11

I want to open port 443 in my Debian 8 server but i get permission denied error.

my rules.v4 file looks like:

    # Generated by iptables-save v1.4.21 on Wed Feb 15 14:42:03 2017
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [208710:151335680]
    -A INPUT -p icmp -m comment --comment "000 accept all icmp" -j ACCEPT
    -A INPUT -i lo -m comment --comment "001 accept all to lo interface" -j ACCEPT
    -A INPUT -m comment --comment "002 accept related established rules" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 22 -m comment --comment "099 allow ssh access" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80,443 -m comment --comment "100 allow http and https access" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 1122 -m comment --comment "150 allow phpmyadmin access" -j ACCEPT
    -A INPUT -m comment --comment "999 drop all" -j DROP
    COMMIT
    # Completed on Wed Feb 15 14:42:03 2017

After making the changes in /etc/iptables/rules.v4 I tried to save with

sudo iptables-save > /etc/iptables/rules.v4 

I get the error message: -bash: /etc/iptables/rules.v4: Permission denied

I tried with sudo bash -C "iptables-save > /etc/iptables/rules.v4" and I get "no such file or directory", although the file exists.

I also tried with tee

sudo tee iptables-save > /etc/iptables/rules.v4 

and

sudo sh -c "iptables-save > /etc/iptables/rules.v4" 

When I do netstat -tulnp | grep 443 I get no output.

3
  • It looks to me that there is no /etc/iptables/ directory. Check that first and move further. Commented Feb 15, 2017 at 14:15
  • /etc/iptables does exist... I have rules.v4 and rules.v6 files inside Commented Feb 15, 2017 at 14:33
  • see unix.stackexchange.com/questions/148592/… Commented Feb 15, 2017 at 16:51

4 Answers

14

There are 2 permissions involved in this operation:

  1. permission to read iptables-save
  2. permission to write to /etc/iptables/rules.v4

You cannot use sudo on the second permission needed.

The last command you posted should work, just change -C to -c, otherwise drop to root shell with

sudo su - 
5
  • okay, I am now working with root privileges... But still the port is not open Commented Feb 15, 2017 at 14:39
  • How do you determine that the port is not open? Do you have a webserver with ssl active? did you check with netstat? Commented Feb 15, 2017 at 14:45
  • Yes, I have SSL active and I did check with netstat -tulnp | grep 443 Commented Feb 15, 2017 at 14:51
  • I can't find -u in the manual of my netstat, it is a flag I never use. Also, what do you mean by ssl active? Apache with a virtualhost listening on port 443? Commented Feb 15, 2017 at 15:03
  • 2
    -u checks for UDP, look here. Yes, Apache listening on port 443 Commented Feb 15, 2017 at 15:17
5

You're using tee incorrectly. The iptables-save command creates the contents of what should be saved and sends it to stdout. The tee command needs to read the stdout of iptables-save and write it to the designated file.

The correct way to save the routes without needing to use root shell is to have iptables-save pipe the content to tee which will then save the stdout to file.

sudo iptables-save | sudo tee /etc/iptables/rules.v4

3
  • @berndbausch - You must be mixing up OP's question with something else. Their title specifically says "saving iptable rules". Then they go on to say "I also tried with tee". You should re-read the question and consider removing your comment. Commented Feb 25, 2021 at 16:13
  • 1
    Indeed, tee appears in the question, and I managed to overlook it. Upon re-reading the whole question, it is at least ambiguous to me. The last remark "when i do netstat -tulnp | grep 443 i get no output." indicates that OP wanted to put in place new rules, which requires iptables-restore, but the rest of the question seems to be a tangle of confusion. Nothing we can do with a four-year-old question. Your feedback has validity, and I will indeed remove my comment. Sorry. Commented Feb 25, 2021 at 23:09
  • @berndbausch - No problem. I've misread posts before and even continued to misread them after someone pointed out my error. I reread this one 5 times to make sure I wasn't doing that again. Have a great day :) Commented Feb 26, 2021 at 12:32
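Both answers above turn on the same point: in `sudo iptables-save > file` it is the caller's unprivileged shell, not sudo, that opens the file. The script below is an added example, not code from any answer here; it puts that into a reusable save step and adds a check that the saved ruleset actually accepts a given port. The SUDO variable, the function names and the stand-in producer are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Saves an iptables-save dump into a
# root-owned file from an unprivileged shell and then checks that the saved
# INPUT chain accepts a TCP port. SUDO is a hypothetical knob so the functions
# can be exercised without privileges (set SUDO="" and a stand-in producer).
SUDO=${SUDO-sudo}

# save_rules PRODUCER TARGET
# PRODUCER prints a ruleset (normally: iptables-save). The dump first goes to a
# temp file: that redirection is done by the caller's own shell, and the caller
# may write there, so no "Permission denied". The dump is checked for a COMMIT
# line before it is copied over TARGET by tee, the only privileged step, and it
# is tee (running under sudo) that opens the root-owned TARGET, not the shell.
save_rules() {
    producer=$1; target=$2
    tmp=$(mktemp) || return 1
    if ! $SUDO $producer > "$tmp" || ! grep -q '^COMMIT$' "$tmp"; then
        rm -f "$tmp"; return 1        # empty or truncated dump: keep old file
    fi
    $SUDO tee "$target" < "$tmp" > /dev/null; rc=$?
    rm -f "$tmp"
    return $rc
}

# port_allowed FILE PORT
# Succeeds when an "-A INPUT ... -p tcp ... -j ACCEPT" rule lists PORT in
# --dport/--dports before the catch-all "-j DROP" (an INPUT DROP with no -p
# match, like "999 drop all" in the question). Port ranges are not handled.
port_allowed() {
    awk -v port="$2" '
        /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" || $i == "--dports") {
                    n = split($(i + 1), p, ",")
                    for (j = 1; j <= n; j++)
                        if (p[j] == port) { found = 1; exit }
                }
        }
        /^-A INPUT / && !/-p / && /-j DROP/ { exit }   # reached the drop-all
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Typical use (needs real sudo):
#   save_rules iptables-save /etc/iptables/rules.v4 \
#       && port_allowed /etc/iptables/rules.v4 443
```

Saving the file does not load it: rules edited in rules.v4 take effect only once iptables-restore reads them, as the comment above notes. An empty netstat -tulnp | grep 443 means no process is listening on 443 at all, which a firewall rule does not cause.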
0

I've had the same problem, which I solved as follows:

  1. Change the group on rules.v4 to your user group

    sudo chgrp "usergroup" /etc/iptables/rules.v* 
  2. Enable write permission for the group

    sudo chmod 664 /etc/iptables/rules.v* 
  3. Try again

    sudo iptables-save > /etc/iptables/rules.v4 

This worked for me, I hope it helps.

0

An old question but I needed a simple answer without changing file properties. At some point I found something which worked under UBUNTU 24.04.1. However, changes should be made with the iptables commands, and not directly in the created file...

    $ sudo sh
    # iptables-save > rules.v4
    # exit

After server restart, all iptables rules were still there.
