Opening a port with iptables doesn't work - linux

I want to open a port on Debian with iptables -A INPUT -p tcp --dport 80 -j ACCEPT, but it's not working. When I scan the localhost:
root@debian:~# nmap -p 80 localhost
Starting Nmap 6.00 ( http://nmap.org ) at 2014-08-27 12:38 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00033s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE
80/tcp closed http
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
I can't connect with netcat:
root@debian:~# nc -vv localhost 80
localhost [127.0.0.1] 80 (?) : Connection refused
sent 0, rcvd 0
But it's in iptables:
root@debian:~# iptables -L
...
ACCEPT tcp -- anywhere anywhere tcp dpt:80
...
I've also opened the port to the internet with NAT on my router.
I'm using Debian 3.2.0-4 on i386.

You need something listening on this port to accept connections, a web server for example.
Run this to see if you have a running server that listens on port 80:
netstat -ntlup | grep 80

Related

Understanding the netstat output

tcp 0 0 :::111 :::* LISTEN
Above is the output of netstat -nl | grep 111. What is the meaning of the :::111 segment?
technet.microsoft.com says that:
Displays active TCP connections, ports on which the computer is
listening, Ethernet statistics, the IP routing table, IPv4 statistics
(for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for
the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used
without parameters, netstat displays active TCP connections.
So you can find which addresses and ports are used and listening. For example, you want to run a Tomcat server on port 8080, but it is already used. So you can run:
netstat -ano | find "8080"
output will be something like:
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 1185
TCP [::]:8080 [::]:0 LISTENING 1185
It says that process number 1185 is using this port. If it is necessary to use this port, you can shut down the app that uses it and run your server on it with this command:
taskkill /F /PID 1185
@echo off
:myline
REM list listening ports with PID and owning executable (-b needs Administrator)
netstat -nob
echo.
echo.
REM ping localhost as a delay of a few seconds before the next refresh
ping 127.0.0.1 > %temp%\pingio.txt
goto myline
Put this in a batch file and run it as Administrator to monitor network processes.

check whether port 80 is denied?

I'm studying iptables on Linux, and I'm trying to reject all traffic coming to port 80.
I execute iptables -A INPUT --dport 80 -j REJECT on Kali Linux.
But how can I test the result, that "all traffic to port 80 is rejected"?
And what if I allow traffic to port 80 and reject traffic going out through port 80?
I have Nginx on my PC.
There are many ways to check if port 80 is open.
The easiest way is to type telnet myserver.com 80 from a remote computer. It tries to open port 80 on the server. It times out if it is unable to open it.
Use netstat to show the processes listening on TCP or UDP ports. Scan and grep for port 80.
Something like this:
netstat -an | grep PORTNUMBER | grep -i listen
If you have an output, that means port 80 is open and listening.
External way
nmap example.com -p 80
Internal way
iptables -L -v -n --line-numbers

iptables, apache, Linux Mint (Ubuntu), forward from port 80 to 1080, no listening sockets available, shutting down

I have rewritten the question, using the answer from Pedro.
I am getting the error "no listening sockets available, shutting down" when I try to execute a simple script:
$ apache2ctl -f `pwd`/conf/httpd.conf -d `pwd`
on Linux Mint based on Ubuntu.
I am in the directory /usr/www/apache3/site.toddle.
The contents of /usr/www/apache3/site.toddle/conf/httpd.conf is
User www-data
Group www-data
# added to get rid of apache2: Configuration error: No MPM loaded
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
#copied from 000-default.conf from /etc/apache2/sites-available
<VirtualHost *:1081>
ServerName my586
ServerAdmin webmaster@localhost
DocumentRoot /usr/www/apache3/site.toddle/htdocs/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
I have followed the Pedro answer and links.
1) using sudo gedit /etc/apache2/ports.conf, I added the following line to /etc/apache2/ports.conf and saved the file:
#original: Listen 80
Listen 1081
2) restarted apache using $ sudo /etc/init.d/apache2 restart
3) configured iptables using Pedro example for port 1081:
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 1081
sudo iptables-save
sudo iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 1081
sudo iptables-save
But running the command: apache2ctl -f `pwd`/conf/httpd.conf -d `pwd`
gives the error "no listening sockets available, shutting down
AH00015: Unable to open logs
Action '-f /usr/www/apache3/site.toddle/conf/httpd.conf -d /usr/www/apache3/site.toddle' failed."
Checking with netstat, gives that apache listens to the port 1081:
$ sudo netstat -ltnp | grep ':1081'
tcp6 0 0 :::1081 :::* LISTEN 3160/apache2
The rules that have always worked for me for redirecting incoming traffic on port 80 to an apache server on port 1080 are:
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 1080
sudo iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 1080
You could test these rules by listening with netcat on port 1080 on your server, and trying to connect to your server on port 80 using netcat from a different machine.
Then make sure that your apache server has its config set to your port 1080.
See this post for setting Apache to run on different port:
Configure apache to listen on port other than 80

Is it necessary to open all used ports when using one Node.JS application to route from port 80 to apps on different ones?

I'm working with an Ubuntu 12.04 LTS, 64 Bit server, where I have used the following commands to send all http requests on port 80 to port 8080
Commands:
cat /proc/sys/net/ipv4/ip_forward #returns 1
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
From there I wanted to proxy the requests based on (sub)domain to some other ports (i.e. 9000, 3000, 9615) using http-master. I'm having some problems getting this done and had it right once on a VPS on Amazon AWS where those ports were opened.
So what I'm asking is if it's necessary to open every port and how I can do that on the command line?
After some further research and experimentation I concluded that it's only necessary to open the port that we use as entry points. If we then route it with a proxy or even with NAT configuration to another PORT, the latter will be used only to "listen".

nmap says port is closed while netstat says it's listening

This is Ubuntu 12.04 env. I have a TCP service running on port 8020 on the box:
My question is:
Why is port 8020 not discovered by nmap as an open port while netstat says it's listening?
If I run
netstat -tuplen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:9001 0.0.0.0:* LISTEN 0 10564 1917/python
tcp 0 0 127.0.0.1:8020 0.0.0.0:* LISTEN 117 29259 4448/java
But if I run
nmap -v -sT 127.0.0.1
Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-10 08:51 PDT
Initiating Connect Scan at 08:51
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 53/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 9000/tcp on 127.0.0.1
Discovered open port 631/tcp on 127.0.0.1
Discovered open port 9001/tcp on 127.0.0.1
Completed Connect Scan at 08:51, 0.04s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00046s latency).
rDNS record for 127.0.0.1: hadoop-namenode-01
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
631/tcp open ipp
9000/tcp open cslistener
9001/tcp open tor-orport
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
Raw packets sent: 0 (0B) | Rcvd: 0 (0B)
By default nmap doesn't scan all ports. try this one.
nmap -sT -sU -p- 127.0.0.1
@Satish, you don't need to add -sU which will scan the UDP ports too, and take a while.
nmap -v -p 8020 127.0.0.1
This should be enough and instant.
By default nmap scans only the well-known ports.
You specify a port by using the -p parameter.
To scan all ports : nmap -v -p "*" 127.0.0.1
To scan only port 8020 : nmap -v -p 8020 127.0.0.1
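Reading the netstat tables quoted in this question and in the Apache question above by hand is error-prone, so here is an added example (not code from any of the posts) that parses the Linux netstat -tuplen / netstat -ltnp "Local Address" and "PID/Program name" columns and reports who listens on a port and whether the bind is loopback-only. The sample lines are constructed from the outputs quoted in the thread (the Apache line is assumed to come from netstat -ltnp, which has no User/Inode columns).

```python
from ipaddress import ip_address

# Added example, not from the original posts. Sample rows constructed from the
# netstat output quoted in the thread (a -tuplen table and a -ltnp line).
SAMPLE_TUPLEN = """\
Proto Recv-Q Send-Q Local Address   Foreign Address State  User Inode PID/Program name
tcp        0      0 127.0.0.1:9001  0.0.0.0:*       LISTEN 0    10564 1917/python
tcp        0      0 127.0.0.1:8020  0.0.0.0:*       LISTEN 117  29259 4448/java
"""
SAMPLE_LTNP = """\
tcp6       0      0 :::1081         :::*            LISTEN 3160/apache2
"""


def split_addr(local):
    """Split 'host:port'; the host may be IPv4 or an IPv6 form such as '::'."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def parse_listeners(text):
    """Return one dict per TCP LISTEN row, whatever the column set in between."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Only TCP rows carry a LISTEN state; UDP rows have no State column.
        if len(fields) < 7 or fields[0] not in ("tcp", "tcp6") or "LISTEN" not in fields:
            continue
        host, port = split_addr(fields[3])          # Local Address column
        pid, _, prog = fields[-1].partition("/")    # PID/Program name column
        addr = ip_address(host)
        rows.append({
            "proto": fields[0],
            "port": port,
            "address": host,
            "pid": int(pid) if pid.isdigit() else None,  # '-' when not run as root
            "program": prog or None,
            # A loopback-only bind is unreachable from other hosts no matter
            # what iptables allows; a wildcard bind (0.0.0.0 / ::) is on every interface.
            "local_only": addr.is_loopback,
            "wildcard": addr.is_unspecified,
        })
    return rows


def who_listens(text, port):
    """Listeners on the given port, e.g. the 8020 row the question asks about."""
    return [r for r in parse_listeners(text) if r["port"] == port]
```

Feed it the real output with parse_listeners(subprocess.check_output(["netstat", "-tuplen"], text=True)) on a machine where netstat is installed.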
