Please provide the exact IPtables rules for this situation
I've only ever implemented http redirects on a network level through load balancers, never have done it with firewall rules. However, you should be able to use the following rules.
I agree that there is nothing to be gained, security-wise, by trying to run your web server on a non-standard port and then use NAT to translate it to somewhere else. Note that you could do the very same thing with a home-grade router using port forwarding. There are a couple of other things that you should consider regarding your intended IPtables rules.
Code:
-P OUTPUT DROP
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
You need to be careful with output ports. In the case of the web server, response traffic should go out via port 80 as this was the port used to make the connection. However, most traffic will not, and you will prevent yourself from being able to do things like run updates, which will use a random, high order port. If you choose to run your port translation and obfuscation trick, your output rules will probably also prevent your web server from working as you will now mangle the port on which the response is issued. In other words, you are accepting connections on port 8080 but trying to respond on 80.
Code:
-P INPUT DROP
Be careful with input policy set to drop. You can achieve the same effect with a -A INPUT -j DROP rule as the last line of your rules with an input policy set to accept, without the risk of locking yourself out of everything except a physical terminal console (not SSH).
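The two points above put together as a script, added here as an example and not code posted in this thread. It assumes (the thread does not say) that the web server listens on port 80 on eth0 and that SSH on port 22 must stay reachable; the INPUT policy is left at ACCEPT with an explicit trailing DROP, and OUTPUT matches on connection state instead of --sport 80.

```shell
#!/bin/sh
# Added example, not code from the thread: builds an iptables-restore ruleset
# that follows the two points above. Assumes (not stated in the thread) that
# the web server listens on port 80 on eth0 and SSH on port 22 must stay open.
WAN_IF="${WAN_IF:-eth0}"
WEB_PORT="${WEB_PORT:-80}"
SSH_PORT="${SSH_PORT:-22}"

build_ruleset() {
    cat <<EOF
*filter
# INPUT policy stays ACCEPT; the explicit "-A INPUT -j DROP" at the end does
# the blocking, so "iptables -F" during a mistake leaves the host reachable.
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
# OUTPUT policy DROP is safe only because the state rule below lets replies
# and new locally initiated connections (updates, DNS) out.
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --dport ${WEB_PORT} -m state --state NEW -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
# Match on connection state, not "--sport 80": web replies and package
# updates from random high ports both pass this one rule.
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Helpers to sanity-check the generated text before loading it.
policy() {        # $1 = chain -> its default policy
    build_ruleset | grep -E "^:$1 " | cut -d' ' -f2
}
last_rule() {     # $1 = chain -> last rule appended to it
    build_ruleset | grep -E "^-A $1 " | tail -n 1
}
count_rules() {   # $1 = chain, $2 = pattern -> number of matching rules
    build_ruleset | grep -E "^-A $1 " | grep -cE "$2" || true
}

# Load only when explicitly asked and running as root:
#   WAN_IF=eth0 sh firewall.sh apply
if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
    build_ruleset | iptables-restore
fi
```

Run it without arguments to inspect the generated ruleset (build_ruleset) and the helper checks; nothing is loaded into the kernel unless you pass apply as root.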