Iptables prevents HTTPS
Hi,
I used to be able to access webmin at https://example.com:10000/session_login.cgi, but I no longer can; however, if I disable iptables, I can. I've been trying to configure gitlab per https://github.com/gitlabhq/gitlab-r.../centos#apache, and I think the following command caused the problem. Code:
lokkit -s http -s https -s ssh
Code:
[root@desktop conf]# iptables -L |
What error do you get when you try to access the link below:
https://example.com:10000/session_login.cgi Did you check the Apache error log? |
Thanks |
For the time being disable iptables and test it.
If it works after disabling iptables, you can modify iptables rule. |
I am trying to determine which rules are wrong. |
Webmin is listening on port 10000, not port 443
|
Like kirukan said above, Webmin is listening on port 10000..
HTTP and HTTPS are transfer protocols, and just because they default to ports 80 and 443 doesn't mean that HTTP(S) connections can't be made on different ports.. Your firewall allows just those two ports (as instructed) but not 10000 (used by default by Webmin --btw, you should change it).. A command to quickly allow this is Code:
iptables -I INPUT 1 -p tcp --dport 10000 -m state --state NEW,ESTABLISHED -j ACCEPT |
/etc/services has a list of common usage for ports: http being 80, https being 443, webmin being 10000 in its list. tcpdump might help check to see what is / is not getting through.
|
Code:
iptables -I INPUT 1 -p tcp --dport 10000 -j ACCEPT
To save my rules, do I just do the following? Code:
iptables-save > /etc/sysconfig/iptables |
For webmin, 10000 is the well-known port; if you intend to change it, you can use some other port above 1024.
|
Your line is just fine.. :) Mine was missing an -m state before --state for it to work :)
And yes, the iptables-save line should work if that's the correct path (sorry, haven't touched CentOS in a while).. If you have an IPv6 connection, do this for ip6tables too, sure.. About ports.. anything above 1024 should be safe to use.. just remember to also modify your firewall rules.. Pick something that you'll find easy to remember.. The idea is to give a harder time to bots or other malicious software that try to exploit webmin on its default port... |
Code:
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
Please read an iptables tutorial on the net. |
Thanks everyone for your help!
|
|
Great Smokey! Keep it up! It's just an example; we are not here for spoon feeding!
|
We're not here to reply without reading what others said on the last page (at least)... If you had read it, you would have seen that your post actually contradicts mine.. And that's fine, if it brings something new to the table or is, at least, correct..
As for spoon feeding, NotionCommotion actually took my advice (and even corrected one of my lines -- correctly) and others' and applied it to his needs without being spoon-fed.. So, who's out of line here? ;) |
You are great Mr. I am the FOOL...
|
Yeah.. bye bye now..
|
|
First off, in your case it is a REJECT rule ... DROP is just more common and it was on the tip of my tongue.. DROP simply drops the packet (and is actually what makes the firewall work), while REJECT drops the packet but also sends back an error message to the host that tried to connect to you.. (see: http://www.linuxtopia.org/Linux_Fire...les/x4550.html)
Basically this line:
Code:
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
Here's a tutorial for iptables to find out more.. https://www.frozentux.net/iptables-t...-tutorial.html However, for starters, some small read like this should be enough: https://wiki.archlinux.org/index.php/iptables |
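The thread's real lesson is rule order: iptables evaluates a chain top to bottom and the first matching rule decides, so a `-A INPUT ... --dport 10000 -j ACCEPT` appended after the catch-all `-j REJECT --reject-with icmp-host-prohibited` never fires, while `-I INPUT 1 ...` inserted above it does. The following script is an added example written for this page, not code from any poster. It parses a constructed ruleset in `iptables-save` format (modelled on a stock CentOS 6 `lokkit -s http -s https -s ssh` result, with hypothetical counters and interface name `eth0`) and walks a new TCP connection through the INPUT chain with first-match semantics. It deliberately models only the matches that appear in this thread (`-p`, `--dport`, `-i`, `-m state --state`) and raises on anything else rather than guess.

```python
"""First-match simulation of an iptables INPUT chain (added example).

Feed it text in iptables-save format and ask what happens to a new TCP
connection to a given port; it reports the verdict and which rule number
produced it (None means the chain policy applied).
"""
import shlex

# Constructed ruleset, modelled on a stock CentOS 6 /etc/sysconfig/iptables
# after `lokkit -s http -s https -s ssh`. Webmin's port 10000 is not open.
BASE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Options that take exactly one argument. Only -p, --dport, -i and --state
# influence the packet model below; the rest are parsed and ignored.
ONE_ARG = {"-A", "-p", "-m", "-i", "-o", "-s", "-d", "-j",
           "--dport", "--sport", "--state", "--reject-with", "--icmp-type"}


def parse_iptables_save(text):
    """Return {chain: {"policy": str, "rules": [rule dict, ...]}} in file order."""
    chains = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("*", "#")) or line == "COMMIT":
            continue
        if line.startswith(":"):                      # ":INPUT ACCEPT [0:0]"
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": policy, "rules": []}
            continue
        toks = shlex.split(line)
        rule = {"raw": line}
        i = 0
        while i < len(toks):
            if toks[i] not in ONE_ARG:                # e.g. "!" negation, --dports
                raise ValueError(f"unsupported option {toks[i]!r} in: {line}")
            rule[toks[i]] = toks[i + 1]
            i += 2
        chains.setdefault(rule["-A"], {"policy": "-", "rules": []})
        chains[rule["-A"]]["rules"].append(rule)
    return chains


def rule_matches(rule, pkt):
    """Every match present on the rule must hold; a rule with no matches hits everything."""
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt["dport"]:
        return False
    if "-i" in rule and rule["-i"] != pkt["iface"]:
        return False
    if "--state" in rule and pkt["state"] not in rule["--state"].split(","):
        return False
    return True


def verdict(chains, pkt, chain="INPUT"):
    """Walk the chain top to bottom; return (target, 1-based rule number or None)."""
    c = chains[chain]
    for n, rule in enumerate(c["rules"], start=1):
        if rule_matches(rule, pkt):
            return rule["-j"], n
    return c["policy"], None          # fell off the end: chain policy applies


def new_tcp_verdict(text, dport, iface="eth0"):
    """Verdict for the first SYN of a fresh TCP connection arriving on iface."""
    pkt = {"proto": "tcp", "dport": dport, "iface": iface, "state": "NEW"}
    return verdict(parse_iptables_save(text), pkt)


def with_rule(text, rule_args, position=None):
    """Emulate `iptables -A INPUT <args>` (position=None) or
    `iptables -I INPUT <position> <args>` on an iptables-save dump."""
    lines = text.splitlines()
    idx = [i for i, l in enumerate(lines) if l.startswith("-A INPUT ")]
    if position is None or position > len(idx):
        at = idx[-1] + 1                              # append after the last INPUT rule
    else:
        at = idx[position - 1]                        # insert before rule <position>
    lines.insert(at, "-A INPUT " + rule_args)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rule = "-p tcp --dport 10000 -m state --state NEW,ESTABLISHED -j ACCEPT"
    print("stock ruleset, :10000    ", new_tcp_verdict(BASE_RULES, 10000))
    print("appended with -A, :10000 ", new_tcp_verdict(with_rule(BASE_RULES, rule), 10000))
    print("inserted -I INPUT 1,:10000", new_tcp_verdict(with_rule(BASE_RULES, rule, 1), 10000))
    print("inserted -I INPUT 1, :443 ", new_tcp_verdict(with_rule(BASE_RULES, rule, 1), 443))
```

Run it against your own dump with `iptables-save | python3 thisfile.py`-style plumbing if you adapt `__main__`; the point it shows is that the appended rule sits at position 8, below the REJECT at 7, so a SYN to 10000 is still rejected, whereas the inserted rule becomes rule 1 and is matched before anything else, without disturbing the existing 22/80/443 openings (they just shift down one position).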