iptables open port [SOLVED]

schnappi
Posts: 16
Joined: 2017-07-27 17:28

iptables open port [SOLVED]

#1 Post by schnappi »

Hi,

Opening a new port through iptables no longer opens the port. Assuming this probably has something to do with iptables merely being a front end now for nftables.

The port is open when running iptables -L, but it is not actually open...

This is a Debian 10 system that was upgraded from Debian 9. Only ever used iptables.
Last edited by schnappi on 2020-01-19 15:23, edited 1 time in total.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed

Re: iptables open port

#2 Post by dilberts_left_nut »

If a tree falls in the forest and no-one is there to hear it...

How do you know it's not 'open' (and how do you define 'open')..
AdrianTM wrote:There's no hacker in my grandma...

schnappi
Posts: 16
Joined: 2017-07-27 17:28

Re: iptables open port

#3 Post by schnappi »

Online port tests at multiple sites, program internal firewall checker saying port closed, no incoming TCP connections on the port, installed multiple programs on the server using different ports to rule out that the program was the issue. Tried setting iptables to allow all connections by default and ports were still closed.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed

Re: iptables open port

#4 Post by dilberts_left_nut »

OK, how about some specifics.
What program, what port, network layout, current firewall rules (default is none).
AdrianTM wrote:There's no hacker in my grandma...

Chrisdb
Posts: 279
Joined: 2018-04-10 07:16

Re: iptables open port

#5 Post by Chrisdb »

If there is no service listening on your specific port, it isn't considered open..

schnappi
Posts: 16
Joined: 2017-07-27 17:28

Re: iptables open port

#6 Post by schnappi »

The program isn't the issue, as I tried multiple programs on multiple ports.

But, Syncthing on 22000 is not open after

sudo iptables -A INPUT -p tcp --dport 22000 -j ACCEPT
or
sudo iptables -P INPUT ACCEPT

However, iptables -L lists port 22000 as open.

Chrisdb
Posts: 279
Joined: 2018-04-10 07:16

Re: iptables open port

#7 Post by Chrisdb »

schnappi wrote:The program isn't the issue, as I tried multiple programs on multiple ports.

But, Syncthing on 22000 is not open after

sudo iptables -A INPUT -p tcp --dport 22000 -j ACCEPT
or
sudo iptables -P INPUT ACCEPT

However, iptables -L lists port 22000 as open.
Please post entire output of:

iptables -L

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12

Re: iptables open port

#8 Post by p.H »

schnappi wrote:Opening a new port through iptables no longer opens the port.
Iptables never opened ports. It is just a packet filter.
schnappi wrote: Online port tests at multiple sites, program internal firewall checker saying port closed
"Port closed" usually means that nothing listens on the port at that IP address unless you have rules with the REJECT target. Not an iptables issue.
schnappi wrote:However, iptables -L lists port 22000 as open.
No. It lists iptables rules, not open ports.
Chrisdb wrote:iptables -L
Post the output of "iptables-save" instead. It is more complete, compact and easier to read.
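The distinction p.H draws (a "closed" port is one nothing listens on, or one hit by a REJECT rule, while a DROP rule makes the remote test time out instead) can be turned into a quick local check. The script below is an added example, not code from the thread: it parses the text of `ss -ltn` and `iptables-save` (both sample outputs are constructed for the example) and reports why a remote port test would fail.

```shell
# Added example, not code from the thread. Given the text of `ss -ltn` and of
# `iptables-save`, say why a remote test would report a TCP port as closed.
# Both sample outputs below are constructed for the example.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
LISTEN 0      4096   *:8080             *:*'

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
COMMIT'

# listens PORT SS_TEXT: print the bound local address, exit 1 if nothing listens.
listens() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) { print $4; found = 1 } }
    END { exit !found }'
}

# verdict PORT RULES_TEXT: target of the first INPUT rule matching tcp/PORT,
# otherwise the INPUT chain policy.
verdict() {
  printf '%s\n' "$2" | awk -v p="$1" '
    /^:INPUT / { policy = $2 }
    /^-A INPUT / && /-p tcp/ {
      for (i = 1; i <= NF; i++)
        if ($i == "--dport" && $(i+1) == p)
          for (j = i; j <= NF; j++)
            if ($j == "-j") { print $(j+1); found = 1; exit }
    }
    END { if (!found) print policy }'
}

# diagnose PORT [SS_TEXT] [RULES_TEXT]: no-listener | local-only | rejected | dropped | reachable
diagnose() {
  addr=$(listens "$1" "${2:-$SAMPLE_SS}") || { echo no-listener; return 0; }
  case "$addr" in
    127.*|"[::1]:"*) echo local-only; return 0 ;;   # bound to loopback: never reachable remotely
  esac
  case "$(verdict "$1" "${3:-$SAMPLE_RULES}")" in
    ACCEPT) echo reachable ;;
    REJECT) echo rejected ;;   # remote test sees "connection refused", same as no listener
    *)      echo dropped ;;    # DROP target or policy: remote test times out instead
  esac
}
```

On a real host, pass `"$(ss -ltn)"` and `"$(iptables-save)"` as the second and third arguments; with the samples, port 22000 is classified as no-listener even though its ACCEPT rule is present, which is exactly the situation in the thread.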

schnappi
Posts: 16
Joined: 2017-07-27 17:28

Re: iptables open port

#9 Post by schnappi »

Honestly, there are posts about semantics. While the responses are appreciated the point is the correct steps have been taken to open ports, and the ports are closed.

If anyone has suggestions unrelated to semantics please feel free to let me know.

To further the point: this server runs a webserver. When ports 80 and 443 are closed in iptables, ports 80 and 443 remain open. Same thing if I close 53. The nameserver still responds.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England

Re: iptables open port

#10 Post by Head_on_a_Stick »

schnappi wrote:Assuming this probably has somethng to do with iptables merely being a front end now for nftables.
Assume makes an ass out of u & me but you could try

# update-alternatives --config iptables

And select the iptables-legacy option to return to the old behaviour.
deadbang

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed

Re: iptables open port

#11 Post by dilberts_left_nut »

schnappi wrote:If anyone has suggestions unrelated to semantics please feel free to let me know.
From the available evidence it would appear to be user error.
AdrianTM wrote:There's no hacker in my grandma...

schnappi
Posts: 16
Joined: 2017-07-27 17:28

Re: iptables open port

#12 Post by schnappi »

Always thought highly of Debian. But, this forum gives the Arch community competition.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England

Re: iptables open port

#13 Post by Head_on_a_Stick »

schnappi wrote:this forum gives the Arch community competition
Thanks! We do try :mrgreen:
deadbang

schnappi
Posts: 16
Joined: 2017-07-27 17:28

Re: iptables open port

#14 Post by schnappi »

@Head_on_a_Stick I know you agree...

Anywho, there was no user error. The server had been up for a few years. No restart after Debian 10 upgrade either. Restarting resolved without any changes.

Kirill_code
Posts: 5
Joined: 2020-01-20 08:53

Re: iptables open port [SOLVED]

#15 Post by Kirill_code »

Hi, I have the same issue:
I use Tomcat 9.0.3 with this config:

<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="mystore2" keystorePass="PWD"
clientAuth="false" sslProtocol="TLS"/>
and these listeners:
org.apache.catalina.startup.VersionLoggerListener
org.apache.catalina.core.JreMemoryLeakPreventionListener
org.apache.catalina.mbeans.GlobalResourcesLifecycleListener
org.apache.catalina.core.ThreadLocalLeakPreventionListener

When I try to connect from a browser it throws ERR_CONNECTION_REFUSED.

I try to open port 8443 by:

iptables -I INPUT 1 -p tcp --dport 8443 -j ACCEPT
ufw allow https
But when I check remotely the port is closed, even though this is the result of ufw status:

Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
8080 ALLOW Anywhere
8443 ALLOW Anywhere
22 ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
8080 (v6) ALLOW Anywhere (v6)
8443 (v6) ALLOW Anywhere (v6)
22 (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)

netstat -tulpn | grep LISTEN:

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 622/sshd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 684/mysqld
tcp6 0 0 :::22 :::* LISTEN 622/sshd
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 618/java
tcp6 0 0 :::8080 :::* LISTEN 618/java

Chrisdb
Posts: 279
Joined: 2018-04-10 07:16

Re: iptables open port [SOLVED]

#16 Post by Chrisdb »

Kirill_code wrote:Hi, I have the same issue:
I use Tomcat 9.0.3 with this config:

<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="mystore2" keystorePass="PWD"
clientAuth="false" sslProtocol="TLS"/>
and these listeners:
org.apache.catalina.startup.VersionLoggerListener
org.apache.catalina.core.JreMemoryLeakPreventionListener
org.apache.catalina.mbeans.GlobalResourcesLifecycleListener
org.apache.catalina.core.ThreadLocalLeakPreventionListener

When I try to connect from a browser it throws ERR_CONNECTION_REFUSED.

I try to open port 8443 by:

iptables -I INPUT 1 -p tcp --dport 8443 -j ACCEPT
ufw allow https
But when I check remotely the port is closed, even though this is the result of ufw status:

Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
8080 ALLOW Anywhere
8443 ALLOW Anywhere
22 ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
8080 (v6) ALLOW Anywhere (v6)
8443 (v6) ALLOW Anywhere (v6)
22 (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)

netstat -tulpn | grep LISTEN:

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 622/sshd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 684/mysqld
tcp6 0 0 :::22 :::* LISTEN 622/sshd
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 618/java
tcp6 0 0 :::8080 :::* LISTEN 618/java
Please open another thread and post the results of:

netstat -tulpn
lsof -i

Seems like there's nothing listening on that port... Is Tomcat running :D

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England

Re: iptables open port [SOLVED]

#17 Post by Head_on_a_Stick »

Kirill_code wrote: I try to open port 8443 by:

iptables -I INPUT 1 -p tcp --dport 8443 -j ACCEPT
ufw allow https
But when I check remotely the port is closed, even though this is the result of ufw status
As noted by p.H above, iptables cannot open or close ports, it can only allow or deny access to them.
deadbang
