Hello,
I've been struggling for days trying to open a port for nginx on a Proxmox host. I've checked that iptables is in use and not nftables as I thought maybe there was some conflict between the two - My way of doing this was "iptables -V" and I received back "iptables v1.8.9 (legacy)" - from what I've read, this indicated iptables is in use and not ebtables or nftables. I also checked if firewalld is anywhere in use and it does not appear to be so.
This proxmox host is directly connected to the cable modem (outside interface) and I have a custom firewall script with iptables. I have been able to, as I have done for years, forward incoming ports from outside to a host on the LAN. This works for many ports that I have done it with. However, I am not able to allow, say port 9405, from the outside. The rule I am using is:
/sbin/iptables -A INPUT -s 1.2.3.4 -p tcp --dport 9405 -j ACCEPT
(obviously 1.2.3.4 represents the IP address I am attempting to connect from)
I have confirmed nginx is running and listening on all interfaces (netstat -atulpn | grep nginx) - I see it is bound to 0.0.0.0:9405. I can telnet to localhost port 9405 and nginx answers. I have even tried stopping nginx and running "nc -l 9405" to listen on that port and still cannot reach the host from the outside (WAN/internet) side of things.
What is interesting is that I *am* able to put ssh on a nonstandard port (in /etc/ssh/sshd_config) and reach that from the outside/WAN if I open the same port using the method mentioned above.
SELinux reports it is in permissive mode ("SELINUX=permissive" is indicated in /etc/selinux/config) - so I am not suspecting interference from that.
Tcpdump shows the SYN packets are received and nothing further happens. With my troubleshooting and trying different things, I was able to see a tcp flag [R.] immediately after the SYN packet, and an immediate connection refused from the outside machine which is trying to connect. However I forget what set of rules I had which created that situation.
I'm pretty much at a loss here, I am convinced there is some kind of firewall framework running aside from iptables which is aware of common protocols (such as when I change the port on SSH) and as such allows those ports as they are configured. However when I just try to open a port, I presume this keeps the port closed and continues to conflict with what I am trying to do. This is speculation, however I have really beat on this for days and days and have no other ideas left to explore, so this is where my focus is at for now for efforts to resolve this.
Does anyone else have any ideas or theory or perhaps actually know how the network is set up and can offer some insight as to what is happening? I believe I am on proxmox 8.1.2 but can check for sure when I get home later today. It is definitely 8.x. uname -a shows "Linux firewall 6.8.4-2-pve #1 SMP PREEMPT_DYNAMIC PMX 6.8.4-2 (2024-04-10T17:36Z) x86_64 GNU/Linux"
Thanks for any help or ideas
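A check worth running before hunting for a second firewall framework: the rule above is added with -A, which appends to the end of the INPUT chain, so if the custom script already ends INPUT with a catch-all DROP or REJECT, the new ACCEPT sits after it and is never evaluated. A REJECT with tcp-reset would also produce exactly the SYN followed by [R.] and "connection refused" described in the post, while a DROP produces the silent SYN. The script below is an added example, not part of the post; it takes the output format of iptables -S INPUT (a constructed sample is embedded, including a hypothetical port 2222 for SSH) and reports whether the ACCEPT for a given port is shadowed by an earlier terminating rule.

```shell
#!/bin/sh
# Added example, not from the original post: detect an ACCEPT rule that was
# appended after a terminating DROP/REJECT in the INPUT chain.
# Input format is that of `iptables -S INPUT`.

# Constructed sample of `iptables -S INPUT`. Port 2222 (hypothetical SSH port)
# was opened before the catch-all; port 9405 was appended with -A afterwards.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 9405 -j ACCEPT'

# check_rule_order RULES PORT
# Prints "shadowed" if a DROP/REJECT rule with no --dport match comes before
# the first ACCEPT for PORT, "ok" if the ACCEPT comes first, and "missing"
# if no ACCEPT for PORT exists. The chain policy (-P) is evaluated last and
# is therefore ignored here.
check_rule_order() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^-P / { next }
        {
            n++
            is_accept = ($0 ~ ("--dport " port " ") || $0 ~ ("--dport " port "$")) \
                        && $0 ~ /-j ACCEPT/
            is_term = ($0 ~ /-j (DROP|REJECT)/) && $0 !~ /--dport/
            if (is_accept && accept_line == 0) accept_line = n
            if (is_term && term_line == 0) term_line = n
        }
        END {
            if (accept_line == 0) print "missing"
            else if (term_line != 0 && term_line < accept_line) print "shadowed"
            else print "ok"
        }'
}

# Running against the sample: 9405 is shadowed, 2222 is reachable.
check_rule_order "$SAMPLE_RULES" 9405   # prints "shadowed"
check_rule_order "$SAMPLE_RULES" 2222   # prints "ok"
```

On a live host, feed it the real chain with `check_rule_order "$(iptables -S INPUT)" 9405`, and confirm with `iptables -L INPUT -v -n --line-numbers`, whose per-rule packet counters show which rule actually consumes the incoming SYN. If the ACCEPT is shadowed, insert it at a position before the catch-all with `-I INPUT <n>` instead of appending with -A.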