iptables open port [SOLVED]

Postby schnappi » 2020-01-17 04:27

Hi,

Opening a new port through iptables no longer opens the port. Assuming this probably has something to do with iptables merely being a front end now for nftables.

The port is open when running iptables -L, but it is not actually open...

This is a Debian 10 system that was upgraded from Debian 9. Only ever used iptables.
Last edited by schnappi on 2020-01-19 15:23, edited 1 time in total.
schnappi
Posts: 13
Joined: 2017-07-27 17:28

Re: iptables open port

Postby dilberts_left_nut » 2020-01-17 04:48

If a tree falls in the forest and no-one is there to hear it...

How do you know it's not 'open' (and how do you define 'open')?
AdrianTM wrote:There's no hacker in my grandma...
dilberts_left_nut
Posts: 5071
Joined: 2009-10-05 07:54
Location: enzed

Re: iptables open port

Postby schnappi » 2020-01-17 04:54

Online port tests at multiple sites, program internal firewall checker saying port closed, no incoming TCP connections on the port, installed multiple programs on the server using different ports to rule out that the program was the issue. Tried setting iptables to allow all connections by default and ports were still closed.
schnappi
Posts: 13
Joined: 2017-07-27 17:28

Re: iptables open port

Postby dilberts_left_nut » 2020-01-17 06:03

OK, how about some specifics.
What program, what port, network layout, current firewall rules (default is none).
AdrianTM wrote:There's no hacker in my grandma...
dilberts_left_nut
Posts: 5071
Joined: 2009-10-05 07:54
Location: enzed

Re: iptables open port

Postby Chrisdb » 2020-01-17 09:07

If there is no service listening on your specific port, it isn't considered open.
Chrisdb
Posts: 273
Joined: 2018-04-10 07:16

Re: iptables open port

Postby schnappi » 2020-01-17 21:47

The program isn't the issue, as I tried multiple programs on multiple ports.

But, Syncthing on 22000 is not open after

sudo iptables -A INPUT -p tcp --dport 22000 -j ACCEPT
or
sudo iptables -P INPUT ACCEPT

However, iptables -L lists port 22000 as open.
schnappi
Posts: 13
Joined: 2017-07-27 17:28

Re: iptables open port

Postby Chrisdb » 2020-01-18 07:30

schnappi wrote:The program isn't the issue, as I tried multiple programs on multiple ports.

But, Syncthing on 22000 is not open after

sudo iptables -A INPUT -p tcp --dport 22000 -j ACCEPT
or
sudo iptables -P INPUT ACCEPT

However, iptables -L lists port 22000 as open.

Please post the entire output of:

iptables -L
Chrisdb
Posts: 273
Joined: 2018-04-10 07:16

Re: iptables open port

Postby p.H » 2020-01-18 09:10

schnappi wrote:Opening a new port through iptables no longer opens the port.

Iptables never opened ports. It is just a packet filter.
schnappi wrote:Online port tests at multiple sites, program internal firewall checker saying port closed

"Port closed" usually means that nothing listens on the port at that IP address unless you have rules with the REJECT target. Not an iptables issue.
schnappi wrote:However, iptables -L lists port 22000 as open.

No. It lists iptables rules, not open ports.
Chrisdb wrote:iptables -L

Post the output of "iptables-save" instead. It is more complete, compact and easier to read.
p.H
Posts: 1434
Joined: 2017-09-17 07:12

Re: iptables open port

Postby schnappi » 2020-01-18 16:19

Honestly, these are posts about semantics. While the responses are appreciated, the point is that the correct steps have been taken to open ports, and the ports are closed.

If anyone has suggestions unrelated to semantics, please feel free to let me know.

To further the point: this server runs a webserver. When ports 80 and 443 are closed in iptables, ports 80 and 443 remain open. Same thing if I close 53. The nameserver still responds.
schnappi
Posts: 13
Joined: 2017-07-27 17:28

Re: iptables open port

Postby Head_on_a_Stick » 2020-01-18 17:31

schnappi wrote:Assuming this probably has something to do with iptables merely being a front end now for nftables.

Assume makes an ass out of u & me, but you could try

# update-alternatives --config iptables

and select the iptables-legacy option to return to the old behaviour.
Black Lives Matter

Debian buster-backports ISO image: for new hardware support
Head_on_a_Stick
Posts: 12486
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: iptables open port

Postby dilberts_left_nut » 2020-01-18 19:10

schnappi wrote:If anyone has suggestions unrelated to semantics please feel free to let me know.

From the available evidence it would appear to be user error.
AdrianTM wrote:There's no hacker in my grandma...
dilberts_left_nut
Posts: 5071
Joined: 2009-10-05 07:54
Location: enzed

Re: iptables open port

Postby schnappi » 2020-01-18 20:44

Always thought highly of Debian. But, this forum gives the Arch community competition.
schnappi
Posts: 13
Joined: 2017-07-27 17:28

Re: iptables open port

Postby Head_on_a_Stick » 2020-01-19 11:16

schnappi wrote:this forum gives the Arch community competition

Thanks! We do try :mrgreen:
Black Lives Matter

Debian buster-backports ISO image: for new hardware support
Head_on_a_Stick
Posts: 12486
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: iptables open port

Postby schnappi » 2020-01-19 15:22

@Head_on_a_Stick I know you agree...

Anywho, there was no user error. The server had been up for a few years. No restart after Debian 10 upgrade either. Restarting resolved without any changes.
schnappi
Posts: 13
Joined: 2017-07-27 17:28

Re: iptables open port [SOLVED]

Postby Kirill_code » 2020-01-20 08:55

Hi, I have the same issue:
I use Tomcat 9.0.3 with this config:

<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="mystore2" keystorePass="PWD"
    clientAuth="false" sslProtocol="TLS"/>

and these listeners:

org.apache.catalina.startup.VersionLoggerListener
org.apache.catalina.core.JreMemoryLeakPreventionListener
org.apache.catalina.mbeans.GlobalResourcesLifecycleListener
org.apache.catalina.core.ThreadLocalLeakPreventionListener

When I try to connect from the browser it throws ERR_CONNECTION_REFUSED.

I try to open port 8443 with:

iptables -I INPUT 1 -p tcp --dport 8443 -j ACCEPT
ufw allow https

But when I check remotely the port is closed, even though the result of ufw status is:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
8080                       ALLOW       Anywhere
8443                       ALLOW       Anywhere
22                         ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
8080 (v6)                  ALLOW       Anywhere (v6)
8443 (v6)                  ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

netstat -tulpn | grep LISTEN:

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      622/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      684/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      622/sshd
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      618/java
tcp6       0      0 :::8080                 :::*                    LISTEN      618/java
Kirill_code
Posts: 5
Joined: 2020-01-20 08:53
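The distinction p.H draws above (a "port closed" result normally means nothing is listening, or a REJECT rule answers; iptables -L shows rules, not listeners) is the one that also explains Kirill_code's netstat output, where 8080 is bound but no process listens on 8443 at all. The script below is an added example, not code from the thread or from any of the posters: it takes the text of a listener table (the `netstat -tulpn` or `ss -ltn` output) and of `iptables-save`, and classifies a port as not listening, bound to loopback only, or listening with an ACCEPT, REJECT/DROP or chain-policy verdict. The sample inputs are constructed for the demonstration (modelled on the netstat lines in the thread, plus an extra listener on 25 and a ruleset that does not appear in the thread), so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Separate "nothing listens here" from
# "the packet filter blocks it" by reading a listener table and an
# iptables-save dump as text, so the check can be exercised offline.

# Constructed sample listener table, modelled on the netstat output in the
# thread (netstat and `ss -ltn` both put the local address in column 4).
SAMPLE_LISTEN='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 622/sshd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 684/mysqld
tcp6 0 0 :::22 :::* LISTEN 622/sshd
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 618/java
tcp6 0 0 :::8080 :::* LISTEN 618/java
tcp6 0 0 :::25 :::* LISTEN 700/master'

# Constructed sample iptables-save output (hypothetical ruleset).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j REJECT --reject-with tcp-reset
COMMIT'

# diagnose_port PORT LISTEN_TEXT RULES_TEXT
# Prints one of:
#   not-listening         nothing bound -> kernel answers RST, "connection refused"
#   loopback-only         bound to 127.0.0.1 / ::1 only -> unreachable from outside
#   listening-accepted    a service listens and an INPUT rule ACCEPTs the port
#   listening-rejected    a service listens but an INPUT rule REJECTs/DROPs it
#   listening-policy-X    no explicit rule; INPUT chain policy X decides
diagnose_port() {
  port=$1; listen=$2; rules=$3

  # Local addresses whose port field (text after the last ':') equals PORT.
  bound=$(printf '%s\n' "$listen" | awk -v p="$port" '
    /LISTEN/ { n = split($4, a, ":"); if (a[n] == p) print $4 }')
  if [ -z "$bound" ]; then
    echo not-listening
    return 0
  fi

  # If every bound address is a loopback address, remote hosts can never reach it.
  if ! printf '%s\n' "$bound" | grep -qvE '^(127\.[0-9.]+|\[::1\]):'; then
    echo loopback-only
    return 0
  fi

  # First INPUT rule for tcp/PORT wins; print its -j target.
  verdict=$(printf '%s\n' "$rules" | awk -v p="$port" '
    /^-A INPUT / && /-p tcp/ && $0 ~ ("--dport " p "( |$)") {
      for (i = 1; i <= NF; i++) if ($i == "-j") { print $(i + 1); exit } }')
  case "$verdict" in
    ACCEPT)       echo listening-accepted ;;
    REJECT|DROP)  echo listening-rejected ;;
    '')           pol=$(printf '%s\n' "$rules" | awk '/^:INPUT /{ print $2 }')
                  echo "listening-policy-$pol" ;;
    *)            echo "listening-$verdict" ;;
  esac
}

# Walk the ports from the thread plus the constructed extras.
for p in 22 8080 8443 3306 25; do
  printf '%s: %s\n' "$p" "$(diagnose_port "$p" "$SAMPLE_LISTEN" "$SAMPLE_RULES")"
done
```

On a live host the same function takes `"$(ss -ltn)"` (or `"$(netstat -tulpn)"`) and `"$(iptables-save)"` as its second and third arguments. The point of the classification is the one made in the thread: an ACCEPT rule for 8443 is irrelevant while no process is bound to 8443, and a REJECT with tcp-reset produces the same "connection refused" a remote tester reports for a port nobody listens on.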
