Setting up iptables for SSL (port 443)
I hear that it's a bad idea to edit iptables by hand.
I want to open 443. Quote:
It has been suggested to me that I don't need the second line (OUTPUT), and the first line should be --dport NOT --sport. In other words, Quote:
http://www.redhat.com/docs/manuals/e...ipt-basic.html
Background: I have an SSL cert and want to set up Apache to accept SSL connections... Since I'm not at the box, I can't use the nifty GUI. How might one do this via terminal? OS: CentOSv5 (RHELv5)
The page you got your data from is describing the setup on a firewall device or gateway. This is why it has to allow 443 in both directions. On the server machine itself, you only need to open the port for input.
Code:
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
Excellent.
NMap now tells me 443 is open. However, an on-line port scan such as http://www.yougetsignal.com/tools/open-ports/ tells me 443 is closed. Navigation to https://mydomain.com in a browser returns an error: (Chrome) Error 118 (net::ERR_CONNECTION_TIMED_OUT): The operation timed out. (Opera) Could not connect to remote server ...and so forth. Does this mean a router block? Or maybe SSL is misconfigured in Apache?
I would suggest what is called a TCP traceroute on port 443; this will tell you where the problem is occurring. Most hosting companies will not block 443 (since people use it quite a lot), but if you are hosting this at home, then your own router might be blocking it. Another suggestion would be to start with the server itself and move further away. If the server is unable to trace itself with "tcptraceroute -p 443 127.0.0.1", then you know the issue remains with the server. If you need to do it further away, cross-comparing it with a normal traceroute or a traceroute on port 80 should give you an indication of where the traffic is being blocked or rejected.
We are on a Comcast Business account, so I assume it's not blocked at the ISP.
Did you update your Apache configuration itself with the details for the HTTPS site yet, and restart Apache? Warning: this might cause some downtime, as you may be requested to supply a pass phrase.
The /var/logs/ssl_error_log reveals no error (since I fixed some cert issues). The /var/logs/ssl_access_log has no entries at all. Also... Quote:
Looking up, I have noticed you have used iptables -A. I believe I know what has occurred; could you do an "iptables -nvL" and copy and paste the results here? Because the results can get rather lengthy, can you also place the results within code tags?
Here it is:
Code:
[localhost ~]# iptables -nvL
# Generated by iptables-save v1.3.5 on Sat Jul 24 13:11:30 2010
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
and...
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
The second one was me today thinking that it didn't already exist. Should I delete it?
Hi,
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT won't be doing anything (it appears after the reject-all rule), but I tend to get rid of unused rules just to keep things manageable. As far as I can see, the firewall is configured correctly. So it's either a service (Apache) issue, or it's being blocked by something else.
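The ordering problem the last reply points at (a rule appended with iptables -A after a chain's catch-all REJECT never matches) is easy to miss when reading iptables-save output by eye. The script below is an added example, not code from the thread or from Red Hat: it reads iptables-save text on stdin, reports whether an ACCEPT for a TCP port in a chain is placed before that chain's catch-all REJECT/DROP, and prints the iptables -I command that would insert the rule at the catch-all's position so it is evaluated first. The sample rule set is constructed to resemble a CentOS 5 default RH-Firewall-1-INPUT chain with the 443 rule appended after the REJECT; it is not output from the poster's machine.

```shell
#!/bin/sh
# Added example, not from the thread: check whether an ACCEPT rule for a TCP
# port in a given chain is ordered BEFORE that chain's catch-all REJECT/DROP.
# A rule appended with "iptables -A" after the catch-all can never match.
# Input is iptables-save text on stdin (real use: iptables-save | ...).

# Constructed sample resembling a CentOS 5 default rule set where the
# "--dport 443" rule was appended (-A) after the final REJECT. Not real output.
SAMPLE_RULES='# Generated by iptables-save v1.3.5 on Sat Jul 24 13:11:30 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT'

# rule_position CHAIN REGEX
# Reads iptables-save text on stdin; prints the 1-based position within CHAIN
# of the first rule matching REGEX (extended regex), or nothing if none.
rule_position() {
    grep -- "^-A $1 " | grep -n -E -- "$2" | head -n 1 | cut -d: -f1
}

# catchall_position CHAIN
# Position of the first rule in CHAIN that has no match criteria and jumps
# straight to REJECT or DROP, i.e. the chain's "reject everything else" rule.
catchall_position() {
    rule_position "$1" "^-A $1 -j (REJECT|DROP)"
}

# port_rule_effective CHAIN PORT
# Exit 0 if "--dport PORT -j ACCEPT" exists in CHAIN and precedes the
# catch-all (or there is no catch-all); exit 1 if missing or unreachable.
port_rule_effective() {
    rules=$(cat)
    accept=$(printf '%s\n' "$rules" | rule_position "$1" "--dport $2 -j ACCEPT")
    catchall=$(printf '%s\n' "$rules" | catchall_position "$1")
    if [ -z "$accept" ]; then
        return 1
    fi
    if [ -z "$catchall" ]; then
        return 0
    fi
    [ "$accept" -lt "$catchall" ]
}

# insert_command CHAIN PORT
# Prints the iptables command that inserts the ACCEPT at the catch-all's
# position so it is evaluated first; falls back to -A if there is no catch-all.
insert_command() {
    rules=$(cat)
    catchall=$(printf '%s\n' "$rules" | catchall_position "$1")
    rule="-p tcp -m state --state NEW -m tcp --dport $2 -j ACCEPT"
    if [ -n "$catchall" ]; then
        echo "iptables -I $1 $catchall $rule"
    else
        echo "iptables -A $1 $rule"
    fi
}

# Demonstration on the constructed sample (guarded so a failing check does
# not abort a shell running with set -e).
if printf '%s\n' "$SAMPLE_RULES" | port_rule_effective RH-Firewall-1-INPUT 443; then
    echo "443 rule is reachable"
else
    echo "443 rule sits after the catch-all and never matches; fix with:"
    printf '%s\n' "$SAMPLE_RULES" | insert_command RH-Firewall-1-INPUT 443
fi
```

On a live box, run `iptables-save | port_rule_effective RH-Firewall-1-INPUT 443` rather than the sample, then delete the dead appended rule with `iptables -D` after inserting the working one, and save with `service iptables save` so the order survives a reboot. The checker looks at one chain only and does not follow jumps, so the other rule in the thread (the one appended to INPUT after `-j RH-Firewall-1-INPUT`) still needs a manual look: INPUT hands every packet to RH-Firewall-1-INPUT, whose REJECT is terminal, so nothing after that jump in INPUT is ever evaluated either.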