28

I have two servers. The program on the first needs to communicate with the second on port 2194.

I know it's not working, because when I do:

root@server1 [~]# telnet myserver2.com 2194
Trying 123.123.123.98...
telnet: connect to address 123.123.123.98: Connection timed out
telnet: Unable to connect to remote host: Connection timed out

server1# iptables -L -n

Chain INPUT (policy DROP)
...
...

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
...

Chain LOCALINPUT (1 references)
target     prot opt source               destination
...

Chain LOCALOUTPUT (1 references)
target     prot opt source               destination
...

Chain LOGDROPIN (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain LOGDROPOUT (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
siliconpi
  • 1,877

2 Answers

33

To allow outgoing connections from server1 to server2 on TCP port 2194, use this on server1:

iptables -A OUTPUT -p tcp -d <server2ip> --dport 2194 -j ACCEPT

To allow incoming connections from server1 to server2 on TCP port 2194, use this on server2:

iptables -A INPUT -p tcp -s <server1ip> --dport 2194 -j ACCEPT
Massimo
  • 72,827
7

Just a few pointers:

Is the service you are running listening only on localhost? Run

netstat -ltn

If you see a line like 0.0.0.0:2194 then you are ok. If you see 127.0.0.1:2194 then you are listening only on local connections (or :::2194 and ::1:2194 respectively for IPv6 addresses, shown as tcp6 lines).

What are the current iptables rules?

iptables -L

Is the policy DROP/REJECT (if it isn't it should be, for all chains)? Is there a specific rule for the port you need?

If it is a firewall issue, then either modifying the offending rule or adding a rule like

iptables -A INPUT -p tcp --dport 2194 -j ACCEPT

should do the trick (untested).

=== EDIT ===

To test network issues, a good tool is tcpdump. Run it on both servers while trying to connect and see where the packets are going. e.g. on server 1 run:

tcpdump -i eth0 -n host server2.com

and on server 2 run:

tcpdump -i eth0 -n host server1.com

Then try to connect. You should see all TCP packets dumped on the screen, from the source and destination. With this info you should be able to pinpoint where the issue is.
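One detail worth checking in the question's listing before trusting an added rule: the OUTPUT chain jumps into LOGDROPOUT, which drops everything, so a rule appended with `-A` lands after that jump and is never reached, whereas the same rule inserted first with `-I` works. The following is an added example (not code from either answer): a small evaluator for `iptables -L -n` output, run on a constructed listing shaped like the question's, that walks a chain the way netfilter does (first terminating match wins, jumps into user-defined chains are followed) and compares the appended rule with the inserted one.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample shaped like the question's listing, with the first answer's ACCEPT
# rule appended (-A) to OUTPUT, so it lands after the jump into the LOGDROPOUT chain.
SAMPLE = """\
Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
LOGDROPOUT all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            123.123.123.98       tcp dpt:2194
Chain LOGDROPOUT (1 references)
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)")

def parse_listing(text):
    """Return {chain: [policy or None, [(target, proto, dst, dport), ...]]}."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chains[(cur := m.group(1))] = [m.group(2), []]   # user chains have no policy
            continue
        f = line.split()
        if cur is None or len(f) < 5 or f[0] == "target":
            continue                             # header, blank or "..." line
        dp = re.search(r"dpt:(\d+)", line)
        chains[cur][1].append((f[0], f[1], f[4], int(dp.group(1)) if dp else None))
    return chains

def verdict(chains, chain, dst_ip, dport, proto="tcp"):
    """Walk `chain` as netfilter does: first terminating match wins, jumps are followed."""
    policy, rules = chains[chain]
    for target, rproto, dst, rdport in rules:
        if rproto not in ("all", proto) or rdport not in (None, dport) \
                or ip_address(dst_ip) not in ip_network(dst):
            continue                             # rule does not match this packet
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains:                     # jump into a user-defined chain
            inner = verdict(chains, target, dst_ip, dport, proto)
            if inner is not None:                # None: that chain ended, carry on here
                return inner
    return policy                                # None for a user chain

def check_fix(listing=SAMPLE):
    # Verdict for server1 -> 123.123.123.98:2194 with the rule appended, then moved first.
    chains = parse_listing(listing)
    appended = verdict(chains, "OUTPUT", "123.123.123.98", 2194)
    chains["OUTPUT"][1].insert(0, chains["OUTPUT"][1].pop())  # what `iptables -I OUTPUT` does
    return appended, verdict(chains, "OUTPUT", "123.123.123.98", 2194)
```

`check_fix()` returns `("DROP", "ACCEPT")`: the appended rule is shadowed by the LOGDROPOUT jump, the inserted one takes effect. The same evaluator works on the INPUT side of server2 by pasting its own `iptables -L -n` output in place of the constructed sample.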