iptables says port 80 should be open, but nmap shows otherwise - Linux Help Desk
iptables says port 80 should be open, but nmap shows otherwise [Dec. 11th, 2009|05:08 pm]


I've removed the httpd server and would like to forward ports 80 and 443 to Tomcat via connectors.

The problem I have is that ports 80 and 443 are currently closed according to nmap:

Interesting ports on my.domain.org (
80/tcp closed http

/etc/sysconfig/iptables suggests otherwise:
[linux]# more /etc/sysconfig/iptables
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

I've restarted the firewall, no dice.

If I install Apache and start the service, ports 80 and 443 are magically available again.

What's going on?

(Deleted comment)
From: pkbarbiedoll
2009-12-12 01:51 am (UTC)
Checked -- I set the connector to listen on 80, and another to 443. Restarted tomcat5, but still nothing listening. If I start the Apache httpd service, ports 80 & 443 are available again.

From: vickvega
2009-12-12 02:42 am (UTC)
Probably there is a misconfig in Tomcat if it's not listening on the ports.
From: eternal_leave
2009-12-12 09:02 pm (UTC)
netstat -plan|grep -v STREAM
after starting Tomcat, to check which ports it really listens on,
and look through your server.xml once again; it has a quite stupid format and the chance of failure is quite high
From: eternal_leave
2009-12-12 09:04 pm (UTC)
*chance of mistake* of course :)
From: pkbarbiedoll
2009-12-12 11:30 pm (UTC)
server.xml was fine.
I solved the problem by forwarding 443 & 80 to tomcat via iptables.
From: pkbarbiedoll
2009-12-12 11:31 pm (UTC)
should add:

Low-numbered ports are off-limits to non-root accounts. That's why I didn't see 80 & 443 despite server.xml saying otherwise. Forwarding these two ports bypasses this restriction. :)
From: eternal_leave
2009-12-13 03:17 pm (UTC)
That's why I said it's quite insecure to launch Tomcat as root; it's needed to be able to bind ports lower than 1024. Anyway, your problem is now solved :)
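As an added example (not code from the thread), here is a Python cross-check of the situation the poster hit: it parses the ACCEPT rules and `netstat -plan` output, predicts what nmap should report for each port (accepted but unbound ports come back "closed", rejected ones "filtered"), and emits the nat REDIRECT rules that let a non-root Tomcat on high ports serve 80 and 443. The rule text and netstat lines are constructed from the post, and the 80 to 8080 / 443 to 8443 mapping is an assumption.

```python
"""Cross-check iptables ACCEPT rules against what is actually bound.
nmap's verdict for a port the firewall ACCEPTs depends on a listener:
  accepted + listening        -> open
  accepted + nothing bound    -> closed   (kernel answers the SYN with RST)
  REJECT icmp-host-prohibited -> filtered (ICMP unreachable, never reaches a socket)
"""
import re
# Constructed from the post's /etc/sysconfig/iptables (tcp ACCEPT lines only).
IPTABLES = """\
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# Constructed `netstat -plan` output: a non-root Tomcat could only bind 8080/8443.
NETSTAT = """\
tcp        0      0 0.0.0.0:22      0.0.0.0:*   LISTEN  1234/sshd
tcp        0      0 :::8080         :::*        LISTEN  2345/java
tcp        0      0 :::8443         :::*        LISTEN  2345/java
"""
RULE_RE = re.compile(r"-p tcp .*--dport (\d+) -j ACCEPT")
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+(\S+)", re.M)

def accepted_tcp_ports(rules):
    """TCP dports the filter rules ACCEPT (chain jumps are not modelled here)."""
    return {int(m.group(1)) for m in RULE_RE.finditer(rules)}

def listening_tcp_ports(netstat):
    """port -> 'pid/program' for every LISTEN socket in netstat -plan output."""
    return {int(m.group(1)): m.group(2) for m in LISTEN_RE.finditer(netstat)}

def expected_nmap_state(port, rules, netstat):
    if port not in accepted_tcp_ports(rules):
        return "filtered"
    return "open" if port in listening_tcp_ports(netstat) else "closed"

def redirect_rules(mapping):
    """nat REDIRECT rules so Tomcat on high ports answers 80/443 without root.
    NAT runs before filter INPUT, so the high port must still be ACCEPTed (it is)."""
    out = []
    for low, high in mapping.items():  # PREROUTING for remote, OUTPUT for local clients
        out.append(f"iptables -t nat -A PREROUTING -p tcp --dport {low} -j REDIRECT --to-ports {high}")
        out.append(f"iptables -t nat -A OUTPUT -o lo -p tcp --dport {low} -j REDIRECT --to-ports {high}")
    return out

if __name__ == "__main__":
    for p in sorted(accepted_tcp_ports(IPTABLES)):
        print(f"port {p}: firewall ACCEPTs, nmap should report {expected_nmap_state(p, IPTABLES, NETSTAT)}")
    print("\n".join(redirect_rules({80: 8080, 443: 8443})))
```

Run it on the real box by replacing the two constants with the output of `iptables-save` and `netstat -plan`; any port listed as "closed" is a missing listener, not a firewall problem.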