
Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO

Saturday, July 3, 2010

LAMP server with IPtables

Source
Configured a LAMP server with iptables.
And wish to have a redirection from external port 1977 to internal port 80.
(actually they are both external, there is only one NIC)
So far I have set up two input rules,
Accept If protocol is TCP and destination port is 80
Accept If protocol is TCP and destination port is 1977
Two NAT rules,
Prerouting
Redirect If protocol is TCP and destination port is 1977
Output
Redirect If protocol is TCP and destination port is 1977
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1977 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 1977 -j REDIRECT --to-ports 80
-A OUTPUT -p tcp -m tcp --dport 1977 -j REDIRECT --to-ports 80
Now I can connect to http://mijipadres:80 and :1977
BUT I want :80 to be closed for the outside world so that only http://mijipadres:1977 works.
Solutions
-A INPUT -p tcp -i eth0 --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
The DROP drops any communication to port 80, and the redirection fails on port 1977.
--------------------------------------
Add a --source 10.1.1.1/10.1.1255 to your port 80 accept rule to only accept traffic from your LAN (substituting whatever the real LAN range is of course).
If you're doing this via a bash script I'd suggest adding it as a variable just to make the script maintenance easier.
--------------------------------------
No LAN there, it's a LAMP server, one IP only.
--------------------------------------
cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Tue Sep 25 04:43:56 2007
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp ! -i lo --dport 1977 -j REDIRECT --to-ports 80
-A OUTPUT -p tcp -m tcp --dport 1977 -j REDIRECT --to-ports 80
COMMIT
# Completed on Tue Sep 25 04:43:56 2007
# Generated by iptables-save v1.3.5 on Tue Sep 25 04:43:56 2007
*mangle
:PREROUTING ACCEPT [11:1218]
:INPUT ACCEPT [11:1218]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:3813]
:POSTROUTING ACCEPT [11:3845]
COMMIT
# Completed on Tue Sep 25 04:43:56 2007
# Generated by iptables-save v1.3.5 on Tue Sep 25 04:43:56 2007
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Accept any TCP packet with the ACK flag set, regardless of connection state (the ESTABLISHED rule below already covers legitimate replies)
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Drop unsolicited UDP from source port 53 to high ports (replies to our own DNS queries already match the ESTABLISHED rule above)
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j DROP
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Web server: drop port 80 on eth0, then accept 80 and 1977. Traffic redirected from 1977 arrives here with dport 80 (nat PREROUTING runs first), so the DROP also kills it
-A INPUT -p tcp -i eth0 --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1977 -j ACCEPT
COMMIT
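The ruleset above fails because nat PREROUTING rewrites the destination port before the filter INPUT chain sees the packet, so a DROP on port 80 cannot tell a redirected 1977 connection from a direct hit on 80. As an added example (not code from the thread or from any of its participants), the following shell script builds a ruleset that exposes the web server only on the public port and keeps port 80 closed to the outside, by matching on the connection's original destination port in the filter table. It assumes a single interface eth0, an iptables build with the xt_conntrack match (--ctorigdstport) and an SSH daemon on port 22 that should stay reachable; all three are configurable through environment variables.

```shell
#!/bin/sh
# Added example, not code from the original thread. Expose the web server only
# on PUBLIC_PORT (1977) while port WEB_PORT (80) stays closed to the outside.
# Assumptions: one interface (eth0), iptables with the xt_conntrack match
# (--ctorigdstport), and an SSH daemon on port 22 that should stay reachable.

WAN_IF="${WAN_IF:-eth0}"
PUBLIC_PORT="${PUBLIC_PORT:-1977}"
WEB_PORT="${WEB_PORT:-80}"
SSH_PORT="${SSH_PORT:-22}"

# Print an iptables-restore ruleset on stdout ("#" lines are comments to iptables-restore).
build_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# nat PREROUTING runs before filter INPUT: the packet is rewritten to dport
# $WEB_PORT here, which is why a plain DROP on $WEB_PORT in INPUT also kills
# the redirected traffic.
-A PREROUTING -i $WAN_IF -p tcp --dport $PUBLIC_PORT -j REDIRECT --to-ports $WEB_PORT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
# Accept the already redirected packet only if the client originally asked
# for $PUBLIC_PORT. A client connecting straight to $WEB_PORT keeps original
# port $WEB_PORT in conntrack, does not match, and falls to the DROP policy.
-A INPUT -i $WAN_IF -p tcp --dport $WEB_PORT -m conntrack --ctstate NEW --ctorigdstport $PUBLIC_PORT -j ACCEPT
COMMIT
EOF
}

# The single INPUT rule that admits web traffic, for inspection.
web_accept_rule() {
    build_rules | grep -- "--ctorigdstport"
}

# Number of INPUT rules that accept WEB_PORT without the original-port
# condition. Must be 0, otherwise port 80 is reachable directly.
unconditional_web_accepts() {
    build_rules | grep -- "-A INPUT.*--dport $WEB_PORT.*-j ACCEPT" \
        | grep -vc -- "--ctorigdstport" || true
}

# Parse-check the ruleset without loading it (iptables-restore --test), or load it.
check_rules() { build_rules | iptables-restore --test; }
apply_rules() { build_rules | iptables-restore; }

case "${1:-}" in
    show)  build_rules ;;
    check) check_rules ;;
    apply) apply_rules ;;
esac
```

Run it as `sh expose-1977.sh show` to review the generated rules, `check` to parse them, and `apply` (as root) to load them; because the ruleset is atomic via iptables-restore, a typo cannot leave the host half-filtered. Unlike the posted configuration, it has no blanket accept for TCP packets with the ACK flag set: the ESTABLISHED,RELATED rule already admits replies, and the blanket rule would let any non-SYN segment through to every port. On an iptables too old for --ctorigdstport, the same separation can be made by setting a MARK on dport 1977 in the mangle PREROUTING chain (which also runs before nat) and accepting `--dport 80 -m mark --mark 1` in INPUT.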
