Redirect web server from port 5000 to port 80 on localhost (Fedora) - linux

On Fedora 24, a web server (Node.js) is running (standalone, no Apache/others) on port 5000. Trying to make it accessible on port 80.
http://localhost:5000 works
Tried this:
systemctl stop firewalld
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 5000
http://localhost doesn't work
Tried this
systemctl restart firewalld
firewall-cmd --add-service=http --permanent
firewall-cmd --zone=external --add-masquerade
firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=5000
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=5000
firewall-cmd --list-all
FedoraWorkstation (active)
target: default
icmp-block-inversion: no
interfaces: wlp3s0
sources:
services: mdns ssh dhcpv6-client samba-client https http
ports: 1025-65535/tcp 1025-65535/udp
protocols:
masquerade: yes
forward-ports: port=80:proto=tcp:toport=5000:toaddr=
source-ports:
icmp-blocks:
rich rules:
Additional info
Tried these
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 5000
REDIRECT tcp -- anywhere anywhere tcp dpt:https redir ports 5000
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ifconfig
enp0s25: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
wlp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ip route
default via 192.168.1.1 dev wlp3s0 proto static metric 600
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.4 metric 600
For others it just works:
Best practices when running Node.js with port 80 (Ubuntu / Linode)
Running node as root on port 80 works. Note, there's no IPv4:
netstat -tpln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:4433 0.0.0.0:* LISTEN 3977/deluge-gtk
tcp 0 0 0.0.0.0:51157 0.0.0.0:* LISTEN 3977/deluge-gtk
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 900/postgres
tcp 0 0 0.0.0.0:17500 0.0.0.0:* LISTEN 3203/dropbox
tcp 0 0 127.0.0.1:17600 0.0.0.0:* LISTEN 3203/dropbox
tcp 0 0 127.0.0.1:17603 0.0.0.0:* LISTEN 3203/dropbox
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::4433 :::* LISTEN 3977/deluge-gtk
tcp6 0 0 :::51157 :::* LISTEN 3977/deluge-gtk
tcp6 0 0 :::5432 :::* LISTEN 900/postgres
tcp6 0 0 :::17500 :::* LISTEN 3203/dropbox
tcp6 0 0 :::34017 :::* LISTEN 10532/code
tcp6 0 0 :::5858 :::* LISTEN 30394/node
tcp6 0 0 :::5000 :::* LISTEN 30394/node

firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=5000 --permanent
#make port forwarding work on localhost
iptables -t nat -I OUTPUT --source 127.0.0.1 --destination 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to-ports 5000
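Why the answer needs that second rule, as an added shell example that is not part of the original answer: packets the host generates itself never pass PREROUTING, so a check of the nat table has to look for the REDIRECT in both PREROUTING and OUTPUT. The dumps below are constructed in iptables -t nat -S form to mirror the question's rule and the answer's OUTPUT rule.

```shell
#!/bin/sh
# Added example, not from the original answer.
# Given the nat table in `iptables -t nat -S` form, reports whether traffic
# to DPORT is redirected to TOPORT both for packets arriving from the
# network (PREROUTING) and for packets the host generates itself (OUTPUT).
# Locally generated packets never pass PREROUTING, so the question's single
# PREROUTING rule leaves http://localhost unredirected while the answer's
# extra OUTPUT rule covers it.

# Constructed sample: the question's state, PREROUTING redirect only.
NAT_BEFORE='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 5000'

# Constructed sample: after adding the answer's loopback OUTPUT rule.
NAT_AFTER="$NAT_BEFORE
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 5000"

# redirect_chains NAT_DUMP DPORT TOPORT
# Prints the chain name of every "-A" rule that REDIRECTs DPORT to TOPORT.
redirect_chains() {
    printf '%s\n' "$1" | awk -v dport="$2" -v toport="$3" '
        $1 == "-A" && / -j REDIRECT / {
            okd = 0; okt = 0
            for (i = 3; i < NF; i++) {
                if ($i == "--dport"    && $(i + 1) == dport)  okd = 1
                if ($i == "--to-ports" && $(i + 1) == toport) okt = 1
            }
            if (okd && okt) print $2
        }'
}

# redirect_status NAT_DUMP DPORT TOPORT
#   ok                 both PREROUTING and OUTPUT redirect DPORT to TOPORT
#   missing-output     only PREROUTING: remote clients work, localhost fails
#   missing-prerouting only OUTPUT: localhost works, remote clients fail
#   none               no matching REDIRECT at all
redirect_status() {
    pre=0; out=0
    for chain in $(redirect_chains "$1" "$2" "$3"); do
        case "$chain" in
            PREROUTING) pre=1 ;;
            OUTPUT) out=1 ;;
        esac
    done
    if [ "$pre" -eq 1 ] && [ "$out" -eq 1 ]; then echo ok
    elif [ "$pre" -eq 1 ]; then echo missing-output
    elif [ "$out" -eq 1 ]; then echo missing-prerouting
    else echo none
    fi
}

# Demo against the constructed dumps. On a live host you would feed in
#   redirect_status "$(iptables -t nat -S)" 80 5000
echo "before: $(redirect_status "$NAT_BEFORE" 80 5000)"
echo "after:  $(redirect_status "$NAT_AFTER" 80 5000)"
```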

You should avoid using iptables for things like this, but on Fedora you'd need to set up the firewall appropriately. Also, this question has nothing to do with Node.js.
firewall-cmd --add-service=http --permanent
firewall-cmd --reload
Related: https://unix.stackexchange.com/questions/39216/cannot-connect-to-fedora-on-port-80

Related

Docker on AWS ElasticBeanstalk: "host.docker.internal: host-gateway": Connection refused. Iptables issue?

So I have a multicontainer project running on AWS ElasticBeanstalk (latest Docker platform).
The containers share the same bridge network since they need to be able to communicate with each other (ports 3000, 8080, 9090, 9100). But one of those containers needs to be able to communicate with the host too (ports 55113, 56113).
This is normally possible by just adding extra_hosts: "host.docker.internal:host-gateway" to that container and then using host.docker.internal instead of localhost inside the container, i.e. host.docker.internal:55113. I've successfully used it before on Debian.
But this is not working on AWS ElasticBeanstalk, the connection is refused.
Am I doing something wrong? Is there any workaround?
AWS ElasticBeanstalk Platform:
Docker running on 64bit Amazon Linux 2/3.4.2
Host's Docker & Docker-Compose versions:
$ sudo docker --version
Docker version 20.10.4, build d3cb89e
$ sudo docker-compose --version
docker-compose version 1.29.2, build unknown
Project's docker-compose.yml: (showing only the relevant parts)
version: "3.9"
services:
prometheus:
image: prom/prometheus:v2.28.1
container_name: prometheus
ports:
- 9090:9090
extra_hosts:
- host.docker.internal:host-gateway # <-------- EXTRA HOST
networks:
default:
name: monitoring
Container debug:
$ sudo docker exec -it prometheus cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.1 host.docker.internal # <-------- the mapping is present
172.25.0.4 f01ffc6b2a8a
$ sudo docker exec -it prometheus wget host.docker.internal
Connecting to host.docker.internal (172.17.0.1:80)
wget: can't connect to remote host (172.17.0.1): Connection refused
$ sudo docker exec -it prometheus wget host.docker.internal:55113 # <-------- the port I want to reach
Connecting to host.docker.internal:55113 (172.17.0.1:55113)
wget: can't connect to remote host (172.17.0.1): Connection refused
Host's iptables (configured by AWS and/or Docker, I didn't edit it):
$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-a8a58f19c627 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-a8a58f19c627 -j DOCKER
-A FORWARD -i br-a8a58f19c627 ! -o br-a8a58f19c627 -j ACCEPT
-A FORWARD -i br-a8a58f19c627 -o br-a8a58f19c627 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.25.0.2/32 ! -i br-a8a58f19c627 -o br-a8a58f19c627 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.25.0.3/32 ! -i br-a8a58f19c627 -o br-a8a58f19c627 -p tcp -m tcp --dport 9100 -j ACCEPT
-A DOCKER -d 172.25.0.4/32 ! -i br-a8a58f19c627 -o br-a8a58f19c627 -p tcp -m tcp --dport 9090 -j ACCEPT
-A DOCKER -d 172.25.0.5/32 ! -i br-a8a58f19c627 -o br-a8a58f19c627 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-a8a58f19c627 ! -o br-a8a58f19c627 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-a8a58f19c627 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
Host's open ports:
$ netstat -tuplen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:9090 0.0.0.0:* LISTEN 0 200315 -
tcp 0 0 127.0.0.1:55113 0.0.0.0:* LISTEN 1000 119886 -
tcp 0 0 0.0.0.0:9100 0.0.0.0:* LISTEN 0 200280 -
tcp 0 0 127.0.0.1:22221 0.0.0.0:* LISTEN 1001 197452 -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 0 14121 -
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 0 201081 -
tcp 0 0 127.0.0.1:56113 0.0.0.0:* LISTEN 1000 119890 -
tcp 0 0 127.0.0.1:38581 0.0.0.0:* LISTEN 0 20325 -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 18585 -
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 0 201164 -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 16235 -
tcp6 0 0 ::1:55113 :::* LISTEN 1000 119885 -
tcp6 0 0 :::111 :::* LISTEN 0 14124 -
tcp6 0 0 ::1:56113 :::* LISTEN 1000 119889 -
tcp6 0 0 :::22 :::* LISTEN 0 18594 -
udp 0 0 0.0.0.0:68 0.0.0.0:* 0 15762 -
udp 0 0 0.0.0.0:111 0.0.0.0:* 0 14119 -
udp 0 0 127.0.0.1:323 0.0.0.0:* 0 14990 -
udp 0 0 0.0.0.0:979 0.0.0.0:* 0 14120 -
udp6 0 0 fe80::ed:19ff:fe84::546 :::* 0 16539 -
udp6 0 0 :::111 :::* 0 14122 -
udp6 0 0 ::1:323 :::* 0 14991 -
udp6 0 0 :::979 :::* 0 14123 -
I'm new to the field.
Your logs show that your port is listening on localhost (127.0.0.1:56113) instead of all IPs (e.g. 0.0.0.0:8080).
In my case the port forward rule on the host machine has to be modified to -L0.0.0.0:<lport>:<ip>:<rport>.
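The bind address is the recurring cause in this thread and again in the port 7199 question further down, so here is an added shell example (not from any of the posts) that parses netstat listener lines and flags ports that only listen on loopback. The netstat text is a constructed sample modelled on the output above.

```shell
#!/bin/sh
# Added example, not from the original posts.
# Parses `netstat -tuplen` / `netstat -plunt` style output and reports which
# TCP ports only listen on a loopback address. A service bound to 127.0.0.1
# or ::1 answers on localhost but refuses connections from other hosts and
# from containers that reach the host through 172.17.0.1, which is the
# pattern behind ports 55113/56113 above.

# Constructed sample modelled on the question's netstat output.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:9090 0.0.0.0:* LISTEN 0 200315 -
tcp 0 0 127.0.0.1:55113 0.0.0.0:* LISTEN 1000 119886 -
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 0 201081 -
tcp 0 0 127.0.0.1:56113 0.0.0.0:* LISTEN 1000 119890 -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 18585 -
tcp6 0 0 ::1:55113 :::* LISTEN 1000 119885 -
tcp6 0 0 :::22 :::* LISTEN 0 18594 -
tcp6 0 0 ::1:56113 :::* LISTEN 1000 119889 -
udp 0 0 0.0.0.0:68 0.0.0.0:* 0 15762 -'

# tcp_listeners NETSTAT_TEXT
# Emits one "PORT ADDRESS" pair per TCP LISTEN socket. The port is the text
# after the last colon, so IPv6 forms such as ::1:55113 and :::22 work too.
tcp_listeners() {
    printf '%s\n' "$1" | awk '
        ($1 == "tcp" || $1 == "tcp6") && $6 == "LISTEN" {
            n = split($4, p, ":")
            print p[n], substr($4, 1, length($4) - length(p[n]) - 1)
        }'
}

# bind_scope NETSTAT_TEXT PORT
# Prints "remote-ok" if PORT has a LISTEN socket on a non-loopback address,
# "loopback-only" if every LISTEN socket for it is 127.x or ::1,
# "not-listening" if nothing listens on PORT at all.
bind_scope() {
    tcp_listeners "$1" | awk -v want="$2" '
        $1 == want {
            seen = 1
            if ($2 !~ /^127\./ && $2 != "::1") wide = 1
        }
        END {
            if (wide) print "remote-ok"
            else if (seen) print "loopback-only"
            else print "not-listening"
        }'
}

# loopback_only_ports NETSTAT_TEXT
# Prints, space-separated and ascending, every port that is loopback-only.
loopback_only_ports() {
    out=""
    for port in $(tcp_listeners "$1" | awk '{print $1}' | sort -nu); do
        if [ "$(bind_scope "$1" "$port")" = "loopback-only" ]; then
            out="$out${out:+ }$port"
        fi
    done
    printf '%s\n' "$out"
}

# Demo on the constructed sample; on a live host use:
#   loopback_only_ports "$(netstat -tuplen 2>/dev/null)"
echo "loopback-only ports: $(loopback_only_ports "$SAMPLE_NETSTAT")"
echo "port 55113: $(bind_scope "$SAMPLE_NETSTAT" 55113)"
echo "port 9090:  $(bind_scope "$SAMPLE_NETSTAT" 9090)"
```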

Can't open port 25

I have a weird issue.
I am running a mail server behind a proxy. On the proxy all mail related ports are forwarded to the mail server:
peter@proxy:~$ sudo iptables -S
[sudo] password for peter:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -i ens192 -o ens160 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ens160 -o ens192 -j ACCEPT
-A FORWARD -d 10.10.0.15/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 10.10.0.5/32 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -d 10.10.0.5/32 -p tcp -m tcp --dport 143 -j ACCEPT
-A FORWARD -d 10.10.0.5/32 -p tcp -m tcp --dport 587 -j ACCEPT
-A FORWARD -d 10.10.0.5/32 -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -d 10.10.0.5/32 -p tcp -m tcp --dport 993 -j ACCEPT
-A FORWARD -d 10.10.0.5/32 -p tcp -m tcp --dport 995 -j ACCEPT
-A FORWARD -d 10.10.0.5/32 -p tcp -m tcp --dport 25 -j ACCEPT
As you can see, all the mail-related ports are forwarded to the mail server (10.10.0.5). I can telnet from outside into all the ports, except 25. From the proxy I can also telnet into the mail server on port 25. So the port is blocked on the proxy side.
Nothing else is listening on port 25:
peter@proxy:~$ sudo netstat -plutn
[sudo] password for peter:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1457/sshd
tcp6 0 0 :::443 :::* LISTEN 1512/apache2
tcp6 0 0 :::587 :::* LISTEN 1508/xinetd
tcp6 0 0 :::80 :::* LISTEN 1512/apache2
tcp6 0 0 :::465 :::* LISTEN 1508/xinetd
tcp6 0 0 :::22 :::* LISTEN 1457/sshd
This is what I get when I try telnetting from the outside:
peter@ubuntu-desktop:~$ telnet mx0.xyz.com 25
Trying 5.199.xxx.yyy...
telnet: Unable to connect to remote host: Connection refused
peter@ubuntu-desktop:~$ telnet mx0.xyz.com 110
Trying 5.199.xxx.yyy...
Connected to mx0.xyz.com.
Escape character is '^]'.
+OK POP3 ready
quit
+OK
Connection closed by foreign host.
Same for the other ports.
I can send emails but I cannot receive any; the Gmail server reports a Connection refused error.
[mx0.xyz.com. 5.199.xxx.yyy: FAILED_PRECONDITION: connect error (111): Connection refused]
How can I figure out what's blocking port 25 and how can I open it?

How do I configure Docker to work with my ens34 network interface (instead of eth0)?

Does anyone know how Docker decides which NIC will work with the docker0 network? I have a node with two interfaces (eth0 and ens34); however, only the requests that go through eth0 are forwarded to the container.
When my VM was provisioned and Docker was installed, I started a very silly test: I created a centos vm, installed netcat on it and committed the image. Then I started a daemon container listening on port 8080. I used:
docker run -it -p 8080:8080 --name nc-server nc-server nc -vv -l 8080
So I tried to connect to the container listening on port 8080 from another node in the same network (in the same IP address as the interface ens34). It did not work.
Whereas when I sent a request from another machine to the IP address from eth0, I saw some reaction in the container (the communication worked). I was "tailing" its output with:
docker logs -ft nc-server
My conclusion from this experiment: there's some mysterious relationship between eth0 (primary NIC) and docker0, and the requests that are sent to the ens34 (10.*) interface are never forwarded to the veth / docker0 interfaces, only the requests that go through eth0 (9.*). Why's that?
Also, I know I can make everything work if I use --net=host, but I don't want to use that... it doesn't feel right somehow. Is it standard practice to use the HOST mode in Docker containers? Any caveats on that?
--
UPDATE:
I managed to make it work after disabling iptables:
service iptables stop
However, I still don't get what is going on. The info below should be relevant to understanding what is going on:
ifconfig
[root@mydockervm2 myuser]# ifconfig | grep -A 1 flags
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 0.0.0.0
--
ens34: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.21.18 netmask 255.255.255.0 broadcast 10.1.21.255
--
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 9.32.145.99 netmask 255.255.255.0 broadcast 9.32.148.255
--
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
--
veth8dbab2f: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::3815:67ff:fe9b:88e9 prefixlen 64 scopeid 0x20<link>
--
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
netstat
[root@mydockervm2 myuser]# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 9.32.145.1 0.0.0.0 UG 0 0 0 eth0
9.32.145.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.1.21.0 0.0.0.0 255.255.255.0 U 0 0 0 ens34
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 ens34
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
filters
[root@mydockervm2 myuser]# iptables -t filter -vS
-P INPUT ACCEPT -c 169 106311
-P FORWARD ACCEPT -c 0 0
-P OUTPUT ACCEPT -c 110 13426
-N DOCKER
-N DOCKER-ISOLATION
-A FORWARD -c 0 0 -j DOCKER-ISOLATION
-A FORWARD -o docker0 -c 0 0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -c 0 0 -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -c 0 0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -c 0 0 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged -c 0 0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -c 0 0 -j ACCEPT
-A DOCKER-ISOLATION -c 0 0 -j RETURN
nat
[root@mydockervm2 myuser]# iptables -t nat -vS
-P PREROUTING ACCEPT -c 28 4818
-P INPUT ACCEPT -c 28 4818
-P OUTPUT ACCEPT -c 8 572
-P POSTROUTING ACCEPT -c 8 572
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -c 2 98 -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -c 0 0 -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -c 0 0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 8080 -c 0 0 -j MASQUERADE
-A DOCKER -i docker0 -c 0 0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -c 0 0 -j DNAT --to-destination 172.17.0.2:8080
Thoughts?
First, rule out the obvious and make sure that hosts on the other networks know how to route to your machine to reach the container network. For that, check
netstat -nr
on the source host and make sure that your docker subnet is listed with your docker host as the gateway, or that the default router handling the traffic upstream knows about your host.
If traffic is getting routed but blocked, then you're getting into forwarding and iptables. For forwarding, the following should show a 1:
cat /proc/sys/net/ipv4/ip_forward
Make sure your local host shows a route for the bridges to your container networks with the same netstat command, there should be a line for the docker0 interface and your docker subnet as the destination:
netstat -nr
For iptables, check to see if there are any interface specific nat or filter rules that need to be adjusted:
iptables -t filter -vS
iptables -t nat -vS
If your forward rule defaults to DROP instead of ACCEPT, you may want to add some logging, or just change the default to accept traffic if you believe it can be trusted (e.g. the host is behind another firewall).
This all being said, advertising ports directly on the host is a fairly common practice with containers. For the private stuff, you can set up multiple containers isolated on their internal network that can talk to each other, but no other containers, and you only expose the ports that are truly open to the rest of the world on the host with the -p flag to the run (or ports option in docker-compose).

telnet refused on specific port on AWS instances

I'm trying to telnet from one Linux env (10.205.116.141) to 10.205.117.246 on port 7199 but keep getting a connection refused. I did a chkconfig iptables off on both servers and even made sure iptables is stopped as well.
What else should I be looking at?
[root@ip-10-205-116-141 bin]# telnet 10.205.117.246 7199
Trying 10.205.117.246...
telnet: connect to address 10.205.117.246: Connection refused
traceroute seems to be working as well...
[root@ip-10-205-116-141 bin]# traceroute 10.205.117.246 -p 7199
traceroute to 10.205.117.246 (10.205.117.246), 30 hops max, 60 byte packets
1 ip-10-205-117-246.xyz.cxcvs.com (10.205.117.246) 0.416 ms 0.440 ms 0.444 ms
Also, I'm on an AWS VPC so we don't get public IPs provisioned for use...
Checked my security group and it looks like all ports are open as well.
EDIT:
Here is netstat as well; they look the same on both nodes:
[ec2-user@ip-10-205-116-141 ~]$ netstat -an | grep LISTEN
tcp 0 0 127.0.0.1:46626 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9160 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:36523 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9042 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2738 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 10.205.116.141:7000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4445 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:7199 0.0.0.0:* LISTEN
shouldn't 127.0.0.1:7199 really be 10.205.116.141:7199?
Sorry, can't post a screenshot of the security groups...

Nodejs site cannot be shown in browser

I have set up a Node.js site on RHEL6. Everything looks fine but I cannot view our site in browsers (all fail in Chrome, Safari and IE9). I can use curl and get the correct HTML response. Here are the test results with different tools.
Has anyone met the same situation before?
~]$ nmap -v -A 123.150.207.18 -p80
Starting Nmap 5.21 ( http://nmap.org ) at 2013-06-13 07:51 CST
NSE: Loaded 36 scripts for scanning.
Initiating Ping Scan at 07:51
Scanning 123.150.207.18 [2 ports]
Completed Ping Scan at 07:51, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:51
Completed Parallel DNS resolution of 1 host. at 07:51, 4.00s elapsed
Initiating Connect Scan at 07:51
Scanning 123.150.207.18 [1 port]
Discovered open port 80/tcp on 123.150.207.18
Completed Connect Scan at 07:51, 0.00s elapsed (1 total ports)
Initiating Service scan at 07:51
Scanning 1 service on 123.150.207.18
Completed Service scan at 07:51, 11.13s elapsed (1 service on 1 host)
NSE: Script scanning 123.150.207.18.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 07:51
Completed NSE at 07:51, 0.03s elapsed
NSE: Script Scanning completed.
Nmap scan report for 123.150.207.18
Host is up (0.00057s latency).
PORT STATE SERVICE VERSION
80/tcp open http?
|_http-favicon: Unknown favicon MD5: 1D0E785BFCEDDE5326C2460E9F9B261D
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.36 seconds
~]$ sudo netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2183/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2073/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2259/master
tcp 0 0 0.0.0.0:56378 0.0.0.0:* LISTEN 1924/rpc.statd
tcp 0 0 0.0.0.0:27017 0.0.0.0:* LISTEN 20904/mongod
tcp 0 0 0.0.0.0:6379 0.0.0.0:* LISTEN 11590/redis-server
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1903/rpcbind
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 21220/node
tcp 0 0 0.0.0.0:28017 0.0.0.0:* LISTEN 20904/mongod
tcp 0 0 :::22 :::* LISTEN 2183/sshd
tcp 0 0 ::1:631 :::* LISTEN 2073/cupsd
tcp 0 0 ::1:25 :::* LISTEN 2259/master
tcp 0 0 :::40334 :::* LISTEN 1924/rpc.statd
tcp 0 0 :::111 :::* LISTEN 1903/rpcbind
udp 0 0 0.0.0.0:55512 0.0.0.0:* 1924/rpc.statd
udp 0 0 0.0.0.0:111 0.0.0.0:* 1903/rpcbind
udp 0 0 0.0.0.0:631 0.0.0.0:* 2073/cupsd
udp 0 0 0.0.0.0:806 0.0.0.0:* 1903/rpcbind
udp 0 0 0.0.0.0:828 0.0.0.0:* 1924/rpc.statd
udp 0 0 :::49640 :::* 1924/rpc.statd
udp 0 0 :::111 :::* 1903/rpcbind
udp 0 0 :::806 :::* 1903/rpcbind
~]$ sudo /sbin/service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 80,8080
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
~]$ curl 123.150.207.18:80
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
......
It was resolved after I corrected the iptables settings. No issue in other configurations.
