I am trying to get stunnel to forward from a port (eventually via https on 443) to port 8080.

The http served on 8080 is already visible correctly by a remote browser.

I have tried some four versions of stunnel between 4.42 and 4.55, on Ubuntu 16 and 18.

The stunnel program output:

...
[!] bind: Address already in use (98)
[!] Error binding service [myhttp] to 0.0.0.0:9985
...

stunnel.conf (am I missing something? On the web there are various claims that this or that should be added):

cert = /etc/letsencrypt/live/<<my-domain>>/cert.pem
key = /etc/letsencrypt/live/<<my-domain>>/privkey.pem
[myhttp]
accept = 9985
connect = 8080

I have tried prefixing the ports with 127.0.0.1: or ::1:. (This changes the 0.0.0.0 above, but the result is the same.)

My firewall:

root@localhost:/home/my# iptables -L -v
Chain INPUT (policy ACCEPT 211 packets, 160K bytes)
pkts bytes target     prot opt in     out     source               destination
145  849K ACCEPT     all  --  lo     any     anywhere             anywhere
8874 1008K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
248 24754 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
310 22151 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:9985
0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:9986

If I add into /etc/services:

myhttp          9985/tcp

then the output of iptables -L -v contains ... tcp dpt:myhttp..., but still 0 accepts.

If I change the entry in stunnel.conf to accept = 80, then the remote browser can get an HTTPS connection through that port and get the page served on port 8080, and it has an SSL lock symbol. However, using port 80 for HTTPS is no solution; I need that port to serve plain HTTP or to direct the browser to the HTTPS port.

  • *"Address already in use"* - That means that something else is already listening on port 0.0.0.0:9985 - You can't have two services concurrently listen and accepting connections on the same port. Check with `sudo netstat -tnlp | grep :9985` or `ss -tnlp | grep :9985` what that is. – HBruijn Jun 19 '19 at 08:23
  • There are various stunnels running on the ports I previously tried including 9985 – Bernd Elkemann Jun 19 '19 at 08:32
  • and that is what we expect to see – Bernd Elkemann Jun 20 '19 at 05:07
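The check suggested in the comments, as an added example that is not part of the original thread: a small pre-flight script that reads the accept= ports out of stunnel.conf and compares them with saved `ss -tnlp` output, so the "bind: Address already in use (98)" error is spotted before stunnel is started. The conf, the fake `ss` capture (an earlier stunnel instance still holding 9985) and the service name `myhttp2` are constructed for the example; on a real host you would save `ss -tnlp > file` and point the script at that.

```shell
# Print the port of every "accept = ..." line; strips any "127.0.0.1:" or "::1:" prefix.
stunnel_accept_ports() {
    sed -n 's/^[[:space:]]*accept[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/.*://' | tr -d ' \t\r'
}

# Print every port with a listening socket from saved `ss -tnlp` output ($1 = file).
listening_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' "$1" | sort -u
}

# For each accept port, report whether it is free or which process already holds it.
# Returns 1 if any conflict was found.
check_bind_conflicts() {
    conf=$1; ssout=$2; rc=0
    for p in $(stunnel_accept_ports "$conf"); do
        if listening_ports "$ssout" | grep -qx "$p"; then
            owner=$(awk -v port="$p" 'NR > 1 && $4 ~ (":" port "$") { print $6 }' "$ssout")
            echo "port $p already bound by $owner"
            rc=1
        else
            echo "port $p free"
        fi
    done
    return $rc
}

# Constructed sample input: a conf like the one in the question plus a second service,
# and a fake `ss -tnlp` capture in which an older stunnel instance still holds 9985.
CONF=$(mktemp); SSOUT=$(mktemp)
cat > "$CONF" <<'EOF'
[myhttp]
accept = 9985
connect = 8080
[myhttp2]
accept = 127.0.0.1:9986
connect = 8080
EOF
cat > "$SSOUT" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=801,fd=3))
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("python3",pid=1402,fd=5))
LISTEN 0      128    0.0.0.0:9985       0.0.0.0:*         users:(("stunnel",pid=2210,fd=9))
EOF
check_bind_conflicts "$CONF" "$SSOUT" || echo "stop the process holding the port, or change accept="
```

Note that a free port here only means no local socket is bound; whether the port is reachable from outside still depends on iptables and, as the answer below the question found, on any firewall the hosting provider runs in front of the server.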

1 Answer

I finally got it working. My hosting provider adds another firewall outside this server, so in addition to configuring iptables, I also have to go to the provider's website and configure firewall settings there (and then they take some minutes to take effect, so be patient).