how? redirect apache2 outbound ports to specific ports w/iptables?
Does all outbound have to be open for apache2 to operate?
Incoming is fine, however I'd like to block many outbound ports and only allow X-XX outbound or so for apache2 to send the content back to the incoming connections, of which outbound ports are needed.
The problem - apache2 uses too many outbound and random ports for this, and the randomness is the problem, and I'd like to make that random to known ports.
I hope you get what I'm trying to say.
I just can't figure out the rule... if any... to do this...
Your "RELATED,ESTABLISHED" rule will suffice, as long as you don't need Apache to be able to start outgoing connections on its own. In other words, you don't need to specify any ports or anything for the OUTPUT rule, especially if what you are aiming to do is tighten up the box with regards to firewall security. Example:
Code:
# accept inbound packets belonging to connections conntrack already knows about
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# accept new inbound HTTP connections to Apache
iptables -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
# accept outbound packets only for tracked connections, which covers Apache's replies
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Last edited by win32sux; 05-23-2008 at 02:11 AM.
Reason: Fixed typo in second rule.
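The three rules above are the core of it; what follows is an added example, not code from the thread or from win32sux, showing a complete ruleset built around them in iptables-restore format, plus a small helper for reading the kernel LOG lines it produces when the thread later turns to log snippets. Apache never needs an outbound port range: its replies belong to connections the client opened, so they match RELATED,ESTABLISHED in OUTPUT and leave with source port 80; the "random" ports are the clients' ephemeral ports on the far end. The log lines in sample_log are constructed for the demo, the "FW-DROP-IN:"/"FW-DROP-OUT:" prefixes are an assumption of this example, and it assumes Apache listens on TCP 80 only (add a matching --dport 443 rule for HTTPS).

```shell
#!/bin/sh
# Added example, not from the thread. Stateful ruleset for an Apache host
# plus a triage helper for the LOG lines the ruleset emits.

# Print the ruleset. Default policy DROP everywhere, loopback allowed,
# tracked connections allowed in both directions, new inbound HTTP only.
apache_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-OUT: "
COMMIT
EOF
}

# Read LOG lines (e.g. from /var/log/kern.log) on stdin and count drops per
# prefix, protocol, source port and destination port. A stream of
# FW-DROP-OUT lines with SPT=80 means the OUTPUT chain is missing the
# RELATED,ESTABLISHED rule: Apache's replies are being thrown away.
summarize_drops() {
    awk '
        /FW-DROP-(IN|OUT):/ {
            prefix = ""; proto = ""; spt = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^FW-DROP-(IN|OUT):$/) prefix = $i
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^SPT=/)   spt = substr($i, 5)
                else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            count[prefix " " proto " spt=" spt " dpt=" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample log lines (not real logs) for a stand-alone run.
sample_log() {
    cat <<'EOF'
May 23 02:11:01 web kernel: FW-DROP-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=80 DPT=51234 ACK PSH
May 23 02:11:02 web kernel: FW-DROP-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=80 DPT=51234 ACK
May 23 02:11:05 web kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=22 SYN
EOF
}

case "${1:-}" in
    show)   apache_ruleset ;;
    apply)  apache_ruleset | iptables-restore ;;   # needs root
    triage) summarize_drops ;;                      # pipe a log file in
    demo)   sample_log | summarize_drops ;;
esac
```

Run it with `show` to review the rules, `apply` (as root) to load them, and `triage < /var/log/kern.log` after a failed page load. After applying, `iptables -L OUTPUT -v -n` should show the RELATED,ESTABLISHED counters climbing while a client fetches a page, which confirms the replies are matching that rule rather than needing a port range of their own.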
Tried it, and on your --dport 80 rule I had to add -m state :/
Other than that - it won't work except for a direct URL,
however since I'm trying to imitate access through a 3rd party like yourself, I opted to go through an online proxy, and with that - I can't access it without outbound ports directly open.
Quote:
Tried it, and on your --dport 80 rule I had to add -m state :/
Yeah, looks like I accidentally left that part out - I was sort of on my way out the door when I posted that. I'll edit it.
Quote:
Other than that - it won't work except for a direct URL,
however since I'm trying to imitate access through a 3rd party like yourself, I opted to go through an online proxy, and with that - I can't access it without outbound ports directly open.
Weird. I mean, whether or not the server is being accessed via proxy shouldn't matter at all. It isn't an HTTPS server is it? Perhaps you should post your complete iptables configuration so we can have a look, along with snippets from your log file from when you try unsuccessfully to access the server.
I won't post my custom rules - as it's just basic blocking of ad IPs, proxy IPs (no, the proxy site is not blocked) + a few performance or whatever rules, i.e. none in there should affect it to where it won't let the outside connect. I'll post a few snippets from the log soon.