Just finished installing ISPConfig. tried to open port 81 for https://host.domain.tld:81 and no dice. nmap -p81 127.0.0.1 shows closed as does nmap -p81 <public IP>. do i need to do something more than just /etc/init.d/iptables restart after modifying the config file??

tried to copy the line in iptables for ssh, and that didnt work. googled for another possible entry. the line in /etc/sysconfig/iptables right now is:

-A RH-Firewall-1-INPUT -p tcp -i eth0 --dport 81 --sport 1024:65535 -m state --state NEW -j ACCEPT

the last ACCEPT line seems to be just slightly more detailed in that it specifies src ports? i couldnt care less about src port. eventually i would like restrict access to port 81 to a couple public IP addresses, but for now i just need to get the port open!

iptables -L shows:
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning

Chain RH-Firewall-1-INPUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:hosts2-ns state NEW
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

thanks in advance!

You're using nmap to see if you can find anything on port 81. However, that would be secondary. Port 81 could be wide open in firewalls from here to kingdome come but if you don't have anything LISTENing on port 81 nmap is not going to detect it.

So the first thing you need to do on the server itself is run "lsof -i :81" to see if it is LISTENing and if so on which interfaces (e.g. localhost? eth3? all?). If it is not LISTENing then you need to start the software that should be LISTENing (ISPConfig based on your post).

You're correct that the record you have is specifying source ports. You're record should look more like this to exclude source ports checking:
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:hosts2-ns
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
(By the way if you do iptables -nL you'll see the port number instead of the name "hosts2-ns".)

If you run iptables-save you'll see the line that was used to add what you have. You would then run iptables -D on the final icmp rule (it needs to be the last one - you'll readd it later). You then run iptables -D on the one that has your port 81 in it. Both these lines will currently have a "-A" in the iptables-save output - just change it to a -D.

You then re-add the lines with:
iptables -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 81 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Prior to doing this save /etc/sysconfig/iptables to a date stamped copy and also I like to save iptables-save to an iptables-save copy (e.g iptables-save.20091105). That way you'll know what it was before.

AFTER you do it run iptables-save >/etc/sysconfig/iptables. This will overwrite the original and insure the change is reflected on subsequent boots.

crap...there is nothing listening. i've posted my ISPConfig install log (with possible errors) in the software forum.

i just tried this install on a virtual box FC8 and it was flawless--wonder what happened.

thanks for the extra information. lsof, iptables -nL, iptables-save, etc

thumbs up!