
Below is my iptables list output. What iptables command should I issue to enable the addition of TCP port 444, which I'm using for non-standard SSL? I tried "iptables -A INPUT -p tcp --dport 444 -j ACCEPT" then a "service iptables save", but that didn't work?!? In my httpd.conf I'm listening on port 444.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             127.0.0.0/8         reject-with icmp-port-unreachable 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:30000 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
SSH_CHECK  tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:snpp 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data 

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination         

Chain SSH_CHECK (1 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere            recent: SET name: SSH side: source 
DROP       all  --  anywhere             anywhere            recent: UPDATE seconds: 180 hit_count: 3 name: SSH side: source 
user1322092
  • I think the iptables rule, "iptables -A INPUT -p tcp --dport 444 -j ACCEPT", got added, because I see "ACCEPT tcp -- anywhere anywhere tcp dpt:snpp". SNPP's default port is 444. Is that an issue, or should I use another default port? – user1322092 Apr 18 '12 at 10:15

2 Answers


In your current rule set, rules added with -A won't work because you have a REJECT rule. Use -I instead of -A to be sure that the rule is inserted in the first place. Or "-I INPUT 2" is better, because it inserts the rule in the second place; the ESTABLISHED,RELATED one should be in the first place for performance reasons.

Diego Woitasen

The name snpp is not the issue. Your approach should work. If you configured iptables to allow destination port 444 and configured httpd to listen on 444, your clients should be able to access HTTPS over port 444, like https://your.ip.addr.ess:444/.

However, if you want your clients to access HTTPS URLs using the default port, like https://your.ip.addr.ess/, you need to add a NAT rule like:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 444
Khaled
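The two answers make one point between them: the INPUT chain is walked top to bottom and the first terminating match wins, so a rule appended with -A behind the catch-all REJECT is never consulted, and a nat PREROUTING REDIRECT changes which port filter/INPUT has to accept. Below is an added Python model of that evaluation, written for this page; it is not code from either answer or from iptables itself. It transcribes the asker's INPUT listing into rule objects. Since "iptables -L" without "-v" hides the interface column, rule 1 is assumed to be the usual "-i lo" loopback accept, and the packet addresses are constructed sample values. (On the real box, "iptables -L INPUT -n -v --line-numbers" shows the positions and interfaces that the listing in the question omits.)

```python
# Added illustration for this thread, not code from the answers or from iptables:
# a first-match model of the asker's filter/INPUT chain.
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

TERMINATING = {"ACCEPT", "REJECT", "DROP"}

@dataclass(frozen=True)
class Rule:
    target: str                     # ACCEPT / REJECT / DROP, or a user chain to jump to
    proto: str = "all"              # "all", "tcp", "icmp"
    dport: Optional[int] = None     # --dport; None means any port
    state: Optional[str] = None     # -m state --state; None means any state
    in_iface: Optional[str] = None  # -i; None means any interface
    dst: Optional[str] = None       # -d network; None means "anywhere"

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    state: str = "NEW"              # first packet of a connection
    in_iface: str = "eth0"          # constructed: traffic arriving from the network
    dst: str = "203.0.113.10"       # constructed: the server's address (RFC 5737 range)

# Transcribed from the question's `iptables -L` INPUT listing, same order and positions.
# Assumption: rule 1 is the customary `-i lo` loopback accept; `-L` without `-v`
# does not print the interface column, so the page cannot show it.
QUESTION_INPUT: List[Rule] = [
    Rule("ACCEPT", in_iface="lo"),                            # 1
    Rule("REJECT", dst="127.0.0.0/8"),                        # 2
    Rule("ACCEPT", state="RELATED,ESTABLISHED"),              # 3
    Rule("ACCEPT", proto="tcp", dport=80),                    # 4  dpt:http
    Rule("ACCEPT", proto="tcp", dport=443),                   # 5  dpt:https
    Rule("ACCEPT", proto="tcp", dport=22),                    # 6  dpt:ssh
    Rule("ACCEPT", proto="tcp", dport=30000, state="NEW"),    # 7
    Rule("ACCEPT", proto="icmp"),                             # 8  echo-request
    Rule("REJECT"),                                           # 9  catch-all reject
    Rule("SSH_CHECK", proto="tcp", dport=22, state="NEW"),    # 10 jump to user chain
    Rule("ACCEPT", proto="tcp", dport=21),                    # 11 dpt:ftp
    Rule("ACCEPT", proto="tcp", dport=444),                   # 12 dpt:snpp, the asker's -A rule
]

def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every match clause on the rule applies to the packet."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.state is not None and pkt.state not in rule.state.split(","):
        return False
    if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return True

def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; return (verdict, 1-based rule number) of the first
    terminating match, or the chain policy if nothing terminates. A jump to a user chain
    (SSH_CHECK) is treated as returning without a verdict, which is what happens to
    every packet that is not a new SSH connection."""
    for number, rule in enumerate(chain, start=1):
        if rule.target in TERMINATING and matches(rule, pkt):
            return rule.target, number
    return policy, None

def insert_rule(chain: List[Rule], rule: Rule, position: int = 1) -> List[Rule]:
    """`iptables -I INPUT <position>`: the new rule takes that 1-based number."""
    new_chain = list(chain)
    new_chain.insert(position - 1, rule)
    return new_chain

def nat_redirect(pkt: Packet, from_port: int, to_port: int) -> Packet:
    """`iptables -t nat -A PREROUTING -p tcp --dport <from> -j REDIRECT --to-ports <to>`:
    nat/PREROUTING runs before filter/INPUT, so INPUT sees the rewritten port."""
    if pkt.proto == "tcp" and pkt.dport == from_port:
        return replace(pkt, dport=to_port)
    return pkt

def demo() -> dict:
    accept_444 = Rule("ACCEPT", proto="tcp", dport=444)
    fixed = insert_rule(QUESTION_INPUT, accept_444, position=2)   # Diego's "-I INPUT 2"
    new_444 = Packet("tcp", 444)
    new_443 = Packet("tcp", 443)
    return {
        # The asker's -A rule sits at position 12, behind the REJECT at 9: never reached.
        "as_listed_444": evaluate(QUESTION_INPUT, new_444),
        # Inserted at position 2 it is matched before the REJECT.
        "inserted_at_2_444": evaluate(fixed, new_444),
        # Plain :443 is accepted by the existing https rule, fix or no fix.
        "as_listed_443": evaluate(QUESTION_INPUT, new_443),
        # Khaled's REDIRECT rewrites 443 -> 444 before INPUT, so INPUT must accept 444...
        "redirect_443_fixed": evaluate(fixed, nat_redirect(new_443, 443, 444)),
        # ...and with only the dead -A rule the redirected connection is rejected.
        "redirect_443_as_listed": evaluate(QUESTION_INPUT, nat_redirect(new_443, 443, 444)),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} -> {verdict}")
```

Running it shows the asker's chain rejecting a new TCP/444 connection at rule 9 while the same chain with the rule inserted at position 2 accepts it there, and that after a 443-to-444 REDIRECT the filter decision is made on port 444, so the accept for 444 is needed even when clients only ever type https://host/.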
  • "ACCEPT tcp -- anywhere anywhere tcp dpt:snpp": according to sys admins, this should be moved up and inserted at line 1. I did this, and it worked. However, when I access the site, https didn't show up. – user1322092 Apr 18 '12 at 10:53
  • Here's a background on what I'm trying to accomplish: http://serverfault.com/questions/379544/for-enabling-ssl-for-a-single-domain-on-a-server-with-muliple-vhosts-will-this – user1322092 Apr 18 '12 at 11:07