Automatic configuration of iptables

When installed on Linux, Deep Security Manager and Deep Security Agent can automatically modify the host's iptables rules to allow inbound connections on the specific ports they need. Rules are added only when the iptables service is running.

Rules are added to iptables when the manager or agent is installed or started. The rules are removed when they are stopped or uninstalled. The state of the iptables service (running or off) is not changed at any time.

For a complete list of ports used in Deep Security, see Port numbers.

Rules added for a manager

On the manager computer, rules are added to accept connections from web browsers (port 4119 by default) and to accept agent heartbeats (port 4120 by default).

Rules added for an agent

On an agent computer, a rule for the agent's listening port (port 4118 by default) is added only when it is required, that is, when manager-initiated or bidirectional communication is used. When the agent is acting as a relay, a rule is also added for distributing updates (port 4120 by default).

You can prevent the agent from modifying iptables if you would rather add the required rules manually (for example, to restrict the agent's listening port to the manager's address instead of accepting connections from any source). To prevent the automatic modification of iptables, create the following file on the agent computer:

/etc/do_not_open_ports_on_iptables
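The following script is an added example, not Trend Micro's own code, showing what an administrator who opts out of automatic iptables changes would do: create the marker file, then generate idempotent iptables commands for the default ports listed on this page. It assumes the default port numbers above, and it introduces a hypothetical `DS_ROOT` variable so the marker path can be exercised under a scratch directory without root; the `iptables -C ... || iptables -I ...` pattern is a standard way to avoid inserting a duplicate rule on re-runs. The optional source-address argument is a hardening step not described on the page: it limits the agent port to the manager's IP.

```shell
#!/bin/sh
# Added example (not Deep Security's own code). Ports are the page's defaults.
# DS_ROOT (hypothetical, default empty) is prefixed to /etc so the marker
# logic can be tested in a temporary directory without root.
set -eu

ds_marker_path() {
    printf '%s/etc/do_not_open_ports_on_iptables\n' "${DS_ROOT:-}"
}

# Create the opt-out marker so the agent leaves iptables alone.
ds_disable_auto_iptables() {
    marker="$(ds_marker_path)"
    mkdir -p "$(dirname "$marker")"
    : > "$marker"
}

# Exit status 0 if the marker exists (agent will not touch iptables).
ds_auto_iptables_disabled() {
    [ -f "$(ds_marker_path)" ]
}

# Print the iptables commands equivalent to the automatic rules for a role:
#   manager -> 4119 (console) and 4120 (heartbeats)
#   agent   -> 4118 (manager-initiated / bidirectional communication)
#   relay   -> 4120 (update distribution)
# Optional second argument restricts the rule to a source address (e.g. the
# manager's IP). Each line checks with -C before inserting with -I, so the
# output can be re-run without stacking duplicate rules.
ds_rules() {
    role="$1"
    src="${2:-}"
    srcopt=""
    if [ -n "$src" ]; then
        srcopt=" -s $src"
    fi
    case "$role" in
        manager) ports="4119 4120" ;;
        agent)   ports="4118" ;;
        relay)   ports="4120" ;;
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac
    for p in $ports; do
        rule="INPUT -p tcp${srcopt} --dport $p -j ACCEPT"
        printf 'iptables -C %s 2>/dev/null || iptables -I %s\n' "$rule" "$rule"
    done
}

# Apply the generated rules on a live host (requires root and iptables).
ds_apply_rules() {
    ds_rules "$@" | sh
}
```

Usage on an agent that should only be reachable from the manager at 10.0.0.5: run `ds_disable_auto_iptables` before the agent starts, then `ds_apply_rules agent 10.0.0.5`. Because the agent no longer manages these rules, it will not remove them either; removing them on uninstall becomes your responsibility, as does persisting them across reboots with your distribution's iptables save mechanism.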