iptables rules for iscsi initiator

Question

I need to configure iptables on my client (iscsi-initiator). From tcpdump, I can see that the server (iscsi target) sends tcp from port 3260.

So I have added following iptables rule on my client (where 10.1.212.51 is the iscsi target):

-A INPUT -i eth1  -s 10.1.212.51  -p  tcp  -m tcp  --dport 3260  -j ACCEPT

but iscsi does not work with this rule. Only after I allow all ports, does it work:

-A INPUT -i eth1  -s 10.1.212.51  -p  tcp  -m tcp   -j ACCEPT

Thus my question is, does iscsi need some other port as well?

score 5 · Accepted Answer · answered Oct 31 '13 at 14:45

5

If the server is sending from port 3260, then you want the client to allow traffic from port 3260. This is indicated by marking 3260 as the source port (sport). In the rule you posted, you specified 3260 as the destination port (dport).

Changing the rule to

-A INPUT -i eth1  -s 10.1.212.51  -p  tcp  -m tcp  --sport 3260  -j ACCEPT

should work.

answered Oct 31 '13 at 14:45

checarlos87

66
3

you are right, of course. I should have noticed this myself. How embarrassing. Thanks. – Martin Vegter Oct 31 '13 at 14:51

iptables rules for iscsi initiator

1 Answers1