On Wed, Apr 2, 2025 at 1:37 AM Van Snyder <van.sny...@sbcglobal.net> wrote:
> I discovered that although I haven't even installed iptables, my server
> was running firewalld. I wasn't even aware it existed. I stopped it, and
> now I can access my web vandyke.mynetgear.com through my router on port
> 80 or 443.
>
> I disabled firewalld because I have no idea how to configure it, but my
> Linksys router is running a firewall that's really easy to configure.
>
> I owe thanks to the correspondents on this list who eventually led me to
> ask online about Debian firewalls. I knew about iptables, which isn't even
> installed, but I had never before heard of ufw or firewalld.

Firewalld is nice for laptops/notebooks where you are connecting to other
people's WLANs. Firewalld is not good for a server or desktop though. I
prefer IPTables for stationary devices. You can purge Firewalld and UFW. I
would keep and configure IPTables on the server as well as setting up
Suricata and ClamAV.

I am a Defense in Depth, zero trust kind of guy. I have all my devices
hardened. It is good practice to harden devices that are made available to
the public. I attached my IP Tables cheat sheet. If you need any help feel
free to ask.

Tim

> On Tue, 2025-04-01 at 18:07 -0700, Van Snyder wrote:
> > -------- Forwarded Message --------
> > From: jeremy ardley <jeremy.ard...@gmail.com>
> > To: debian-user@lists.debian.org
> > Subject: Re: Web server access
> > Date: 04/01/2025 05:29:23 PM
> >
> > On 2/4/25 08:21, Timothy M Butterworth wrote:
> > > Ok so if I understand you correctly then you are attempting to port
> > > forward 80 and 443 through the router's WAN Wide Area Network
> > > interface to a server located in the DMZ DeMilitarized Zone. Does the
> > > server have Apache ACLs, IP Tables or TCP wrapper running on it? Can
> > > you try to do a port ping or use telnet to connect to port 80 to test
> > > connectivity? ex: `telnet <Routers WAN IP Address or Public DNS Name>
> > > 80`. As you say that the server is on the inside of your network. Have
> > > you tried placing the server in the DMZ?
> >
> > Another alternative is the ISP has started blocking incoming connections
> > on the web ports?
>
> How could I find out if it's doing that?
>
> It's not blocking the random port that I map to 22 so I can ssh to my
> server.
>
> I can FTP to my server from itself, but not through the router.
>
> I can't FTP to my server from another computer in my house.
>
> And now it seems I can't load web pages from my server on other computers
> in my house. So maybe the server has started some kind of a firewall. How
> would I find it and either turn it off or configure it so it allows more
> than ssh.
>
> > --
> > ⢀⣴⠾⠻⢶⣦⠀
> > ⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
> > ⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
> > ⠈⠳⣄⠀⠀
### IP6Tables cheat sheet (attachment). "wlo1" is the wireless interface on the
### machine these were written for; substitute the interface of the host the
### rules are loaded on.

### --flush -F [chain] - Delete all rules in chain or all chains
sudo /usr/sbin/ip6tables -F

### NOTE: the INPUT rules below that match only on --sport admit any packet that
### carries that source port, whatever its connection state. Return traffic for
### client connections is admitted by the RELATED,ESTABLISHED rule near the end.

### FTP Client
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p tcp --sport 20:21 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p tcp --dport 20:21 -j ACCEPT

### DNS Client UDP 53
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p udp --sport 53 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 53 -j ACCEPT

### DNS Client UDP 5353 (mDNS)
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p udp --sport 5353 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 5353 -j ACCEPT

### Permit HTTP Client Traffic TCP 80
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p tcp --sport 80 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p tcp --dport 80 -j ACCEPT

### Permit NTP (Network Time Protocol) Client UDP 123
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p udp --sport 123 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 123 -j ACCEPT

### Permit HTTPS Client Traffic TCP 443 (and UDP 443 for HTTP/3 QUIC)
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p tcp --sport 443 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p tcp --dport 443 -j ACCEPT
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p udp --sport 443 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 443 -j ACCEPT

### DHCPv6 UDP 546 (client) / 547 (server)
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p udp --dport 546 --sport 547 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 547 --sport 546 -j ACCEPT

### TCP 705 SNMP AgentX (the rule matches TCP, which is what AgentX uses)
sudo /usr/sbin/ip6tables -A OUTPUT -p tcp --dport 705 -j ACCEPT

### Permit Squid Proxy Server TCP 3128 (loopback only)
sudo /usr/sbin/ip6tables -A INPUT -i lo -p tcp --dport 3128 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p tcp --sport 3128 -j ACCEPT
sudo /usr/sbin/ip6tables -A INPUT -i lo -p tcp --sport 3128 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p tcp --dport 3128 -j ACCEPT

### UDP 3478 Google Meet (STUN)
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p udp --sport 3478 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 3478 -j ACCEPT

### Permit TCP 5222 Google Talk xmpp-client
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p tcp --sport 5222 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p tcp --dport 5222 -j ACCEPT

### TCP 5228 Google Cloud Messaging
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p tcp --sport 5228 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p tcp --dport 5228 -j ACCEPT

### Port 6969 Torrent (UDP and TCP)
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p udp --sport 6969 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 6969 -j ACCEPT
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p tcp --sport 6969 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p tcp --dport 6969 -j ACCEPT

### UDP 19302 - 19305 Google Talk
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p udp --sport 19302:19305 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 19302:19305 -j ACCEPT

### UDP 26500 gRPC REST API
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p udp --sport 26500 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 26500 -j ACCEPT

### Permit assorted outbound UDP high ports (outbound only)
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 35356 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 36973 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 38579 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 46287 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 47453 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 53176 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p udp --dport 59546 -j ACCEPT

### Permit ICMPv6 Echo Request (outbound) and Echo Reply (inbound)
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT

### Permit ICMPv6 type 1 destination-unreachable (port unreachable is type 1, code 4)
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p icmpv6 --icmpv6-type 1 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT

### Permit ICMPv6 type 3 time-exceeded
### NOTE: type 2 packet-too-big is not accepted explicitly; IPv6 path MTU
### discovery depends on it, so it is left to the RELATED,ESTABLISHED rule below.
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p icmpv6 --icmpv6-type 3 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT

### Permit ipv6-icmp router-solicitation (type 133)
sudo /usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 133 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 133 -j ACCEPT

### Permit Inbound ipv6-icmp router-advertisement (type 134)
sudo /usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT

### Permit ipv6-icmp neighbour-solicitation (type 135)
sudo /usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT

### Permit ipv6-icmp neighbour-advertisement (type 136)
sudo /usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT

### Permit ICMPv6 type 143 (MLDv2 multicast listener report)
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -p icmpv6 --icmpv6-type 143 -j ACCEPT
sudo /usr/sbin/ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 143 -j ACCEPT

### open stateful established and related packets (Only use this while building out Rules)
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -m state --state RELATED,ESTABLISHED -j LOG --log-prefix "iptables permitted: "
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -m state --state RELATED,ESTABLISHED -j ACCEPT

### Reject all other traffic
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -j LOG --log-prefix "iptables denied: "
sudo /usr/sbin/ip6tables -A INPUT -i wlo1 -j REJECT
sudo /usr/sbin/ip6tables -A OUTPUT -j LOG --log-prefix "iptables permitted: "
sudo /usr/sbin/ip6tables -A OUTPUT -j ACCEPT
### NOTE: while the catch-all OUTPUT ACCEPT above is in place, the two rules
### below never match. Remove that ACCEPT (and its LOG) once the rule set is
### complete so that unmatched outbound traffic is logged and rejected.
sudo /usr/sbin/ip6tables -A OUTPUT -j LOG --log-prefix "iptables denied: "
sudo /usr/sbin/ip6tables -A OUTPUT -j REJECT

### --policy -P chain target - Change policy on chain to drop all traffic
sudo /usr/sbin/ip6tables -P INPUT DROP
sudo /usr/sbin/ip6tables -P OUTPUT DROP

### Save Rules (the redirection must run inside a root shell, so wrap it in sh -c;
### "sudo '/usr/sbin/ip6tables-save > ...'" would try to execute the whole quoted
### string as a single command name)
sudo sh -c '/usr/sbin/ip6tables-save > /etc/iptables/rules.v6'

### List IPTables Filter Rules
sudo /usr/sbin/ip6tables -L -v --line-numbers

### Display syslog messages (on systems without rsyslog, use: journalctl -k | grep iptables)
grep iptables /var/log/syslog

### --insert -I chain [rulenum] - Insert in chain as rulenum (default 1=first)
sudo /usr/sbin/ip6tables -I INPUT 2 -i wlo1 -p icmpv6 -j ACCEPT

### --delete -D chain rulenum - Delete rule rulenum (1 = first) from chain
sudo /usr/sbin/ip6tables -D INPUT 2
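The two weak spots a reviewer would flag in a cheat sheet like the one above (INPUT ACCEPTs keyed only on a source port, and OUTPUT rules that sit behind a catch-all ACCEPT) can be checked mechanically against `ip6tables-save` output. The script below is an added example, not part of Tim's attachment; it runs on a constructed sample ruleset embedded in the script, and the same two functions work on a real saved ruleset.

```shell
#!/bin/sh
# Lint an ip6tables-save style ruleset for two patterns: INPUT ACCEPTs that
# match only on --sport (no state match), and rules that sit behind a
# catch-all ACCEPT/DROP/REJECT in the same chain.
# Constructed sample ruleset (not the attachment itself), written to a temp
# file so the checks run offline.
RULES_FILE="$(mktemp)"
trap 'rm -f "$RULES_FILE"' EXIT
cat >"$RULES_FILE" <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i wlo1 -p tcp --sport 80 -j ACCEPT
-A INPUT -i wlo1 -p udp --sport 123 -j ACCEPT
-A INPUT -i wlo1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlo1 -j REJECT
-A OUTPUT -j ACCEPT
-A OUTPUT -j LOG --log-prefix "iptables denied: "
-A OUTPUT -j REJECT
COMMIT
EOF

# Count INPUT ACCEPT rules whose only selector beyond interface/protocol is
# --sport: any remote host can put that source port on a packet, so such a
# rule admits unsolicited traffic. Return traffic is what RELATED,ESTABLISHED
# is for.
stateless_sport_accepts() {
    grep -E '^-A INPUT .*--sport [0-9]+(:[0-9]+)? .*-j ACCEPT$' "$1" \
        | grep -v -E -- '--state|--ctstate' | wc -l | tr -d ' '
}

# Count rules in chain $2 that come after a rule with no match criteria at
# all ("-A CHAIN -j ACCEPT|DROP|REJECT"); nothing after such a rule is ever
# evaluated.
unreachable_rules() {
    awk -v chain="$2" '
        $1 == "-A" && $2 == chain {
            if (dead) n++
            if (NF == 4 && $3 == "-j" &&
                ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT")) dead = 1
        }
        END { print n + 0 }' "$1"
}

printf 'stateless --sport ACCEPTs in INPUT: %s\n' "$(stateless_sport_accepts "$RULES_FILE")"
printf 'unreachable rules in OUTPUT: %s\n' "$(unreachable_rules "$RULES_FILE" OUTPUT)"
printf 'unreachable rules in INPUT: %s\n' "$(unreachable_rules "$RULES_FILE" INPUT)"
```

To lint a live ruleset, point the functions at the output of `sudo ip6tables-save > /tmp/rules.v6` instead of the sample file.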