LinuxQuestions.org > Linux - Newbie > Iptables prevents HTTPS (https://www.linuxquestions.org/questions/linux-newbie-8/iptables-prevents-https-4175498740/)

NotionCommotion 03-19-2014 09:44 AM

Iptables prevents HTTPS
 
Hi,

I used to be able to access webmin at https://example.com:10000/session_login.cgi, but I no longer can; however, upon disabling iptables, I can. I've been trying to configure gitlab per https://github.com/gitlabhq/gitlab-r.../centos#apache, and I think the following command caused the problem.
Code:

lokkit -s http -s https -s ssh

Iptables is configured as follows:
Code:

[root@desktop conf]# iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    icmp --  anywhere            anywhere
ACCEPT    all  --  anywhere            anywhere
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:ssh
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:http
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:https
REJECT    all  --  anywhere            anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination
REJECT    all  --  anywhere            anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination
[root@desktop conf]#

Please let me know what is the problem.

prayag_pjs 03-19-2014 09:47 AM

What is the error you get when you try to access the link below:

https://example.com:10000/session_login.cgi

Did you check the apache error log?

NotionCommotion 03-19-2014 09:51 AM

Quote:

Originally Posted by prayag_pjs (Post 5137408)
What is the error you get when you try to access the link below:

https://example.com:10000/session_login.cgi

Did you check the apache error log?

Quote:

The connection has timed out

The server at example.com is taking too long to respond.

No errors in the Apache error log. I don't think it is ever getting through iptables.

Thanks

prayag_pjs 03-19-2014 10:08 AM

For the time being disable iptables and test it.

If it works after disabling iptables, you can modify iptables rule.

NotionCommotion 03-19-2014 10:41 AM

Quote:

Originally Posted by prayag_pjs (Post 5137419)
For the time being disable iptables and test it.

If it works after disabling iptables, you can modify iptables rule.

It works after disabling iptables.

I am trying to determine which rules are wrong.

kirukan 03-19-2014 10:56 AM

Webmin is listening on port 10000, not port 443.

Smokey_justme 03-19-2014 11:16 AM

Like kirukan said above, Webmin is listening on port 10000..

HTTP and HTTPS are transfer protocols, and just because they default to ports 80 and 443 doesn't mean that HTTP(S) connections can't be made on different ports..
Your firewall allows just those two ports (as instructed) but not 10000 (used by default by Webmin --btw, you should change it)..

A command to quickly allow you this is
Code:

iptables -I INPUT 1 -p tcp -dport 10000 --state NEW,ESTABLISHED -j ACCEPT

But I'm not sure how to make your change persistent on CentOS (not sure where the firewall rules are kept there)

Shadow_7 03-19-2014 11:48 AM

/etc/services has a list of common usage for ports: http being 80, https being 443, webmin being 10000 in its list. tcpdump might help check to see what is / is not getting through.

NotionCommotion 03-19-2014 11:59 AM

Quote:

Originally Posted by Smokey_justme (Post 5137453)
Like kirukan said above, Webmin is listening on port 10000..

HTTP and HTTPS are transfer protocols, and just because they default to ports 80 and 443 doesn't mean that HTTP(S) connections can't be made on different ports..
Your firewall allows just those two ports (as instructed) but not 10000 (used by default by Webmin --btw, you should change it)..

A command to quickly allow you this is
Code:

iptables -I INPUT 1 -p tcp -dport 10000 --state NEW,ESTABLISHED -j ACCEPT

But I'm not sure how to make your change persistent on CentOS (not sure where the firewall rules are kept there)

I couldn't get your recommended line to work, but this appears to work. See any problems?
Code:

iptables -I INPUT 1 -p tcp --dport 10000 -j ACCEPT

Evidently, the rules are saved in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Do I just do iptables and not ip6tables?

To save my rules, do I just do the following?
Code:

iptables-save > /etc/sysconfig/iptables

BTW, I found how to change Webmin's port. Any recommended port to use?

kirukan 03-19-2014 12:06 PM

For Webmin, 10000 is the well-known port; if you intend to change to some other, you can use one above 1024.

Smokey_justme 03-19-2014 12:10 PM

Your line is just fine.. :) Mine was missing an -m state before --state for it to work :)

And yes, the iptables-save line should work if that's the correct path (sorry, haven't touched CentOS in a while).. If you have an IPv6 connection, do this for ip6tables too, sure..

About ports.. anything above 1024 should be safe to use.. just remember to also modify your firewall rules.. Pick something that you'll find easy to remember.. The idea is to give a harder time to bots or other malicious software that try and exploit Webmin on its default port...

prayag_pjs 03-19-2014 12:15 PM

Code:

iptables -A INPUT -p tcp --dport 10000 -j ACCEPT

It should work.

Please read iptables tutorial on net.

NotionCommotion 03-19-2014 12:15 PM

Thanks everyone for your help!

Smokey_justme 03-19-2014 12:58 PM

Quote:

Originally Posted by prayag_pjs (Post 5137493)
Code:

iptables -A INPUT -p tcp --dport 10000 -j ACCEPT

It should work.

Please read iptables tutorial on net.

No, it shouldn't.. Please read his first post.. This would add a rule after a DROP rule.. ;)
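
Added example (not code from this thread, and not part of iptables itself): a small first-match simulator in Python for the INPUT chain posted at the top, illustrating both the port-10000 rule suggested earlier and the ordering point made in the post above. The chain is written as iptables -S INPUT would print it; the one assumption is that the third rule, which plain iptables -L shows as a bare "ACCEPT all anywhere anywhere", is the usual loopback rule -i lo (iptables -L without -v hides the interface column). Extra -A or -I commands are applied on top, and the chain is walked the way the kernel walks it: the first matching rule decides, and the chain policy applies only if nothing matched. A new TCP connection to port 10000 stops at the terminal REJECT; a rule appended with -A lands behind that REJECT and is never reached; the same rule inserted with -I INPUT 1 is hit first. The parser also refuses the two defects in the line posted earlier (the single-dash -dport, and --state used without -m state), as iptables does.

```python
"""First-match simulator for an iptables INPUT chain (added example).
Applies -A/-I commands in order to a constructed ruleset in `iptables -S`
syntax, then walks the chain as the kernel does: first match decides."""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Constructed ruleset: the INPUT chain from the first post as `iptables -S INPUT`
# would print it (policy ACCEPT). Rule 3 is ASSUMED to be the loopback rule
# (-i lo); plain `iptables -L` hides the interface column, hence the bare
# "ACCEPT all anywhere anywhere" in the post.
ORIGINAL_INPUT_CHAIN = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
""".strip().splitlines()
POLICY = "ACCEPT"                           # applies only if no rule matched

@dataclass
class Rule:
    target: str
    proto: str | None = None
    iface: str | None = None
    dport: int | None = None
    states: set[str] = field(default_factory=set)   # empty = any state

@dataclass
class Packet:
    proto: str
    dport: int
    state: str            # conntrack state: NEW, ESTABLISHED or RELATED
    iface: str = "eth0"

def parse_command(line: str) -> tuple[str, int | None, Rule]:
    """Parse one -A/-I line into (op, insert position, rule). Like iptables,
    it rejects a single-dash -dport and a --state not preceded by -m state."""
    toks = shlex.split(line)
    op, i = toks[0], 2                      # toks[1] is the chain name
    if op not in ("-A", "-I"):
        raise ValueError(f"unsupported command {op}")
    position = None
    if op == "-I" and i < len(toks) and toks[i].isdigit():
        position, i = int(toks[i]), i + 1
    rule, loaded = Rule(target=""), set()   # loaded = match modules in use
    while i < len(toks):                    # every option here takes one argument
        t, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else "")
        if t == "-m":
            loaded.add(arg)
        elif t == "-p":
            rule.proto = arg; loaded.add(arg)       # -p tcp implies -m tcp
        elif t == "-i":
            rule.iface = arg
        elif t == "-j":
            rule.target = arg
        elif t == "--dport" and loaded & {"tcp", "udp"}:
            rule.dport = int(arg)
        elif t == "--state" and "state" in loaded:
            rule.states = set(arg.split(","))
        elif t != "--reject-with":                  # irrelevant to matching
            raise ValueError(f"unknown option `{t}'")
        i += 2
    return op, position, rule

def build_chain(lines: list[str]) -> list[Rule]:
    """Apply the commands in order, as if typed one after another as root."""
    rules: list[Rule] = []
    for line in lines:
        op, pos, rule = parse_command(line)
        if op == "-A":
            rules.append(rule)                      # lands after the final REJECT
        else:
            rules.insert((pos or 1) - 1, rule)      # -I defaults to position 1
    return rules

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.states or pkt.state in rule.states))

def verdict(lines: list[str], pkt: Packet) -> tuple[str, int | None]:
    """Walk the chain: (target, 1-based rule number) or (POLICY, None)."""
    for n, rule in enumerate(build_chain(lines), start=1):
        if matches(rule, pkt):
            return rule.target, n
    return POLICY, None

if __name__ == "__main__":
    webmin = Packet("tcp", 10000, "NEW")            # a fresh browser hit on Webmin
    for extra in ([], ["-A INPUT -p tcp --dport 10000 -j ACCEPT"],
                  ["-I INPUT 1 -p tcp --dport 10000 -j ACCEPT"]):
        print(extra or "original chain", "->", verdict(ORIGINAL_INPUT_CHAIN + extra, webmin))
```

On the real box the equivalent check is iptables -S INPUT, or iptables -L -v -n --line-numbers, which show the interface and the rule numbers that plain iptables -L omits; that is the quickest way to confirm where a new rule landed relative to the REJECT. Whatever is inserted is lost on reboot until it is written out (iptables-save > /etc/sysconfig/iptables, or service iptables save on CentOS 6), and ip6tables only needs a matching rule if the host actually has an IPv6 address that Webmin listens on. Since Webmin is an administrative interface, limiting the new rule to the admin network with -s rather than opening port 10000 to everyone is a stronger control than just moving the port.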

prayag_pjs 03-19-2014 01:10 PM

Great Smokey! Keep it up! It's just an example; we are not here for spoon-feeding!
