I have attempted to open port 443 on a server I'm working on (Ubuntu 16.04):

```
/sbin/iptables -I INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
```

The port doesn't appear to be open:

```
nmap cubicverse.com
```

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:433 state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 
```

I have also opened the port with ufw.

What alternative steps may be needed to open the port?

To be clearer, I am attempting to add an SSL cert for this server, and the 'SSL checker' keeps telling me I have a closed port and hence it can't validate the CSR.

  • This does not look like a firewall problem. The only rule in `iptables` is the one with port 443, but ports 22 and 80 are reported open. I am afraid the firewall does not block anything. Could you add the output of `netstat -tulpan | grep ':443 '` to your question? That should show if any service is listening on port 443. – Thomas Jun 18 '17 at 17:24
  • @Thomas I would, but for some reason the command outputs nothing – Peter David Carter Jun 18 '17 at 17:27
  • @Thomas I updated my question with new info I just realised is probably important. – Peter David Carter Jun 18 '17 at 17:30
  • Then there is no service listening on port 443 and `nmap` will therefore not report port 443 to be open. Fix the service you expect on port 443 and then check your firewall settings. At the moment it does not block anything. – Thomas Jun 18 '17 at 17:31
  • Why does https://decoder.link/sslchecker/www.cubicverse.com/443 say the port is closed? – Peter David Carter Jun 18 '17 at 17:32
  • Well, your sslchecker says the port is closed because it cannot connect to the service on port 443. In your case, it is not the firewall that is blocking the sslchecker, it is simply no service listening on port 443 that could answer sslchecker. sslchecker cannot determine if it is the firewall that is blocking or if the service is running. So, what service do you expect to run on port 443? apache? nginx? ... Depending on the service you might have to install additional packages and/or configure the service to listen on port 443. – Thomas Jun 18 '17 at 18:01
  • It's a custom node server using someone else's code (they wrote the codebase I'm just helping out with it). I think this is likely the problem. Didn't realise I needed a serving process on 443, but it makes sense now. (Fixing the typo in the IP tables didn't fix the problem.) – Peter David Carter Jun 19 '17 at 09:39

1 Answer

There's a typo in your firewall configuration. You want to allow port 443 not port 433.

Pak
  • Thanks but I fixed this and still getting the same error. Thanks for the suggestion though. – Peter David Carter Jun 19 '17 at 09:36
  • What do you get if you run `netstat -nlt | grep ":443"` on the server? – Pak Jun 19 '17 at 09:39
  • Still getting nothing. See new IP Tables output above, though. – Peter David Carter Jun 19 '17 at 09:40
  • If the netstat command returned nothing, then there is no application listening on port 443. You will need to configure your web server to listen on port 443 for SSL connections (unless you're running another service on port 443, in which case you'll have to configure that). (The changes to the `iptables` configuration are simply due to you adding further rules; you can tidy them up by removing the rules you don't need.) - I've just realised that's what @Thomas said, so go with his comment thread. – Pak Jun 19 '17 at 10:20
  • Check the IP Tables output I added to the question. The IP Tables output shows open to HTTPS traffic which I assume means 443. – Peter David Carter Jun 19 '17 at 10:21
  • Yes, it does, but it simply means that the firewall will no longer block any access to port 443. It still requires a service to be running on port 443 in order for a connection to be made, in the same way that stopping your web server (or whatever application is listening on port 80) will prevent any access to port 80 even though the firewall allows that access. – Pak Jun 19 '17 at 11:51
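
The distinction drawn in this thread (firewall allows the traffic, but nothing is listening) can be reproduced locally. The following is an added example, not code from the original posts: it classifies a TCP port as a remote checker would see it and shows the same port going from "closed" to "open" once a process starts listening. The names `probe` and `demo` are hypothetical, and loopback with a kernel-chosen port stands in for the server and port 443.

```python
import socket


def probe(host, port, timeout=2.0):
    """Classify a TCP port roughly the way a remote scanner reports it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # handshake completed: a service is listening
    except ConnectionRefusedError:
        # The SYN reached the host and was answered with a reset.
        # This is what happens when no process is listening on the port,
        # even if the firewall policy is ACCEPT.
        return "closed"
    except socket.timeout:
        # No answer at all: typical of a firewall silently dropping packets.
        return "filtered"
    except OSError:
        return "unreachable"  # routing or name resolution problem
    finally:
        s.close()


def demo():
    """Show one port before and after a process starts listening on it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Assumption: 127.0.0.1 and a kernel-chosen free port stand in for
    # the real server and port 443, so this runs without root or network.
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    # Port is reserved but nothing is listening yet: same situation as
    # an empty `netstat -nlt | grep ":443"` on the server.
    before = probe("127.0.0.1", port)

    srv.listen(1)            # now a service is listening
    after = probe("127.0.0.1", port)

    srv.close()
    return before, after


if __name__ == "__main__":
    print(demo())
```

A "closed" result means the packet got through and was refused by the host itself, which is why adding more `iptables` ACCEPT rules does not change it.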