I discovered that although I haven't even installed iptables, my server was running firewalld. I wasn't even aware it existed. I stopped it, and now I can access my web vandyke.mynetgear.com through my router on port 80 or 443. I disabled firewalld because I have no idea how to configure it, but my Linksys router is running a firewall that's really easy to configure.
I owe thanks to the correspondents on this list who eventually led me to ask online about Debian firewalls. I knew about iptables, which isn't even installed, but I had never before heard of ufw or firewalld.
On Tue, 2025-04-01 at 18:07 -0700, Van Snyder wrote:

-------- Forwarded Message --------
From: jeremy ardley <jeremy.ardley@gmail.com>
Subject: Re: Web server access
Date: 04/01/2025 05:29:23 PM

On 2/4/25 08:21, Timothy M Butterworth wrote:

Ok so if I understand you correctly then you are attempting to port forward 80 and 443 through the router's WAN Wide Area Network interface to a server located in the DMZ DeMilitarized Zone. Does the server have Apache ACL's, IP Tables or TCP wrapper running on it? Can you try to do a port ping or use telnet to connect to port 80 to test connectivity. ex: `telnet <Routers WAN IP Address or Public DNS Name> 80`. As you say that the server is on the inside of your network. Have you tried placing the server in the DMZ?

Another alternative is the ISP has started blocking incoming connections on the web ports?

How could I find out if it's doing that?

It's not blocking the random port that I map to 22 so I can ssh to my server.

I can FTP to my server from itself, but not through the router.

I can't FTP to my server from another computer in my house.

And now it seems I can't load web pages from my server on other computers in my house. So maybe the server has started some kind of a firewall. How would I find it and either turn it off or configure it so it allows more than ssh?

```sh
### --flush -F [chain] - Delete all rules in chain or all chains
sudo /usr/sbin/ip6tables -F

### FTP Client
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p tcp --sport 20:21 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p tcp --dport 20:21 -j ACCEPT

### DNS Client UDP 53
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p udp --sport 53 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 53 -j ACCEPT

### DNS Client UDP 5353
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p udp --sport 5353 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 5353 -j ACCEPT

### Permit HTTP Client Traffic TCP 80
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p tcp --sport 80 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p tcp --dport 80 -j ACCEPT

### Permit NTP (Network Time Protocol) Client UDP 123
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p udp --sport 123 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 123 -j ACCEPT

### Permit HTTP/S Client Traffic TCP 443 (and UDP 443)
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p tcp --sport 443 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p tcp --dport 443 -j ACCEPT
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p udp --sport 443 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 443 -j ACCEPT

### DHCPv6 UDP 546/547
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p udp --dport 546 --sport 547 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 547 --sport 546 -j ACCEPT

### TCP 705 SNMP Agent X
sudo /usr/sbin/ip6tables -A OUTPUT -p tcp --dport 705 -j ACCEPT

### Permit Squid Proxy Server TCP 3128
sudo /usr/sbin/ip6tables -A INPUT -i lo -p tcp --dport 3128 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p tcp --sport 3128 -j ACCEPT
sudo /usr/sbin/ip6tables -A INPUT -i lo -p tcp --sport 3128 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p tcp --dport 3128 -j ACCEPT

### UDP 3478 Google Meet
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p udp --sport 3478 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 3478 -j ACCEPT

### Permit TCP 5222 Google Talk xmpp-client
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p tcp --sport 5222 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p tcp --dport 5222 -j ACCEPT

### TCP 5228 Google Cloud Messaging
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p tcp --sport 5228 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p tcp --dport 5228 -j ACCEPT

### Port 6969 Torrent
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p udp --sport 6969 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 6969 -j ACCEPT
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p tcp --sport 6969 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p tcp --dport 6969 -j ACCEPT

### UDP 19302 - 19305 Google talk
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p udp --sport 19302:19305 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 19302:19305 -j ACCEPT

### UDP 26500 gRPC REST API
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p udp --sport 26500 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 26500 -j ACCEPT

### permit udp 35356
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 35356 -j ACCEPT

### permit udp 36973
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 36973 -j ACCEPT

### Permit UDP 38579
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 38579 -j ACCEPT

### Permit UDP 46287
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 46287 -j ACCEPT

### Permit UDP 47453
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 47453 -j ACCEPT

### Permit UDP 53176
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 53176 -j ACCEPT

### Permit UDP 59546
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 59546 -j ACCEPT

### Permit ICMP Echo Request and Reply Traffic
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT

### Permit ICMP destination-unreachable
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p icmpv6 --icmpv6-type 1 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT

### Permit ICMPv6 type 3 (time-exceeded)
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p icmpv6 --icmpv6-type 3 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT

### Permit Inbound ipv6-icmp router-solicitation
sudo /usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 133 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 133 -j ACCEPT

### Permit Inbound ipv6-icmp router-advertisement
sudo /usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT

### Permit ipv6-icmp neighbour-solicitation
sudo /usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT

### Permit ipv6-icmp neighbour-advertisement
sudo /usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT

### Permit ipv6-icmp type 143 (MLDv2 multicast listener report)
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p icmpv6 --icmpv6-type 143 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 143 -j ACCEPT

### open stateful established and related packets (Only use this while building out Rules)
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -m state --state RELATED,ESTABLISHED -j LOG --log-prefix "iptables permitted: "
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -m state --state RELATED,ESTABLISHED -j ACCEPT

### Reject all other traffic
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -j LOG --log-prefix "iptables denied: "
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -j REJECT
sudo /usr/sbin/ip6tables -A OUTPUT -j LOG --log-prefix "iptables permitted: "
sudo /usr/sbin/ip6tables -A OUTPUT -j ACCEPT
# The OUTPUT ACCEPT rule above matches every packet, so the next two OUTPUT rules are never reached.
sudo /usr/sbin/ip6tables -A OUTPUT -j LOG --log-prefix "iptables denied: "
sudo /usr/sbin/ip6tables -A OUTPUT -j REJECT

### --policy -P chain target Change policy on chain to drop all traffic
sudo /usr/sbin/ip6tables -P INPUT DROP
sudo /usr/sbin/ip6tables -P OUTPUT DROP

### Save Rules (the redirection has to run inside the root shell, hence sh -c)
sudo sh -c '/usr/sbin/ip6tables-save > /etc/iptables/rules.v6'

### List IPTables Filter Rules
sudo /usr/sbin/ip6tables -L -v --line-numbers

### Display syslog messages
cat /var/log/syslog | grep iptables

### --insert -I chain [rulenum] - Insert in chain as rulenum (default 1=first)
sudo /usr/sbin/ip6tables -I INPUT 2 -i wlo1 -p icmpv6 -j ACCEPT

### --delete -D chain rulenum - Delete rule rulenum (1 = first) from chain
sudo /usr/sbin/ip6tables -D INPUT 2
```
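
For the question in the thread of how to find the host firewall and let it admit more than ssh, the following is an added example, not part of the original messages: it lists which firewall units systemd reports active and prints, without running them, the firewall-cmd commands that would open the http and https services in firewalld's default zone instead of stopping firewalld. The function names and the sample zone listing are constructed for this example.

```shell
# Added example; function names and SAMPLE_ZONE are constructed, not from the thread.

# State of a systemd unit, or "unknown" when systemctl is not installed.
unit_state() {
    command -v systemctl >/dev/null 2>&1 || { echo unknown; return 0; }
    systemctl is-active "$1" 2>/dev/null || true
}

# Print every firewall manager whose unit systemd reports as active.
active_firewalls() {
    for unit in firewalld ufw nftables; do
        [ "$(unit_state "$unit")" = active ] && echo "$unit"
    done
    return 0
}

# $1: wanted services, $2: text of "firewall-cmd --list-all".
# Prints the wanted services that the zone does not allow yet.
missing_services() {
    allowed=$(printf '%s\n' "$2" | sed -n 's/^ *services: *//p')
    for svc in $1; do
        case " $allowed " in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# Print (do not run) the commands that open the missing services.
open_commands() {
    todo=$(missing_services "$1" "$2")
    [ -n "$todo" ] || return 0
    for svc in $todo; do
        echo "sudo firewall-cmd --permanent --add-service=$svc"
    done
    echo "sudo firewall-cmd --reload"
}

# Constructed sample: a default zone that admits only DHCPv6 and SSH.
SAMPLE_ZONE='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: '

active_firewalls
zone=$(firewall-cmd --list-all 2>/dev/null) || { echo "# no live firewalld, using sample"; zone=$SAMPLE_ZONE; }
open_commands "http https" "$zone"
```

An active ufw or nftables unit only shows that the service was started; `sudo ufw status` and `sudo nft list ruleset` show whether any rules are actually loaded.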