Setting up iptables on a Linux system to allow Linux agent communication

Scope

The Datto Linux Agent requires ports 25567 inbound and 3260 outbound to be open on the machine backing up to the Datto device.

If you are encountering issues with backups on a machine where the agent is installed properly, you may need to adjust your firewall rules.

Procedure

The Datto Linux Agent should automatically add the exception for port 25567 when it installs.

To check iptables rules, run:

iptables -L

If the rule for port 25567 inbound has been added, the output should look something like this:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:25567 ctstate NEW
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Note that the rule may not look exactly like the output above depending on the Linux distribution and how it was added (manually with different options or by another program).

Allowing 25567 inbound

To manually insert a rule to accept traffic inbound to port 25567 into iptables, run:

sudo iptables -I [IP table chain name here, usually "INPUT" or "IN_public_allow", use the output of "iptables -L" to check] -p tcp -m tcp --dport 25567 -m conntrack --ctstate NEW -j ACCEPT

Example:

sudo iptables -I INPUT -p tcp -m tcp --dport 25567 -m conntrack --ctstate NEW -j ACCEPT

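Run iptables-save after adding the rule to make the rule persistent. On its own, iptables-save only prints the current rule set to standard output; for the rule to survive a reboot, that output must be written to the rules file your distribution restores at boot.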

The -I flag in the command inserts this rule at the beginning of the specified chain, so it is evaluated before any other rule in that chain and the traffic is accepted without other rules interfering.

After you've added the rule, run iptables-save, then run iptables -L again to verify the rule was added. To verify the port is open (as opposed to "Closed" or "Filtered"), try using nmap from the Datto device to the agent IP for port 25567.

Allowing 3260 outbound

To add a rule allowing port 3260 outbound, run the following (the -A flag appends the rule to the end of the chain):

iptables -A [IP table chain name here, usually "OUTPUT" or "OUTPUT_direct", use the output of "iptables -L" to check] --dst [Datto device IP] -p TCP --dport 3260 -j ACCEPT

Example:

iptables -A OUTPUT --dst 192.168.100.10 -p TCP --dport 3260 -j ACCEPT

Run iptables-save after adding the rule to make the rule persistent.
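
Rule order decides whether these exceptions take effect: a rule inserted with -I is evaluated first, while a rule appended with -A can land after a blanket DROP or REJECT. The shell function below is an added example, not part of the original article or Datto's tooling; it reads iptables -S output and reports whether the ACCEPT rule for a port is present and whether an earlier blanket rule shadows it. The names rule_status and sample_rules and the sample rule set are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Datto code. Reads `iptables -S` output on stdin and
# prints the state of the ACCEPT rule for a TCP destination port in a chain:
#   ok        an ACCEPT rule exists and no blanket DROP/REJECT precedes it
#   shadowed  an ACCEPT rule exists but sits after a blanket DROP/REJECT
#   missing   the chain has no ACCEPT rule for that port
rule_status() {   # usage: rule_status CHAIN PORT < rules
    awk -v chain="$1" -v port="$2" '
        $1 != "-A" || $2 != chain { next }   # keep only rules of this chain
        {
            line = " " $0 " "
            # Blanket rule: nothing between the chain name and -j.
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) blocked = 1
            if (index(line, " -p tcp ") &&
                index(line, " --dport " port " ") &&
                index(line, " -j ACCEPT ")) {
                print (blocked ? "shadowed" : "ok"); found = 1; exit
            }
        }
        END { if (!found) print "missing" }
    '
}

# Constructed sample in `iptables -S` format (not captured from a real host).
sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 25567 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -d 192.168.100.10/32 -p tcp -m tcp --dport 3260 -j ACCEPT
EOF
}

# On a real host: sudo iptables -S | rule_status INPUT 25567
sample_rules | rule_status INPUT 25567    # shadowed
sample_rules | rule_status OUTPUT 3260    # ok
```

A result of shadowed means the rule exists but never matches; re-adding it with -I, as in the inbound procedure above, places it ahead of the blanket rule.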

