how to open port 443?

Issues related to configuring your network
hopefulp
Posts: 20
Joined: 2018/07/29 12:41:54

how to open port 443?

Post by hopefulp » 2019/10/28 07:58:11

I tried to open port 443.
The Super Com server opens only port 443 (maybe https). To transfer my data using git, I need to open port 443 on my computer (CentOS 7).
I tried several times, such as
sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
https://www.digitalocean.com/community/ ... n-port-443
sudo iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
Neither works. This is all that (sudo lsof -iTCP -sTCP:LISTEN -P) shows:
httpd 30170 root 4u IPv6 4772079 0t0 TCP *:80 (LISTEN)
httpd 30171 apache 4u IPv6 4772079 0t0 TCP *:80 (LISTEN)
No 443.

How can I open port 443 for both INPUT and OUTPUT?

And one more question:
After two attempts, both iptables and iptables.save have changed into very short tables. How can I recover the original file "iptables"?
<iptables>
# Generated by iptables-save v1.4.21 on Mon Oct 28 16:23:43 2019
*filter
:INPUT ACCEPT [124:20351]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9:568]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Mon Oct 28 16:23:43 2019
<iptables.save>
# Generated by iptables-save v1.4.21 on Mon Oct 28 16:19:24 2019
*filter
:INPUT ACCEPT [259:37831]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [59:4719]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Mon Oct 28 16:19:24 2019

jlehtone
Posts: 2381
Joined: 2007/12/11 08:17:33
Location: Finland

Re: how to open port 443?

Post by jlehtone » 2019/10/28 08:15:03

Have you explicitly disabled firewalld.service and enabled iptables.service? If not, then you are not using the correct tool (firewall-cmd).


If your process does not listen on port 443, then the firewall is not the showstopper. Server configuration or SELinux is.

Another way to see listeners:

Code:

sudo ss -tlpn

TrevorH
Forum Moderator
Posts: 26934
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: how to open port 443?

Post by TrevorH » 2019/10/28 09:44:53

With those rules in place, you have NO firewall at all so if your app is not responding properly then it has nothing to do with the firewall.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

hopefulp
Posts: 20
Joined: 2018/07/29 12:41:54

Re: how to open port 443?

Post by hopefulp » 2019/10/28 11:32:33

I have tried
systemctl stop firewalld, then disable,
then restart iptables (including iptables -A ...).
Nothing changed.

Then what shall I do more?

TrevorH
Forum Moderator
Posts: 26934
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: how to open port 443?

Post by TrevorH » 2019/10/28 11:38:21

Whatever your problem is, it is NOT the firewall since you have both turned it off and also configured it to be completely useless.

jlehtone
Posts: 2381
Joined: 2007/12/11 08:17:33
Location: Finland

Re: how to open port 443?

Post by jlehtone » 2019/10/29 09:14:51

Background information about firewall implementations in CentOS 7:
https://access.redhat.com/documentation ... _firewalls

The firewall does not dictate whether your process listens on a port.
The firewall dictates whether outsiders are allowed to approach a port (whether you listen or not).

The configuration of your "server process" decides which ports that process listens on.
SELinux can deny a process from using a port.

Q: "how to make Super Com server listen port 443?"
A: I have no idea.

Q: "how to open tcp port 443 (in firewall for ingress traffic)?"
A: If you had the default firewalld-setup, then:

Code:

sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

Q: "how to get default firewall-setup?"
A: Not sure, but I would try:

Code:

sudo systemctl disable iptables
sudo systemctl stop iptables
sudo systemctl start firewalld
sudo systemctl enable firewalld

in the hope that you haven't overwritten firewalld's config.

hopefulp
Posts: 20
Joined: 2018/07/29 12:41:54

Re: how to open port 443?

Post by hopefulp » 2019/10/30 03:21:14

I think I have tried all of these at the command line, and a reboot for the last time.
But I can't check whether port 443 is open or not, and netstat does not show it as LISTEN.

The situation is like this,
The SuperCom ssh is blocked for outbound. I want to get data through git.

<git seems to use port 22>
x1813a01@login04:~/.ssh$ git clone joonho@chi.kaist.ac.kr:/NAS1/Repository/amp_water.git
Cloning into 'amp_water'...
ssh: connect to host chi.kaist.ac.kr port 22: Connection timed out
fatal: Could not read from remote repository.

<I am not sure git can use http. The manager said it is open for 443, and I do not know what mistake I made in the git-http setting>
x1813a01@login04:~/.ssh$ git clone http://chi.kaist.ac.kr/http_water.git
Cloning into 'http_water'...
fatal: repository 'http://chi.kaist.ac.kr/http_water.git/' not found
--- Is this why http (port 80) is not used for git in Super Com, or did I make a mistake in configuring my repository?

<port 443 looks blocked in my computer: git clone https://andrewpeterson@bitbucket.org.... is working for other sites>
x1813a01@login04:~/.ssh$ git clone https://chi.kaist.ac.kr/http_water.git
Cloning into 'http_water'...
fatal: unable to access 'https://chi.kaist.ac.kr/http_water.git/': Failed connect to chi.kaist.ac.kr:443; Connection refused

If there is any more info needed, I would be grateful to provide it.

Thanks for your concern!!

jlehtone
Posts: 2381
Joined: 2007/12/11 08:17:33
Location: Finland

Re: how to open port 443?

Post by jlehtone » 2019/10/30 07:34:58

hopefulp wrote (2019/10/30 03:21:14):
The situation is like this,
The SuperCom ssh is blocked for outbound. I want to get data through git.
The manager said it is open for 443
That is not it. Not even close.

You seem to have machine "x1813a01".
You mention machines "chi" and "bitbucket".
You mention "SuperCom firewall" that you have no control on.

Is x1813a01 inside SuperCom?
Are chi and bitbucket outside SuperCom?

On which machines have you tampered with firewall?
On which machines have you attempted to install git repository?
On which machines have you listened?

hopefulp wrote (2019/10/30 03:21:14):
But I can't to check whether port 443 is open or not and netstat does not show it LISTEN.
'netstat' is deprecated. It is replaced with 'ss'.
hopefulp wrote (2019/10/30 03:21:14):
I think I have tried all these in the level of command line input and a reboot for the last time.
What is the current status of the firewall?

Code:

sudo systemctl status iptables.service
sudo systemctl status firewalld.service
sudo iptables -S

hopefulp wrote (2019/10/30 03:21:14):
I do not know what I made a mistake for git-http setting
You are the only one who knows the git-http settings that you made.
(I know nothing of git-http, so I could not comment even if you would show us what you did.)

hopefulp
Posts: 20
Joined: 2018/07/29 12:41:54

Re: how to open port 443?

Post by hopefulp » 2019/11/04 09:07:54

Reply to the last advice:
x1813a01 is my ID in Supercom.
My computer is chi.

I can use git over https in Supercom, so I want to move data through git between Supercom and chi.
I tried to open port 443 but failed. But I found a new solution for that.
Simply change, in /etc/httpd/conf/httpd.conf,
Listen 80 -> Listen 443

Then systemctl restart httpd.service,
which replaces 80 with 443, and netstat shows 443 as "LISTEN". Then I might use git through https to chi in Supercom.

Previously I made many attempts such as "iptables, firewalld, -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT .... "
I do not know whether those configurations made any change, but just by modifying "httpd.conf", port 443 is listening. Now the situation has changed.

In Supercom
x1813a01@login01:~$ git clone http://chi.kaist.ac.kr/https_sb.git
Cloning into 'https_sb'...
fatal: unable to access 'http://chi.kaist.ac.kr/https_sb.git/': Failed connect to chi.kaist.ac.kr:80; Connection refused

x1813a01@login01:~$ git clone https://chi.kaist.ac.kr:443/https_sb.git
Cloning into 'https_sb'...
fatal: unable to access 'https://chi.kaist.ac.kr:443/https_sb.git/': SSL received a record that exceeded the maximum permissible length.

It looks like port 80 is closed and port 443 is open on my computer. Anyway, my attempt to open port 443 is done.
But still I could not complete my aim.
It looks like it requires SSL permission, but I have no idea. Do I need to install an SSL license key? How do I do that?
(To use git to transfer data to sync my computer and SuperCom. You know that copying data makes much trouble when modifying the same script here and there. If port 22 were open in Supercom, there would not be any problem.)
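Changing "Listen 80" to "Listen 443" only moves httpd's plain-HTTP listener to port 443; without mod_ssl configured (SSLEngine on, a certificate and a key), the port speaks no TLS, and a TLS client reads the first bytes of the HTTP reply as a TLS record header. The script below is an added example, not from this thread; it assumes the plaintext server answers a ClientHello with "HTTP/1.1 400 Bad Request" (a constructed sample) and decodes that the way the client does, which produces a record length far above the protocol ceiling.

```shell
#!/bin/sh
# Constructed sample: first bytes a plain-HTTP httpd (Listen 443, no SSLEngine)
# sends back when a TLS ClientHello arrives on that port (assumed 400 reply).
PLAINTEXT_REPLY='HTTP/1.1 400 Bad Request'

# Largest TLSCiphertext record a client must accept (RFC 5246 6.2.3): 2^14 + 2048.
TLS_MAX_RECORD=18432

# Interpret the first five bytes of $1 as a TLS record header and print the
# 16-bit length field (bytes 4 and 5); byte 1 is the content type, 2-3 the version.
tls_record_length() {
    set -- $(printf '%s' "$1" | od -An -tu1 -N5)
    echo $(( $4 * 256 + $5 ))
}

# Classify a server's first bytes: a real TLS record carries a plausible length,
# whereas "HTTP/" decodes to 0x502F = 20527, above the ceiling, which is the
# condition the TLS library reports as a record exceeding the permissible length.
classify_reply() {
    len=$(tls_record_length "$1")
    if [ "$len" -gt "$TLS_MAX_RECORD" ]; then
        echo "not TLS (record length $len): the port is speaking plaintext"
    else
        echo "TLS record of length $len"
    fi
}

classify_reply "$PLAINTEXT_REPLY"
# A genuine ServerHello header (0x16 = handshake, TLS 1.2, length 300) for comparison.
classify_reply "$(printf '\026\003\003\001\054')"
```

The fix on the server side is to leave "Listen 80" alone and let mod_ssl add its own "Listen 443" with a certificate, rather than re-pointing the plain listener.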

hopefulp
Posts: 20
Joined: 2018/07/29 12:41:54

Re: how to open port 443?

Post by hopefulp » 2019/11/04 09:13:53

sudo systemctl status iptables.service
sudo systemctl status firewalld.service
sudo iptables -S
joonho@chi:.../htdocs/https_sb.git/hooks$ sudo systemctl status iptables.service
[sudo] password for joonho:
● iptables.service
Loaded: masked (/dev/null; bad)
Active: inactive (dead)
joonho@chi:.../htdocs/https_sb.git/hooks$ sudo systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2019-11-04 13:29:16 KST; 4h 42min ago
Docs: man:firewalld(1)
Main PID: 1168 (firewalld)
Tasks: 2
CGroup: /system.slice/firewalld.service
└─1168 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

joonho@chi:.../htdocs/https_sb.git/hooks$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FORWARD_IN_ZONES
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_direct
-N FWDI_public
-N FWDI_public_allow
-N FWDI_public_deny
-N FWDI_public_log
-N FWDO_public
-N FWDO_public_allow
-N FWDO_public_deny
-N FWDO_public_log
-N INPUT_ZONES
-N INPUT_ZONES_SOURCE
-N INPUT_direct
-N IN_public
-N IN_public_allow
-N IN_public_deny
-N IN_public_log
-N OUTPUT_direct
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i enp6s0f0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o enp6s0f0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i enp6s0f0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --sport 443 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p udp -m udp --sport 443 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 631 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 22161 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p udp -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
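The two questions jlehtone's earlier post keeps apart (is anything listening on the port, and does the inbound firewall path accept that destination port) can be checked against exactly the outputs posted in this thread. The script below is an added example, not from the thread or from any of its posters; its "ss -tlpn" and "iptables -S" samples are constructed to mirror the listings above, including the "--sport 443" rules in the last dump, which match the sender's port and therefore do not open inbound 443.

```shell
#!/bin/sh
# Constructed sample of "ss -tlpn" output (modelled on the lsof listing earlier
# in the thread: httpd on port 80 only, plus sshd).
SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:80               *:*     users:(("httpd",pid=30170,fd=4))
LISTEN 0      128    *:22               *:*     users:(("sshd",pid=1200,fd=3))'

# Constructed sample of "iptables -S" output (modelled on the firewalld dump above;
# note the --sport 443 rule, which matches the sender's port, not the service port).
IPTABLES_S='-P INPUT ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A IN_public_allow -p tcp -m tcp --sport 443 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT'

# Is any process listening on TCP port $1?  (state LISTEN, local address ends in :$1)
is_listening() {
    printf '%s\n' "$SS_OUTPUT" |
        awk -v p="$1" '$1 == "LISTEN" && $4 ~ (":" p "$") { found = 1 } END { exit !found }'
}

# Does the inbound path (INPUT or a firewalld IN_*_allow chain) ACCEPT new
# connections to TCP destination port $1?  A --sport rule deliberately does not count.
firewall_allows() {
    printf '%s\n' "$IPTABLES_S" |
        grep -Eq -- "^-A (INPUT|IN_[A-Za-z0-9]+_allow) .*-p tcp .*--dport $1( |$).*-j ACCEPT"
}

# One-line verdict that keeps the two questions apart, as the thread insists.
diagnose() {
    if is_listening "$1"; then svc=listening; else svc=not-listening; fi
    if firewall_allows "$1"; then fw=allowed; else fw=not-allowed; fi
    echo "port $1: service $svc, firewall $fw"
}

diagnose 443   # port 443: service not-listening, firewall not-allowed
diagnose 22    # port 22: service listening, firewall allowed
diagnose 80    # port 80: service listening, firewall not-allowed
```

On a live CentOS 7 host the same functions apply to the real output of "sudo ss -tlpn" and "sudo iptables -S"; a "not-listening" verdict points at the service configuration or SELinux, not at the firewall.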
