Firewall blocking my new Debian 11 server ports 80 and 443

To: Debian Users ML <debian-user@lists.debian.org>
Subject: Firewall blocking my new Debian 11 server ports 80 and 443
From: Tom Browder <tom.browder@gmail.com>
Date: Sat, 28 May 2022 14:11:30 -0500
Message-id: <[🔎] CAFMGiz9U5QYB0b8XGaMn0+zH0xz+-koCcLSx5AY0djcH6bHk9A@mail.gmail.com>

As the bare-iron server came from my long-time cloud provider (since
Debian 6), incoming ports 80 and 443 are blocked.

I ran my usual iptables command for new servers from them, but this
time the default settings were different so it didn't work.

Output from "sudo iptables -S" before my attempt:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 62.204.41.56/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.173.48/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 167.172.187.120/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 43.156.124.69/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 43.154.46.209/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.172.98/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 122.160.233.137/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN

My usual incantation and response:

    # sudo iptables -A IN_public_allow -p tcp -m tcp --dport  80 -m
conntrack --ctstate NEW,UNTRACKED -j ACCEPT
    iptables: No chain/target/match by that name.

Then I tried:

    # sudo iptables -A  INPUT -p tcp -m tcp --dport  80 -m conntrack
--ctstate NEW,UNTRACKED -j ACCEPT
    # sudo iptables -A  INPUT -p tcp -m tcp --dport  443 -m conntrack
--ctstate NEW,UNTRACKED -j ACCEPT

Again checking status:

# sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate
NEW,UNTRACKED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A f2b-sshd -s 62.204.41.56/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.173.48/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 167.172.187.120/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 43.156.124.69/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 43.154.46.209/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.172.98/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 122.160.233.137/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN

But no open ports in spite of the output shown.

I am considering moving to ufw but am reluctant due to the possibility
of getting locked-out of my remote server. I am used to logging in
with two separate terminals to avoid that during initial setup but
want to make sure that is safe.

Suggestions welcome!

-Tom

Reply to:

Follow-Ups:
- Re: Firewall blocking my new Debian 11 server ports 80 and 443
  - From: Dan Ritter <dsr@randomstring.org>
- Re: Firewall blocking my new Debian 11 server ports 80 and 443
  - From: Georgi Naplatanov <gosho@oles.biz>
- Re: Firewall blocking my new Debian 11 server ports 80 and 443
  - From: IL Ka <kazakevichilya@gmail.com>
- Re: Firewall blocking my new Debian 11 server ports 80 and 443
  - From: Tom Browder <tom.browder@gmail.com>

Prev by Date: Re: Debian desktop environment
Next by Date: Re: Firewall blocking my new Debian 11 server ports 80 and 443
Previous by thread: Re: Patch broadcom-sta for kernel 5.18
Next by thread: Re: Firewall blocking my new Debian 11 server ports 80 and 443
Index(es):
- Date
- Thread