Network Port Service Control
Open Ports
For development and remote maintenance, the following TCP ports are open:
| Port | Protocol (typical) | Description |
|---|---|---|
| 22 | TCP | SSH: secure remote login, maintenance, debugging, and file transfer (SCP/SFTP). |
| 3389 | TCP | RDP: Windows Remote Desktop; on the board this is often xrdp or similar. |
| 5900 | TCP | VNC: graphical remote desktop access. |
View Current Firewall Rules
On the board, run:
iptables-save
This shows the full ruleset (chain policies and each INPUT rule). For a list view only:
iptables -L -n -v
Normally the INPUT chain default policy should be DROP, with ACCEPT rules for ports such as 22, 3389, and 5900 (confirm on your device).
Example (excerpt, for reference only):
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
COMMIT
Adding Ports
Rules loaded at boot are usually stored in:
- IPv4: /etc/iptables/rules.v4
- IPv6: /etc/iptables/rules.v6
Edit as root, for example:
sudo vi /etc/iptables/rules.v4
sudo vi /etc/iptables/rules.v6
The IPv4 *filter block is similar to the example above: allow established traffic and loopback first, then add ACCEPT lines per port.
Allow a TCP Port
After -A INPUT -i lo -j ACCEPT and before COMMIT, add one line (replace PORT with the real port, e.g. 80, 443):
-A INPUT -p tcp -m tcp --dport PORT -j ACCEPT
Alternative form (matches some export formats):
-A INPUT -p tcp --dport PORT -j ACCEPT
Allow a UDP Port
-A INPUT -p udp -m udp --dport PORT -j ACCEPT
Remove a Port Rule
Delete the matching -A INPUT ... --dport PORT ... line from the rules file. Reload the service (next section) for the change to persist.
Note: Do not remove RELATED,ESTABLISHED or lo (loopback) rules, or return traffic and local services may break.
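Hand-editing rules.v4 works, but a small helper makes the add and remove steps above repeatable and keeps the new line inside the *filter block before its COMMIT. The snippet below is an added example (not a tool shipped on the board): `add_port_rule` and `remove_port_rule` are hypothetical names, the file it edits is a constructed temporary copy standing in for /etc/iptables/rules.v4, and removal only ever matches `--dport` lines, so the RELATED,ESTABLISHED and loopback rules cannot be deleted by it. Reloading the service afterwards is still the step described in the next section.

```shell
#!/bin/sh
# Add or remove a per-port INPUT ACCEPT rule in an iptables-restore rules file.
# Added example with hypothetical helper names; edit a copy first, then reload.

# rule_line PROTO PORT -> the exact -A line this page documents for that protocol
rule_line() {
    printf '%s\n' "-A INPUT -p $1 -m $1 --dport $2 -j ACCEPT"
}

# has_port_rule FILE PROTO PORT -> exit 0 if the rule exists in either export form
# (with "-m tcp"/"-m udp" or without it)
has_port_rule() {
    grep -qE -- "^-A INPUT -p $2( -m $2)? --dport $3 -j ACCEPT\$" "$1"
}

# add_port_rule FILE PROTO PORT -> insert the rule just before the COMMIT that
# closes the *filter table; does nothing if the rule is already present
add_port_rule() {
    file=$1
    if has_port_rule "$file" "$2" "$3"; then
        return 0
    fi
    rule=$(rule_line "$2" "$3")
    awk -v rule="$rule" '
        /^\*/ { table = $1 }                                  # remember which table we are in
        $1 == "COMMIT" && table == "*filter" && !done { print rule; done = 1 }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# remove_port_rule FILE PROTO PORT -> delete the rule in both forms; only lines with
# --dport match, so conntrack and loopback rules are never touched
remove_port_rule() {
    file=$1
    grep -vE -- "^-A INPUT -p $2( -m $2)? --dport $3 -j ACCEPT\$" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# input_rule_count FILE -> number of -A INPUT lines, handy as a before/after check
input_rule_count() {
    grep -c -- '^-A INPUT ' "$1"
}

# Constructed stand-in for /etc/iptables/rules.v4 (same content as the page's excerpt)
RULES_FILE=$(mktemp)
cat > "$RULES_FILE" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
COMMIT
EOF

add_port_rule "$RULES_FILE" tcp 443      # new HTTPS rule lands before COMMIT
add_port_rule "$RULES_FILE" udp 5353     # UDP form from the "Allow a UDP Port" step
remove_port_rule "$RULES_FILE" tcp 5900  # drop VNC if it is no longer needed
cat "$RULES_FILE"
```

Point the functions at the real file with `sudo` once the result looks right on the copy, then restart iptables-restore.service as described below so the live rules pick up the change.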
iptables-restore Service
The board enables iptables-restore.service by default to restore rules from rules.v4 / rules.v6 at boot.
Stop the Service Temporarily
To stop it only for the current session (e.g. troubleshooting):
sudo systemctl stop iptables-restore.service
This is temporary. If the unit is still enabled, it will run again after reboot and reload rules.v4 / rules.v6.
Disable at Boot (No Auto-load After Reboot)
To avoid automatic rule restore after reboot:
sudo systemctl disable iptables-restore.service
After disabling, the service will not start on reboot and will not apply rules.v4 / rules.v6 automatically.
To re-enable automatic load at boot:
sudo systemctl enable iptables-restore.service
sudo systemctl start iptables-restore.service
Quick Status Checks
systemctl is-enabled iptables-restore.service # enabled at boot or not
systemctl is-active iptables-restore.service # active now or not
Note: disable only affects whether the unit starts on the next boot; it does not by itself flush current kernel rules. Verify with iptables -L -n.
Reload After Editing Rule Files
After changing the rules files:
sudo systemctl daemon-reload
sudo systemctl restart iptables-restore.service
sudo systemctl status iptables-restore.service
Confirm with iptables -L -n or iptables-save that the live rules match the files.
If the service fails, use systemctl status and logs; check /etc/iptables/rules.v4 syntax (each -A on its own line; *filter … COMMIT paired).
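Those two syntax faults (several -A directives run together on one line, and a *filter header without its COMMIT) can be caught before the restart rather than from a failed unit. The checker below is an added example with a hypothetical name, not something the board ships: it scans a rules file and prints one `file:line: message` per fault, also flagging a rule that sits outside any *table block. The good and bad files it runs on are constructed inline.

```shell
#!/bin/sh
# Sanity-check an iptables-restore rules file before restarting the service.
# Added example; check_rules_file is a hypothetical helper name.

# check_rules_file FILE -> prints "FILE:LINE: message" per fault, exit 0 only if none
check_rules_file() {
    awk -v f="$1" '
        function fault(msg) { printf "%s:%d: %s\n", f, NR, msg; bad = 1 }
        BEGIN { bad = 0; table = "" }
        /^[[:space:]]*(#|$)/ { next }                    # comments and blank lines
        /^\*/ {                                          # *filter, *nat, ... opens a table
            if (table != "") fault("table " table " has no COMMIT before " $1)
            table = $1; next
        }
        $1 == "COMMIT" {                                 # closes the open table
            if (table == "") fault("COMMIT without an open *table")
            table = ""; next
        }
        table == "" { fault("rule outside any *table block: " $0); next }
        /^-A / && index($0, " -A ") { fault("more than one -A on a single line") }
        END {
            if (table != "") fault("table " table " has no closing COMMIT")
            exit bad
        }
    ' "$1"
}

# Constructed sample files: one well-formed, one with the faults named on this page
GOOD_FILE=$(mktemp)
cat > "$GOOD_FILE" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF

BAD_FILE=$(mktemp)
cat > "$BAD_FILE" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
*nat
:PREROUTING ACCEPT [0:0]
EOF

check_rules_file "$GOOD_FILE" && echo "good file: OK"
check_rules_file "$BAD_FILE" || echo "bad file: fix before restarting iptables-restore.service"
```

Run it as `check_rules_file /etc/iptables/rules.v4 && sudo systemctl restart iptables-restore.service` so the restart only happens when the file parses cleanly; iptables-restore's own error message still has the final word if a match extension is misspelled.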
Notes
- Common remote ports: 22 (SSH), 3389 (RDP), 5900 (VNC). Always confirm with iptables-save on the device.
- Persist changes in /etc/iptables/rules.v4 (and rules.v6 if needed) by adding or removing --dport lines as above.
- After edits, run systemctl restart iptables-restore.service and verify with iptables -L -n.
- systemctl stop iptables-restore.service is temporary; while the unit is enabled, rules reload from the files after reboot. For lasting policy, edit the files and restart the service.