On Wed, Apr 2, 2025 at 1:50 AM Timothy M Butterworth < timothy.m.butterwo...@gmail.com> wrote:
>
>
> On Wed, Apr 2, 2025 at 1:37 AM Van Snyder <van.sny...@sbcglobal.net> wrote:
>
>> I discovered that although I haven't even installed iptables, my server
>> was running firewalld. I wasn't even aware it existed. I stopped it, and
>> now I can access my web vandyke.mynetgear.com through my router on port
>> 80 or 443.
>>
>> I disabled firewalld because I have no idea how to configure it, but my
>> Linksys router is running a firewall that's really easy to configure.
>>
>> I owe thanks to the correspondents on this list who eventually led me to
>> ask online about Debian firewalls. I knew about iptables, which isn't even
>> installed, but I had never before heard of ufw or firewalld.
>>
>
> Firewalld is nice for laptops/notebooks where you are connecting to other
> people's WLANs. Firewalld is not good for a server or desktop though. I
> prefer IPTables for stationary devices. You can purge Firewalld and UFW. I
> would keep and configure IPTables on the server as well as setting up
> Suricata and ClamAV. I am a Defense in Depth, zero trust kind of guy. I
> have all my devices hardened. It is good practice to harden devices that
> are made available to the public.
>
> I attached my IP Tables cheat sheet. If you need any help feel free to ask.
>
> Tim
>
> Sorry here is the attachment for IP version 4.
>
>> On Tue, 2025-04-01 at 18:07 -0700, Van Snyder wrote:
>>
>> -------- Forwarded Message --------
>> *From*: jeremy ardley <jeremy.ard...@gmail.com>
>> *To*: debian-user@lists.debian.org
>> *Subject*: Re: Web server access
>> *Date*: 04/01/2025 05:29:23 PM
>>
>> On 2/4/25 08:21, Timothy M Butterworth wrote:
>>
>> Ok so if I understand you correctly then you are attempting to port
>> forward 80 and 443 through the router's WAN (Wide Area Network)
>> interface to a server located in the DMZ (Demilitarized Zone). Does the
>> server have Apache ACLs, IP Tables or TCP wrapper running on it? Can
>> you try to do a port ping or use telnet to connect to port 80 to test
>> connectivity? ex: `telnet <Routers WAN IP Address or Public DNS Name> 80`.
>> As you say that the server is on the inside of your network, have
>> you tried placing the server in the DMZ?
>>
>> Another alternative is the ISP has started blocking incoming connections
>> on the web ports?
>>
>> How could I find out if it's doing that?
>>
>> It's not blocking the random port that I map to 22 so I can ssh to my
>> server.
>>
>> I can FTP to my server from itself, but not through the router.
>>
>> I can't FTP to my server from another computer in my house.
>>
>> And now it seems I can't load web pages from my server on other computers
>> in my house. So maybe the server has started some kind of a firewall. How
>> would I find it and either turn it off or configure it so it allows more
>> than ssh.
>>
>
> --
> ⢀⣴⠾⠻⢶⣦⠀
> ⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
> ⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
> ⠈⠳⣄⠀⠀
### --flush -F [chain] - Delete all rules in chain or all chains
sudo /usr/sbin/iptables -F

### Permit inbound traffic to loopback
sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT

### Permit wired ethernet
sudo /usr/sbin/iptables -A INPUT -i enx0000000011f1 -j ACCEPT

### FTP Client
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p tcp --sport 20:21 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p tcp --dport 20:21 -j ACCEPT

### DNS Client UDP 53
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 53 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i lo -p udp --dport 53 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --sport 53 -j ACCEPT

### DNS Client UDP 5353 (mDNS)
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 5353 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 5353 -j ACCEPT

### DHCP UDP 67
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 67 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 67 -j ACCEPT

### DHCP UDP 68
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 68 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 68 -j ACCEPT

### Permit HTTP Client Traffic TCP 80
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p tcp --sport 80 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

### Permit NTP (Network Time Protocol) Client UDP 123
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 123 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 123 -j ACCEPT

### UDP 137 (NetBIOS name service)
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 137 --dport 137 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --sport 137 --dport 137 -j ACCEPT

### Permit HTTP/S Client Traffic TCP 443 (and UDP 443 for QUIC)
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p tcp --sport 443 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 443 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 443 -j ACCEPT

### SNMP Agent X tcp 705
sudo /usr/sbin/iptables -A OUTPUT -p tcp --dport 705 -j ACCEPT

### UDP 1716 Broadcast
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 1716 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 1716 -j ACCEPT

### UDP 1900 (SSDP/UPnP)
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 1900 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 1900 -j ACCEPT

### Permit Squid Proxy Server TCP 3128
sudo /usr/sbin/iptables -A INPUT -i lo -p tcp --dport 3128 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p tcp --sport 3128 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i lo -p tcp --sport 3128 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT

### Google Meet UDP 3478 (STUN)
sudo /usr/sbin/iptables -A INPUT -i lo -p udp --sport 3478 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 3478 -j ACCEPT

### KTorrent DHT
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 7881 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 7881 -j ACCEPT

### Torrent Tracker Ports
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 1337 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 1337 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p tcp --sport 1337 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p tcp --dport 1337 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 2710 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 2710 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 6969 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 6969 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p tcp --sport 6969 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p tcp --dport 6969 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p tcp --sport 8172 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p tcp --dport 8172 -j ACCEPT

### Permit TCP 5228
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p tcp --sport 5228 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p tcp --dport 5228 -j ACCEPT

### UDP 6881 torrent
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --dport 6881 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --sport 6881 -j ACCEPT

### UDP 7881 torrent
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --dport 7881 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --sport 7881 -j ACCEPT

### UDP 19302 Google Voice
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 19302:19305 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 19302:19305 -j ACCEPT

### UDP 26500
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 26500 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --dport 26500 -j ACCEPT

### UDP SPT=27036 DPT=27036
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p udp --sport 27036 --dport 27036 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p udp --sport 27036 --dport 27036 -j ACCEPT

### Permit Outbound ICMP Echo Request and Reply Traffic
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p icmp --icmp-type echo-reply -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

### Permit ICMP Destination Unreachable (type 3, includes port unreachable)
sudo /usr/sbin/iptables -A INPUT -i wlo1 -p icmp --icmp-type 3 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT

### ICMP Type 9 (router advertisement) to the all-hosts mcast group
sudo /usr/sbin/iptables -A INPUT -i wlo1 -d 224.0.0.1 -p icmp --icmp-type 9 -j ACCEPT

### 224.0.0.22 mcast (IGMP, IP protocol 2)
sudo /usr/sbin/iptables -A OUTPUT -d 224.0.0.22 -p 2 -j ACCEPT

### open stateful established and related packets (Only use this while building out Rules)
sudo /usr/sbin/iptables -A INPUT -i wlo1 -m state --state RELATED,ESTABLISHED -j LOG --log-prefix "iptables permitted inbound: "
sudo /usr/sbin/iptables -A INPUT -i wlo1 -m state --state RELATED,ESTABLISHED -j ACCEPT

### Reject all other traffic
sudo /usr/sbin/iptables -A INPUT -i wlo1 -j LOG --log-prefix "iptables denied inbound: "
sudo /usr/sbin/iptables -A INPUT -i wlo1 -j REJECT

### Remaining OUTPUT traffic: either log and accept it (while building out rules) ...
sudo /usr/sbin/iptables -A OUTPUT -j LOG --log-prefix "iptables permitted output: "
sudo /usr/sbin/iptables -A OUTPUT -j ACCEPT
### ... or log and reject it once the OUTPUT rules are complete. Use one pair
### or the other: nothing reaches rules appended after an unconditional "-j ACCEPT".
sudo /usr/sbin/iptables -A OUTPUT -j LOG --log-prefix "iptables denied output: "
sudo /usr/sbin/iptables -A OUTPUT -j REJECT

### --policy -P chain target - Change policy on chain to drop all traffic
sudo /usr/sbin/iptables -P INPUT DROP
sudo /usr/sbin/iptables -P OUTPUT DROP
### ... or keep OUTPUT open by default (alternative to the OUTPUT DROP line above)
sudo /usr/sbin/iptables -P OUTPUT ACCEPT

### IP MASQUERADE
sudo /usr/sbin/iptables -t nat -A POSTROUTING -o wlo1 -j MASQUERADE

### Save IPTables rules. The redirect is performed by your own (non-root) shell, so
### "sudo /usr/sbin/iptables-save > /etc/iptables/rules.v4" fails with "Permission denied";
### run the whole pipeline as root instead:
sudo sh -c '/usr/sbin/iptables-save > /etc/iptables/rules.v4'

### List IPTables Filter Rules
sudo /usr/sbin/iptables -L -v --line-numbers

### Syslog Files
sudo grep "iptables" /var/log/syslog

### --insert -I chain [rulenum] - Insert in chain as rulenum (default 1=first)
sudo /usr/sbin/iptables -I INPUT 2 -i wlo1 -p icmp -j ACCEPT

### --delete -D chain rulenum - Delete rule rulenum (1 = first) from chain
sudo /usr/sbin/iptables -D INPUT 2
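An added example, not from the thread or from Tim's cheat sheet, for the two questions the thread leaves open: how to find out which host firewall is running on a Debian box, and what a minimal ruleset for a server that must accept ssh, http and https looks like. It assumes a systemd-based Debian host with iptables installed; the function names are illustrative, and unlike the cheat sheet's `--sport` matches it admits return traffic by connection state, so a remote host gains nothing by sending from source port 80.

```shell
#!/bin/sh
# Added example (not from the thread or the cheat sheet above).
# Assumes a systemd-based Debian host with iptables installed.

# Report which host-firewall front-ends are active, plus whether the
# kernel already holds non-policy iptables rules from any source.
detect_firewalls() {
    for unit in firewalld ufw nftables; do
        systemctl is-active --quiet "$unit" 2>/dev/null && echo "$unit"
    done
    if iptables -S 2>/dev/null | grep -v '^-P' | grep -q .; then
        echo "iptables-rules-present"
    fi
}

# Emit an iptables-restore(8) filter table for a server. Arguments are the
# TCP ports to expose. Return traffic is matched by connection state rather
# than by source port, so "--sport 80" from outside does not get in; every
# other new inbound packet is rate-limited into the log and then dropped
# by the INPUT policy.
gen_server_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied inbound: "' \
        'COMMIT'
}

# Usage on the server, as root, after reading the generated file:
#   detect_firewalls
#   gen_server_rules 22 80 443 > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
```

Stop firewalld or ufw first if `detect_firewalls` reports them, since both rewrite the same tables and will overwrite a hand-loaded ruleset on restart.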