 22 regardless of the use of dpt:ssh. You should manually open port 3899.
You can do this by running this command: