I am trying to figure out what's happening with my network and hopefully get some understanding of this issue.
My system currently communicates with an HTTPS server over TCP port 443, so I asked my networking team to close all inbound and outbound traffic on all other ports except:
- TCP IN and OUT on port 443
- UDP port 80
- ICMP
But as soon as I did that, my system stopped communicating at all.
I can still perform a ping.
But my simple curl request, shown below, does not work:
curl -X GET "https://www.google.com"
The error that I receive is:
curl: (7) Failed to connect to www.google.com port 443: Connection refused
What I don't understand is: if my networking team has opened inbound and outbound traffic on port 443, shouldn't my packets just go through? What am I missing here? How do I debug this particular situation?
I ran these two commands to allow all communication over HTTPS:
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Here is the netstat result:
netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address            Foreign Address           State
tcp        0      0 0.0.0.0:5355             0.0.0.0:*                 LISTEN
tcp        0      0 127.0.0.53:53            0.0.0.0:*                 LISTEN
tcp        0      1 192.168.1.45:58272       13.32.81.90:443           SYN_SENT
tcp        0      0 :::5355                  :::*                      LISTEN
tcp        0      0 :::22                    :::*                      LISTEN
tcp        0    624 ::ffff:192.168.1.45:22   ::ffff:192.168.1.31:52468 ESTABLISHED
What's interesting to note is that I do not see any port 443 in my netstat.
I am really out of my element here. Any help regarding this is really appreciated.
Right now, I have no clear understanding as to what is happening here.
My Ethernet is IPv4 on DHCP with DNS set to 8.8.8.8.
Edit 1: Based on suggestions, I added the following rules:
iptables -A OUTPUT -p udp -d 8.8.8.8 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d 8.8.8.8 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 8.8.8.8 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 21,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 21,80,443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
But I am still unable to perform my curl command.
Best Answer
Your FW rules only allow answering established inbound requests on port 443. You need another rule that allows OUTPUT traffic to DST port 443 (you should also allow outbound DNS traffic for name resolution).
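The client-side rule set the answer describes, as an added example (not code from the question or the answer). It assumes the resolver 8.8.8.8 named in the question; the helper names (IPT, classify_rule, egress_rule, apply_client_firewall) are the example's own, and by default it prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the question or the answer. The asker's two rules
# (INPUT --dport 443, OUTPUT --sport 443) describe a local HTTPS *server*;
# a host that *initiates* HTTPS needs OUTPUT --dport 443, and DNS must be
# allowed before any TLS handshake can even start. Assumptions: resolver
# 8.8.8.8 (from the question); IPT defaults to "echo iptables" so this only
# prints the commands. Run as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# Classify a rule by the connection direction it really permits. OUTPUT with
# --sport only matches replies sent BY a local server; OUTPUT with --dport is
# what lets a local client open a connection.
classify_rule() {                       # $1 = full iptables rule text
    case "$1" in
        *"-A OUTPUT"*"--dport"*) echo client-egress ;;
        *"-A INPUT"*"--dport"*)  echo server-ingress ;;
        *"-A OUTPUT"*"--sport"*) echo server-reply ;;
        *"-A INPUT"*"--sport"*)  echo client-reply ;;
        *)                       echo unknown ;;
    esac
}

# Egress rule for one service this host connects TO. Replies come back through
# the single ESTABLISHED,RELATED rule below; no INPUT --sport rule is needed.
egress_rule() {                         # $1 = tcp|udp, $2 = remote port, $3 = server IP or "any"
    dst=""
    [ "$3" = any ] || dst="-d $3"
    $IPT -A OUTPUT -p "$1" $dst --dport "$2" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
}

apply_client_firewall() {
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies to anything this host started; RELATED also admits the ICMP
    # errors (e.g. port unreachable) that belong to those connections.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    egress_rule udp 53 8.8.8.8          # name resolution, UDP plus TCP fallback
    egress_rule tcp 53 8.8.8.8
    egress_rule tcp 443 any             # outbound HTTPS: the rule the asker was missing
    $IPT -A OUTPUT -p icmp -j ACCEPT    # outgoing ping; echo replies return via ESTABLISHED
    $IPT -A INPUT  -p icmp -j ACCEPT
    # Management SSH really IS a local server, so here INPUT --dport is right.
    $IPT -A INPUT  -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # Log whatever still hits the DROP policy: the kernel log then shows the exact packet a failing curl loses.
    $IPT -A OUTPUT -j LOG --log-prefix "FW-DROP-OUT: " --log-level 4
}

apply_client_firewall
```

After applying, `iptables -L -v -n` shows per-rule packet counters, so a curl attempt that only increments the LOG/policy counters pinpoints which chain is dropping it.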