Linode Forum :: [SOLVED] iptables + ip6tables

Linode Forum https://forum.linode.com/

[SOLVED] iptables + ip6tables - cannot open port 80 https://forum.linode.com/viewtopic.php?f=19&t=11308	Page 1 of 1

Author:

cmorgenstern [ Mon Sep 15, 2014 11:07 pm ]

Post subject:

[SOLVED] iptables + ip6tables - cannot open port 80

I'm attempting to set up a web server on my Linode running Arch. I'm using Lighttpd, MySQL (MariaDB and phpMyAdmin) and PHP-FPM. For security, I've got a stateful firewall set-up for IPv4 and IPv6 (iptables + ip6tables) built using the instructions from the ArchWiki. Both iptables and ip6tables implement the same rules, just for their respective protocols.

My domain name is listed in the Linode DNS Manager with the Linode nameservers. It is active and has been confirmed to resolve correctly via Reverse DNS in the "Remote Access" tab. For serving web pages, I have Lighttpd listening on port 80 and configured to use an SSL certificate and re-direct HTTP requests to HTTPS. However, after opening port 80 via iptables and ip6tables and instructing Lighttpd to use port 80 for HTTP requests before redirecting them to port 443 for HTTPS, I cannot connect to my domain (eg: http://www.example.com). A quick check of port 80 at my static Linode IP address using a port checking tool indicates that it is closed, as does an Nmap port scan of the address.

I'm concerned that some of iptables settings might be thwarting my efforts to open the port, or that my current configuration somehow does not explicitly open port 80 up to the world. A copy of my iptables configuration is posted below.

Code:

 Generated by iptables-save v1.4.21 on Mon Sep 15 04:18:39 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [66:10280]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 30/min --limit-burst 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A TCP -p tcp -m tcp --dport 80 -m comment --comment "HTTP connections" -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -m comment --comment "SSL connections" -j ACCEPT
-A TCP -p tcp -m tcp --dport 53 -m comment --comment DNS -j ACCEPT
-A TCP -p tcp -m tcp --dport 127 -m comment --comment "SSH uses port 127" -j ACCEPT
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A UDP -p udp -m udp --dport 53 -m comment --comment "DNS" -j ACCEPT
COMMIT
# Completed on Mon Sep 15 04:18:39 2014

The entries that might be suspect would be:

Code:

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A TCP -p tcp -m tcp --dport 80 -m comment --comment "HTTP connections" -j ACCEPT

The first entry attaches the TCP chain I created to the INPUT chain and requires that new TCP connections must be started with SYN packets. Would this block incoming HTTP requests?
The second entry is how I open port 80. Specifying an interface is not necessary, since the default accepts connections from both interfaces. The only other thing I can think of would be to modify the command to include "-m state --state NEW" as some have suggested.

Code:

-A TCP -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "HTTP connections" -j ACCEPT

However, I think this is unlikely, since my iptables entry responsible for opening port 443 for SSL requests is working just fine without the additional syntax.

Any and all help/suggestions would be appreciated. I can also post my Lighttpd configuration file if needed.

Author:	vonskippy [ Tue Sep 16, 2014 12:02 am ]
Post subject:	Re: iptables + ip6tables - cannot open port 80
Temporarily (for testing) turn IPTABLES and IP6TABLES off and see if your web site comes up. If yes, then it's your firewall rules. If no, then it's probably your redirect rule.

Author:	cmorgenstern [ Tue Sep 16, 2014 4:27 am ]
Post subject:	Re: iptables + ip6tables - cannot open port 80
I took your advice and tested it, and experienced the exact same behavior. It turns out that port 80 remaining closed was due to an error in my Lighttpd configuration file. I had incorrectly told the Lighttpd server to bind to the localhost as opposed to binding to my external static IP. Once I did that and restarted the service, port 80 remained open and properly redirected my HTTP requests to HTTPS on port 443. The problem I am having now is that I keep getting a "403 - Forbidden" result when I try to visit the static HTML page that is my website right now (it's just a 'Hello world' thing). I suspect it might be a problem with the permissions on the document directory specified in Lighttpd, but everything seems to be configured correctly so far. I'll open a new thread asking about the Lighttpd problems, but otherwise I will mark this thread as closed, since my original problem of not having port 80 remain open seems to have been solved. Thank you for your help!

Page 1 of 1	All times are UTC-04:00
Powered by phpBB® Forum Software © phpBB Group http://www.phpbb.com/