I need port 443 open to the internet on my server.

When I check internally via netstat -tulpn | grep "nginx", I see that nginx is indeed LISTENing on that port. However, trying nmap -p443 mysite.com from an external machine tells me port 443 is filtered. Likewise, doing telnet <IP Address> 443 times out. How do I ensure this port is open?

FYI in /etc/iptables/rules.v4 I have the following:

*filter
# Allow all outgoing, but drop incoming and forwarding packets by default
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Custom per-protocol chains
:UDP - [0:0]
:TCP - [0:0]
:ICMP - [0:0]

# Acceptable UDP traffic

# Acceptable TCP traffic
-A TCP -p tcp --dport 22 -j ACCEPT
-A TCP -p tcp --dport 80 -j ACCEPT
-A TCP -p tcp --dport 443 -j ACCEPT

# Acceptable ICMP traffic

# Boilerplate acceptance policy
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT

# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Pass traffic to protocol-specific chains
## Only allow new connections (established and related should already be handled)
## For TCP, additionally only allow new SYN packets since that is the only valid
## method for establishing a new TCP connection
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP

# Reject anything that's fallen through to this point
## Try to be protocol-specific w/ rejection message
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

# Commit the changes
COMMIT

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

What am I doing wrong?

Note that mine is a setup where the web application (Django) and the database (PostgreSQL) reside in two separate virtual machines. My webserver is already configured for HTTPS.

Hassan Baig

2 Answers

If that is your loaded firewall and you are connecting via IPv4 then there is another firewall between you and your server that is doing the filtering.

user9517
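
As an added example (not from the question or either answer), a small Python tracer that walks a new inbound TCP SYN through the *filter table of the question's rules.v4 the way netfilter would. It understands only the match options that file uses, and it shows that the loaded ruleset would ACCEPT a fresh SYN to 443 while REJECTing an unlisted port, which is why a "filtered" result from outside points at a filter somewhere other than this host.

```python
import shlex
# Constructed sample: the lines of the asker's rules.v4 that decide a new inbound
# TCP SYN's fate (UDP/ICMP chains and the lo/INVALID rules are left out).
RULES_V4 = """\
*filter
:INPUT DROP [0:0]
:TCP - [0:0]
-A TCP -p tcp --dport 443 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
COMMIT
"""
# Match options this tracer understands, each compared against a packet dict.
CHECKS = {
    "-p": lambda want, pkt: pkt["proto"] == want,
    "--dport": lambda want, pkt: str(pkt.get("dport")) == want,
    "--syn": lambda want, pkt: bool(pkt.get("syn")),
    "--ctstate": lambda want, pkt: pkt["ctstate"] in want.split(","),
}

def parse_filter(text):  # iptables-save text -> (policies, chains); user chains get policy None
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains[name], policies[name] = [], (None if policy == "-" else policy)
        elif line.startswith("-A "):
            argv, rule, i = shlex.split(line), {}, 2
            while i < len(argv):                 # every option here except --syn takes a value
                opt = argv[i]
                if opt == "-j" or opt in CHECKS:
                    rule[opt] = True if opt == "--syn" else argv[i + 1]
                i += 1 if opt == "--syn" else 2  # also steps over "-m conntrack", "--reject-with X"
            chains[argv[1]].append(rule)
    return policies, chains

def verdict(policies, chains, pkt, chain="INPUT"):  # walk a chain as netfilter would
    for rule in chains[chain]:
        if not all(CHECKS[opt](want, pkt) for opt, want in rule.items() if opt != "-j"):
            continue
        if rule["-j"] in chains:                 # jump into a user-defined chain
            if (result := verdict(policies, chains, pkt, rule["-j"])) is not None:
                return result
            continue                             # fell off its end: implicit RETURN
        return rule["-j"]                        # ACCEPT / DROP / REJECT terminates
    return policies[chain]                       # builtin policy, or None for a user chain

def new_tcp_syn_verdict(rules_text, dport):      # the probe an external "nmap -p<port>" sends
    pkt = {"proto": "tcp", "dport": dport, "syn": True, "ctstate": "NEW"}
    return verdict(*parse_filter(rules_text), pkt)
```

Running `new_tcp_syn_verdict(RULES_V4, 443)` returns ACCEPT and `new_tcp_syn_verdict(RULES_V4, 8443)` returns REJECT; feed it the full `iptables-save` output of the host to check the rules actually loaded rather than the file on disk.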

By default port 443 is listed as LISTEN in the configuration file of all web servers and bound to sites using SSL.

All you need is to bind the port or open the port in the firewall.

Use telnet to check whether the port is open.

root@ping# telnet <IP address> 443

Check if the port is open; if it is and you still cannot connect, then check that the bindings of the IP address and domain to port 443 are listed correctly in /etc/httpd/conf/httpd.conf (or in IIS for Windows).

If not, then allow this port using iptables:

iptables -I INPUT -p tcp --dport 443 -j ACCEPT (for Linux)

Make a custom firewall rule in control panel and allow port 443 for all incoming connections (for Windows).

imvikasmunjal