
On an Ubuntu 10.0.4 server runs Redmine. Starting WEBrick with:

./server webrick -e production -b lvps46-173-79-113.dedicated.hosteurope.de -d

makes Redmine available in the browser. As soon as we enable ufw, WEBrick can't be accessed anymore. Of course we allowed port 3000 from anywhere:

ufw allow 3000/tcp
ufw allow 3000/udp

Find the whole iptables output here: http://pastebin.com/k6WNqdPU

Checking

lsof -ni tcp:2222

tells me Ruby is listening on port 3000:

ruby    3457 root    5u  IPv4 864846667      0t0  TCP 46.173.79.113:3000 (LISTEN)

What else can we check? What's wrong with the ufw rules for port 3000?

Anatol
    The iptables test you show is pretty much meaningless, not least because it completely overlooks the possible effects of a blanket DROP policy. If you could cut and paste the entire output of `iptables -L -n -v` into your question, we may be able to shed some light. – MadHatter May 28 '14 at 14:25
  • Hi Mad, thanks for this good idea. Unfortunately it's quite long; is there a part which is of most interest? – Anatol May 28 '14 at 14:27
  • Because iptables rules work on first-match-wins, no part is meaningful in isolation. As long as you paste it in and use SF's built-in formatting engine to declare it as a code sample, the site will box it with its own scrollbar, so you don't need to worry too much about the length. – MadHatter May 28 '14 at 14:31
  • edited the question with iptables output ;) – Anatol May 28 '14 at 14:34
  • It looks fine, and should be allowing inbound TCP to port 3000 and outbound responses. Can you confirm that there's no *other* firewall in front of this machine? – MadHatter May 28 '14 at 15:01
  • Thanks mad, yes I can confirm and if I disable ufw. redmine is available, means it must be something wrong with the rules – Anatol May 28 '14 at 15:03
  • There's something odd going on here. When I run those iptables rules you posted through the grep you posted, I **do** get some output. That is, the data you've posted seem to me to be self-inconsistent, which makes the problem fairly hard to diagnose. Any comment? – MadHatter May 28 '14 at 15:41
  • Hi Mad, well, what to reply to your comment. Sounds like an endpoint … still hoping one had run into something similar. As said … turning ufw off brings WEBrick online, it must have something to do with ufw rules. – Anatol May 28 '14 at 19:21
  • I repeat my question: do you have any idea why the `iptables` ruleset you show contains lines that contain the word "3000", but you say that when you do `iptables -Ln|grep 3000` you get no output? – MadHatter May 28 '14 at 19:40
  • Double checked, sorry: when I did the first grep ufw was disabled, thus the 3000 was not there and could not be grepped. I've edited my question, thus the iptables output on pastebin reflects the actual situation. – Anatol May 28 '14 at 19:55

1 Answer


Typically, ufw will block input that isn't specifically allowed. It sounds like your "allow 3000/tcp" isn't taking effect. Take a look at ufw's status with

ufw status verbose

Make sure it says "Status: Active" and note the default policy (typically "Default: deny (incoming), allow (outgoing)").

imlepid
  • Checked, also the order of the rules. Any clue why else a rule can be ignored? – Anatol May 28 '14 at 15:25
  • If ufw is "Active" but you don't see any rule in iptables then I would try reloading ufw. Also, check the ufw log in /var/log/ufw.log to see if that helps any. – imlepid May 28 '14 at 16:00
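The checks suggested in this answer and its comments, as an added example that is not part of the original post: a small POSIX sh script that looks for the `ufw allow` rule in `iptables -S ufw-user-input` output and counts `[UFW BLOCK]` log lines for the port, so you can tell "rule never loaded, run `ufw reload`" apart from "rule is loaded, look elsewhere". The rulesets and log lines below are constructed samples; on a real host feed it the actual command output and /var/log/ufw.log.

```shell
#!/bin/sh
# Diagnose "ufw allow 3000/tcp is not taking effect".
# Replace the constructed samples with:
#   iptables -S ufw-user-input      and      cat /var/log/ufw.log

# Constructed: ufw enabled and the 3000 rules loaded
RULES_OK='-N ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 3000 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 3000 -j ACCEPT'

# Constructed: the rule was never loaded (e.g. added while ufw was disabled)
RULES_MISSING='-N ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed /var/log/ufw.log excerpt (addresses are sample values)
LOG='May 28 15:40:01 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=46.173.79.113 PROTO=TCP SPT=51234 DPT=3000 WINDOW=29200 SYN
May 28 15:40:02 host kernel: [UFW ALLOW] IN=eth0 OUT= SRC=203.0.113.5 DST=46.173.79.113 PROTO=TCP SPT=51235 DPT=22 SYN'

# rule_present RULESET PROTO PORT -> exit 0 if ufw-user-input ACCEPTs PORT/PROTO
rule_present() {
    printf '%s\n' "$1" | grep -q -- "-A ufw-user-input -p $2 .*--dport $3 -j ACCEPT"
}

# blocked_count LOG PORT -> number of [UFW BLOCK] lines whose DPT is PORT
blocked_count() {
    printf '%s\n' "$1" | grep -cE "\[UFW BLOCK\].*DPT=$2( |$)" || true
}

# diagnose RULESET LOG PROTO PORT -> one-line verdict
diagnose() {
    if rule_present "$1" "$3" "$4"; then
        echo "rule for $4/$3 is loaded in ufw-user-input"
    elif [ "$(blocked_count "$2" "$4")" -gt 0 ]; then
        echo "no rule for $4/$3 in iptables and ufw is logging blocks for it: run 'ufw reload'"
    else
        echo "no rule for $4/$3 in iptables: check 'ufw status verbose'"
    fi
}

diagnose "$RULES_OK" "$LOG" tcp 3000
diagnose "$RULES_MISSING" "$LOG" tcp 3000
```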