Iptables – Unable to communicate on port 443, even though outbound and inbound traffic are allowed on port 443

Tags: iptables, linux-networking, tcp

I am trying to figure out what's happening with my network and hopefully get some understanding of this issue.

So my system currently communicates to a https server over TCP port 443. So I had asked my Networking team to close all inbound and outbound traffic on all other ports except

  1. TCP IN and OUT on port 443
  2. UDP port 80
  3. ICMP

But as soon as I do that, my system has stopped communicating at all.

I can still perform ping.
But my simple curl request, as shown below, does not work:

curl -X GET "https://www.google.com"

The error that I receive is:

curl: (7) Failed to connect to www.google.com port 443: Connection refused

What I don't understand is: if my Networking team has opened inbound and outbound traffic on port 443, shouldn't my packets just go through? What am I missing here? How do I debug this particular situation?

I ran these two commands to allow all communication over https:

iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Here is the netstat result:

netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN
tcp        0      1 192.168.1.45:58272      13.32.81.90:443         SYN_SENT
tcp        0      0 :::5355                 :::*                    LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0    624 ::ffff:192.168.1.45:22  ::ffff:192.168.1.31:52468 ESTABLISHED

What's interesting to note is that I do not see any port 443 in my netstat.
I am really out of my element here. Any help regarding this is really appreciated.
Right now, I have no clear understanding as to what is happening here.
My Ethernet is IPv4 on DHCP with DNS set to 8.8.8.8.

Edit 1: So based on suggestions, I added the following rules:

iptables -A OUTPUT -p udp -d 8.8.8.8 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p udp -s 8.8.8.8 --sport 53 -m state --state ESTABLISHED     -j ACCEPT
iptables -A OUTPUT -p tcp -d 8.8.8.8 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -s 8.8.8.8 --sport 53 -m state --state ESTABLISHED     -j ACCEPT

iptables -A INPUT  -p tcp -m multiport --dports 21,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 21,80,443 -m state --state ESTABLISHED     -j ACCEPT

iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --sport 22 -m state --state ESTABLISHED     -j ACCEPT

iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -p icmp -m state --state ESTABLISHED,RELATED     -j ACCEPT

iptables -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p udp --sport 123 -m state --state ESTABLISHED     -j ACCEPT

But I am still unable to perform my curl command.

Best Answer

Your FW rules only allow answering the established inbound requests on port 443. You need another rule where you allow OUTPUT traffic to DST port 443 (you should also allow outbound DNS traffic for the name resolving).
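To make the answer concrete, here is an added example (not from the question or the answer) of a minimal default-deny ruleset for a host that is an HTTPS *client*: new connections are permitted in OUTPUT towards dport 443, replies return through ESTABLISHED,RELATED in INPUT, and DNS to the resolver from the question (8.8.8.8, overridable via RESOLVER) is allowed so the name can be resolved. Setting IPT="echo iptables" prints the commands instead of applying them; the inbound SSH rule is an assumption based on the SSH session visible in the netstat output.

```shell
#!/bin/sh
# Added example: stateful client-side ruleset. Set IPT="echo iptables"
# to dry-run; run as root without it to apply.
IPT="${IPT:-iptables}"
RESOLVER="${RESOLVER:-8.8.8.8}"   # resolver from the question

client_rules() {
  # Default-deny in every chain, then flush; everything below is the allow-list.
  $IPT -P INPUT DROP
  $IPT -P OUTPUT DROP
  $IPT -P FORWARD DROP
  $IPT -F

  # Loopback, plus replies to connections this host already opened.
  $IPT -A INPUT  -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # The rule missing in the question: NEW outbound TCP to port 443.
  # (--sport 443 in OUTPUT only matches a local HTTPS *server* answering.)
  $IPT -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

  # Name resolution to the resolver, UDP and TCP (large answers use TCP).
  $IPT -A OUTPUT -p udp -d "$RESOLVER" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A OUTPUT -p tcp -d "$RESOLVER" --dport 53 -m conntrack --ctstate NEW -j ACCEPT

  # ICMP, as in the question's allow-list.
  $IPT -A OUTPUT -p icmp -j ACCEPT
  $IPT -A INPUT  -p icmp -j ACCEPT

  # Assumption: keep remote administration reachable (netstat shows inbound SSH).
  $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

  # Rate-limited logging of whatever is still dropped, so a failing curl
  # leaves a trace in the kernel log instead of silently timing out.
  $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: "
  $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP: "
}

# Sanity check: how many rules admit NEW outbound HTTPS connections?
# Runs the ruleset in dry-run mode in a subshell, so nothing is applied.
count_egress_443() {
  (IPT="echo iptables"; client_rules) | grep -c -- '-A OUTPUT -p tcp --dport 443 .*NEW'
}
```

After applying, `iptables -L OUTPUT -v -n --line-numbers` shows per-rule packet counters, which tells you directly whether the dport 443 rule is being hit.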
