Please provide the exact IPtables rules for this situation

splinux · 05-10-2012, 11:01 AM

My web server listening Actual port number 8080

The client must access via 80 only other all ports should be closed.

-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP

-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

-A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

No one should access port 8080 from client site..

how we can write the rules for this situation ?

Kustom42 · 05-10-2012, 11:37 AM

Why is Apache listening on port 8080 if you do not want connections to be accepted on that port? This doesn't make any sense to me.

splinux · 05-10-2012, 12:03 PM

I like to hide my actual listening port from out site.

Kustom42 · 05-10-2012, 12:06 PM

Ive only ever implemented http redirects on a network level through load balancers, never have done it with firewall rules. However, you should be able to use the following rules.

Code:

--iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
--iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
--iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Modify the interface if needed.

Kustom42 · 05-10-2012, 12:09 PM

And just a heads up that your listening port can still be determined through by the client using this method.

splinux · 05-10-2012, 12:51 PM

Still that port can be accessed by clients...

Kustom42 · 05-10-2012, 01:25 PM

Yep, doesn't really add any security to the box. Actually degrades the security by opening another port.

Noway2 · 05-11-2012, 04:16 AM

I agree that there is nothing to be gained, security wise, by trying to run your web server on a non standard port and then use NAT to translate it to somewhere else. Note that you could do the very same thing with a home grade router using port forwarding. There are a couple of other things that you should consider regarding your intended IPtables rules.

Code:

-P OUTPUT DROP
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

You need to be careful with output ports. In the case of the web server, response traffic should go out via port 80 as this was the port used to make the connection. However, most traffic will not, and you will prevent yourself from being able to do things like run updates, which will use a random, high order port. If you choose to run your port translation and obfuscation trick, your output rules will probably also prevent your web server from working as you will now mangle the port on which the response is issued. In other words, you are accepting connections on port 8080 but trying to respond on 80.

Code:

-P INPUT DROP

Be careful with input policy set to drop. You can achieve the same effect with a -A INPUT -j DROP rule as the last line of your rules with an input policy set to accept, without the risk of locking yourself out except for via a physical terminal console (not SSH).