How can I open port 443 in iptables?

I am trying to open up port 443 in iptables so I can have SSL access on my server. But whenever I do an nmap on my server it says port 443 is closed. How do I open it? Any suggestion will be helpful.

14 Replies

Do you have SSL properly configured and enabled on your web server? Even if iptables isn't blocking port 443, if no service is listening on it, it will be closed.

(If I remember correctly, nmap would say "firewalled" if it was iptables fault… but that might be contingent on a number of variables.)

Yes, as far as I can tell SSL is properly enabled and configured on my server. But as soon as you put https in front of the URL that is configured, it says the connection was refused.

You could use

netstat -an --inet

to see if anything's listening on port 443

This is all I get when I do that.

Kernel Interface table
dummy0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          BROADCAST NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth0      Link encap:Ethernet  HWaddr FE:FD:46:55:81:36
          inet addr:70.85.129.54  Bcast:70.85.129.255  Mask:255.255.255.0
          inet6 addr: fe80::fcfd:46ff:fe55:8136/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59722 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44176 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5028129 (4.7 MiB)  TX bytes:15905979 (15.1 MiB)
          Interrupt:5

eth0:2    Link encap:Ethernet  HWaddr FE:FD:46:55:81:36
          inet addr:70.85.31.66  Bcast:70.255.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:5

gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:828 errors:0 dropped:0 overruns:0 frame:0
          TX packets:828 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:145773 (142.3 KiB)  TX bytes:145773 (142.3 KiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

teql0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tunl0     Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

@Sipherx:

This is all I get when I do that.

Kernel Interface table
dummy0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          BROADCAST NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

hmmm, that looks more like the output from ifconfig than from netstat.

From a quick look at my netstat man page, I'm not even sure how to make it show what yours did, so maybe you are using a different version (mine's from net-tools-1.60).

Also, based on a quick look at /proc/net/tcp I think that if

cat /proc/net/tcp | grep :01BB

shows a line similar to the following (i.e. with :01BB in the same place and 0A two fields after):

6: 0100007F:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 10220 1 c88eec00 3000 0 0 2 -1

then something is listening on port 443 (hex 01BB).

hth
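The /proc/net/tcp check above can be scripted so it does not depend on which netstat version is installed. The following is an added example, not code from the thread: it converts a decimal port to the 4-digit hex form used in /proc/net/tcp, then looks for an entry whose local address ends in that port and whose state field is 0A (LISTEN). It also reads /proc/net/tcp6, because a daemon bound only to the IPv6 wildcard (as apache2 is on port 80 later in this thread) does not appear in /proc/net/tcp at all. The sample tables are constructed for the example; the function names are assumptions, not commands from any tool.

```shell
#!/bin/sh
# Constructed sample of /proc/net/tcp (not taken from the thread): a loopback
# listener on 443 and an ESTABLISHED (state 01) connection on port 80, which
# must NOT count as a listener.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10220 1 c88eec00 3000 0 0 2 -1
   1: 3681554A:0050 1B2C3D4E:C3A0 01 00000000:00000000 00:00000000 00000000     0        0 10221 1 c88eec01 3000 0 0 2 -1'

# Constructed sample of /proc/net/tcp6: a listener on [::]:80 only.
SAMPLE_PROC_NET_TCP6='  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10222 1 c88eec02 3000 0 0 2 -1'

# port_to_hex PORT: prints the 4-digit upper-case hex used by /proc/net/tcp
# (443 -> 01BB).
port_to_hex() {
    printf '%04X' "$1"
}

# listening_on_port PORT [FILE...]: exit 0 if some socket is in LISTEN (state
# 0A) on PORT. Defaults to the live /proc/net/tcp and /proc/net/tcp6; pass
# saved copies to check a captured snapshot instead.
listening_on_port() {
    port_hex=$(port_to_hex "$1")
    shift
    [ $# -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    # field 2 is local_address (hexip:hexport), field 4 is the socket state;
    # the header line never matches because its field 2 is "local_address".
    awk -v p=":$port_hex" \
        '$2 ~ (p "$") && $4 == "0A" { found = 1 } END { exit found ? 0 : 1 }' "$@"
}

# Usage against the live kernel tables (no output, just the exit status):
#   listening_on_port 443 && echo "something listens on 443" || echo "nothing on 443"
```

Run against the constructed samples, port 443 is reported as listening from the tcp table, port 80 only once the tcp6 table is included, and a port nothing is bound to (8080) is reported as not listening. If this reports nothing on 443 while iptables is the suspect, the firewall is not the problem yet: there is simply no service to reach.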

I get nothing when I do that… I appreciate your help; if you have any ideas just post them. Thanks.

@Sipherx:

I get nothing when I do that… I appreciate your help; if you have any ideas just post them. Thanks.

In order for SSL to work, you not only need to make sure your firewall is open on port 443, but you also have to have something listening on that port, usually Apache.

netstat -pln

The above will display what processes (by their PIDs) are listening on which ports. See if your apache process is listening on 443.

-Chris

@Sipherx:

I get nothing when I do that…

If that cat command showed nothing, my bet is that nothing is listening on port 443. The command caker posted should verify that, if his version of the netstat command works for you better than mine did.

If that's the case, there's a problem with your apache configuration. Do you have a "Listen" command for port 443 and the appropriate ip(s) in your httpd.conf file? E.g.: Listen 127.0.0.1:443

Looks like it's not.

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:51234           0.0.0.0:*               LISTEN     11013/server_linux
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN     296/inetd
tcp        0      0 0.0.0.0:14534           0.0.0.0:*               LISTEN     11013/server_linux
tcp        0      0 0.0.0.0:9               0.0.0.0:*               LISTEN     296/inetd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN     348/mysqld
tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN     296/inetd
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN     460/tcpserver
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN     421/spamd.pid
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN     404/vsftpd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     456/tcpserver
tcp6       0      0 :::993                  :::*                    LISTEN     289/couriertcpd
tcp6       0      0 :::143                  :::*                    LISTEN     276/couriertcpd
tcp6       0      0 :::80                   :::*                    LISTEN     7021/apache2
tcp6       0      0 :::22                   :::*                    LISTEN     235/sshd
udp        0      0 0.0.0.0:9               0.0.0.0:*                          296/inetd
udp        0      0 0.0.0.0:8767            0.0.0.0:*                          11013/server_linux
udp        0      0 0.0.0.0:68              0.0.0.0:*                          195/dhclient
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     411      348/mysqld          /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     1325     413/clamd           /tmp/clamd
unix  2      [ ACC ]     STREAM     LISTENING     313      263/authdaemond.pla /var/run/courier/authdaemon/socket.tmp
pabado:~#

So now what do I do?

Well, shouldn't I put that Listen command in one of my site conf files in the sites-available folder?

UPDATE:

Hey, I found something called ports.conf in my apache2 folder, and it has Listen 80 in there. When I typed Listen 443 and then tried to restart it, it said something else was using port 443.

Okay, I added Listen 127.0.0.1:443 in my site's conf file, and now when I do that netstat command it shows apache2 listening on port 443. But it's still doing the same thing, because apache2 still doesn't know to open port 443: when I restart apache2 with Listen 443 in the ports.conf file it says this.

pabado:/etc/apache2# /etc/init.d/apache2 restart
Forcing reload of web server: Apache2[Wed Jun 15 09:58:39 2005] [warn] module ssl_module is already loaded, skipping
[Wed Jun 15 09:58:40 2005] [warn] module ssl_module is already loaded, skipping
(98)Address already in use: make_sock: could not bind to address [::]:443
no listening sockets available, shutting down
Unable to open logs
pabado:/etc/apache2#

Now what..

You may need to do some reading on Apache2 and SSL, to get an overview of what you're doing and what needs to be done rather than working on one step at a time.

Try:

http://www.ornl.gov/~jar/Apache/SSLinApache_2.html

or

http://lists.debian.org/debian-apache/2004/09/msg00105.html

Those are about SuSE and Debian, but the process is very much the same. If you like, google for one about your particular distribution.

@Sipherx:

Okay, I added Listen 127.0.0.1:443 in my site's conf file, and now when I do that netstat command it shows apache2 listening on port 443. But it's still doing the same thing, because apache2 still doesn't know to open port 443: when I restart apache2 with Listen 443 in the ports.conf file it says this.

Well, I meant for you to replace "127.0.0.1" with whatever IP address(es) you want apache to use for SSL requests. I'm sure there's a way to have it listen on all available addresses: I don't know off the top of my head what that way is, but my guess would be by either using an "*" or "0.0.0.0" as the ip address.

I don't recognize the files you mention (e.g. ports.conf) so I'm assuming that's probably how your distribution sets up the apache config and those files are all sourced from the main config file. If so, then you'd only need the Listen line in one or the other.

At any rate, I'd agree with Xan that you'd be much better off doing a bit of reading until you have a broader understanding of how it all ties together.
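The "Address already in use: make_sock: could not bind to address [::]:443" error earlier in the thread is what Apache reports when two Listen directives cover the same port, here Listen 443 in ports.conf (all addresses) alongside Listen 127.0.0.1:443 in a site file, so the second bind fails. The following is an added example, not code from the thread or from the Apache project: it collects the port of every active Listen directive across a set of config files and reports ports declared more than once, which is the first thing to check before touching the firewall. The sample config files are constructed in a temporary directory and the function names are assumptions.

```shell
#!/bin/sh
# make_sample_config: writes two constructed Apache config fragments (not the
# thread's real files) to a temp dir and prints the dir. They reproduce the
# overlap described in the thread: "Listen 443" plus "Listen 127.0.0.1:443".
make_sample_config() {
    dir=$(mktemp -d)
    printf 'Listen 80\nListen 443\n' > "$dir/ports.conf"
    printf '# site config\nListen 127.0.0.1:443\n' > "$dir/site.conf"
    echo "$dir"
}

# listen_ports FILE...: prints the port of every active Listen directive, one
# per line. Handles "Listen 443", "Listen 1.2.3.4:443" and "Listen [::]:443"
# (the port is always the last colon-separated piece); comment lines whose
# first word is not "Listen" are skipped.
listen_ports() {
    awk 'tolower($1) == "listen" { n = split($2, a, ":"); print a[n] }' "$@"
}

# duplicate_listen_ports FILE...: prints ports named by more than one Listen
# directive. Apache binds a socket for every directive, so a wildcard listener
# and an address-specific listener on the same port collide and the daemon
# shuts down with "no listening sockets available".
duplicate_listen_ports() {
    listen_ports "$@" | sort | uniq -d
}

# Usage on a Debian-style layout (path is an assumption, adjust to taste):
#   duplicate_listen_ports /etc/apache2/ports.conf /etc/apache2/sites-enabled/*
```

On the constructed sample the duplicate report is a single line, 443. The fix the thread converges on is to keep exactly one Listen per port, in whichever file the main config sources, and only then verify with netstat -pln that apache2 holds port 443.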

Hey, everyone's little bit of help really helped me out. I have it fully working now: https://www.discountcurtainrods.com. Thanks a lot guys. All your ideas and solutions helped me make one big one.
