Re: Firewall blocking my new Debian 11 server ports 80 and 443

To: Tom Browder <tom.browder@gmail.com>
Cc: Debian Users ML <debian-user@lists.debian.org>
Subject: Re: Firewall blocking my new Debian 11 server ports 80 and 443
From: Dan Ritter <dsr@randomstring.org>
Date: Sat, 28 May 2022 15:23:20 -0400
Message-id: <[🔎] 20220528192320.eegtlmtc33l2clhy@randomstring.org>
In-reply-to: <[🔎] CAFMGiz9U5QYB0b8XGaMn0+zH0xz+-koCcLSx5AY0djcH6bHk9A@mail.gmail.com>
References: <[🔎] CAFMGiz9U5QYB0b8XGaMn0+zH0xz+-koCcLSx5AY0djcH6bHk9A@mail.gmail.com>

Tom Browder wrote: 
> As the bare-iron server came from my long-time cloud provider (since
> Debian 6), incoming ports 80 and 443 are blocked.
> 
> I ran my usual iptables command for new servers from them, but this
> time the default settings were different so it didn't work.
> 
> Output from "sudo iptables -S" before my attempt:
> 
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N f2b-sshd
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A f2b-sshd -s 62.204.41.56/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.173.48/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 167.172.187.120/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 43.156.124.69/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 43.154.46.209/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.172.98/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 122.160.233.137/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -j RETURN

This is strongly suggestive of having fail2ban installed.

The -P statements set default policy for each of the default
chains: if nothing else happens to a packet, that's the policy.

> My usual incantation and response:
> 
>     # sudo iptables -A IN_public_allow -p tcp -m tcp --dport  80 -m
> conntrack --ctstate NEW,UNTRACKED -j ACCEPT
>     iptables: No chain/target/match by that name.

IN_public_allow hasn't been created and isn't a default.

> Then I tried:
> 
>     # sudo iptables -A  INPUT -p tcp -m tcp --dport  80 -m conntrack
> --ctstate NEW,UNTRACKED -j ACCEPT
>     # sudo iptables -A  INPUT -p tcp -m tcp --dport  443 -m conntrack
> --ctstate NEW,UNTRACKED -j ACCEPT

Which is fine, but remember that the default policies all the
way around are ACCEPT, so this doesn't change anything until you
change the policy.

> Again checking status:

[normal output]


> But no open ports in spite of the output shown.

1. How are you checking that?

2. Have you asked the cloud provider if they need an extra step
on their end to open up the ports? It's likely on their side.

> I am considering moving to ufw but am reluctant due to the possibility
> of getting locked-out of my remote server. I am used to logging in
> with two separate terminals to avoid that during initial setup but
> want to make sure that is safe.

The cloud provider should provide console access via emulated
serial port or similar for you to get in without going through
the VM's network.

-dsr-

Reply to:

References:
- Firewall blocking my new Debian 11 server ports 80 and 443
  - From: Tom Browder <tom.browder@gmail.com>

Prev by Date: Firewall blocking my new Debian 11 server ports 80 and 443
Next by Date: Re: Firewall blocking my new Debian 11 server ports 80 and 443
Previous by thread: Firewall blocking my new Debian 11 server ports 80 and 443
Next by thread: Re: Firewall blocking my new Debian 11 server ports 80 and 443
Index(es):
- Date
- Thread