AWS security rules bug?

Question

I'm trying to put online a website with HTTPS. I have double checked AWS Security Groups, and everything looks fine.

I'm running on Node.JS, and this is the app script, so I'm pretty sure it's running on port 443.

https.createServer(options, app)
.listen(443)
.on('error', onError)
.on('listening', onListening);

iptables

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:22

ss -tlnp

State      Recv-Q Send-Q                                                   Local Address:Port                                                                  Peer Address:Port
LISTEN     0      128                                                                  *:22                                                                               *:*
LISTEN     0      128                                                                 :::22                                                                              :::*
LISTEN     0      128                                                                 :::443                                                                             :::*

And the problem is I cannot access the website, and checking in telnet got connection refused, in https://networkappers.com/tools/open-port-checker is said: 174.129.96.89 port-443 blocked

Am I missing something here? I have already open a ticket, but no answer til now.

I can't tell if you truncated the `ss -tlnp` output, but it may be listening only on IPv6. Can you compare `ss -ntlp4` and `ss -ntlp6` and report if :443 is listening on both? — jscott, Oct 26 '17 at 00:11
In fact, only in IPv6 it is appearing. However, listening on port 4000 and opening it, it worked. Any difference to 443? — Sandro Wiggers, Oct 26 '17 at 00:21
What does your network configuration look like on the server? Is this server in a public subnet? Have you double checked there are no conflicting security rules at the subnet or VPC level applied? Have you confirmed there is a public IP assigned to the instance and you are using the correct IP? — Appleoddity, Oct 26 '17 at 01:57
What about explicitly listening on IPv4? Possibly, you need to `.listen(443,'0.0.0.0')`. — Michael - sqlbot, Oct 26 '17 at 22:20
Run netstat -lt To confirm that the your node app is actually listening on the ports you expect — Nath, Oct 27 '17 at 22:39
Does your VPC have an internet gateway? Does your subnets have route tables? — Ross Williams, Jul 17 '19 at 12:54

score 2 · Answer 1 · answered Oct 26 '17 at 00:10

2

I'm pretty sure your iptables rules aren't set up right. Here's a reference on the correct rules for HTTP and HTTPS. Cutting the relevant rules from the reference:

sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

answered Oct 26 '17 at 00:10

LHWizard

556
4
11

Sad, but did not worked either. – Sandro Wiggers Oct 26 '17 at 00:22
1

hmm, what OS are you using? Ubuntu/CentOS or something else? Maybe [this tutorial](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-04) will help – LHWizard Oct 26 '17 at 02:17

AWS security rules bug?

1 Answers1