
Re: Web server access SOLVED





On Wed, Apr 2, 2025 at 1:50 AM Timothy M Butterworth <timothy.m.butterworth@gmail.com> wrote:


On Wed, Apr 2, 2025 at 1:37 AM Van Snyder <van.snyder@sbcglobal.net> wrote:
I discovered that although I haven't even installed iptables, my server was running firewalld. I wasn't even aware it existed. I stopped it, and now I can access my web vandyke.mynetgear.com through my router on port 80 or 443.

I disabled firewalld because I have no idea how to configure it, but my Linksys router is running a firewall that's really easy to configure.

I owe thanks to the correspondents on this list who eventually led me to ask online about Debian firewalls. I knew about iptables, which isn't even installed, but I had never before heard of ufw or firewalld.

Firewalld is nice for laptops/notebooks where you are connecting to other people's WLANs. Firewalld is not good for a server or desktop though. I prefer IPTables for stationary devices. You can purge Firewalld and UFW. I would keep and configure IPTables on the server as well as setting up Suricata and ClamAV. I am a Defense in Depth, zero trust kind of guy. I have all my devices hardened. It is good practice to harden devices that are made available to the public.

I attached my IP Tables cheat sheet. If you need any help feel free to ask.
 
Tim

Sorry, here is the attachment for IP version 4.
 
 
On Tue, 2025-04-01 at 18:07 -0700, Van Snyder wrote:
-------- Forwarded Message --------
From: jeremy ardley <jeremy.ardley@gmail.com>
Subject: Re: Web server access
Date: 04/01/2025 05:29:23 PM


On 2/4/25 08:21, Timothy M Butterworth wrote:

Ok, so if I understand you correctly, you are attempting to port
forward 80 and 443 through the router's WAN (Wide Area Network)
interface to a server located in the DMZ (DeMilitarized Zone). Does the
server have Apache ACLs, IP Tables or TCP wrappers running on it? Can
you try to do a port ping or use telnet to connect to port 80 to test
connectivity? ex: `telnet <Routers WAN IP Address or Public DNS Name>
80`. You say that the server is on the inside of your network. Have
you tried placing the server in the DMZ?


Another alternative is that the ISP has started blocking incoming
connections on the web ports?

How could I find out if it's doing that?

It's not blocking the random port that I map to 22 so I can ssh to my server.

I can FTP to my server from itself, but not through the router.

I can't FTP to my server from another computer in my house.

And now it seems I can't load web pages from my server on other computers in my house. So maybe the server has started some kind of a firewall. How would I find it and either turn it off or configure it so it allows more than ssh?




--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄⠀⠀


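Van's question above ("how would I find it") has a more durable answer than stopping the firewall: identify which front-end is active, read the INPUT chain the way the kernel does (first matching rule wins, the chain policy decides otherwise), and then add the two web ports to it. The script below is an added example and is not part of the thread or of Debian; it assumes the interface name wlo1 from Tim's cheat sheet and uses a constructed ruleset that reproduces Van's symptom (ssh reachable, 80 and 443 refused).

```shell
#!/bin/sh
# Added example (not from the thread): find the active host firewall and
# work out what verdict the iptables INPUT chain gives an inbound TCP port.

# Report the state of the firewall front-ends systemd may be managing.
detect_firewall_frontends() {
    for unit in firewalld ufw nftables netfilter-persistent; do
        state=$(systemctl is-active "$unit" 2>/dev/null || true)
        printf '%s: %s\n' "$unit" "${state:-absent}"
    done
}

# Verdict of an INPUT chain (as printed by `iptables -S INPUT`, read from
# stdin) for a NEW inbound TCP connection to port $1 arriving on a
# non-loopback interface. Rules are tried in order; ACCEPT/DROP/REJECT end
# the walk, LOG does not, and a jump to a user chain is reported as
# undecided. Rules keyed on --sport or on connection state cannot match a
# new connection from an ephemeral client port, so they are skipped.
tcp_port_verdict() {
    awk -v port="$1" '
        function port_matches(spec, p,   a) {
            if (spec == "") return 1
            if (index(spec, ":") == 0) return (spec + 0) == p
            split(spec, a, ":")
            return (a[1] + 0) <= p && p <= (a[2] + 0)
        }
        BEGIN { policy = "ACCEPT" }              # iptables default policy
        /^-P INPUT / { policy = $3; next }
        /^-A INPUT / {
            proto = ""; dport = ""; target = ""; iface = ""; skip = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if ($i == "-i") iface = $(i + 1)
                else if ($i == "--sport" || $i == "--state" || $i == "--ctstate") skip = 1
            }
            if (skip || iface == "lo") next
            if (proto != "" && proto != "tcp") next
            if (!port_matches(dport, port + 0)) next
            if (target == "ACCEPT" || target == "DROP" || target == "REJECT") {
                print target; found = 1; exit
            }
            if (target == "LOG") next             # LOG never terminates the chain
            print "undecided:" target; found = 1; exit
        }
        END { if (!found) print policy }
    '
}

# Constructed ruleset in the style of the cheat sheet: ssh is open,
# the web ports are not, so 80 and 443 fall through to the REJECT.
sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i wlo1 -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -i wlo1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlo1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i wlo1 -j LOG --log-prefix "iptables denied inbound: "
-A INPUT -i wlo1 -j REJECT --reject-with icmp-port-unreachable
EOF
}

# The same ruleset with the two web ports opened before the REJECT.
sample_rules_fixed() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i wlo1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlo1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i wlo1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i wlo1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i wlo1 -j LOG --log-prefix "iptables denied inbound: "
-A INPUT -i wlo1 -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Run as `sh check-fw.sh scan` (as root) on a real host; with no argument
# it only defines the functions.
if [ "${1:-}" = "scan" ]; then
    detect_firewall_frontends
    for p in 22 80 443; do
        printf 'tcp/%s: %s\n' "$p" "$(iptables -S INPUT | tcp_port_verdict "$p")"
    done
fi
```

On the sample, `tcp_port_verdict 22` answers ACCEPT while 80 and 443 answer REJECT, which is exactly the picture from the thread; after the fix both web ports answer ACCEPT and anything else still answers REJECT. On current Debian, firewalld programs nftables directly, so when `iptables -S INPUT` looks empty read `nft list ruleset` (or `firewall-cmd --list-all`, `ufw status verbose`) instead. The corresponding fix that keeps the firewall on is `firewall-cmd --permanent --add-service=http --add-service=https && firewall-cmd --reload` for firewalld, or `ufw allow 80/tcp && ufw allow 443/tcp` for ufw.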
### --flush -F [chain] - Delete all rules in chain or all chains
sudo /usr/sbin/iptables -F

### Permit inbound traffic to loopback
sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT

### Permit wired ethernet
sudo /usr/sbin/iptables -A INPUT -i enx0000000011f1 -j ACCEPT

### FTP Client
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p tcp --sport 20:21 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p tcp --dport 20:21 -j ACCEPT

### DNS Client UDP 53
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 53 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i lo -p udp --dport 53 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --sport 53 -j ACCEPT

### DNS Client UDP 5353
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 5353 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 5353 -j ACCEPT

### DHCP UDP 67
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 67 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 67 -j ACCEPT

### DHCP UDP 68
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 68 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 68 -j ACCEPT

### Permit HTTP Client Traffic TCP 80
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p tcp --sport 80 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

### Permit NTP (Network Time Protocol) Client UDP 123
sudo /usr/sbin/iptables -A INPUT -i wlo1  -p udp --sport 123 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 123 -j ACCEPT

### UDP 137
sudo /usr/sbin/iptables -A INPUT -i wlo1  -p udp --sport 137 --dport 137 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --sport 137 --dport 137 -j ACCEPT

### Permit HTTP/S Client Traffic TCP 443
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p tcp --sport 443 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 443 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 443 -j ACCEPT

### SNMP Agent X tcp 705
sudo /usr/sbin/iptables -A OUTPUT -p tcp --dport 705 -j ACCEPT

### UDP 1716 Broadcast
sudo /usr/sbin/iptables -A INPUT -i wlo1  -p udp --sport 1716 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 1716 -j ACCEPT

### UDP 1900
sudo /usr/sbin/iptables -A INPUT -i wlo1  -p udp --sport 1900 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 1900 -j ACCEPT

### Permit Squid Proxy Server TCP 3128
sudo /usr/sbin/iptables -A INPUT -i lo -p tcp --dport 3128 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p tcp --sport 3128 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i lo -p tcp --sport 3128 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT

### Google Meet UDP 3478
sudo /usr/sbin/iptables -A INPUT -i lo -p udp --sport 3478 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 3478 -j ACCEPT

### KTorrent DHT
sudo /usr/sbin/iptables -A INPUT -i wlo1  -p udp --sport 7881 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 7881 -j ACCEPT

### Torrent Tracker Ports
sudo /usr/sbin/iptables -A INPUT -i wlo1  -p udp --sport 1337 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 1337 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i wlo1  -p tcp --sport 1337 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p tcp --dport 1337 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i wlo1  -p udp --sport 2710 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 2710 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i wlo1  -p udp --sport 6969 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 6969 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i wlo1  -p tcp --sport 6969 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p tcp --dport 6969 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i wlo1  -p tcp --sport 8172 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p tcp --dport 8172 -j ACCEPT

### Permit TCP 5228
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p tcp --sport 5228 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p tcp --dport 5228 -j ACCEPT

### UDP 6881 torrent
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --dport 6881 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --sport 6881 -j ACCEPT

### UDP 7881 torrent
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --dport 7881 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --sport 7881 -j ACCEPT

### UDP 19302 Google Voice
sudo /usr/sbin/iptables -A INPUT -i wlo1  -p udp --sport 19302:19305 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 19302:19305 -j ACCEPT

### UDP 26500
sudo /usr/sbin/iptables -A INPUT -i wlo1  -p udp --sport 26500 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 26500 -j ACCEPT

### UDP SPT=27036 DPT=27036
sudo /usr/sbin/iptables -A INPUT -i wlo1  -p udp --sport 27036 --dport 27036 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --sport 27036 --dport 27036 -j ACCEPT

### Permit Outbound ICMP Echo Request and Reply Traffic
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p icmp --icmp-type echo-reply -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

### Permit ICMP Destination Unreachable (type 3, which includes Port Unreachable)
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p icmp --icmp-type 3 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT

### ICMP Type 9 (Router Advertisement) to the all-hosts multicast address 224.0.0.1
sudo /usr/sbin/iptables -A INPUT -i wlo1 -d 224.0.0.1 -p icmp --icmp-type 9 -j ACCEPT

### IGMP (protocol 2) to the IGMPv3 multicast address 224.0.0.22
sudo /usr/sbin/iptables -A OUTPUT -d 224.0.0.22 -p 2 -j ACCEPT

### open stateful established and related packets (Only use this while building out Rules)
sudo /usr/sbin/iptables -A INPUT -i wlo1 -m state --state RELATED,ESTABLISHED -j LOG --log-prefix "iptables permitted inbound: "
sudo /usr/sbin/iptables -A INPUT -i wlo1 -m state --state RELATED,ESTABLISHED -j ACCEPT

### Reject all other traffic
sudo /usr/sbin/iptables -A INPUT -i wlo1 -j LOG --log-prefix "iptables denied inbound: "
sudo /usr/sbin/iptables -A INPUT -i wlo1 -j REJECT
sudo /usr/sbin/iptables -A OUTPUT -j LOG --log-prefix "iptables permitted output: "
sudo /usr/sbin/iptables -A OUTPUT -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -j LOG --log-prefix "iptables denied output: "
sudo /usr/sbin/iptables -A OUTPUT -j REJECT

### --policy -P chain target Change policy on chain to drop all traffic
sudo /usr/sbin/iptables -P INPUT DROP
sudo /usr/sbin/iptables -P OUTPUT DROP
sudo /usr/sbin/iptables -P OUTPUT ACCEPT

### IP MASQUERADE
sudo /usr/sbin/iptables -t nat -A POSTROUTING -o wlo1 -j MASQUERADE

### Save IPTables rules
/usr/sbin/iptables-save > /etc/iptables/rules.v4
sudo sh -c '/usr/sbin/iptables-save > /etc/iptables/rules.v4'

### List IPTables Filter Rules
sudo /usr/sbin/iptables -L -v --line-numbers

### Syslog Files
sudo cat /var/log/syslog | grep "iptables"

### --insert  -I chain [rulenum] - Insert in chain as rulenum (default 1=first)
sudo /usr/sbin/iptables -I INPUT 2 -i wlo1 -p icmp -j ACCEPT

### --delete  -D chain rulenum - Delete rule rulenum (1 = first) from chain
sudo /usr/sbin/iptables -D INPUT 2
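Tim's cheat sheet was written for a laptop acting as a client, and most of its INPUT rules admit a packet on the strength of its source port alone (`--sport 80`, `--sport 53`), which says nothing about whether the host asked for that packet; the `RELATED,ESTABLISHED` rule near the end is the one that actually ties a packet to a session the host opened. For a server that Van's thread is about, the inbound side is the reverse: a default-deny INPUT chain, connection tracking for replies, and explicit `--dport` rules for the services offered. The script below is an added example, not Tim's cheat sheet and not Debian's; it assumes the WAN-facing interface is wlo1 (as in the cheat sheet) and that ssh listens on 22, both overridable through environment variables, and it has a dry-run mode that prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): minimal stateful INPUT ruleset for a
# public web server that also takes ssh. Assumed defaults: WAN interface
# wlo1, ssh on 22, iptables at /usr/sbin/iptables.
IPT=${IPT:-/usr/sbin/iptables}
WAN=${WAN:-wlo1}
SSH_PORT=${SSH_PORT:-22}

# Dry-run backend: set IPT=dry_run to print each rule instead of loading it.
dry_run() { echo "$*"; }

web_server_rules() {
    # Clean INPUT chain; inbound is denied unless a rule below accepts it,
    # outbound stays open (the server itself needs DNS, NTP, apt ...).
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP

    # Loopback first, then packets that belong to sessions this host
    # already has. Conntrack state, not the peer's source port, decides.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # New connections to the services this host offers.
    $IPT -A INPUT -i "$WAN" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

    # Keep path MTU discovery and a rate-limited ping working.
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # Everything else: log at a bounded rate (so a scan cannot flood the
    # journal), then refuse. This must stay the last rule in the chain.
    $IPT -A INPUT -m limit --limit 10/min -j LOG --log-prefix "iptables denied inbound: "
    $IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# `sh web-fw.sh dry-run` prints the rules; `sudo sh web-fw.sh apply` loads
# them (follow with iptables-save as in the cheat sheet to persist them).
case "${1:-}" in
    apply)   web_server_rules ;;
    dry-run) IPT=dry_run; web_server_rules ;;
esac
```

Rule order carries the security meaning: the conntrack ACCEPT precedes the per-port rules so replies never depend on a port match, `INVALID` is dropped before any ACCEPT, and the LOG/REJECT pair closes the chain. When a service is added later, insert its `--dport` rule above the LOG line (with `-I INPUT <rulenum>` as the cheat sheet shows) rather than appending it after the REJECT, where it would never be reached.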

