Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
I'm new to Ubuntu and using Ubuntu Server 12.04.
When I run nmap localhost I get the following output:
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
This means that port 443 (https) is closed. I want to open it.
So I did the following:
I ran the command
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
And to persist the changes I saved the file using sudo sh -c "iptables-save > /etc/iptables.rules"
and then I added the following lines to /etc/network/interfaces:
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save > /etc/iptables.rules
After rebooting my system I ran sudo iptables -L and the line
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:https
was visible.
However, now when I run nmap localhost I still don't see 443 as open.
Please help!
I bet you have nothing listening to port 443 on your host. Try this: in one terminal run sudo nc -lk 443 and then run your nmap localhost. This may not have anything to do with an iptables firewall rule.
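The distinction this answer draws (an ACCEPT rule only permits traffic, it does not create a listener) can be checked from the two listings involved. The script below is an added example, not part of the original post; it assumes text in the formats printed by `ss -ltn` and `iptables -S INPUT`, and both samples are constructed to match the question.

```sh
#!/bin/sh
# Constructed sample in `ss -ltn` format, matching the nmap output above.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*'

# Constructed sample in `iptables -S INPUT` format: the asker's ruleset.
RULES_SAMPLE='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# has_listener PORT SS_TEXT: succeeds if a LISTEN socket is bound to PORT.
has_listener() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit !found }'
}

# input_verdict PORT RULES_TEXT: target of the first INPUT rule that names
# --dport PORT or is a bare catch-all (-A INPUT -j X), else the chain policy.
# Simplification: source, interface and state matches are not evaluated.
input_verdict() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" && verdict == "" {
            dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (dport == p || NF == 4) verdict = target
        }
        END { print (verdict != "" ? verdict : policy) }'
}

# diagnose PORT SS_TEXT RULES_TEXT: why a scan does or does not show PORT open.
diagnose() {
    verdict=$(input_verdict "$1" "$3")
    if [ "$verdict" != "ACCEPT" ]; then echo "firewall: $verdict"
    elif has_listener "$1" "$2"; then echo "open"
    else echo "closed: no listener"
    fi
}

diagnose 443 "$SS_SAMPLE" "$RULES_SAMPLE"
```

On a live host, pass `"$(ss -ltn)"` and `"$(sudo iptables -S INPUT)"` instead of the samples.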
Closed 2 years ago.
I inherited a complex iptables script acting as our gateway/router. It handles everything well, including NAT and hairpin NAT. It also does port forwarding. However, the port forwarding can't be specified by source IP. So if port 25 is forwarded, every IP can connect to that port.
The FORWARD chain policy is ACCEPT. I tried to change it to DROP and built some rules. It seems that it is too much to specify rules for every allowed scenario.
What I am looking for is to specify things like this:
iptables -A FORWARD -p tcp -i $WAN_IFACE --dport 25 -s (!(1.1.1.1 and 1.1.1.2)) -j DROP
But iptables does not support and and or.
Is there any way to implement this?
You can create a new chain for all packets going to Port 25 and then do more specific filtering there:
iptables -N port25
iptables -A FORWARD -p tcp -i $WAN_IFACE --dport 25 -j port25
iptables -A port25 -s 1.1.1.1 -j ACCEPT
iptables -A port25 -s 1.1.1.2 -j ACCEPT
iptables -A port25 -j DROP
The creation of user-defined chains is the way to implement and and or rules.
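The chain above read as logic: one ACCEPT rule per source is the "or", and the closing DROP is the "not any of these". The script below is an added example, not part of the original answer; it generates the same chain from a list and walks it with first-match semantics. The default `eth0`, the source `203.0.113.7` and the exact-address matching (no CIDR) are assumptions of the example.

```sh
#!/bin/sh
WAN_IFACE=${WAN_IFACE:-eth0}      # assumption: WAN interface name

# allowlist_rules CHAIN PORT SRC...: print the iptables commands, one per line.
allowlist_rules() {
    chain=$1 port=$2; shift 2
    echo "iptables -N $chain"
    echo "iptables -A FORWARD -p tcp -i $WAN_IFACE --dport $port -j $chain"
    for src in "$@"; do
        echo "iptables -A $chain -s $src -j ACCEPT"   # OR: one rule per source
    done
    echo "iptables -A $chain -j DROP"                 # NOT any of the above
}

# chain_verdict CHAIN SRC RULES: target of the first rule in CHAIN that
# matches SRC. Falling off the end of a user-defined chain returns to the
# calling chain, printed here as RETURN.
chain_verdict() {
    printf '%s\n' "$3" | awk -v c="$1" -v s="$2" '
        $2 == "-A" && $3 == c && !hit {
            if ($4 == "-s" && $5 == s) { print $7; hit = 1 }
            else if ($4 == "-j")        { print $5; hit = 1 }
        }
        END { if (!hit) print "RETURN" }'
}

RULES=$(allowlist_rules port25 25 1.1.1.1 1.1.1.2)
printf '%s\n' "$RULES"
chain_verdict port25 1.1.1.1 "$RULES"        # allowed source
chain_verdict port25 203.0.113.7 "$RULES"    # constructed unlisted source
```

If the final DROP is left out, an unlisted source returns to FORWARD and is decided by whatever follows there, which with the question's policy of ACCEPT means it is forwarded.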
Closed 4 years ago.
I am running Play Framework on Linux and at the moment the URL is
http://www.example.net:9999
How do I change it to
http://www.example.net
I also want to run a ssh port
http://www.example.net:9443
Is this a Linux configuration or is it on the web server?
If it's Linux, any relevant links would be helpful.
UPDATE
Following biesior's answer below, I realised that by default if you set the port to 443 for ssh then you automatically get the URL
https://www.example.net
which is equivalent to
https://www.example.net:443
This, however, still didn't work on my EC2 instance. Following some investigation and trial and error, I found that if I started my web server as root then this port was available and worked. So now I just need to figure out the permissions.
So the answer is
You need to be root (superuser) to bind to ports under 1024. That's why 9443 works, but 443 doesn't.
So my question still stands: how do I run with port 9443 but have the URL below, and is it OK to run the web server as root? It doesn't seem right.
https://www.example.net
EDIT 2:
So the answer is that you need to remap the ports in iptables:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 9000
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 9443
Although your question is very wide... I just guess you have two possible solutions:
Start your application using port 80, if it's available.
If you have some common web server working on port 80 (and want to keep it), you need to configure it to work as a front-end HTTP server, as described in the docs.
In order to use port 9443 instead of the default SSL port 443, for which you need to be root or a superuser, you will need to remap the ports in iptables.
For Play Framework the default port is 9000 and not 80 or 8080, so you need to remap that:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 9000
For the SSL port you need to map from 443 to 9443, so:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 9443
Closed 8 years ago.
I want to redirect all outgoing traffic with port 8080 to local port 8080.
For example, I create a server with the command nc -l -p 8080, and when I use the command nc 1.2.3.4 8080 I want nc to be redirected and connect to 127.0.0.1:8080.
I tried this command:
iptables -t nat -A POSTROUTING -p tcp --dport 80 -o eth0 -j SNAT --to-source IP
but it did not work!
How do I do it?
Locally originated traffic isn't passing through the nat/POSTROUTING chain. You should add a rule like this:
iptables -t nat -A OUTPUT -p tcp --dport 8080 -j DNAT --to-destination 127.0.0.1:8080
Additional info:
http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
http://www.linuxtopia.org/Linux_Firewall_iptables/index.html Chapter 4.
Closed 7 years ago.
I have a Linux server that gets a time offset for some strange reason.
I set up a cron job to run and update the time using the following command:
/usr/sbin/ntpdate pool.ntp.org
The problem is the command would not run because I have a firewall (iptables).
I have always used IPs to allow traffic in my network:
iptables -A INPUT -p tcp -m tcp -i eth0 -s 11.11.11.11 --dport 5060 -j ACCEPT
I would like to know how to do it using a domain name, which in this case would be pool.ntp.org.
Or maybe someone could tell me a better way to keep the clocks in sync.
Please advise.
Typically, iptables is set up to restrict incoming TCP and UDP connections initiated by remote hosts to the server except as needed. But all outgoing TCP and UDP connections initiated by the server to remote hosts are allowed, and state is kept so that replies are allowed back in, like so:
# Allow TCP/UDP connections out. Keep state so conns out are allowed back in.
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
If your iptables is set up like so, it will allow ntpdate to make an outgoing connection to pool.ntp.org, and it will allow the reply back in. And you can still block down incoming connections to the server initiated by other hosts.
Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
I have Kippo running on my VPS, and I can't get it to run under port 1024 due to restrictions in Linux not allowing normal accounts to use ports under 1024. If I try, it gives an error with some Python gibberish about not being able to listen on a port under 1024.
I'd rather not run Kippo as root, just in case somehow they get out of the Kippo environment.
So what I'm looking at doing is using iptables to "mirror" all traffic going to port 2222 on 22 so that a "bot" can see SSH running on port 22 and do its thing.
Is that feasible? If so, how?
Use a DNAT rule:
iptables -t nat -A PREROUTING -m tcp -p tcp --dport 22 -j REDIRECT --to-port 2222
You may want to lock down further with specific IP address filters.
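The REDIRECT rules in this answer and in the Play Framework answer above use `-A`, which appends another copy each time the script is re-run. The script below is an added example, not part of either answer: it appends only when `iptables -C` reports the rule missing, adds a nat OUTPUT rule on `lo` so that connections made from the host itself are redirected too, and opens the rewritten port in INPUT, because the filter table runs after nat PREROUTING and sees 2222 (or 9443), not the public port. The `IPT` override and the `apply` argument are assumptions of the example.

```sh
#!/bin/sh
IPT=${IPT:-iptables}    # assumption: override with a wrapper to dry-run or test

# ensure_rule TABLE CHAIN RULE...: append RULE only if -C says it is absent,
# so re-running the script does not stack duplicate rules.
ensure_rule() {
    table=$1 chain=$2; shift 2
    $IPT -t "$table" -C "$chain" "$@" 2>/dev/null ||
        $IPT -t "$table" -A "$chain" "$@"
}

# redirect_port PUBLIC LOCAL [IFACE]: let an unprivileged service bound to
# LOCAL answer on PUBLIC without running as root.
redirect_port() {
    pub=$1 loc=$2 ifc=${3:-eth0}
    # Packets arriving from the network are rewritten in nat PREROUTING.
    ensure_rule nat PREROUTING -i "$ifc" -p tcp --dport "$pub" \
        -j REDIRECT --to-ports "$loc"
    # Locally generated connections never traverse PREROUTING.
    ensure_rule nat OUTPUT -o lo -p tcp --dport "$pub" \
        -j REDIRECT --to-ports "$loc"
    # filter INPUT sees the already rewritten destination port.
    ensure_rule filter INPUT -p tcp --dport "$loc" -j ACCEPT
}

# Run as root: sh redirect.sh apply   (the file name is hypothetical)
if [ "${1:-}" = "apply" ]; then
    redirect_port 22 2222 eth0      # Kippo case from the question
    redirect_port 443 9443 eth0     # Play Framework case from the page
fi
```

The local port itself (2222, 9443) stays directly reachable from outside with these rules; restricting it is where the source filters mentioned in the answer would go.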