Re: Firewall blocking my new Debian 11 server ports 80 and 443
On 5/28/22 22:11, Tom Browder wrote:
> As the bare-iron server came from my long-time cloud provider (since
> Debian 6), incoming ports 80 and 443 are blocked.
>
> I ran my usual iptables command for new servers from them, but this
> time the default settings were different so it didn't work.
Try to flush the tables and (re)set default policies for the existing
chains.
> Output from "sudo iptables -S" before my attempt:
>
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N f2b-sshd
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A f2b-sshd -s 62.204.41.56/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.173.48/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 167.172.187.120/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 43.156.124.69/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 43.154.46.209/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.172.98/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 122.160.233.137/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -j RETURN
>
> My usual incantation and response:
>
> # sudo iptables -A IN_public_allow -p tcp -m tcp --dport 80 -m
> conntrack --ctstate NEW,UNTRACKED -j ACCEPT
> iptables: No chain/target/match by that name.
You have no chain "IN_public_allow". Probably you should create it.
> Then I tried:
>
> # sudo iptables -A INPUT -p tcp -m tcp --dport 80 -m conntrack
> --ctstate NEW,UNTRACKED -j ACCEPT
> # sudo iptables -A INPUT -p tcp -m tcp --dport 443 -m conntrack
> --ctstate NEW,UNTRACKED -j ACCEPT
It's a good practice to set input/output network interfaces.
> Again checking status:
>
> # sudo iptables -S
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N f2b-sshd
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate
> NEW,UNTRACKED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
You have a second rule for port 80/tcp, do you need it?
> -A f2b-sshd -s 62.204.41.56/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.173.48/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 167.172.187.120/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 43.156.124.69/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 43.154.46.209/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.172.98/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 122.160.233.137/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -j RETURN
>
> But no open ports in spite of the output shown.
>
> I am considering moving to ufw but am reluctant due to the possibility
> of getting locked-out of my remote server. I am used to logging in
> with two separate terminals to avoid that during initial setup but
> want to make sure that is safe.
>
Kind regards
Georgi
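The ruleset quoted above already has `-P INPUT ACCEPT` and only ACCEPT rules for 80 and 443, so the question a practitioner wants answered is "would this INPUT chain actually refuse a new TCP connection to port 80?". The script below is an added example, not code from either participant in the thread: it parses `iptables -S` output (the constructed sample embeds the listing from the thread with the fail2ban entries trimmed to one), walks the INPUT chain the way the kernel does (user chains, RETURN, fall-through to the chain policy) and reports the verdict for a given source and port. It also lists rules appended twice to the same chain, which flags the duplicate port 80 rule. The 203.0.113.x source addresses and the `eth0` interface name are constructed, and only the handful of iptables options seen in the listing are parsed (an assumption: other options raise rather than being silently ignored).

```python
"""Walk an `iptables -S` listing and decide what the INPUT chain does with a packet."""
import ipaddress
import shlex
from collections import Counter

# Constructed sample: the listing quoted in the thread, fail2ban entries trimmed.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A f2b-sshd -s 62.204.41.56/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
"""

BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def _ports(spec):
    """Expand '80' or '22,443' or '1000:1010' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_rules(text):
    """Return (policies, chains): {chain: policy}, {chain: [rule dicts]}."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
            chains.setdefault(tok[1], [])
        elif tok[0] == "-N":
            chains.setdefault(tok[1], [])
        elif tok[0] == "-A":
            rule = {"src": None, "proto": None, "dports": None, "ctstates": None,
                    "in_iface": None, "target": None, "text": line.strip()}
            i = 2
            while i < len(tok):
                opt, arg = tok[i], tok[i + 1]
                if opt == "-s":
                    rule["src"] = ipaddress.ip_network(arg, strict=False)
                elif opt == "-p":
                    rule["proto"] = arg
                elif opt == "-i":
                    rule["in_iface"] = arg
                elif opt in ("--dport", "--dports"):
                    rule["dports"] = _ports(arg)
                elif opt == "--ctstate":
                    rule["ctstates"] = set(arg.split(","))
                elif opt == "-j":
                    rule["target"] = arg
                elif opt in ("-m", "--reject-with"):
                    pass  # match-module name / reject type do not affect matching here
                else:
                    raise ValueError(f"unsupported option {opt!r} in: {line}")
                i += 2
            chains.setdefault(tok[1], []).append(rule)
    return policies, chains


def matches(rule, pkt):
    """True when every selector present on the rule matches the packet."""
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["in_iface"] is not None and rule["in_iface"] != pkt["in_iface"]:
        return False
    if rule["dports"] is not None and pkt["dport"] not in rule["dports"]:
        return False
    if rule["ctstates"] is not None and pkt["ctstate"] not in rule["ctstates"]:
        return False
    return True


def walk(chain, pkt, policies, chains, depth=0):
    """Verdict for a packet entering `chain`; None when a user chain falls through."""
    if depth > 32:
        raise RecursionError("chain loop")
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        t = rule["target"]
        if t in TERMINAL:
            return t
        if t == "RETURN":
            break  # builtin chain: policy applies; user chain: back to caller
        if t in chains:
            verdict = walk(t, pkt, policies, chains, depth + 1)
            if verdict is not None:
                return verdict
        # any other target (LOG, MARK, ...) is non-terminating: keep walking
    return policies.get(chain) if chain in BUILTIN else None


def verdict(rules_text, src, dport, proto="tcp", ctstate="NEW", in_iface="eth0"):
    """What INPUT does with a new connection from `src` to `dport`."""
    policies, chains = parse_rules(rules_text)
    pkt = {"src": src, "dport": dport, "proto": proto, "ctstate": ctstate, "in_iface": in_iface}
    return walk("INPUT", pkt, policies, chains)


def duplicate_rules(rules_text):
    """Rule texts appended more than once to the same chain (harmless, but noise)."""
    _, chains = parse_rules(rules_text)
    return [t for rules in chains.values()
            for t, n in Counter(r["text"] for r in rules).items() if n > 1]


if __name__ == "__main__":
    for src, port in [("203.0.113.5", 80), ("203.0.113.5", 443), ("62.204.41.56", 22),
                      ("203.0.113.5", 22), ("203.0.113.5", 8080)]:
        print(f"tcp/{port} from {src}: {verdict(SAMPLE_RULES, src, port)}")
    for text in duplicate_rules(SAMPLE_RULES):
        print("duplicate rule:", text)
```

Run against the thread's listing it answers ACCEPT for every port except SSH from the fail2ban-banned source, including a port such as 8080 that no rule mentions, because the chain policy is ACCEPT. That is the check worth doing before flushing anything: when the host's own filter already accepts the traffic, the block is somewhere else (the provider's edge firewall, an nftables ruleset that `iptables -S` does not show, or nothing listening on the port), and rewriting iptables rules cannot fix it. The duplicate listed at the end is the second port 80 rule Georgi points out.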