
I'm having difficulties accessing a listening service (Ionic) on port 8100 from a remote browser.

I have iptables on the Ubuntu 16.04 LTS server set up as follows:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 8100 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8100 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --sport 8100 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 8100 -m conntrack --ctstate ESTABLISHED -j ACCEPT

After this didn't work, I tried to add rules with UFW:

Status: active

To                         Action      From
--                         ------      ----
8100                       ALLOW       Anywhere                  
8100/tcp                   ALLOW       Anywhere                          
8100 (v6)                  ALLOW       Anywhere (v6)             
8100/tcp (v6)              ALLOW       Anywhere (v6)

I still get ERR_CONNECTION_REFUSED when I try to access this port from a remote browser. Ports 80 and 22 work as normal.

As for the service itself on port 8100, I have tried having it listen as follows:

dev server running: http://localhost:8100/

and:

dev server running: http://<my server's IP>:8100/

Which results in the same error.

Edit: When I run $ ss -ltnp "src :8100":

State      Recv-Q Send-Q                      Local Address:Port                                     Peer Address:Port              
LISTEN     0      128                          <server's IP address>:8100                                                *:*     

Edit 2: Also tried to make it listen as follows:

State      Recv-Q Send-Q                      Local Address:Port                                     Peer Address:Port              
LISTEN     0      128                                     *:8100                                                *:*   
user72364
  • Sounds like your service is not actually listening on port 8100, or at least not on the expected interface. Add the output of `ss -ltnp "src :8100"` to your question. – jordanm Feb 20 '17 at 01:03
  • @jordanm Updated it with this info. I edited the IP out for sensitivity. Is it listening correctly? – user72364 Feb 20 '17 at 01:09
  • I'm really not a Linux expert, but something seems obvious: should your iptables rules be under the port 80 rule? A reject rule is before your allow rule. The order seems not OK. – yagmoth555 Feb 20 '17 at 02:19

1 Answer


With iptables the first match wins, so,

-A INPUT -j REJECT --reject-with icmp-port-unreachable

Everything below that line in the INPUT chain will be rejected and you will get a Connection Refused message.

Look at what's below it:

-A INPUT -p tcp -m tcp --dport 8100 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8100 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Q.E.D.

user9517
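The answer's point, that a rule placed after an unconditional REJECT can never match, is easy to check mechanically. The script below is an added example and is not code from the question or the answer: it reads an `iptables -S` / `iptables-save` style listing, reports every rule that sits after an unconditional terminating rule (a bare `-j REJECT`, `-j DROP` or `-j ACCEPT` with no match criteria) in its chain, and emits a reordered listing in which those shadowed rules are moved in front of the terminator. The sample input is the INPUT/FORWARD/OUTPUT listing from the question; the function names `example_rules`, `shadowed_rules` and `reorder_rules` are this example's own.

```shell
#!/bin/sh
# Added example: detect and fix iptables rules shadowed by an earlier
# unconditional REJECT/DROP/ACCEPT in the same chain.

# Sample input, copied from the question. On a live host you would
# instead run:  iptables -S | shadowed_rules
example_rules() {
cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 8100 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8100 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --sport 8100 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 8100 -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# shadowed_rules: reads rules on stdin and prints "<chain>: <rule>" for each
# rule that follows an unconditional terminating rule in its chain.
# A rule is unconditional when it reads "-A <chain> -j <target> ..." with no
# match options before -j; LOG is non-terminating and is not treated as one.
shadowed_rules() {
    awk '
    $1 == "-A" {
        chain = $2
        if (chain in blocked) { print chain ": " $0; next }
        if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP" || $4 == "ACCEPT"))
            blocked[chain] = 1
    }'
}

# reorder_rules: reads rules on stdin and prints the same listing with every
# shadowed rule moved directly in front of the terminator that hid it, so the
# result can be fed to iptables-restore (after adding the table header).
reorder_rules() {
    awk '
    { lines[NR] = $0 }
    $1 == "-A" {
        chain = $2
        if (chain in blocked) {
            shadowed[chain] = shadowed[chain] $0 "\n"   # collect for re-insertion
            drop[NR] = 1                                 # do not print at old position
        } else if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP" || $4 == "ACCEPT")) {
            blocked[chain] = 1
            termline[chain] = NR
        }
    }
    END {
        for (i = 1; i <= NR; i++) {
            if (i in drop) continue
            for (c in termline)
                if (termline[c] == i) printf "%s", shadowed[c]
            print lines[i]
        }
    }'
}

# Stand-alone run: show the shadowed rules, then the corrected ordering.
example_rules | shadowed_rules
echo "--- reordered ---"
example_rules | reorder_rules
```

Run against the listing in the question, `shadowed_rules` flags exactly the two `--dport 8100` rules in INPUT and nothing in FORWARD or OUTPUT, and `reorder_rules` places them just above `-A INPUT -j REJECT`. Note that the moved rules still sit below the rate-limited LOG rule, so the first SYN to 8100 will be logged with the "denied" prefix even though it is then accepted; in practice you would insert the allow rule above the LOG line as well, for example with `iptables -I INPUT <n>` at the position of the port 443 rule.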