SSL – Port 443 “listening” but “not open”


I am running Apache/2.2.15 on CentOS 6.6.

I have a Verizon router and checked the port forwarding and saw

    WorkstationName 192.168.1.6 HTTPS TCP Any -> 443    All Broadband Devices   Active

I went to the command line and entered

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT

I also entered

sudo netstat -anltp | grep LISTEN

and got

tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      1462/mysqld         
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2297/sshd           
tcp        0      0 :::443                      :::*                        LISTEN      2340/httpd          
tcp        0      0 :::80                       :::*                        LISTEN      2340/httpd          
tcp        0      0 :::22                       :::*                        LISTEN      2297/sshd           

However, when I enter my website name (which works fine with http) as follows

https://websitename.com

it just hangs. I then go to http://www.mynetworktest.com/ports.php and click on

Test https – Port 443

and get

Port 443 is not open on my.ip.addre.ess

sudo iptables -L -n

gives

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
ACCEPT     tcp  --  192.168.1.1          0.0.0.0/0           tcp flags:!0x17/0x02 
ACCEPT     udp  --  192.168.1.1          0.0.0.0/0           
ACCEPT     tcp  --  151.198.0.38         0.0.0.0/0           tcp     flags:!0x17/0x02 
ACCEPT     udp  --  151.198.0.38         0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5 
DROP       all  --  0.0.0.0/0            255.255.255.255     
DROP       all  --  0.0.0.0/0            192.168.1.255       
DROP       all  --  224.0.0.0/8          0.0.0.0/0           
DROP       all  --  0.0.0.0/0            224.0.0.0/8         
DROP       all  --  255.255.255.255      0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0             
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
LSI        all  -f  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 
INBOUND    all  --  0.0.0.0/0            0.0.0.0/0           
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0     level 6 prefix `Unknown Input' 
DROP       all  --  69.84.207.246        0.0.0.0/0           
DROP       all  --  69.84.207.246        0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5 
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Forward' 

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  192.168.1.4          192.168.1.1         tcp dpt:53 
ACCEPT     udp  --  192.168.1.4          192.168.1.1         udp dpt:53 
ACCEPT     tcp  --  192.168.1.4          151.198.0.38        tcp dpt:53 
ACCEPT     udp  --  192.168.1.4          151.198.0.38        udp dpt:53 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  224.0.0.0/8          0.0.0.0/0           
DROP       all  --  0.0.0.0/0            224.0.0.0/8         
DROP       all  --  255.255.255.255      0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0             
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0           
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0     level 6 prefix `Unknown Output' 
DROP       all  --  0.0.0.0/0            69.84.207.246       
DROP       all  --  0.0.0.0/0            69.84.207.246       
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:443 

Chain INBOUND (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
LSI        all  --  0.0.0.0/0            0.0.0.0/0           

Chain LOG_FILTER (5 references)
target     prot opt source               destination         

Chain LSI (2 references)
target     prot opt source               destination         
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg     5/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain LSO (0 references)
target     prot opt source               destination         
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg     5/sec burst 5 LOG flags 0 level 6 prefix `Outbound ' 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain OUTBOUND (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Best Answer

The fact is that you added the rule that allows port 443 at the end of the INPUT chain.

But you have a previous rule that drops everything:

Chain INPUT (policy DROP)
[...]
DROP       all  --  0.0.0.0/0            0.0.0.0
[...]
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
[...]

With iptables, rule order matters!

Use iptables -I INPUT -p tcp --dport 443 -j ACCEPT to put the rule at the beginning of your INPUT chain.

The -A flag (Append) adds the rule at the end of the specified chain, which is not what you want here.
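
The first-match rule the answer relies on, as an added example that is not part of the question or the accepted answer: a small shell simulator of how iptables walks a chain, evaluating a new SYN to TCP/443 against a chain with the 443 rule appended (`-A`) and against the same chain with it inserted at the top (`-I`). The rule text is constructed for illustration and only mirrors the shape of the poster's INPUT chain (accept port 80, accept established traffic, log and drop new SYNs); it is not a dump of that firewall, and the rule and packet formats are this script's own.

```shell
#!/bin/sh
# Added example, not code from the question or the accepted answer.
# Simulates iptables first-match semantics: rules are checked top to bottom,
# the first terminating target (ACCEPT/DROP/REJECT) decides, LOG only logs and
# falls through, and a chain that runs out falls back to its policy.
#
# Rule format, one per line: "<target> <proto|all> <dport|any> <syn|est|any>"
# Packet format:             "<proto> <dport> <syn|est>"

# Constructed base chain (assumption, mirrors the shape of the poster's INPUT
# chain before the 443 rule was added; not a dump of that firewall).
BASE_CHAIN='ACCEPT tcp 80 any
ACCEPT tcp any est
LOG all any syn
DROP all any syn'

# The rule the poster added for HTTPS.
NEW_RULE='ACCEPT tcp 443 any'

# append_rule CHAIN RULE -> chain with RULE at the end (what `iptables -A` does)
append_rule() {
    printf '%s\n%s\n' "$1" "$2"
}

# insert_rule CHAIN RULE -> chain with RULE at the top (what `iptables -I` does)
insert_rule() {
    printf '%s\n%s\n' "$2" "$1"
}

# first_match CHAIN PROTO DPORT STATE -> first terminating target, or POLICY
# when no rule matches (on the poster's box the INPUT policy is DROP).
first_match() {
    printf '%s\n' "$1" | awk -v proto="$2" -v dport="$3" -v state="$4" '
        NF == 0 { next }
        {
            if ($2 != "all" && $2 != proto) next
            if ($3 != "any" && $3 != dport) next
            if ($4 != "any" && $4 != state) next
            # LOG is non-terminating: the packet keeps walking the chain.
            if ($1 == "LOG") next
            print $1; found = 1; exit
        }
        END { if (!found) print "POLICY" }
    '
}

# Verdict for a brand-new TCP SYN to port 443 under each layout.
verdict_after_append() { first_match "$(append_rule "$BASE_CHAIN" "$NEW_RULE")" tcp 443 syn; }
verdict_after_insert() { first_match "$(insert_rule "$BASE_CHAIN" "$NEW_RULE")" tcp 443 syn; }

# Stand-alone run.
echo "SYN to 443, rule appended with -A: $(verdict_after_append)"   # DROP
echo "SYN to 443, rule inserted with -I: $(verdict_after_insert)"   # ACCEPT
echo "established packet to 443, base chain: $(first_match "$BASE_CHAIN" tcp 443 est)"   # ACCEPT
```

The appended rule never sees the SYN because the earlier `DROP` on new connections is terminating, which is why `netstat` shows httpd listening while an outside scanner reports the port closed. On the real CentOS 6 host the equivalent fix and checks are `iptables -I INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT`, then `iptables -L INPUT -n -v --line-numbers` (the `-v` adds the interface and packet-counter columns that `-L -n` omits, so a rule that only applies to `lo` is visible as such, and the counters show which rule is actually eating the SYNs), a probe from outside with `openssl s_client -connect websitename.com:443`, and `service iptables save` so the rule survives a reboot. The two duplicate `dpt:443` rules already at the end of the chain can be removed by number with `iptables -D INPUT <n>`.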
