
I have an annoying problem: my phpMyAdmin is not accessible when iptables is running. Rules:

# iptables -L -v -n | more
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 60 name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
    0     0 REJECT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 60 name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
 4040 2195K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5055
    0     0 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
    1   646 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
   35  1764 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 REJECT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
    0     0 REJECT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3652 1884K ACCEPT     0    --  *      *       10.10.141.0/24       0.0.0.0/0            policy match dir in pol ipsec proto 50
 4808 4752K ACCEPT     0    --  *      *       0.0.0.0/0            10.10.141.0/24       policy match dir out pol ipsec proto 50
    4  5120 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 6539 packets, 5343K bytes)
 pkts bytes target     prot opt in     out     source               destination

Any allow rules for ports 80 and 443 have no effect, like:

iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

2 Answers


Move the rules above the drop rule.
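As an added example (mine, not part of the question or the answer above): a POSIX shell script that finds the catch-all DROP rule in the INPUT chain from the output of `iptables -L INPUT -v -n --line-numbers` and prints the `iptables -I` commands that place the ACCEPTs for 80 and 443 directly in front of it. The function names, the use of `-m conntrack --ctstate NEW` and the sample listing are my own; the listing is constructed from the question's INPUT chain, in which the DROP is rule 8.

```shell
#!/bin/sh
# Added example (not from the original post): put the web-port ACCEPTs in front
# of the catch-all DROP in INPUT. Function names and the sample listing are my
# own; the listing is constructed from the question's INPUT chain.

# drop_rule_index: read "iptables -L INPUT -v -n --line-numbers" output on stdin
# and print the rule number of the first rule that DROPs every protocol from
# anywhere to anywhere with no extra match. Field layout with -v and
# --line-numbers: num pkts bytes target prot opt in out source destination.
# The prot column reads "all" on most builds and "0" on the one in the question.
drop_rule_index() {
    awk 'NF == 10 && $4 == "DROP" && ($5 == "all" || $5 == "0") &&
         $7 == "*" && $8 == "*" && $9 == "0.0.0.0/0" && $10 == "0.0.0.0/0" {
             print $1; exit
         }'
}

# web_rules_before_drop: given that rule number, print the iptables commands that
# insert ACCEPTs for 80 and 443 at that position. Inserting 80 at N pushes the
# DROP down to N+1, so 443 goes in at N+1 and both end up above the DROP.
# The commands are printed rather than executed so they can be reviewed first.
web_rules_before_drop() {
    idx="$1"
    if [ -z "$idx" ]; then
        echo "no catch-all DROP found in INPUT; nothing to move" >&2
        return 1
    fi
    printf 'iptables -I INPUT %s -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT\n' "$idx"
    printf 'iptables -I INPUT %s -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT\n' "$((idx + 1))"
}

# Constructed sample: the question's INPUT chain as the listing would print it.
SAMPLE_INPUT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 60 name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
2        0     0 REJECT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 60 name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
3     4040 2195K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4        0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5055
5        0     0 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
6        1   646 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
7        0     0 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
8       35  1764 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
9        0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
10       0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443'

# Demo on the constructed sample. On the real host replace the printf with
#   iptables -L INPUT -v -n --line-numbers
idx=$(printf '%s\n' "$SAMPLE_INPUT" | drop_rule_index)
web_rules_before_drop "$idx"
```

On the firewall host, `iptables -L INPUT -v -n --line-numbers | drop_rule_index` gives the position, and piping the printed commands to `sh` as root applies them. Afterwards the original ACCEPT rules for 80 and 443 below the DROP are unreachable duplicates and can be deleted with `iptables -D INPUT -p tcp --dport 80 -j ACCEPT` (same for 443), and the result should be persisted with `iptables-save` so it survives a restart.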


I would first enable logging; then you can see in the logs when a packet is dropped:

# new chain that logs a packet and then drops it
iptables -N LOGGING
# send whatever falls through the end of INPUT and OUTPUT into it
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
# rate-limited LOG so the kernel log is not flooded; the prefix makes grepping easy
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

Then review the logging and adjust your rules. Review the logs with: cat /var/log/messages | grep "IPTables-Dropped"

Ace
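To get more out of that log than a raw grep, here is an added example (mine, not the answer's): a shell function that tallies dropped packets by protocol and destination port from lines in the format the netfilter LOG target writes, so a run of dropped TCP/80 and TCP/443 entries stands out immediately. The function name and the log lines are my own; the lines are constructed, with addresses from the documentation ranges, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the answer above): summarise netfilter LOG lines that
# carry the "IPTables-Dropped: " prefix. Function name and sample lines are my
# own; the lines are constructed in the format the kernel LOG target emits.

# summarize_dropped: read syslog or journal text on stdin and print one line per
# (protocol, destination port) seen in dropped packets, most frequent first:
#   <count> <PROTO> <DPT>
# Lines without the prefix are ignored; ICMP entries carry no DPT= field and
# are shown with "-".
summarize_dropped() {
    awk '/IPTables-Dropped:/ {
        proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (proto != "") count[proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2,2 -k3,3n
}

# Constructed sample: two dropped SYNs to port 80, one to 443, one dropped DNS
# query, plus an unrelated sshd line that must not be counted.
SAMPLE_LOG='Jan 12 10:01:02 fw kernel: [12345.678901] IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12345 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:01:03 fw kernel: [12346.123456] IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12346 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:01:05 fw kernel: [12348.000000] IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=777 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 12 10:01:09 fw kernel: [12352.500000] IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=73 TOS=0x00 PREC=0x00 TTL=61 ID=778 DF PROTO=UDP SPT=53 DPT=53 LEN=53
Jan 12 10:01:10 fw sshd[2201]: Accepted publickey for admin from 198.51.100.7 port 50022 ssh2'

# Demo on the constructed sample; expected first line: "2 TCP 80"
printf '%s\n' "$SAMPLE_LOG" | summarize_dropped
```

On the host the same summary comes from `grep IPTables-Dropped /var/log/messages | summarize_dropped` (the LOG target writes to the kern facility, so on Debian-derived systems the file is /var/log/kern.log; `journalctl -k | summarize_dropped` works on systemd hosts). A caveat a practitioner would want: the LOGGING chain only sees packets that reach the jump to it, and with the chain shown in the question the catch-all DROP at rule 8 and the final REJECTs already swallow everything before an appended jump would run, so for diagnosis the jump has to go in before them, e.g. `iptables -I INPUT 8 -j LOGGING`.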