LinuxQuestions.org
Old 03-19-2014, 10:44 AM   #1
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 543
Iptables prevents HTTPS


Hi,

I used to be able to access webmin at https://example.com:10000/session_login.cgi, but no longer can do so, however, upon disabling iptables, I can. I've been trying to configure gitlab per https://github.com/gitlabhq/gitlab-r.../centos#apache, and think the following command caused the problem.
Code:
lokkit -s http -s https -s ssh
Iptables is configured as follows:
Code:
[root@desktop conf]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@desktop conf]#
Please let me know what is the problem.
 
Old 03-19-2014, 10:47 AM   #2
prayag_pjs
Senior Member
 
Registered: Feb 2008
Location: Pune - India
Distribution: Fedora,RedHat,CentOS,Gentoo
Posts: 1,138
Blog Entries: 4
What is the error you get when you try to access the link below:

https://example.com:10000/session_login.cgi

Did you check the apache error log?
 
Old 03-19-2014, 10:51 AM   #3
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 543

Original Poster
Quote:
Originally Posted by prayag_pjs
What is the error you get when you try to access the link below:

https://example.com:10000/session_login.cgi

Did you check the apache error log?
Quote:
The connection has timed out

The server at example.com is taking too long to respond.
No errors in Apache error log. I don't think it is ever getting through iptables.

Thanks
 
Old 03-19-2014, 11:08 AM   #4
prayag_pjs
Senior Member
 
Registered: Feb 2008
Location: Pune - India
Distribution: Fedora,RedHat,CentOS,Gentoo
Posts: 1,138
Blog Entries: 4
For the time being disable iptables and test it.

If it works after disabling iptables, you can modify iptables rule.
 
Old 03-19-2014, 11:41 AM   #5
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 543

Original Poster
Quote:
Originally Posted by prayag_pjs
For the time being disable iptables and test it.

If it works after disabling iptables, you can modify iptables rule.
It works after disabling iptables.

I am trying to determine which rules are wrong.
 
Old 03-19-2014, 11:56 AM   #6
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,272
Webmin is listening on port 10000, not port 443.
 
Old 03-19-2014, 12:16 PM   #7
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534
Like kirukan said above, Webmin is listening on port 10000..

HTTP and HTTPS are transfer protocols, and just because they default to ports 80 and 443 doesn't mean that HTTP(S) connections can't be made on different ports..
Your firewall allows just those two ports (as instructed) but not 10000 (used by default by Webmin -- btw, you should change it)..

A command to quickly allow you this is
Code:
iptables -I INPUT 1 -p tcp -dport 10000 --state NEW,ESTABLISHED -j ACCEPT
But I'm not sure how to make your change persistent on CentOS (not sure where the firewall rules are kept there)
 
Old 03-19-2014, 12:48 PM   #8
Shadow_7
Senior Member
 
Registered: Feb 2003
Distribution: debian
Posts: 2,327
Blog Entries: 1
/etc/services has a list of common usage for ports: http being 80, https being 443, webmin being 10000 in its list. tcpdump might help check to see what is / is not getting through.
 
Old 03-19-2014, 12:59 PM   #9
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 543

Original Poster
Quote:
Originally Posted by Smokey_justme
Like kirukan said above, Webmin is listening on port 10000..

HTTP and HTTPS are transfer protocols, and just because they default to ports 80 and 443 doesn't mean that HTTP(S) connections can't be made on different ports..
Your firewall allows just those two ports (as instructed) but not 10000 (used by default by Webmin -- btw, you should change it)..

A command to quickly allow you this is
Code:
iptables -I INPUT 1 -p tcp -dport 10000 --state NEW,ESTABLISHED -j ACCEPT
But I'm not sure how to make your change persistent on CentOS (not sure where the firewall rules are kept there)
I couldn't get your recommended line to work, but this appears to work. See any problems?
Code:
iptables -I INPUT 1 -p tcp --dport 10000 -j ACCEPT
Evidently, the rules are saved in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Do I just do iptables and not ip6tables?

To save my rules, do I just do the following?
Code:
iptables-save > /etc/sysconfig/iptables
BTW, I found how to change Webmin's port. Any recommend port to use?
 
Old 03-19-2014, 01:06 PM   #10
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,272
For Webmin, 10000 is the well-known port; if you intend to change it to some other, you can use one above 1024.
 
Old 03-19-2014, 01:10 PM   #11
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534
Your line is just fine.. Mine was missing an -m state before --state for it to work

And yes, the iptables-save line should work if that's the correct path (sorry, haven't touched CentOS in a while).. If you have an IPv6 connection, do this for ip6tables too, sure..

About ports.. anything above 1024 should be safe to use.. just remember to also modify your firewall rules.. Pick something that you'll find easy to remember.. The idea is to give a harder time to bots or other malicious software that try and exploit webmin on its default port...
 
Old 03-19-2014, 01:15 PM   #12
prayag_pjs
Senior Member
 
Registered: Feb 2008
Location: Pune - India
Distribution: Fedora,RedHat,CentOS,Gentoo
Posts: 1,138
Blog Entries: 4
Code:
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
It should work.

Please read iptables tutorial on net.
 
Old 03-19-2014, 01:15 PM   #13
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 543

Original Poster
Thanks everyone for your help!
 
Old 03-19-2014, 01:58 PM   #14
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534
Quote:
Originally Posted by prayag_pjs
Code:
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
It should work.

Please read iptables tutorial on net.
No, it shouldn't.. Please read his first post.. This would add a rule after a DROP rule..
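The ordering point in the post above (an appended rule lands after the chain's catch-all REJECT and is never evaluated, while `-I INPUT 1` puts it first) is easy to check mechanically. The script below is an added example for this thread, not code from any of the posters: it models the INPUT chain from post #1 in `iptables -S` rule-spec form, builds the chain as it would look after `iptables -A` versus `iptables -I INPUT 1`, and reports whether the port-10000 ACCEPT sits above or below the first catch-all REJECT/DROP. The rule set is constructed here; it assumes the unqualified "ACCEPT all -- anywhere anywhere" line in the listing is the usual `-i lo` loopback rule (plain `iptables -L` hides interfaces unless run with `-v`). On a real box you would feed it `iptables -S INPUT` instead of the constructed text.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether an ACCEPT rule for a
# TCP port can ever be hit in a first-match INPUT chain, i.e. whether it comes
# before the chain's catch-all REJECT/DROP. Rules are read on stdin in the
# `iptables -S INPUT` rule-spec format (one "-A INPUT ..." line per rule).

# Constructed rule set modelled on the `iptables -L` listing in post #1.
# Assumption: the "ACCEPT all -- anywhere anywhere" line is the usual "-i lo"
# loopback rule (iptables -L hides interfaces unless run with -v).
BASE_RULES='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# The Webmin rule as iptables -S would print it, whichever way it was added.
NEW_RULE='-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT'

# Chain after `iptables -A INPUT ...` (new rule lands last) ...
chain_after_append() { printf '%s\n%s\n' "$BASE_RULES" "$NEW_RULE"; }
# ... and after `iptables -I INPUT 1 ...` (new rule lands first).
chain_after_insert() { printf '%s\n%s\n' "$NEW_RULE" "$BASE_RULES"; }

# port_reachable PORT  (chain on stdin)
# Prints REACHABLE, SHADOWED (an ACCEPT exists but sits below the catch-all)
# or MISSING (no single-port ACCEPT for that port); exit status 0, 1 or 2.
# Only plain "--dport N" rules are recognised, not multiport or port ranges.
port_reachable() {
    awk -v port="$1" '
        /^-A INPUT / {
            n++
            # catch-all: no protocol, port, source, interface or state match,
            # and a terminating REJECT/DROP target; remember the first one
            if (!catch && $0 !~ /-p / && $0 !~ /--dport/ && $0 !~ /-s / &&
                $0 !~ /-i / && $0 !~ /--state/ &&
                ($0 ~ /-j REJECT/ || $0 ~ /-j DROP/)) catch = n
            # first ACCEPT for exactly this port
            if (!acc && $0 ~ ("--dport " port "( |$)") && $0 ~ /-j ACCEPT/) acc = n
        }
        END {
            if (!acc)                 { print "MISSING";   exit 2 }
            if (catch && catch < acc) { print "SHADOWED";  exit 1 }
            print "REACHABLE"; exit 0
        }'
}

# report LABEL PORT  (chain on stdin): one line per scenario
report() {
    printf '%-20s port %-5s: ' "$1" "$2"
    port_reachable "$2" || :
}

chain_after_append | report 'iptables -A INPUT'   10000   # SHADOWED
chain_after_insert | report 'iptables -I INPUT 1' 10000   # REACHABLE
printf '%s\n' "$BASE_RULES" | report 'original chain' 10000   # MISSING
```

The same check works against a live chain with `iptables -S INPUT | port_reachable 10000`; a SHADOWED result means the rule is present in `iptables -L` output yet connections still time out, which is exactly the symptom in post #3. Whatever the chain looks like in memory, it still has to be written to /etc/sysconfig/iptables (as discussed in posts #9 and #11) or it is lost at the next restart.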
 
Old 03-19-2014, 02:10 PM   #15
prayag_pjs
Senior Member
 
Registered: Feb 2008
Location: Pune - India
Distribution: Fedora,RedHat,CentOS,Gentoo
Posts: 1,138
Blog Entries: 4
Great Smokey! Keep it up! It's just an example, we are not here for spoon feeding!
 