
Some months ago I rented a Kimsufi server and tried to forward ports, without luck.

I abandoned the server; a few days ago I started to reconfigure everything again, but I'm still having problems.

I discovered that some ports are blocked by default, but I still don't have a clue how to unblock them.

The main problem is that I installed apache2 on a virtual machine (Debian). If I use port 8000 to host the website, everything works well (using http://z3nth10n.net:8000).

This is my interfaces configuration (/etc/network/interfaces):

auto lo
iface lo inet loopback

iface enp4s0 inet manual

iface enp5s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address  <public ip>
        netmask  24
        gateway  <public gateway>
        bridge-ports enp4s0
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet static
        address  192.168.5.99
        netmask  24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '192.168.xx.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.xx.0/24' -o vmbr0 -j MASQUERADE
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 8000 -j DNAT --to 192.168.xx.55:8000
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 8000 -j DNAT --to 192.168.xx.55:8000
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.xx.55:80
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.xx.55:80
        post-up iptables -A FORWARD -p tcp -d 192.168.xx.55 --dport 80 -j ACCEPT
        post-down iptables -D FORWARD -p tcp -d 192.168.xx.55 --dport 80 -j ACCEPT

I added these two lines:

        post-up iptables -A FORWARD -p tcp -d 192.168.xx.55 --dport 80 -j ACCEPT
        post-down iptables -D FORWARD -p tcp -d 192.168.xx.55 --dport 80 -j ACCEPT

But this is still not working.

nmap shows that the port is open on the virtual machine, but closed on the host machine, so this is confusing me.

I read (iptables has port 80 open but nmap shows it closed) that if the port isn't in use it will not be shown as open by nmap.

Also I executed the netstat -lnp | grep 80 command, and this is the output:

HOST MACHINE

root@ns324919:~# netstat -lnp | grep 80
tcp        0      0 0.0.0.0:8006            0.0.0.0:*               LISTEN      1572/pveproxy worke
unix  2      [ ACC ]     STREAM     LISTENING     17217    980/qmeventd         /var/run/qmeventd.sock
unix  2      [ ACC ]     STREAM     LISTENING     2380     1/init               /run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     18056    991/watchdog-mux     /run/watchdog-mux.sock
unix  2      [ ACC ]     STREAM     LISTENING     34980709 1975/kvm             /var/run/qemu-server/100.vnc
unix  2      [ ACC ]     STREAM     LISTENING     23800    1665/master          private/bsmtp
unix  2      [ ACC ]     STREAM     LISTENING     23803    1665/master          private/scalemail-backend
unix  2      [ ACC ]     STREAM     LISTENING     23806    1665/master          private/mailman

VIRTUAL MACHINE

root@debian:~# netstat -lnp | grep 80
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      808/mysqld         
tcp6       0      0 :::80                   :::*                    LISTEN      14825/apache2       
unix  2      [ ACC ]     STREAM     LISTENING     12719    808/mysqld           /var/run/mysqld/mysqld.sock

So, I can assume that the port is not in use on the host machine.

Also, I disabled the firewall:

root@ns324919:~# pve-firewall status
Status: disabled/stopped

I disabled everything to make sure it was not interfering with my test, but I have doubts because I don't know whether I created a DMZ network or whether I need to forward something using the firewall.


1 Answer


Check the httpd.conf/apache.conf file; the Listen port should be 80 rather than 8000.

Is this a cloud instance? If yes, even though you allow it with iptables, it is not exposed to the world. You will need to open the port in your provider's ACL.

  • It's listening on the port 80. You can check it ![here](https://i.gyazo.com/b96cb926fbface1e20fc14e282335a0d.png) and ![here](https://i.gyazo.com/708bf0306fb8d1aa59370518f14dbcb5.png). (I'm using the default config)... I'm using a dedicated server on Kimsufi, what is an ACL? – z3nth10n Nov 18 '19 at 19:19
  • If it is listening on port 80, try running `curl localhost -I`; this should return a 200 response. An ACL (access control list) defines what ports are opened at your cloud provider for your server and who can access those ports. – Vignesh SP Nov 18 '19 at 19:23
  • `curl localhost -I` displays a 200 response. I will research for that term. Thanks! – z3nth10n Nov 18 '19 at 19:28
  • It means your server is listening on port 80 and you need to allow 80 to public access. – Vignesh SP Nov 18 '19 at 19:31
  • I don't find anything related to ACL on my Kimsufi panel, can you help me to search? Thanks! – z3nth10n Nov 18 '19 at 19:41