Ubuntu firewall sucks, status showing allowed http, but won't



  • Hi there,

    I'm running Odoo ERP on Ubuntu 18; it uses port 8069.

    My concern is about the firewall. I installed UFW to manage the Ubuntu firewall (iptables). I have to use the http and https ports as well, so I have allowed ports 80, 443, 8069, etc. Port 8069 is open and running fine, but port 80 is closed. The following is the status of UFW:
    [Image: ufw status.JPG]

    My idea is to redirect port 80 traffic to port 8069. Before I do that, I need to make sure port 80 is open, and the following is the result from the port checker:
    [Image: port 80 closes.JPG]

    Please advise!



  • For the port to be identified as open there has to be something listening on that port, for instance a webserver. If you open the firewall but there is nothing listening it will say it's closed.

    Think of it as if you knock on the door of someone's home and they don't answer. Is the doorbell blocked or are they not home? How can you tell?

    Actually there are two ways to "close" a port - reject or drop incoming packets. But that is another discussion.



  • ERP is not even using port 80, so you shouldn't be able to get a response.

    Use the following netcat commands on your server; the port 80 connection will be refused while port 8069 will connect.

    nc -zv 127.0.0.1 80
    nc -zv 127.0.0.1 8069
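
The point made in the replies above (a UFW ALLOW rule does not make a port "open" unless something is listening on it), as an added example that is not part of the original thread: the script compares `ufw status` output with `ss -ltn` output. The sample text and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: cross-check UFW ALLOW rules against listening TCP sockets.
# Both samples are constructed to mirror the thread: 80, 443 and 8069 are
# allowed in UFW, but only sshd (22) and Odoo (8069) are actually listening.
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
8069/tcp                   ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)'

SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:8069        0.0.0.0:*
LISTEN  0       128     [::]:8069           [::]:*'

# Numeric TCP ports that `ufw status` lists as ALLOW (app-profile names skipped).
allowed_ports() {
  awk '/ALLOW/ { split($1, a, "/")
                 if (a[1] ~ /^[0-9]+$/ && (a[2] == "" || a[2] == "tcp")) print a[1] }' |
    sort -un
}

# Ports with a socket in LISTEN state, taken from `ss -ltn` output.
listening_ports() {
  awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# diagnose UFW_TEXT SS_TEXT: one line per allowed port.
diagnose() {
  local listening port
  listening=$(printf '%s\n' "$2" | listening_ports)
  for port in $(printf '%s\n' "$1" | allowed_ports); do
    if printf '%s\n' "$listening" | grep -qx "$port"; then
      echo "$port: allowed by UFW, listener present"
    else
      echo "$port: allowed by UFW, nothing listening"
    fi
  done
}

# On a live host: diagnose "$(sudo ufw status)" "$(ss -ltn)"
diagnose "$SAMPLE_UFW" "$SAMPLE_SS"
```

A port reported as "nothing listening" is the case where an external port checker shows closed even though the firewall rule is in place.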
    


  • @Pete-S said in Ubuntu firewall sucks, status showing allowed http, but won't:

    For the port to be identified as open there has to be something listening on that port, for instance a webserver. If you open the firewall but there is nothing listening it will say it's closed.

    Think of it as if you knock on the door of someone's home and they don't answer. Is the doorbell blocked or are they not home? How can you tell?

    Actually there are two ways to "close" a port - reject or drop incoming packets. But that is another discussion.

    Thanks for pointing me in the right direction and for the explanation.



  • @black3dynamite said in Ubuntu firewall sucks, status showing allowed http, but won't:

    ERP is not even using port 80, so you shouldn't be able to get a response.

    Use the following netcat commands on your server; the port 80 connection will be refused while port 8069 will connect.

    nc -zv 127.0.0.1 80
    nc -zv 127.0.0.1 8069
    

    On port 8069, successful
    On port 80, failed
    So, again what @Pete-S said above is valid?



  • @openit said in Ubuntu firewall sucks, status showing allowed http, but won't:

    @black3dynamite said in Ubuntu firewall sucks, status showing allowed http, but won't:

    ERP is not even using port 80, so you shouldn't be able to get a response.

    Use the following netcat commands on your server; the port 80 connection will be refused while port 8069 will connect.

    nc -zv 127.0.0.1 80
    nc -zv 127.0.0.1 8069
    

    On port 8069, successful
    On port 80, failed
    So, again what @Pete-S said above is valid?

    Yes!



  • I have run the following commands to redirect ports 80 and 443, and it works fine until the next reboot:

    #!/bin/bash
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8069
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8070
    iptables-save

    I found one more article saying to add the first two commands to the /etc/rc.local file to make the rules permanent, but that doesn't seem to work; not sure why?
    @Pete-S @black3dynamite



  • @openit said in Ubuntu firewall sucks, status showing allowed http, but won't:

    I have run the following commands to redirect ports 80 and 443, and it works fine until the next reboot:

    #!/bin/bash
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8069
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8070
    iptables-save

    I found one more article saying to add the first two commands to the /etc/rc.local file to make the rules permanent, but that doesn't seem to work; not sure why?
    @Pete-S @black3dynamite

    Here's how to do it using UFW.
    https://serverfault.com/a/238565

