changing port 80 from FILTERED to OPEN to renew a Let's Encrypt certificate

Hi
I have an issue with changing port 80 from FILTERED to OPEN to renew a Let's Encrypt certificate!

I did all I could and am running out of ideas!!! Can anyone help?

from outside network:

nmap -Pn -p80,443 my_ip_adress

PORT STATE SERVICE
80/tcp filtered http
443/tcp open https

1- check if httpd is listening on port 80
ss -tlnp | grep :80
LISTEN 512 51 *:80 *:* users:(("httpd",pid=2332,fd=4))

AND
systemctl status httpd
httpd[860]: Server configured, listening on: port 443, port 80

2- check VirtualHost

<VirtualHost *:80>
ServerName MY_DOMAIN
DocumentRoot /var/www/MY_DOMAIN/public_html
ErrorLog /var/log/httpd/error.log
CustomLog /var/log/httpd/requests.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} = MY_DOMAIN
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

3- check hosting provider firewall

edge firewall → disabled

4- iptables configuration

iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

iptables -L INPUT -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

5- firewalld configuration

firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ftp http https ssh
ports: 20-21/tcp 40000-40100/tcp 8080/tcp 8042/tcp 4242/tcp 3306/tcp 3000/tcp 8090/tcp 513/tcp 5222/tcp 5223/tcp 5228/tcp 4443/tcp 5443/tcp 8443/tcp 5000/tcp 80/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

6- SELinux configuration

sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33

httpd_can_network_connect (on,on) Allow httpd to can network connect

with setenforce 0:
same problem!

Repeat this internally; if the port is open, then it means your router/firewall for external access is blocking it or is not configured to port forward correctly.

As you can see in my post, the firewall is all open for port 80 … this is the whole issue: why is it still filtered?
Obviously there is a conflict somewhere but where ?

Internal firewall on the server itself is one thing, public access is another. That's why I asked you to check internally on the same network the server is. Since Rocky is configured to allow http and https with firewalld, it should work. That would then confirm the external access is the problem.

Unfortunately, on the machine
nmap gives the same:
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000077s latency).

PORT STATE SERVICE
80/tcp filtered http
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds

That would suggest you messed up your firewall configuration. The only thing you need to configure is:

firewall-cmd --add-service=http --add-service=https --permanent
firewall-cmd --reload

and that should be enough, an example from my server which works as intended:

nmap -Pn -p80,443 myrockyhosts
Starting Nmap 7.92 ( https://nmap.org ) at 2025-03-27 12:47 CET
Nmap scan report for myrockyhost
Host is up (0.010s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds

So the question is: what exactly did you do on your Rocky server? Please provide all necessary information, commands used, etc., etc.

This is my firewalld config list:

firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: docker0
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client http mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

nm-shared
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services: dhcp dns ssh
ports:
protocols: icmp ipv6-icmp
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject

public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ftp http https ssh
ports: 20-21/tcp 40000-40100/tcp 8080/tcp 8042/tcp 4242/tcp 3306/tcp 3000/tcp 8090/tcp 513/tcp 5222/tcp 5223/tcp 5228/tcp 4443/tcp 5443/tcp 8443/tcp 5000/tcp 80/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

One more thing: forget the “iptables”. The kernel in Rocky has “nf_tables” and the command iptables is a wrapper/translator that sees only bits of it. Both iptables and ‘firewalld’ talk to the nf_tables.

There is a command to see all rules that are just now in the kernel, i.e. the effective rules:

nft list ruleset

Ok,
with nft list ruleset I get:

chain filter_IN_public_allow {
	tcp dport 22 accept
	ip6 daddr fe80::/64 udp dport 546 accept
	tcp dport 9090 accept
	tcp dport 80 accept
	tcp dport 21 ct helper set "helper-ftp-tcp"
	tcp dport 21 accept
	tcp dport 443 accept
	tcp dport 20-21 accept
	tcp dport 40000-40100 accept
	tcp dport 8080 accept
	tcp dport 8042 accept
	tcp dport 4242 accept
	tcp dport 3306 accept
	tcp dport 3000 accept
	tcp dport 8090 accept
	tcp dport 513 accept
	tcp dport 5222 accept
	tcp dport 5223 accept
	tcp dport 5228 accept
	tcp dport 4443 accept
	tcp dport 5443 accept
	tcp dport 8443 accept
	tcp dport 5000 accept
}

Yes, and that chain is used by chain filter_IN_public, which is used by filter_INPUT_ZONES, which is used by chain filter_INPUT.

The chain filter_INPUT is of type filter on hook input with priority filter + 10.
The nf_tables, unlike netfilter, can have multiple chains on same hook, so filter_INPUT is not necessarily the only chain that can filter traffic.

The default config (by FirewallD) starts:

	chain filter_INPUT { # handle 165
		type filter hook input priority filter + 10; policy accept;
		ct state { established, related } accept # handle 169
		ct status dnat accept # handle 170
		iifname "lo" accept # handle 171
		ct state invalid drop # handle 172
		jump filter_INPUT_ZONES # handle 176

Note how localhost traffic is accepted already by “handle 171”, before jump to filter_INPUT_ZONES.
What and where makes nmap think that that traffic is filtered?

The fact is it is filtered, as I cannot renew the SSL cert on this server!
chain filter_INPUT looks the same:
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid drop
jump filter_INPUT_ZONES
reject with icmpx admin-prohibited
}

Nmap scan report for localhost (127.0.0.1)

127.0.0.1 is not your external interface, so different rules might apply. (Your "public" zone has eth0 in its interface list.)
=> Try the address of eth0 instead.
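As an added example, not code from this thread or from firewalld, here is a small Python walk over a constructed, shortened nft ruleset in the shape quoted above. It follows filter_INPUT through the zone chains the way the earlier reply describes (jump vs. goto, which rule decided), and shows why a SYN arriving on lo is accepted before the zone dispatch while the same port on eth0 falls through to the final reject, which nmap reports as filtered. The excerpt deliberately leaves port 80 out of the allow chain; iifname, dport and the chain contents are assumptions made for the example.

```python
# Constructed excerpt, not the thread's full ruleset: the firewalld-generated chains quoted
# in the thread, shortened, with port 80 deliberately absent from the allow chain.
RULESET = """
chain filter_INPUT {
    ct state { established, related } accept
    iifname "lo" accept
    jump filter_INPUT_ZONES
    reject with icmpx admin-prohibited
}
chain filter_INPUT_ZONES {
    iifname "eth0" goto filter_IN_public_allow
}
chain filter_IN_public_allow {
    tcp dport 443 accept
    tcp dport 20-21 accept
}
"""

def parse_ruleset(text):
    # chain name -> ordered rule strings (braces dropped)
    chains, cur = {}, []
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("chain "):
            cur = chains.setdefault(line.split()[1], [])
        elif line and line != "}":
            cur.append(line)
    return chains

def rule_matches(rule, pkt):
    # Modelled matchers: tcp dport (value or range) and iifname; returns (matched, action)
    w = rule.split()
    if w[0] == "tcp":                       # tcp dport N|N-M <verdict...>
        lo, _, hi = w[2].partition("-")
        return int(lo) <= pkt["dport"] <= int(hi or lo), " ".join(w[3:])
    if w[0] == "iifname":                   # iifname "ifname" <verdict...>
        return pkt["iif"] == w[1].strip('"'), " ".join(w[2:])
    return w[0] != "ct", rule               # ct never matches a fresh SYN; bare verdicts match

def walk(chains, pkt, chain="filter_INPUT"):
    # Rules run in order; 'jump' resumes here if the target ends without a verdict, 'goto'
    # does not. Returns (verdict, chain, rule); 'return' from the base chain means its policy.
    for rule in chains[chain]:
        hit, action = rule_matches(rule, pkt)
        word, *target = action.split()
        if hit and word in ("jump", "goto"):
            res = walk(chains, pkt, target[0])
            if word == "goto" or res[0] != "return":
                return res
        elif hit and word in ("accept", "drop", "reject"):
            return word, chain, rule
    return "return", chain, None
```

Run the same walk against the real output of `nft list ruleset` (extended with whatever matchers your chains use) with the eth0 address in mind, not 127.0.0.1, to see which rule actually answers the SYN.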