Can't get port 443 https open in IPTABLES

Hi!

I can't get port 443 https to be open.

I run:

sudo nmap -sS 0.0.0.0 -p 443

Output:

Host is up.
PORT STATE SERVICE
443/tcp filtered https

How to change port 443 https from 'filtered' to 'open' in IPTABLES?

I set in IPTABLES:

iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

and for PIHOLE:

/sbin/iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p udp --dport 443 -j REJECT --reject-with icmp-port-unreachable

I can't get port 443 to be open to get a connection from outside:

Error message of client-software:

dial tcp 0.0.0.0:443: connect: connection refused

Please help, THANKS!!!

First off, I hope you're not actually using 0.0.0.0 as an IP address. That address is invalid anyway. I assume you're not using 0.0.0.0 as your actual IP address, because that should toss up a different error from Nmap.

With that said, could you please show us the output of iptables -L and also tell us more about where you're running Pi-Hole? Is the Pi-Hole standing between the IPTables-based system and the computer you're using to attempt connections?

We need more information like that to help you. Thank you.


PIHOLE is running on my private/working machine on localhost.

Here are my IPTABLES rules for my firewall script on boot.

/sbin/iptables --flush
/sbin/iptables --delete-chain
/sbin/iptables -t mangle --flush
/sbin/iptables -t mangle --delete-chain
/sbin/iptables -t nat --flush
/sbin/iptables -t nat --delete-chain

/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

/sbin/iptables -A INPUT -i lo -p icmp -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp -j DROP

/sbin/iptables -I INPUT -p tcp -m tcp --dport 22 -j DROP
/sbin/iptables -I OUTPUT -p udp -m udp --dport 22 -j DROP

/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

/sbin/iptables -A INPUT -p udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A INPUT -p tcp --dport 4711 -j ACCEPT

/sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

Maybe I have wrong rules?

I think that blocks off incoming connections. Just humor me and try changing that to a -j ACCEPT.
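To see why the REJECT rule on port 443 turns into "connection refused" for the client, and why the -I rule for port 22 lands ahead of the loopback ACCEPT, here is a toy first-match evaluator of the INPUT chain built from the script posted above. It is added example code, not from this thread or from Pi-hole; the LAN range 192.168.172.0/24 used in the narrowed fix is an assumption taken from the scanned address.

```python
import ipaddress
import shlex

# INPUT-chain lines copied from the firewall script posted in the thread, in script order.
SCRIPT = """
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -I INPUT -p tcp -m tcp --dport 22 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p tcp --dport 4711 -j ACCEPT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(line):
    """Map each flag to its value; -P keeps (chain, policy). Every flag used here takes one value."""
    toks, rule, i = shlex.split(line)[1:], {}, 0          # [1:] drops /sbin/iptables
    while i < len(toks):
        n = 3 if toks[i] == "-P" else 2
        rule[toks[i]] = tuple(toks[i + 1:i + n]) if n == 3 else toks[i + 1]
        i += n
    return rule

def build_chain(script):
    """Replay the script: -P sets the policy, -A appends, -I inserts at the top (rule 1)."""
    policy, chain = "ACCEPT", []
    for r in map(parse, script.strip().splitlines()):
        if "-P" in r:
            policy = r["-P"][1]
        elif r.get("-I") == "INPUT":
            chain.insert(0, r)
        elif r.get("-A") == "INPUT":
            chain.append(r)
    return policy, chain

CHECKS = {  # match flag -> predicate(flag value, packet); unlisted flags such as -m do not filter
    "-p": lambda v, p: v == p["proto"],
    "-i": lambda v, p: v == p["iface"],
    "--dport": lambda v, p: int(v) == p["dport"],
    "--state": lambda v, p: p["state"] in v.split(","),
    "-s": lambda v, p: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(v),
}

def verdict(script, pkt):
    """First matching terminal rule wins; if nothing matches, the chain policy applies."""
    policy, chain = build_chain(script)
    for rule in chain:
        if rule.get("-j") in TERMINAL and all(f(rule[k], pkt) for k, f in CHECKS.items() if k in rule):
            return rule["-j"] + (" " + rule["--reject-with"] if "--reject-with" in rule else "")
    return policy
```

A packet is a dict such as {"proto": "tcp", "dport": 443, "iface": "eth0", "state": "NEW", "src": "192.168.172.10"}; the REJECT with tcp-reset is exactly what the client reports as "connection refused", while replacing that rule with an ACCEPT limited by -s to the LAN range opens the port to local clients and leaves the DROP policy for everyone else.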

OK, got it now:

/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

/sbin/iptables -A INPUT -p udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A INPUT -p tcp --dport 4711 -j ACCEPT

/sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

sudo nmap -sS 192.168.172.42

Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-04 13:37 CET
Nmap scan report for amd (192.168.172.42)
Host is up (0.000020s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https
