LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#1 nowshining (Member, Distribution: Ibex), 05-21-2008, 11:31 PM
how? redirect apache2 outbound ports to specific ports w/iptables?


Does all outbound have to be open for apache2 to operate?

Incoming is fine; however, I'd like to block many outbound ports and only allow X-XX outbound or so for apache2 to send the content back to the incoming connections, whichever outbound ports are needed for that.

The problem: apache2 uses too many outbound and random ports for this, and the randomness is the problem; I'd like to change those random ports to known ports.

I hope you get what I'm trying to say.

I just can't figure out the rule, if any, to do this.
 
#2 win32sux (Guru, Distribution: Ubuntu), 05-22-2008, 12:31 PM
Quote:
Originally Posted by nowshining
Does all outbound have to be open for apache2 to operate?

Incoming is fine; however, I'd like to block many outbound ports and only allow X-XX outbound or so for apache2 to send the content back to the incoming connections, whichever outbound ports are needed for that.

The problem: apache2 uses too many outbound and random ports for this, and the randomness is the problem; I'd like to change those random ports to known ports.

I hope you get what I'm trying to say.

I just can't figure out the rule, if any, to do this.
Your "RELATED,ESTABLISHED" rule will suffice, as long as you don't need Apache to be able to start outgoing connections on its own. In other words, you don't need to specify any ports or anything for the OUTPUT rule, especially if what you are aiming to do is tighten up the box with regards to firewall security. Example:
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Last edited by win32sux; 05-23-2008 at 02:11 AM. Reason: Fixed typo in second rule.
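A complete stateful ruleset of the kind win32sux describes, as an added example (not the poster's or arno-iptables-firewall's configuration): default-deny policies on every chain, the RELATED,ESTABLISHED rules in both directions, inbound TCP 80 only, and LOG rules so anything dropped shows up in the kernel log. It assumes a single public interface, and it only prints the commands unless IPT=iptables is set in the environment and the script is run as root.

```shell
#!/bin/sh
# Minimal stateful firewall for a web server that never initiates outbound
# connections of its own. Added example, not from the thread.
# IPT defaults to "echo iptables": running this prints the rules instead of
# changing anything. Set IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"

web_ruleset() {
  # Start clean and deny by default in every chain.
  $IPT -F
  $IPT -P INPUT DROP
  $IPT -P OUTPUT DROP
  $IPT -P FORWARD DROP

  # Loopback must stay open or local services (DNS resolver, etc.) break.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT

  # Packets belonging to a tracked connection, both directions. This is what
  # lets Apache answer on whatever ephemeral port the client chose: its reply
  # matches the conntrack entry created by the client's SYN, so no outbound
  # port list is needed.
  $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  # The only NEW connections accepted: inbound HTTP.
  $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

  # Log whatever falls through before the DROP policy catches it; the prefix
  # is what appears before "IN=" in the kernel log lines.
  $IPT -A INPUT -j LOG --log-prefix "dropped" --log-level 4
  $IPT -A OUTPUT -j LOG --log-prefix "dropped" --log-level 4
}

web_ruleset
```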
 
#3 nowshining (Original Poster), 05-22-2008, 11:57 PM
Tried it, and on your --dport 80 rule I had to add -m state :/

Other than that, it won't work except for a direct URL;

however, since I'm trying to imitate access through a 3rd party like yourself, I opted to go through an online proxy, and with that I can't access it without outbound ports directly open.

The site I'm trying to test through, i.e. the proxy, is: http://www.unblocked.org/

Last edited by nowshining; 05-22-2008 at 11:59 PM. Reason: adding proxy site
 
#4 win32sux (Guru, Distribution: Ubuntu), 05-23-2008, 02:09 AM
Quote:
Originally Posted by nowshining
Tried it, and on your --dport 80 rule I had to add -m state :/
Yeah, looks like I accidentally left that part out - I was sort of on my way out the door when I posted that. I'll edit it.

Quote:
Other than that, it won't work except for a direct URL;

however, since I'm trying to imitate access through a 3rd party like yourself, I opted to go through an online proxy, and with that I can't access it without outbound ports directly open.

The site I'm trying to test through, i.e. the proxy, is: http://www.unblocked.org/
Weird. I mean, whether or not the server is being accessed via a proxy shouldn't matter at all. It isn't an HTTPS server, is it? Perhaps you should post your complete iptables configuration so we can have a look, along with snippets from your log file from when you try unsuccessfully to access the server.
 
#5 nowshining (Original Poster), 05-27-2008, 01:35 AM
1.) I'm using arno-iptables-firewall.

2.) It won't let me post my arno config.

3.) I won't post my custom rules, as it's just basic blocking of ad IPs and proxy IPs (no, the proxy site is not blocked) plus a few performance-or-whatever rules, i.e. none in there should affect it to where it won't let the outside connect. I'll post a few snippets from the log soon.
 
#6 nowshining (Original Poster), 05-27-2008, 02:46 AM
Code:
droppedIN= OUT=ppp0 SRC=4.246.211.71 DST=67.159.45.52 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=60653 PROTO=TCP SPT=80 DPT=58555 WINDOW=5792 RES=0x00 ACK SYN URGP=0
droppedIN= OUT=ppp0 SRC=4.246.211.71 DST=67.159.45.52 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=60663 PROTO=TCP SPT=80 DPT=34583 WINDOW=5792 RES=0x00 ACK SYN URGP=0
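An added helper (not from the thread) that reads netfilter LOG lines of the format pasted above: it pulls out the key=value fields and the TCP flag words, works out the chain from the empty IN= or OUT=, and says what kind of packet was dropped. Run on the first line from post #6 it reports an outbound SYN/ACK from local port 80 dropped in OUTPUT, i.e. the server's reply to an inbound connection that the RELATED,ESTABLISHED rule should have accepted; the things to check when you see that are that the OUTPUT state rule exists and comes before any DROP in that chain, and that connection tracking is actually loaded. The first sample line is copied from post #6; the second is constructed.

```shell
#!/bin/sh
# Classify dropped-packet lines from the kernel log. Added example, not from
# the thread. SAMPLE_OUT is the first line of post #6; SAMPLE_IN is constructed.
SAMPLE_OUT='droppedIN= OUT=ppp0 SRC=4.246.211.71 DST=67.159.45.52 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=60653 PROTO=TCP SPT=80 DPT=58555 WINDOW=5792 RES=0x00 ACK SYN URGP=0'
SAMPLE_IN='droppedIN=ppp0 OUT= SRC=192.0.2.10 DST=4.246.211.71 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

# field LINE KEY: value of KEY= in LINE; empty when the key has no value
# (e.g. "IN=" on an outbound packet) or is absent.
field() {
  printf '%s\n' "$1" | sed -n "s/.*$2=\([^ ]*\).*/\1/p"
}

# has_flag LINE FLAG: true if the TCP flag word (SYN, ACK, ...) is present.
has_flag() {
  case " $1 " in *" $2 "*) return 0 ;; esac
  return 1
}

classify_drop() {
  line="$1"
  in_if=$(field "$line" IN);   out_if=$(field "$line" OUT)
  proto=$(field "$line" PROTO); src=$(field "$line" SRC); dst=$(field "$line" DST)
  spt=$(field "$line" SPT);    dpt=$(field "$line" DPT)

  # A packet with no IN interface but an OUT interface was generated locally,
  # so it was dropped by the OUTPUT chain; otherwise it came in via INPUT.
  if [ -z "$in_if" ] && [ -n "$out_if" ]; then chain=OUTPUT; else chain=INPUT; fi

  if [ "$chain" = OUTPUT ] && [ "$proto" = TCP ] && [ "$spt" = 80 ] \
     && has_flag "$line" SYN && has_flag "$line" ACK; then
    # SYN/ACK from port 80 is the server answering a client's SYN: it should
    # have matched ESTABLISHED in OUTPUT, so either that rule is missing or
    # ordered after a DROP, or the inbound SYN was never tracked.
    echo "OUTPUT drop of SYN/ACK from $src:80 to $dst:$dpt: web server reply not matched as ESTABLISHED"
  elif [ "$chain" = INPUT ] && [ "$proto" = TCP ] && [ "$dpt" = 80 ] \
     && has_flag "$line" SYN && ! has_flag "$line" ACK; then
    echo "INPUT drop of new HTTP connection from $src to $dst:80"
  else
    echo "$chain drop: $proto $src:$spt -> $dst:$dpt"
  fi
}

classify_drop "$SAMPLE_OUT"
classify_drop "$SAMPLE_IN"
```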