#1 | 05-21-2008, 11:31 PM | nowshining (Member; Registered: Dec 2007; Distribution: Ibex; Posts: 93)
how? redirect apache2 outbound ports to specific ports w/iptables?
Do all outbound ports have to be open for apache2 to operate?
Incoming is fine; however, I'd like to block many outbound ports and only allow X-XX outbound or so for apache2 to send the content back to the incoming connections, whichever outbound ports are needed for that.
The problem: apache2 uses too many outbound and random ports for this, and the randomness is the problem; I'd like to change those random ports to known ports.
I hope you get what I'm trying to say.
I just can't figure out the rule, if any, to do this.
#2 | 05-22-2008, 12:31 PM | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote:
Originally Posted by nowshining
Do all outbound ports have to be open for apache2 to operate?
Incoming is fine; however, I'd like to block many outbound ports and only allow X-XX outbound or so for apache2 to send the content back to the incoming connections, whichever outbound ports are needed for that.
The problem: apache2 uses too many outbound and random ports for this, and the randomness is the problem; I'd like to change those random ports to known ports.
I hope you get what I'm trying to say.
I just can't figure out the rule, if any, to do this.
Your "RELATED,ESTABLISHED" rule will suffice, as long as you don't need Apache to be able to start outgoing connections on its own. In other words, you don't need to specify any ports or anything for the OUTPUT rule, especially if what you are aiming to do is tighten up the box with regards to firewall security. Example:
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Last edited by win32sux; 05-23-2008 at 02:11 AM.
Reason: Fixed typo in second rule.
#3 | 05-22-2008, 11:57 PM | nowshining (Member; Registered: Dec 2007; Distribution: Ibex; Posts: 93; Original Poster)
Tried it, and on your --dport 80 rule I had to add -m state :/
Other than that, it won't work except for a direct URL;
however, since I'm trying to imitate access through a 3rd party like yourself, I opted to go through an online proxy, and with that I can't access it without outbound ports directly open.
The site I'm trying to test through, i.e. the proxy, is: http://www.unblocked.org/
Last edited by nowshining; 05-22-2008 at 11:59 PM.
Reason: adding proxy site
#4 | 05-23-2008, 02:09 AM | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote:
Originally Posted by nowshining
Tried it, and on your --dport 80 rule I had to add -m state :/
Yeah, looks like I accidentally left that part out - I was sort of on my way out the door when I posted that. I'll edit it.
Quote:
Other than that, it won't work except for a direct URL;
however, since I'm trying to imitate access through a 3rd party like yourself, I opted to go through an online proxy, and with that I can't access it without outbound ports directly open.
The site I'm trying to test through, i.e. the proxy, is: http://www.unblocked.org/
Weird. I mean, whether or not the server is being accessed via a proxy shouldn't matter at all. It isn't an HTTPS server, is it? Perhaps you should post your complete iptables configuration so we can have a look, along with snippets from your log file from when you try unsuccessfully to access the server.
#5 | 05-27-2008, 01:35 AM | nowshining (Member; Registered: Dec 2007; Distribution: Ibex; Posts: 93; Original Poster)
1.) I'm using arno-iptables-firewall.
2.) It won't let me post my arno config.
3.) I won't post my custom rules, as they're just basic blocking of ad IPs and proxy IPs (no, the proxy site is not blocked) plus a few performance or whatever rules, i.e. none in there should affect it to where it won't let the outside connect. I'll post a few snippets from the log soon.
#6 | 05-27-2008, 02:46 AM | nowshining (Member; Registered: Dec 2007; Distribution: Ibex; Posts: 93; Original Poster)
Code:
droppedIN= OUT=ppp0 SRC=4.246.211.71 DST=67.159.45.52 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=60653 PROTO=TCP SPT=80 DPT=58555 WINDOW=5792 RES=0x00 ACK SYN URGP=0
droppedIN= OUT=ppp0 SRC=4.246.211.71 DST=67.159.45.52 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=60663 PROTO=TCP SPT=80 DPT=34583 WINDOW=5792 RES=0x00 ACK SYN URGP=0
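To make the two log lines in post #6 easier to read, here is an added Python parser (not from the thread, and not part of arno-iptables-firewall) that splits the netfilter LOG fields, infers the chain from IN=/OUT=, and flags the pattern both lines show: a SYN/ACK leaving local port 80 for a remote ephemeral port, i.e. the server's handshake reply to an accepted inbound connection, which the OUTPUT RELATED,ESTABLISHED rule from post #2 should have matched. The set of served ports is an assumption.

```python
import re

# The two dropped packets quoted in post #6 (constructed list; line contents verbatim).
SAMPLE_LOGS = [
    "droppedIN= OUT=ppp0 SRC=4.246.211.71 DST=67.159.45.52 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=255 ID=60653 PROTO=TCP SPT=80 DPT=58555 WINDOW=5792 RES=0x00 ACK SYN URGP=0",
    "droppedIN= OUT=ppp0 SRC=4.246.211.71 DST=67.159.45.52 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=255 ID=60663 PROTO=TCP SPT=80 DPT=34583 WINDOW=5792 RES=0x00 ACK SYN URGP=0",
]

KEY_VALUE = re.compile(r"([A-Z]+)=(\S*)")  # the LOG target prints KEY=value pairs
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
SERVED_PORTS = {"80", "443"}  # ports Apache is assumed to listen on (assumption)


def parse_log(line):
    """Split one netfilter LOG line into a dict of fields plus a sorted TCP flag list."""
    rec = dict(KEY_VALUE.findall(line))
    # TCP flags are printed as bare words (no '=') between RES= and URGP=.
    rec["FLAGS"] = sorted(tok for tok in line.split() if tok in TCP_FLAGS)
    # Whatever precedes IN= is the --log-prefix the firewall script used.
    rec["PREFIX"] = line.split("IN=", 1)[0].strip()
    return rec


def chain_of(rec):
    """Infer the logging chain: only OUT= set means locally generated (OUTPUT)."""
    if rec.get("IN") and rec.get("OUT"):
        return "FORWARD"
    return "OUTPUT" if rec.get("OUT") else "INPUT"


def diagnose(line):
    """Classify the dropped packet and say whether a stateful rule should have passed it."""
    rec = parse_log(line)
    chain, flags = chain_of(rec), rec["FLAGS"]
    if rec.get("PROTO") != "TCP":
        kind = "non-TCP"
    elif flags == ["SYN"]:
        kind = "new connection (SYN)"
    elif flags == ["ACK", "SYN"]:
        kind = "handshake reply (SYN/ACK)"
    else:
        kind = "established traffic"
    # A SYN/ACK leaving from a served port answers an inbound SYN that conntrack
    # already tracked, so "OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # should match it; a drop here usually means that rule is missing or sits below a DROP.
    reply = chain == "OUTPUT" and kind.startswith("handshake") and rec.get("SPT") in SERVED_PORTS
    return {"chain": chain, "kind": kind, "sport": rec.get("SPT"), "dport": rec.get("DPT"),
            "peer": rec.get("DST"), "stateful_rule_should_match": reply}
```

Run `diagnose()` over each line of a firewall log to separate dropped handshake replies (a rule-ordering problem) from dropped new connections (expected for a default-deny policy).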