Setting up iptables on a Linux system to allow Linux Agent communication
Topic
This article explains how to verify that you have the correct iptables rules on your Linux system for communication with the Datto Linux Agent.
Environment
- Datto Linux Agent
Description
The Datto Linux Agent requires port 25567 inbound and ports 3260 and 3262 outbound to be open on the protected machine. In-depth networking requirements for all Datto devices can be found in the Unified Backup Networking and Bandwidth Requirements article. For more information on the particular networking requirements of the Datto Linux Agent, see Getting started with the Datto Linux Agent.
The Datto Linux Agent should automatically add the exception for port 25567 when it installs. If you are encountering issues with backups on a machine where you've installed the agent properly, you may need to adjust your firewall rules.
To check iptables rules on a Linux server
At the Linux command prompt, run:
sudo iptables -L
If the Linux agent has added the rule for port 25567 inbound, the output should look something like this:
EXAMPLE
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:25567 ctstate NEW
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The output may not look exactly like the output above, depending on the Linux distribution and how the rule was added (manually with different options, or by another program).
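As an added example (not part of this article), the following POSIX shell script parses the text of "sudo iptables -L -n" and reports which of the three agent rules are missing. It assumes the default chain names INPUT and OUTPUT, and uses -n so that ports print numerically (without -n, 3260 can appear under its /etc/services name, iscsi-target, which a search for the port number would miss).

```shell
#!/bin/sh
# Added example, not from the Datto article: check `sudo iptables -L -n` output
# for the Datto Linux Agent rules. Assumes chains INPUT (inbound) and OUTPUT
# (outbound); adjust the specs below if your distribution uses other chains.

# has_rule CHAIN PORT   (reads `iptables -L -n` text on stdin)
# Exit 0 when CHAIN holds an ACCEPT rule for tcp with dpt:PORT, else 1.
has_rule() {
  awk -v chain="$1" -v port="$2" '
    /^Chain / { cur = $2; next }      # remember which chain we are inside
    cur == chain && $1 == "ACCEPT" && $2 == "tcp" && $0 ~ ("dpt:" port "( |$)") { found = 1 }
    END { exit found ? 0 : 1 }'
}

# missing_rules   (reads `iptables -L -n` text on stdin)
# Prints the CHAIN:PORT pairs that are not present, space separated
# (empty line when every rule is in place).
missing_rules() {
  input=$(cat)
  out=""
  for spec in INPUT:25567 OUTPUT:3260 OUTPUT:3262; do
    chain=${spec%%:*}; port=${spec##*:}
    printf '%s\n' "$input" | has_rule "$chain" "$port" || out="$out $spec"
  done
  printf '%s\n' "${out# }"
}

# Constructed sample output: the inbound rule is present, both outbound
# rules are absent (addresses are what -n prints for "anywhere").
SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25567 ctstate NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# On a real host run:  sudo iptables -L -n | missing_rules
printf '%s\n' "$SAMPLE" | missing_rules   # prints: OUTPUT:3260 OUTPUT:3262
```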
Allowing 25567 inbound
To manually insert a rule to accept traffic inbound to port 25567 into iptables:
At the Linux command prompt, run:
sudo iptables -I <ChainName> -p tcp -m tcp --dport 25567 -m conntrack --ctstate NEW -j ACCEPT
Substitute the iptables chain name for <ChainName>; this is usually "INPUT" or "IN_public_allow". Use the output of "iptables -L" to check.
EXAMPLE
sudo iptables -I INPUT -p tcp -m tcp --dport 25567 -m conntrack --ctstate NEW -j ACCEPT
The -I flag in the command places this rule at the beginning of the list of iptables rules for Linux to evaluate (so the traffic is accepted without any other rules interfering).
To make the rule persistent, run:
sudo iptables-save
Verify the rule was added:
sudo iptables -L
To verify the port is open (as opposed to "closed" or "filtered"), try using nmap from the Datto device to the agent IP for port 25567.
Allowing 3260 outbound
To insert a rule to allow port 3260 outbound:
At the Linux command prompt, run:
sudo iptables -A <ChainName> --dst <dattoLocalIP> -p TCP --dport 3260 -j ACCEPT
- Substitute the iptables chain name for <ChainName>; this is usually "OUTPUT" or "OUTPUT_direct". Use the output of "iptables -L" to check.
- Use the local IP address for the Datto Device on the LAN for <dattoLocalIP>.
EXAMPLE
sudo iptables -A OUTPUT --dst 192.168.100.10 -p TCP --dport 3260 -j ACCEPT
To make the rule persistent, run:
sudo iptables-save
Allowing 3262 outbound
To insert a rule to allow port 3262 outbound:
At the Linux command prompt, run:
sudo iptables -A <ChainName> --dst <dattoLocalIP> -p TCP --dport 3262 -j ACCEPT
- Substitute the iptables chain name for <ChainName>; this is usually "OUTPUT" or "OUTPUT_direct". Use the output of "iptables -L" to check.
- Use the local IP address for the Datto Device on the LAN for <dattoLocalIP>.
EXAMPLE
sudo iptables -A OUTPUT --dst 192.168.100.10 -p TCP --dport 3262 -j ACCEPT
To make the rule persistent, run:
sudo iptables-save