5.08.2009

open port in iptables

Use iptables -L to list all the current rules:

[charles@test ~]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 6X-7X-2XX-2XX.adsl.static.giga.net.tw anywhere
ACCEPT all -- 6X-2XX-1XX-1XX.hinet-ip.hinet.net anywhere
ACCEPT all -- 1XX.5X.4X.X anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere state INVALID,NEW
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain icmpfilter (0 references)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere icmp type 16
ACCEPT icmp -- anywhere anywhere icmp address-mask-reply
[charles@test ~]$

Now, to open TCP port 2030, run:

$ sudo iptables -A INPUT -p tcp --dport 2030 -j ACCEPT

That still has no effect, because -A appends the rule to the end of the chain, and iptables walks a chain top to bottom and stops at the first rule that matches.
List again:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 6X-7X-2XX-2XX.adsl.static.giga.net.tw anywhere
ACCEPT all -- 6X-2XX-1XX-1XX.hinet-ip.hinet.net anywhere
ACCEPT all -- 1XX.5X.4X.X anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere state INVALID,NEW
DROP all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:device2
As you can see, it sits after the DROP all rule, so a new connection to 2030 is dropped before it ever reaches the ACCEPT. (-L prints the port by its /etc/services name, device2; add -n to see the number 2030, and --line-numbers to see each rule's position in the chain.)
You have to "insert" it at a position above the DROP rules for it to work:

$ sudo iptables -I INPUT 6 -p TCP --dport 2030 -j ACCEPT

Now the listing shows:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 6X-7X-2XX-2XX.adsl.static.giga.net.tw anywhere
ACCEPT all -- 6X-2XX-1XX-1XX.hinet-ip.hinet.net anywhere
ACCEPT all -- 1XX.5X.4X.X anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:device2
DROP all -- anywhere anywhere state INVALID,NEW
DROP all -- anywhere anywhere
You can see it was inserted before the DROP rules (it is actually rule 6). The dead copy appended in the previous step no longer appears in this listing; if yours is still there, remove it with iptables -D INPUT -p tcp --dport 2030 -j ACCEPT.

That opens port 2030, to every source address. The rule lives only in the running kernel: save the rule set (iptables-save) or it is gone after a reboot.
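Hard-coding "6" in the -I command breaks as soon as a rule is added above it. The script below is an added example, not part of the original post: it reads the text of iptables -L INPUT -n --line-numbers, finds the first DROP rule, and builds an -I command that lands just above it, optionally restricted to a source network. The chain listing and the 192.0.2.x / 198.51.100.x addresses are constructed placeholders standing in for the masked hosts in the post; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): pick the insert position for an
# ACCEPT rule so it lands above the first DROP in INPUT, instead of hard-coding 6.
# Operates on the text of `iptables -L INPUT -n --line-numbers`.

# Constructed sample output of: sudo iptables -L INPUT -n --line-numbers
# (addresses are placeholders mirroring the chain shown in the post)
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  192.0.2.10           0.0.0.0/0
2    ACCEPT     all  --  192.0.2.11           0.0.0.0/0
3    ACCEPT     all  --  198.51.100.5         0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
6    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
7    DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# first_drop_rulenum CHAIN_LISTING
# Prints the rule number of the first DROP rule. If the chain has no DROP at all,
# prints one past the last rule, so the new rule simply goes at the end.
first_drop_rulenum() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ { last = $1; if ($2 == "DROP" && !found) found = $1 }
        END { print (found ? found : last + 1) }
    '
}

# insert_cmd CHAIN_LISTING PORT [SOURCE_CIDR]
# Prints the iptables command that inserts ACCEPT for tcp/PORT directly above the
# first DROP. The optional source CIDR narrows who may reach the port; without it
# the rule, like the one in the post, accepts the port from anywhere.
insert_cmd() {
    listing=$1; port=$2; src=${3:-}
    pos=$(first_drop_rulenum "$listing")
    if [ -n "$src" ]; then
        printf 'iptables -I INPUT %s -p tcp -s %s --dport %s -j ACCEPT\n' "$pos" "$src" "$port"
    else
        printf 'iptables -I INPUT %s -p tcp --dport %s -j ACCEPT\n' "$pos" "$port"
    fi
}

# Stand-alone run: show the command computed for the sample chain.
insert_cmd "$SAMPLE_INPUT_CHAIN" 2030

# Against the live chain (needs root), then verify with a numbered, numeric listing
# and persist, since the running rule set does not survive a reboot on its own:
#   cmd=$(insert_cmd "$(sudo iptables -L INPUT -n --line-numbers)" 2030 198.51.100.0/24)
#   eval "sudo $cmd" && sudo iptables -L INPUT -n --line-numbers
#   sudo iptables-save > /etc/iptables.rules
```

Because the position is computed from the live listing each time, the rule always ends up above the DROP rules regardless of how many ACCEPT lines precede them. Pass a source CIDR whenever the service does not genuinely need to be reachable from the whole Internet.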
