[SOLVED] Cannot turn off firewall completely

subjectx · Nov 10, 2020

Greetings,

I tried forwarding port 80 on my public ip to specific VM onto port 80, which works, apache says hello.

Then I tried to forward port 8080 to same VM to port 80. Cannot. ERR_CONNECTION_TIMED_OUT.

I turned off FW on node, on VM and on VM-NIC.

I have next iptables rules on node (that does routing atm, will switch to some reverse proxy VM soon):

Code:

root@ark:~# iptables -vL --line-numbers
Chain INPUT (policy ACCEPT 983 packets, 88146 bytes)
num   pkts bytes target     prot opt in     out     source               destination      
1        0     0 ACCEPT     tcp  --  any    any     8*-***-***-22  anywhere             tcp dpt:ssh
2        0     0 ACCEPT     tcp  --  any    any     21*.***.***.131      anywhere             tcp dpt:ssh
3        0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
4     1876  693K ACCEPT     tcp  --  any    any     8*-***-***-22  anywhere             tcp dpt:8006
5        0     0 ACCEPT     tcp  --  any    any     21*.***.***.131      anywhere             tcp dpt:8006
6        0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:8006
7        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:8080

Chain FORWARD (policy ACCEPT 1778 packets, 2561K bytes)
num   pkts bytes target     prot opt in     out     source               destination      

Chain OUTPUT (policy ACCEPT 1862 packets, 693K bytes)
num   pkts bytes target     prot opt in     out     source               destination

With this rules I substitued proper FW for time being, until I get pfSense VM running. Can ssh and proxmox admin from only two IPs.

Then I have forwarding rules:

Code:

root@ark:~# iptables -L -n -t nat --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination      
1    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.10.10.3:80
2    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:10.10.10.3:80
3    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 to:10.10.10.3:22

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination      

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination      

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination      
1    MASQUERADE  all  --  10.10.10.0/24        0.0.0.0/0        
2    MASQUERADE  all  --  10.9.0.0/24          0.0.0.0/0

Port 80 forwarding works, port 22 forwarding works.

Port 8080 DOESNT WORK

I guess, I still dont have it opened on some level, but I dont know where to look anymore.

FW on node:

Code:

root@ark:~# pve-firewall status
Status: disabled/stopped

FW on Ubuntu VM:

Code:

root@wp:/home/ubuntu# ufw status
Status: inactive

There is no iptables definitions on Ubuntu VM.

subjectx · Nov 12, 2020

Also, ebtables are empty, checked that too..

root@ark:~# ebtables -t filter -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
root@ark:~# ebtables -t nat -L
Bridge table: nat

Bridge chain: PREROUTING, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 0, policy: ACCEPT
root@ark:~# ebtables -t broute -L
Bridge table: broute

Bridge chain: BROUTING, entries: 0, policy: ACCEPT

subjectx · Nov 12, 2020

Turns out, my ISP was doing some ACLs on their side.. Wasted 3 days on this..

jhonii · Nov 12, 2020

my ISP was doing some ACLs on their side

192.168.100.1 192.168.1.1 jpg to pdf

Search

Search

[SOLVED] Cannot turn off firewall completely

subjectx

Member

subjectx

Member

subjectx

Member

jhonii

New Member