how? redirect apache2 outbound ports to specific ports w/iptables?

nowshining · 05-21-2008, 11:31 PM

does all outbound have to be open for apache2 to operate?

Incoming is fine, however i'd like to block many outbound ports and only allow X-XX outbound or so for apache2 to send the content back to the incoming connections of which outbound ports are needed.

The problem - apache2 uses too many outbound and random ports for this and the randomness is the problem and I'd like to make that random to known ports.

I hope u get what i'm trying to say.

I just can't figure out the rule..

if any..to do this...

win32sux · 05-22-2008, 12:31 PM

Quote:

Originally Posted by nowshining

does all outbound have to be open for apache2 to operate?

Incoming is fine, however i'd like to block many outbound ports and only allow X-XX outbound or so for apache2 to send the content back to the incoming connections of which outbound ports are needed.

The problem - apache2 uses too many outbound and random ports for this and the randomness is the problem and I'd like to make that random to known ports.

I hope u get what i'm trying to say.

I just can't figure out the rule..

if any..to do this...

Your "RELATED,ESTABLISHED" rule will suffice, as long as you don't need Apache to be able to start outgoing connections on its own. In other words, you don't need to specify any ports or anything for the OUTPUT rule, especially if what you are aiming to do is tighten-up the box with regards to firewall security. Example:

Code:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT

iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

nowshining · 05-22-2008, 11:57 PM

tried it and on ur -dport 80 rule I had to add -m state :/

other than that - it won't work except for a direct url,

however since I'm trying to imitate access thru 3rd party like urself i opted to go thru a online proxy and with that - i can't access it without outbound ports directly open.

the site i'm trying to test thru ie: the proxy is: http://www.unblocked.org/

win32sux · 05-23-2008, 02:09 AM

Quote:

Originally Posted by nowshining

tried it and on ur -dport 80 rule I had to add -m state :/

Yeah, looks like I accidentally left that part out - I was sort of on my way out the door when I posted that. I'll edit it.

Quote:

other than that - it won't work except for a direct url,

however since I'm trying to imitate access thru 3rd party like urself i opted to go thru a online proxy and with that - i can't access it without outbound ports directly open.

the site i'm trying to test thru ie: the proxy is: http://www.unblocked.org/

Weird. I mean, whether or not the server is being accessed via proxy shouldn't matter at all. It isn't an HTTPS server is it? Perhaps you should post your complete iptables configuration so we can have a look, along with snippets from your log file from when you try unsuccessfully to access the server.

nowshining · 05-27-2008, 01:35 AM

1.) I'm using arno-iptables-firewall

2.) it won't let me post my arno-config

3.)I won't post my custom-rules - as it's just basic blocking of ad ips, proxy ips (no the proxy site is not blocked) + a few performance or whatever rules, ie: non in there should affect it to where it won't let the outside connect. I'll post a few snippets from the log soon.

nowshining · 05-27-2008, 02:46 AM

Code:

droppedIN= OUT=ppp0 SRC=4.246.211.71 DST=67.159.45.52 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=60653 PROTO=TCP SPT=80 DPT=58555 WINDOW=5792 RES=0x00 ACK SYN URGP=0

Code:

droppedIN= OUT=ppp0 SRC=4.246.211.71 DST=67.159.45.52 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=60663 PROTO=TCP SPT=80 DPT=34583 WINDOW=5792 RES=0x00 ACK SYN URGP=0