On 5/28/22 22:11, Tom Browder wrote:
> As the bare-iron server came from my long-time cloud provider (since
> Debian 6), incoming ports 80 and 443 are blocked.
>
> I ran my usual iptables command for new servers from them, but this
> time the default settings were different so it didn't work.

Try to flush the tables and (re)set default policies for the existing chains.

> Output from "sudo iptables -S" before my attempt:
>
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N f2b-sshd
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A f2b-sshd -s 62.204.41.56/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.173.48/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 167.172.187.120/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 43.156.124.69/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 43.154.46.209/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.172.98/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 122.160.233.137/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -j RETURN
>
> My usual incantation and response:
>
> # sudo iptables -A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
> iptables: No chain/target/match by that name.

You have no chain "IN_public_allow". Probably you should create it.

> Then I tried:
>
> # sudo iptables -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
> # sudo iptables -A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT

It's a good practice to set input/output network interfaces.

> Again checking status:
>
> # sudo iptables -S
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N f2b-sshd
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT

You have a second rule for port 80/tcp, do you need it?

> -A f2b-sshd -s 62.204.41.56/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.173.48/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 167.172.187.120/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 43.156.124.69/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 43.154.46.209/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.172.98/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 122.160.233.137/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -j RETURN
>
> But no open ports in spite of the output shown.
>
> I am considering moving to ufw but am reluctant due to the possibility
> of getting locked-out of my remote server. I am used to logging in
> with two separate terminals to avoid that during initial setup but
> want to make sure that is safe.

Kind regards,
Georgi
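A lockout-safe way to do the flush-and-reset this reply suggests, with the accept rules bound to an interface and a check for the duplicated port rule; this is an added example, not code from the thread. It assumes the interface name and TCP ports are passed in, that iptables-save/iptables-restore exist, and that fail2ban (if installed) is restarted afterwards so it recreates its own f2b-sshd chain.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a complete filter-table ruleset
# for iptables-restore and applies it behind a rollback timer, so a bad rule
# on a remote server undoes itself instead of locking you out.
# Assumptions: interface and ports are passed in; iptables-save/iptables-restore
# exist; fail2ban, if used, is restarted afterwards because replacing the
# filter table removes its f2b-sshd chain.

# gen_rules IFACE PORT...  -> prints the ruleset. Loading it replaces the whole
# filter table (the "flush and reset default policies" step) with a
# default-deny INPUT baseline plus explicit accepts.
gen_rules() {
    iface="$1"; shift
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for port in "$@"; do
        # Each accept rule is tied to the interface, as the reply recommends.
        printf '%s\n' "-A INPUT -i $iface -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# count_port_rules PORT  (ruleset on stdin) -> number of rules for that port;
# anything above 1 is the kind of duplicate port-80 rule the reply points out.
count_port_rules() {
    grep -c -- "--dport $1 -" || true
}

# apply_with_rollback RULES_FILE [SECONDS]  -> loads the ruleset and starts a
# watchdog that restores the saved rules after SECONDS unless confirm_rules
# is run from a second, still-working session. Needs root; not run by tests.
apply_with_rollback() {
    rules="$1"; secs="${2:-60}"
    backup=/run/iptables.rollback
    iptables-save > "$backup" || return 1
    iptables-restore < "$rules" || { iptables-restore < "$backup"; return 1; }
    ( sleep "$secs" && iptables-restore < "$backup" ) &
    echo "$!" > /run/iptables.rollback.pid
    echo "applied $rules; run confirm_rules within ${secs}s to keep it"
}

# confirm_rules  -> cancels the pending rollback once the new session works.
confirm_rules() {
    kill "$(cat /run/iptables.rollback.pid)" 2>/dev/null
    rm -f /run/iptables.rollback.pid /run/iptables.rollback
}
```

Typical use from a root shell: `gen_rules eth0 22 80 443 > /tmp/rules.v4; apply_with_rollback /tmp/rules.v4 90`, then open a fresh ssh session and run `confirm_rules` there.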