
On an Ubuntu 14.04 server I'm trying to get https running to get SSL for a website (the server will be replaced in a couple of weeks). The website works fine on http, but I can't get it running on https. The web browser gives an "Unable to connect", so I'm thinking iptables is blocking the connection. I'm somewhat familiar with ufw but not with iptables.

When I run iptables -L --line, I get the following output:

    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target prot opt in out source destination
    38300 2312K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
    0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
    0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
    0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
    122 7916 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
    0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
    0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
    0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
    0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
    0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
    0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
    37010 2251K ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
    162K 6486K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
    11M 4302M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    50298 3001K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    6998 431K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
    106K 26M UDP udp -- * * 0.0.0.0/0 0.0.0.0/0
    1057K 53M TCP tcp -- * * 0.0.0.0/0 0.0.0.0/0
    106K 26M REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    194K 8099K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
    5553 178K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW,ESTABLISHED
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 ctstate NEW,ESTABLISHED
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 18270 packets, 6985K bytes)
     pkts bytes target prot opt in out source destination
    2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:443 ctstate ESTABLISHED
    714 80354 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 ctstate ESTABLISHED

    Chain TCP (1 references)
     pkts bytes target prot opt in out source destination
    59249 3411K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    1200 64152 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
    498K 26M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:49152:49200
    305K 15M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21

    Chain UDP (1 references)
     pkts bytes target prot opt in out source destination

    Chain fail2ban-ssh (1 references)
     pkts bytes target prot opt in out source destination
    38300 2312K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Some public IP addresses have been replaced with x.x.x.x.

Under Chain INPUT (policy DROP) rules #21-25 show https, but they are ACCEPT rules in the policy DROP list. Does that mean the connection is dropped or allowed to pass through? There is no rule for http in this list.

Under Chain OUTPUT (policy ACCEPT) rule #1 shows https and #2 shows http and https. This looks like the accepting rule. However, if the previous one is the rule that drops the connection, I'm assuming rule #1 doesn't get reached.

Under Chain TCP (1 references) rule #1 shows http, but no rule for https.

Do I need to delete the rules under policy DROP? I've tried adding the rule with iptables -A INPUT -p tcp --dport 443 -j ACCEPT, but I still can't connect.

Also, in /etc/iptables/rules.v4 there is a rule for port 80 (-A TCP -p tcp -m tcp --dport 80 -j ACCEPT) but none for 443. Do I need to add it manually?

Update: added the requested information and replaced some domain names with example.com.

    Chain INPUT (policy DROP 0 packets, 0 bytes)
    num pkts bytes target prot opt in out source destination
    1 38723 2341K fail2ban-ssh tcp -- any any anywhere anywhere multiport dports ssh
    2 0 0 ACCEPT tcp -- any any example.com anywhere tcp dpt:ssh
    3 0 0 ACCEPT tcp -- any any example.com anywhere tcp dpt:ssh
    4 0 0 ACCEPT tcp -- any any example.com anywhere tcp dpt:ssh
    5 122 7916 ACCEPT tcp -- any any example.com anywhere tcp dpt:ssh
    6 0 0 ACCEPT tcp -- any any x.x.x.x/26 anywhere tcp dpt:ssh
    7 0 0 ACCEPT tcp -- any any example.com anywhere tcp dpt:ssh
    8 0 0 ACCEPT tcp -- any any example.com anywhere tcp dpt:ssh
    9 0 0 ACCEPT tcp -- any any example.com anywhere tcp dpt:ssh
    10 0 0 ACCEPT tcp -- any any example.com anywhere tcp dpt:ssh
    11 37418 2278K ACCEPT tcp -- any any example.com anywhere tcp dpt:ssh
    12 168K 6750K DROP all -- any any anywhere anywhere ctstate INVALID
    13 12M 4492M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
    14 51339 3063K ACCEPT all -- lo any anywhere anywhere
    15 7249 445K ACCEPT icmp -- any any anywhere anywhere icmp echo-request
    16 108K 27M UDP udp -- any any anywhere anywhere
    17 1084K 54M TCP tcp -- any any anywhere anywhere
    18 108K 27M REJECT udp -- any any anywhere anywhere reject-with icmp-port-unreachable
    19 201K 8383K REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
    20 5669 181K REJECT all -- any any anywhere anywhere reject-with icmp-proto-unreachable
    21 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
    22 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https ctstate NEW,ESTABLISHED
    23 0 0 ACCEPT tcp -- any any anywhere anywhere multiport dports http,https ctstate NEW,ESTABLISHED
    24 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
    25 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 381K packets, 210M bytes)
    num pkts bytes target prot opt in out source destination
    1 2 120 ACCEPT tcp -- any any anywhere anywhere tcp spt:https ctstate ESTABLISHED
    2 718 80790 ACCEPT tcp -- any any anywhere anywhere multiport dports http,https ctstate ESTABLISHED

    Chain TCP (1 references)
    num pkts bytes target prot opt in out source destination
    1 60377 3478K ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
    2 1202 64232 ACCEPT tcp -- any any anywhere anywhere tcp dpt:mysql
    3 510K 26M ACCEPT tcp -- any any anywhere anywhere tcp dpts:49152:49200
    4 311K 16M ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp

    Chain UDP (1 references)
    num pkts bytes target prot opt in out source destination

    Chain fail2ban-ssh (1 references)
    num pkts bytes target prot opt in out source destination
    1 38723 2341K RETURN all -- any any anywhere anywhere

ports.conf from Apache:

    Listen 80
    Listen 443 http

I have to add http to the 443 port, otherwise Apache won't start (based on this answer). This error then occurs:

    AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)

Host configuration:

    <VirtualHost *:443>
        ServerName www.example.com
        #ServerAdmin [email protected]
        DocumentRoot /var/www/test
        ErrorLog /var/log/apache2/www.example.com-ssl-error.log
        CustomLog /var/log/apache2/www.example.com-ssl-access.log combined
        <Directory /var/www/test >
            Options Indexes FollowSymLinks
            AllowOverride All
            Order allow,deny
            allow from all
        </Directory>
        SSLEngine On
        SSLCertificateFile /etc/ssl/cert/www_example_com.crt
        SSLCertificateKeyFile /etc/ssl/cert/www_example_com_com.key
        SSLCertificateChainFile /etc/ssl/cert/www_example_com_com.ca-bundle
    </VirtualHost>

There are no log entries in www.example.com-ssl*.log.

  • Perhaps "iptables -L -v --line-numbers" would provide something worthwhile investigating. Commented Jul 16, 2020 at 11:44
  • Is your webserver even listening on Port 443? Unable to connect does not sound like a firewall issue. Commented Jul 16, 2020 at 13:33
  • It looks like you've "added" rules for https, but you should have inserted them before the reject lines. That's where the line-numbers come in handy. You can't move lines, you'll need to delete them or the rejects, and respectively insert or add them. Commented Jul 16, 2020 at 14:40
  • BTW, it's better to drop than to reject, to spite the bots. Commented Jul 16, 2020 at 14:42
  • That makes sense, the REJECT rules are the last ones that will be matched? And http is being accepted, because it's in the TCP group? Would it be better to add 443 also to the TCP group? Commented Jul 16, 2020 at 14:51

2 Answers


All your iptables rules for the https port are below the 3 REJECT rules for UDP, TCP and ALL, so those match your https traffic and reject the connection.

Move the https rules above those (inserting them at least at the 18th position) or move the REJECT rules below the https ones.

NOTE: if Gerard H. Pille creates a similar answer as me, please, give him the credit.

EDIT: To clean all that up:

This would add the https port to the already defined http port in the TCP chain:

    iptables -R TCP 1 -p tcp -m multiport --dports 80,443 -j ACCEPT

This would delete all the unnecessary rules you appended to the INPUT chain (the order of the commands is important):

    iptables -D INPUT 25
    iptables -D INPUT 24
    iptables -D INPUT 23
    iptables -D INPUT 22
    iptables -D INPUT 21

The OUTPUT chain does not need any of those rules since it has a default policy of ACCEPT (ssh works and you do not have any OUTPUT rule for ssh, do you?), so you can delete both of them safely:

    iptables -D OUTPUT 2
    iptables -D OUTPUT 1
  • I won't do that, first come, first served. Besides, you're more in need of credits than I am ;-) Commented Jul 16, 2020 at 14:36
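As an added illustration (not part of either answer), a small Python model of iptables first-match chain traversal for the INPUT and TCP chains shown in the question: the dpt:https rules appended at positions 21-25 sit below the REJECT at rule 19 and are never reached, whereas putting 443 into TCP rule 1 (what the iptables -R TCP 1 command above does) lets the jump at rule 17 accept the connection. Rule, evaluate, build_chains and verdict_for are constructed for this model and do not call iptables itself.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    target: str                      # ACCEPT, REJECT, DROP, RETURN or a user-chain name
    proto: str = "all"               # "tcp", "udp" or "all"
    dports: frozenset = frozenset()  # empty = any destination port
    states: frozenset = frozenset()  # empty = any conntrack state

    def matches(self, pkt):
        return (self.proto in ("all", pkt["proto"])
                and (not self.dports or pkt["dport"] in self.dports)
                and (not self.states or pkt["state"] in self.states))

def evaluate(chains, policies, chain, pkt):
    # Walk the chain top to bottom; the first matching terminating rule wins.
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "REJECT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            break
        verdict = evaluate(chains, policies, rule.target, pkt)  # jump into a user chain
        if verdict != "RETURN":
            return verdict
    # Built-in chains fall through to their policy; user chains return to the caller.
    return policies.get(chain, "RETURN")

def build_chains(fixed):
    # Condensed model of the question's INPUT and TCP chains (rule numbers as in the update).
    input_chain = [
        Rule("DROP", states=frozenset({"INVALID"})),                   # 12
        Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),  # 13
        Rule("TCP", proto="tcp"),                                      # 17: jump to chain TCP
        Rule("REJECT", proto="udp"),                                   # 18
        Rule("REJECT", proto="tcp"),                                   # 19: every new TCP connection
        Rule("REJECT"),                                                # 20
    ]
    if not fixed:  # the appended dpt:https rules (21-25) sit below the REJECTs
        input_chain.append(Rule("ACCEPT", proto="tcp", dports=frozenset({443})))
    tcp_ports = frozenset({80, 443}) if fixed else frozenset({80})    # TCP rule 1 after -R
    return {"INPUT": input_chain,
            "TCP": [Rule("ACCEPT", proto="tcp", dports=tcp_ports),
                    Rule("ACCEPT", proto="tcp", dports=frozenset({3306}))]}

def verdict_for(dport, proto="tcp", fixed=False):
    # Verdict for a new inbound connection to dport; INPUT policy is DROP as on the server.
    pkt = {"proto": proto, "dport": dport, "state": "NEW"}
    return evaluate(build_chains(fixed), {"INPUT": "DROP"}, "INPUT", pkt)
```

Run verdict_for(443) and verdict_for(443, fixed=True) to see the REJECT turn into an ACCEPT; the same walk shows why port 80 already works (TCP rule 1 matches before INPUT rule 19 is reached).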

ports.conf should be

    Listen 0.0.0.0:80
    Listen 0.0.0.0:443 https

but it is not necessary to define those protocols at all in ports.conf because:

You only need to set the protocol if you are running on non-standard ports. For example, running an https site on port 8443

https://httpd.apache.org/docs/2.4/bind.html#protocol
