SIRIS, ALTO, and NAS: Setting up iptables on a Linux system to allow Linux Agent communication


Topic

This article explains how to verify that your Linux system has the correct iptables rules for communication with the Datto Linux Agent.

Environment

  • Datto Linux Agent

Description

The Datto Linux Agent requires ports 25567 inbound and 3260 outbound to be open on the machine backing up to the Datto device. You can find in-depth networking requirements for all Datto devices in our SIRIS, ALTO, and NAS: BCDR networking and bandwidth requirements article. For more information on particular networking requirements for the Datto Linux Agent, see SIRIS, ALTO, and NAS: Getting started with the Datto Linux Agent.

The Datto Linux Agent should automatically add the exception for port 25567 when it installs. If you are encountering issues with backups on a machine where you've installed the agent properly, you may need to adjust your firewall rules. 

To check iptables rules on your Linux server,

At the Linux command prompt, run sudo iptables -L.

If the Linux agent has added the rule for port 25567 inbound, the output should look something like this:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:25567 ctstate NEW
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Your output may not look exactly like the output above, depending on the Linux distribution and on how the rule was added (manually with different options, or by another program).

Allowing 25567 inbound

To manually insert a rule to accept traffic inbound to port 25567 into iptables,

1. At the Linux command prompt, run:

sudo iptables -I [IP table chain name here, usually "INPUT" or "IN_public_allow", use the output of "iptables -L" to check] -p tcp -m tcp --dport 25567 -m conntrack --ctstate NEW -j ACCEPT

Example:

sudo iptables -I INPUT -p tcp -m tcp --dport 25567 -m conntrack --ctstate NEW -j ACCEPT

2. Run sudo iptables-save after adding the rule to make the rule persistent.

The -I flag in the command places this rule at the beginning of the list of iptables rules for Linux to evaluate (so the traffic is accepted without any other rules interfering).

3. After you've added the rule, run sudo iptables-save.

4. Run sudo iptables -L again to verify the rule was added. To verify the port is open (as opposed to "Closed" or "Filtered"), try using nmap from the Datto device to the agent's IP address for port 25567.

Allowing 3260 outbound

To insert a rule to allow port 3260 outbound,

1. At the Linux command prompt, run:

sudo iptables -A [IP table chain name here, usually "OUTPUT" or "OUTPUT_direct", use the output of "iptables -L" to check] --dst [datto deviceID IP] -p TCP --dport 3260 -j ACCEPT

Example:

sudo iptables -A OUTPUT --dst 192.168.100.10 -p TCP --dport 3260 -j ACCEPT

2. Run sudo iptables-save after adding the rule to make the rule persistent.
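
Whether a rule is inserted with -I or appended with -A matters because iptables acts on the first rule that matches. The following is an added example, not part of the original article or Datto's tooling: it reads iptables -S output and reports which verdict a new TCP connection to a port would get. The verdict function and the SAMPLE_RULES ruleset are constructed for illustration, and the checker ignores addresses and skips rules with matches it does not model.

```shell
#!/bin/sh
# Added example (not from the Datto article): predict what a chain does with a
# NEW TCP connection to a port, honouring iptables first-match-wins ordering.

# verdict CHAIN PORT   (reads `iptables -S` text on stdin)
# Prints the target of the first terminating rule that matches, else the policy.
# Assumptions: source/destination addresses are ignored; rules carrying matches
# not modelled here (-i, -o, non-NEW ctstate, port ranges, ...) and jumps to
# user-defined chains are skipped rather than evaluated.
verdict() {
  awk -v chain="$1" -v port="$2" '
    $1 == "-P" && $2 == chain { policy = $3 }
    $1 == "-A" && $2 == chain && !done {
      target = ""; proto = ""; dport = ""; other = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-j") { target = $(i + 1); break }  # target options follow
        else if ($i == "-p") proto = $(++i)
        else if ($i == "--dport") dport = $(++i)
        else if ($i == "-m" || $i == "-s" || $i == "-d") i++  # skip argument
        else if ($i == "--ctstate") { if ($(++i) !~ /NEW/) other = 1 }
        else other = 1                                # unmodelled match
      }
      if (!other && (proto == "" || proto == "tcp") &&
          (dport == "" || dport == port) &&
          target ~ /^(ACCEPT|DROP|REJECT)$/) { result = target; done = 1 }
    }
    END { print (done ? result : policy) }'
}

# Constructed sample ruleset: the 25567 rule was appended after a catch-all
# REJECT, so it is never reached; the 3260 rule sits ahead of the DROP policy.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 25567 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.168.100.10/32 -p tcp -m tcp --dport 3260 -j ACCEPT'

printf 'INPUT  tcp/25567 -> %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | verdict INPUT 25567)"
printf 'OUTPUT tcp/3260  -> %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | verdict OUTPUT 3260)"
```

On a live host, feed it the real ruleset instead of the sample, for example: sudo iptables -S | verdict INPUT 25567.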
