> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N f2b-sshd
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A f2b-sshd -s 62.204.41.56/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.173.48/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 167.172.187.120/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 43.156.124.69/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 43.154.46.209/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.172.98/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 122.160.233.137/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -j RETURN

This is the fail2ban chain to block bots, but I strongly suggest using ipset and not storing each network as a separate rule. On my Debian server I use netfilter-persistent with the ipset plugin and fail2ban. Works like a charm!
https://dhtar.com/make-ipset-and-iptables-configurations-persistent-in-debianubuntu.html

But since the policy is "ACCEPT", other ports are open.

> My usual incantation and response:
>
> # sudo iptables -A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
> iptables: No chain/target/match by that name.

What is "IN_public_allow"? I do not see a chain with this name. Do you?

> # sudo iptables -S
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N f2b-sshd
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate
> ...
> But no open ports in spite of the output shown.

Hmm, I see 80 and 443 are open here. How did you check? (I suggest using a multiple-ports rule (multiport), btw.)

> I am considering moving to ufw

It is up to you. I see no reason to use ufw. At least, it doesn't support ipset :)

Also, check (using update-alternatives) whether you are using iptables or nft.

You may be interested in a good iptables tutorial: https://tldp.org/LDP/nag2/nag2.pdf (section 9.8)
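The two suggestions in the reply above (one ipset instead of one rule per banned address, and a default policy that is not ACCEPT) in working form, as an added example that is not code from the thread, from fail2ban or from netfilter-persistent. It parses `iptables -S` output of the shape quoted above, emits an `ipset restore` file for the banned entries and an `iptables-restore` file with a single `-m set` rule and a DROP policy. The chain/set name `f2b-sshd` is taken from the quoted output; the sample rules, the port lists and the file paths mentioned in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from fail2ban/netfilter-persistent.
# Collapses the per-address REJECT rules of a fail2ban chain into one ipset,
# matches that set with a single rule, and closes the ACCEPT default policy.
# "f2b-sshd" is the chain name from the quoted output; the sample rules, ports
# and file paths below are assumptions made for the demonstration.

# Constructed sample in "iptables -S" format, shaped like the quoted output.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 62.204.41.56/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.173.48/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 167.172.187.120/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN'

# banned_sources CHAIN   (reads "iptables -S" output on stdin)
# Prints every source address/network that CHAIN rejects, one per line.
banned_sources() {
  awk -v chain="$1" '$1 == "-A" && $2 == chain && $3 == "-s" { print $4 }'
}

# ipset_restore SET   (reads "iptables -S" output on stdin)
# Emits an "ipset restore" file: one hash:net set holding all banned entries,
# so the kernel does a hash lookup instead of walking N rules.
ipset_restore() {
  printf '%s\n' "create $1 hash:net family inet hashsize 1024 maxelem 65536"
  banned_sources "$1" | while read -r net; do
    printf '%s\n' "add $1 $net"
  done
}

# iptables_restore SET JAIL_PORTS OPEN_PORTS
# Emits an "iptables-restore" file: default DROP on INPUT, loopback and
# established traffic allowed, one multiport ACCEPT for OPEN_PORTS, and the
# fail2ban chain reduced to a single match-set rule. The jump into the jail
# chain is placed before the ACCEPT so a banned host never reaches it.
iptables_restore() {
  set_name="$1"; jail_ports="$2"; open_ports="$3"
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' ":$set_name - [0:0]"
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' "-A INPUT -p tcp -m multiport --dports $jail_ports -j $set_name"
  printf '%s\n' "-A INPUT -p tcp -m multiport --dports $open_ports -m conntrack --ctstate NEW -j ACCEPT"
  printf '%s\n' "-A $set_name -m set --match-set $set_name src -j REJECT --reject-with icmp-port-unreachable"
  printf '%s\n' "-A $set_name -j RETURN"
  printf '%s\n' 'COMMIT'
}

# Demo: print both files. On a host you would save them (assumed paths used
# by the netfilter-persistent ipset plugin: /etc/iptables/ipsets and
# /etc/iptables/rules.v4) and load the set before the rules, because the
# "-m set" rule is rejected if the set does not exist yet.
printf '%s\n' "$SAMPLE_RULES" | ipset_restore f2b-sshd
echo
iptables_restore f2b-sshd 22 22,80,443
```

Two checks worth doing after loading such a ruleset: `iptables -S INPUT` should start with `-P INPUT DROP` (the point of the reply's "other ports are open" remark), and `update-alternatives --display iptables` tells you whether the `iptables` binary is `iptables-legacy` or `iptables-nft`, which matters because rules loaded through one backend are invisible to tools using the other. The `IN_public_allow` chain in the quoted command is one that firewalld creates, so its absence on a plain-iptables host explains the "No chain/target/match by that name" error.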