I’m trying to get port 8085 open on a Debian 10 Nginx Virtualmin 6.16 system.
I originally tried to open port 8085 with > Webmin > Networking > Firewalld but it ran into some error. So rather than troubleshoot a firewalld problem, I decided to try out nftables.
So I:
iptables-legacy_save > iptables_legacy_20210630
iptables-restore-translate -f iptables_legacy_20210630 > nftables_legacy_20210630
systemctl stop firewalld & systemctl disable firewalld
apt install nftables
nft -f nftables_legacy_20210630
iptables -F & ip6tables -F
vi /etc/modprobe.d/blacklist and blacklist iptables, ebtables, and ip6tables
. . .
nft insert rule inet filter input tcp dport 8085 accept
nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy accept;
tcp dport 8085 accept
}
. . .
After I nft add rule inet into the appropriate table and chain, and nft list ruleset shows the rule added, port 8085 is still closed.
I tried systemctl restart nftables, but no go, port 8085 is still closed.
● nftables.service - nftables
Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
Active: active (exited) since Sat 2021-07-03 12:30:35 PDT; 1min 23s ago
Docs: man:nft(8)
http://wiki.nftables.org
Process: 5829 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
Main PID: 5829 (code=exited, status=0/SUCCESS)
Jul 03 12:30:35 bliss.krishnify.com systemd[1]: Starting nftables...
Jul 03 12:30:35 bliss.krishnify.com systemd[1]: Started nftables.
. . .
nmap -sT -p8085 172.93.48.66
Starting Nmap 7.70 ( https://nmap.org ) at 2021-07-03 12:32 PDT
Nmap scan report for bliss.krishnify.com (172.93.48.66)
Host is up (0.00018s latency).
PORT STATE SERVICE
8085/tcp closed unknown
. . .
There’s a whole bunch of other tables and chains in the nftables ruleset. I’m not very well versed with nftables hierarchy.
It seems like these parts are relevant:
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
ct state established,related counter packets 412 bytes 31660 accept
iifname "lo" counter packets 26 bytes 1787 accept
counter packets 114 bytes 8017 jump INPUT_direct
counter packets 114 bytes 8017 jump INPUT_ZONES_SOURCE
counter packets 114 bytes 8017 jump INPUT_ZONES
ct state invalid counter packets 3 bytes 120 drop
counter packets 76 bytes 5871 reject with icmp type host-prohibited
}
chain INPUT_ZONES {
iifname "docker0" counter packets 0 bytes 0 jump IN_docker
counter packets 602 bytes 41121 goto IN_public
}
chain IN_public {
counter packets 602 bytes 41121 jump IN_public_log
counter packets 602 bytes 41121 jump IN_public_deny
counter packets 602 bytes 41121 jump IN_public_allow
ip protocol icmp counter packets 0 bytes 0 accept
}
chain IN_public_allow {
tcp dport ssh ct state new,untracked counter packets 8 bytes 480 accept
tcp dport smtp ct state new,untracked counter packets 6 bytes 360 accept
tcp dport urd ct state new,untracked counter packets 1 bytes 60 accept
tcp dport ftp ct state new,untracked counter packets 0 bytes 0 accept
tcp dport pop3 ct state new,untracked counter packets 0 bytes 0 accept
tcp dport pop3s ct state new,untracked counter packets 0 bytes 0 accept
tcp dport imap2 ct state new,untracked counter packets 0 bytes 0 accept
tcp dport imaps ct state new,untracked counter packets 0 bytes 0 accept
tcp dport http ct state new,untracked counter packets 0 bytes 0 accept
tcp dport https ct state new,untracked counter packets 0 bytes 0 accept
tcp dport submission ct state new,untracked counter packets 2 bytes 120 accept
tcp dport domain ct state new,untracked counter packets 0 bytes 0 accept
tcp dport ftp-data ct state new,untracked counter packets 0 bytes 0 accept
tcp dport 2222 ct state new,untracked counter packets 0 bytes 0 accept
tcp dport 8085 ct state new,untracked counter packets 10 bytes 520 accept
tcp dport 10000-10100 ct state new,untracked counter packets 0 bytes 0 accept
tcp dport 20000 ct state new,untracked counter packets 0 bytes 0 accept
tcp dport 1025-65535 ct state new,untracked counter packets 3 bytes 120 accept
udp dport domain ct state new,untracked counter packets 5 bytes 366 accept
}
Nftables does update the counter and bytes when I go to a browser and access http://krishnify.com:8085.
Not sure where port 8085 gets dropped. Probably this statement:
ct state invalid counter packets 22 bytes 1424 drop
I don’t know what else I need to do to open port 8085 and get an established state.
Does anyone have any suggestions for me?
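An added example (not part of the original post, and not Virtualmin or nftables project code) that shows the one thing the ruleset above makes hard to see by eye: a packet arriving on the input hook is evaluated by every base chain registered on that hook, so with both inet filter input and firewalld's leftover ip filter INPUT present, the port has to be accepted (or fall through to an accept policy) in each of them, and accepts reached through jump/goto chains like IN_public_allow count. The script parses a saved nft list ruleset dump and reports, per input base chain, which reachable rules accept a given TCP port. The sample ruleset is constructed, modelled on the chains quoted in the post with most of IN_public_allow trimmed; it assumes the plain text format of nft list ruleset, resolves service names through /etc/services, and does not expand anonymous sets such as { 80, 443 }.

```python
"""Audit an `nft list ruleset` dump: for every base chain on a hook, list the
reachable rules that accept a TCP port.  Every base chain on the hook sees the
packet, so a port is open only if each of them ends up accepting it."""
import re
import socket
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Chain:
    name: str
    hook: Optional[str] = None      # only base chains carry hook/priority/policy
    priority: Optional[str] = None
    policy: Optional[str] = None
    rules: List[str] = field(default_factory=list)

TABLE_RE = re.compile(r"^table (\S+) (\S+) \{$")
CHAIN_RE = re.compile(r"^chain (\S+) \{$")
BASE_RE = re.compile(r"^type \w+ hook (\w+) priority (\S+); policy (\w+);$")
COUNTER_RE = re.compile(r"\s*counter packets \d+ bytes \d+")
JUMP_RE = re.compile(r"\b(?:jump|goto) (\S+)$")
DPORT_RE = re.compile(r"\btcp dport (\S+)")

def parse_ruleset(text: str) -> Dict[tuple, Dict[str, Chain]]:
    """Parse `nft list ruleset` text into {(family, table): {chain name: Chain}}."""
    tables: Dict[tuple, Dict[str, Chain]] = {}
    table = chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := TABLE_RE.match(line):
            table = tables.setdefault((m.group(1), m.group(2)), {})
        elif m := CHAIN_RE.match(line):
            if table is None:
                raise ValueError(f"chain outside a table: {line}")
            chain = Chain(m.group(1))
            table[chain.name] = chain
        elif line == "}":                 # closes the chain if inside one, else the table
            if chain is not None:
                chain = None
            else:
                table = None
        elif chain is None:
            continue                      # table-level sets/maps are not needed here
        elif m := BASE_RE.match(line):
            chain.hook, chain.priority, chain.policy = m.group(1), m.group(2), m.group(3)
        else:
            chain.rules.append(COUNTER_RE.sub("", line).strip())  # counters are noise here
    return tables

def _port_matches(spec: str, port: int) -> bool:
    """Does an nft dport expression (number, numeric range, or service name) cover port?"""
    lo, _, hi = spec.partition("-")
    if lo.isdigit() and hi.isdigit():     # e.g. 1025-65535
        return int(lo) <= port <= int(hi)
    if spec.isdigit():
        return int(spec) == port
    try:                                  # ssh, ftp-data, ... looked up in /etc/services
        return socket.getservbyname(spec, "tcp") == port
    except OSError:
        return False

def accepting_rules(table: Dict[str, Chain], chain_name: str, port: int,
                    seen: Optional[Set[str]] = None) -> List[str]:
    """Rules reachable from chain_name (following jump/goto) that accept tcp dport port."""
    seen = set() if seen is None else seen
    if chain_name in seen or chain_name not in table:   # loop guard / chain not dumped
        return []
    seen.add(chain_name)
    found: List[str] = []
    for rule in table[chain_name].rules:
        m = DPORT_RE.search(rule)
        if m and rule.endswith(" accept") and _port_matches(m.group(1), port):
            found.append(rule)
        if j := JUMP_RE.search(rule):
            found.extend(accepting_rules(table, j.group(1), port, seen))
    return found

def audit_port(text: str, port: int, hook: str = "input") -> Dict[str, dict]:
    """Map each base chain on `hook` (across all tables) to its policy and the
    reachable rules accepting `port`.  An empty list under a drop/reject path
    means that base chain, not the others, is where the port is closed."""
    report: Dict[str, dict] = {}
    for (family, tname), chains in parse_ruleset(text).items():
        for chain in chains.values():
            if chain.hook == hook:
                report[f"{family} {tname} {chain.name}"] = {
                    "priority": chain.priority, "policy": chain.policy,
                    "accepts": accepting_rules(chains, chain.name, port)}
    return report

# Constructed sample, modelled on the post's dump (firewalld zone chains trimmed).
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 8085 accept
    }
}
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
        ct state established,related counter packets 412 bytes 31660 accept
        counter packets 114 bytes 8017 jump INPUT_ZONES
        ct state invalid counter packets 3 bytes 120 drop
        counter packets 76 bytes 5871 reject with icmp type host-prohibited
    }
    chain INPUT_ZONES {
        iifname "docker0" counter packets 0 bytes 0 jump IN_docker
        counter packets 602 bytes 41121 goto IN_public
    }
    chain IN_public {
        counter packets 602 bytes 41121 jump IN_public_allow
    }
    chain IN_public_allow {
        tcp dport ssh ct state new,untracked counter packets 8 bytes 480 accept
        tcp dport 8085 ct state new,untracked counter packets 10 bytes 520 accept
        tcp dport 1025-65535 ct state new,untracked counter packets 3 bytes 120 accept
    }
}
"""

if __name__ == "__main__":
    for base, info in audit_port(SAMPLE_RULESET, 8085).items():
        print(f"{base}: policy {info['policy']}, accepts via {info['accepts']}")
```

Run it against a real dump with audit_port(open("ruleset.txt").read(), 8085): both input base chains in the sample report an accept path for 8085 (in ip filter INPUT twice, via the explicit 8085 rule and the 1025-65535 range), so the ruleset itself is not refusing the port. That matches the counters in the post going up on the IN_public_allow rule. Keep in mind what a connect scan reports: "closed" means the connection attempt got a TCP reset, which is what a host sends when nothing is listening on the port, whereas a packet stopped by a drop rule would show as "filtered"; so when the audit shows accept paths everywhere, the next thing to check is whether the service is actually bound to 0.0.0.0:8085 rather than only to localhost (ss -ltn on the host).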