host not reachable through http, suspected iptables issue
I am trying to reconfigure httpd on my virtual private server but I cannot seem to access it. curl on the server itself works, but trying to hit the server using Chrome on another PC gives a "this site took too long to respond" error message.
My VPS has CentOS 7 but oddly it has iptables and not firewalld installed.
This is the contents of my /etc/sysconfig/iptables file; do I need to change something to allow HTTP on port 80 and HTTPS on 443?
# Generated by iptables-save v1.4.21 on Wed Mar 27 19:30:55 2019
*raw
:PREROUTING ACCEPT [654:52805]
:OUTPUT ACCEPT [577:72088]
COMMIT
# Completed on Wed Mar 27 19:30:55 2019
# Generated by iptables-save v1.4.21 on Wed Mar 27 19:30:55 2019
*mangle
:PREROUTING ACCEPT [654:52805]
:INPUT ACCEPT [654:52805]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [577:72088]
:POSTROUTING ACCEPT [577:72088]
COMMIT
# Completed on Wed Mar 27 19:30:55 2019
# Generated by iptables-save v1.4.21 on Wed Mar 27 19:30:55 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [44:9111]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Mar 27 19:30:55 2019
# Generated by iptables-save v1.4.21 on Wed Mar 27 19:30:55 2019
*nat
:PREROUTING ACCEPT [392:22692]
:POSTROUTING ACCEPT [14:1008]
:OUTPUT ACCEPT [14:1008]
COMMIT
# Completed on Wed Mar 27 19:30:55 2019
iptables https http httpd
asked yesterday by Kynrek, edited yesterday by Michael Hampton♦
I would dump it and switch to firewalld.
yum swap iptables-services firewalld
Then yell at whoever configured that VPS.
– Michael Hampton♦
yesterday
1 Answer
Looks like your "allow" rule is after the "reject" rule. This part:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
You need to move that allow rule one line up.
To troubleshoot, you can do the following:
sudo watch -n1 -d iptables -t filter -L INPUT -nvx --line-numbers
You'll see something like this:
Every 1.0s: iptables -t filter -L INPUT -nvx localhost: Mon Apr 1 14:08:04 2019
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 12 956 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 3 281 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 1 90 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 ctstate NEW,ESTABLISHED
Now watch the number of packets going through each rule, and see which one grows when you run your test. This may be your hint.
To fix this, you can do an online rule change. E.g., add that last rule as rule number 4, and then remove the last rule.
With the above output, you want to insert the "allow rule" as rule number 4.
$ sudo iptables -I INPUT 4 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Now check the rules again
$ sudo iptables -L INPUT -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 ctstate NEW,ESTABLISHED
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 ctstate NEW,ESTABLISHED
And now delete the last rule, which is obsolete.
$ sudo iptables -D INPUT 6
Double check your output again.
$ sudo iptables -t filter -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 ctstate NEW,ESTABLISHED
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
In all fairness, I don't see rules defaulting to "REJECT" often. A more common one is "DROP", and you can set that as a default policy. E.g.,
$ sudo iptables -t filter -P INPUT DROP
Then you can remove the "reject" rule altogether
$ sudo iptables -t filter -D INPUT -j REJECT --reject-with icmp-host-prohibited
$ sudo iptables -L INPUT -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 ctstate NEW,ESTABLISHED
Not sure what your OS is, but you can probably sudo service iptables save to save your runtime changes to /etc/sysconfig/iptables.
answered yesterday by chutz, edited yesterday
Awesome work, thank you for the thorough explanation. I really appreciate that you took the time to explain why you ran each command and what it did. I will forever have a better understanding of iptables thanks to you!
– Kynrek
yesterday
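To make the answer's point about rule order concrete, here is an added example (not code from the question, the answer, or the iptables project): a small Python first-match simulator that parses the INPUT rules from the question's iptables-save dump and reports which rule a packet hits before and after the catch-all REJECT line is moved to the end of the chain. The interface name eth0 and the three sample packets are constructed for the example; only the match options that appear in the question's ruleset are modelled.

```python
"""
First-match simulator for an iptables INPUT chain (added example, not from the
page). It parses `-A INPUT ...` lines from an iptables-save filter table and
reports which rule a packet hits, so a rule-ordering mistake like the one in
the question can be reproduced without touching a live firewall.

Only -p, -i, --dport/--dports and the state/conntrack state sets are modelled;
anything else is ignored. Teaching aid, not a replacement for iptables.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed input: the INPUT rules from the question's /etc/sysconfig/iptables.
RULES_FROM_QUESTION = """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
"""

# Constructed packets (eth0 is a hypothetical interface name): a fresh HTTP
# connection from another machine, the same request made by curl on the server
# itself (arrives on lo), and a new SSH connection.
HTTP_FROM_REMOTE = {"proto": "tcp", "iface": "eth0", "dport": 80, "state": "NEW"}
HTTP_FROM_LOCALHOST = {"proto": "tcp", "iface": "lo", "dport": 80, "state": "NEW"}
SSH_FROM_REMOTE = {"proto": "tcp", "iface": "eth0", "dport": 22, "state": "NEW"}


@dataclass
class Rule:
    text: str                       # original iptables-save line
    target: str                     # -j target: ACCEPT, REJECT, DROP, ...
    proto: Optional[str] = None     # -p
    in_iface: Optional[str] = None  # -i
    dports: Set[int] = field(default_factory=set)  # --dport / --dports
    states: Set[str] = field(default_factory=set)  # --state / --ctstate

    def is_catchall(self) -> bool:
        """True when the rule has no match conditions, so it hits every packet."""
        return not (self.proto or self.in_iface or self.dports or self.states)

    def matches(self, pkt: Dict) -> bool:
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.in_iface and pkt.get("iface") != self.in_iface:
            return False
        if self.dports and pkt.get("dport") not in self.dports:
            return False
        if self.states and pkt.get("state") not in self.states:
            return False
        return True


def parse_rules(text: str, chain: str = "INPUT") -> List[Rule]:
    """Parse the `-A <chain> ...` lines of an iptables-save dump, in file order."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A" or tok[1] != chain:
            continue
        rule = Rule(text=line, target="")
        i = 2
        while i < len(tok):
            opt = tok[i]
            if opt == "-j":
                rule.target = tok[i + 1]
            elif opt == "-p":
                rule.proto = tok[i + 1]
            elif opt == "-i":
                rule.in_iface = tok[i + 1]
            elif opt in ("--dport", "--dports"):
                rule.dports = {int(p) for p in tok[i + 1].split(",")}
            elif opt in ("--state", "--ctstate"):
                rule.states = set(tok[i + 1].split(","))
            elif opt in ("-m", "--reject-with"):
                pass  # module name / reject type: one argument we do not model
            else:
                i += 1  # unknown flag without an argument; skip it alone
                continue
            i += 2
        rules.append(rule)
    return rules


def evaluate(rules: List[Rule], pkt: Dict, policy: str = "ACCEPT") -> Tuple[int, str]:
    """First match wins. Returns (1-based rule number, verdict); 0 means the chain policy applied."""
    for num, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return num, rule.target
    return 0, policy


def reorder_catchall_last(rules: List[Rule]) -> List[Rule]:
    """Move unconditional terminating rules (the REJECT-everything line) behind every specific rule."""
    return [r for r in rules if not r.is_catchall()] + [r for r in rules if r.is_catchall()]


def fixed_rule_lines(text: str) -> List[str]:
    """The INPUT rules in the order they should appear in /etc/sysconfig/iptables."""
    return [r.text for r in reorder_catchall_last(parse_rules(text))]


if __name__ == "__main__":
    before = parse_rules(RULES_FROM_QUESTION)
    after = reorder_catchall_last(before)
    for label, pkt in [("remote HTTP", HTTP_FROM_REMOTE), ("local curl", HTTP_FROM_LOCALHOST),
                       ("remote SSH", SSH_FROM_REMOTE)]:
        print(f"{label:12s} before: {evaluate(before, pkt)}   after: {evaluate(after, pkt)}")
```

Running it shows a new remote HTTP connection stopping at rule 5 (REJECT) in the original order, while the same request made by curl on the server arrives on lo and is accepted by rule 3, which is exactly the symptom in the question. After reordering, the remote request reaches the multiport ACCEPT and the REJECT line is last. The `policy` argument of `evaluate` models the `-P INPUT DROP` alternative at the end of the answer: with the catch-all rule deleted and nothing matching, the verdict comes from the chain policy.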