Open ports only on specific domains - dns

I am looking for the right command to open ports only to specific domains. The domain and its subdomain, go to the same server (CentOS)
However, for security reasons, I only want to open the posts on specific subdomains.
On the other domains the ports should not be reachable, so the ftp port 21 should only be open on ftp.domain.com and not on e.g. ssh.domain.com or mysql.domain.com
So I want to block everything (exclude port 80 and 443) and only allow specific ports to specific domains.
example
21 on ftp.domain.com
22 on ssh.domain.com
3306 on mysql.domain.com
I know it should work with iptables, but unfortunately I have trouble finding the right command.
I have found this only but i will only accept incoming ports.
iptables -A OUTPUT -p udp --sport 53 -m string --string "google.com" --algo bm -j ACCEPT
Maybe you have a more elegant solution than iptables.

You can do this by using some reverse proxy server. The proxy server can filter the desired traffic to the actual service.
So how it will work is -
Let all your request come to reverse proxy server. eg. HAPROXY or nginx (both work at Layer 4 and 7)
Put a rule for the hostname in the proxy server config.
Forward the desired traffic to the actual host.

Related

load static IP without specifying port

I am using AWS lightsail for the first time. I cloned my git repository to my htdocs and opened port 3000 on my networking ipv4 firewall. What im trying to do is load my node site with my aws static IP. It currently works when I specify the specific port like: 98.222.124.4:3000 but I wanted it to load the site without having to specify the port so I followed the steps found here https://docs.bitnami.com/ibm/infrastructure/nodejs/administration/create-custom-application-nodejs/ under "Create A Custom Virtual Host" but the specified method is not working. I still need to specify the port in order for the site to load. What I basically did was edit the documentRoot and directory paths to my repositories location then restarted apache but this didn't let me access the site without the port. Where did I go wrong. How can I load the site without specifying a port in the url?
It took me a minute to land on this solution but the only method that worked was this:
First try this after installing iptables:
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000
What you basically did is forward all port 80 traffic to port 3000. Then check and see if site is loading without specifying the port in URL. If it works go to step 2.
Step 2:
open the /etc/rc.local file with vim or other editor and add
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000 to the file. Notice sudo is not included because the file already runs as root. We are implementing step 2 because we want the port redirected when the machine boots up.

Redirect Port via iptables on AWS EC2 Ubuntu instance

I have a running AWS EC2 instance on an Ubuntu machine running a Nodejs server.
Everything works fine then opening the website via its public ip on port 3000 likes this:
http://XX.XXX.XXX.XXX:3000
Now I want to redirect all requests from port 80 to this port 3000 via iptables like described in this video: https://www.youtube.com/watch?v=WxhFq64FQzA via
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000.
Unfortunately I am getting this error: http://prntscr.com/lja6hx when opening the site like this: http://XX.XXX.XXX.XXX (without port 3000 specified)
P.S.: I'm not really sure if my approach is correct. I am open to other ways of achieving a redirect from port 80 (http) to port 3000
As #Vorsprung suggested I should use an Application Load Balancer. I did this but it's still not working. Here is my setup:
My Application Load Balancer Listener
The Target Group I'm forwarding to in my ALB
My hosted zone (I've added the alias for the ALB here)
Please let me know if something is missing
either use nginx see https://nodebb.readthedocs.io/en/latest/configuring/proxies/nginx.html
or
you are on AWS! Use an ALB.. see https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancer-tutorials.html

imap.domain.com - how to forward to port?

I'm trying to make an imap server from scratch in node.js (primarily to learn about node.js and imap protocol).
How do I direct traffic from the imap subdomain (imap.mydomain.com) to port 143 on the server (where my server code is listening). I've updated iptables with this rule:
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
But it still doesn't work.
My DNS is like this:
A record - mydomain.com => 1.1.1.1 (my example ip address)
CNAME record - mail.mydomain.com => mydomain.com
mydomain.com redirects and is handled by apache. Could apache be overruling it? Maybe I need to add a host in /etc/hosts for the sub-domain?
Also, when doing telnet:
telnet 1.1.1.1 143
I get a "no route to host" error. So that tells me the route direct via the ip from the sub-domain doesn't work either...
I've checked out dovecot and postfix and it seems like they handle the port listening internally, so I couldn't see any clues from their install / config instructions.
It would be great if anyone could offer instructions on how to make sure the imap.mydomain.com subdomain properly forwards to the imap server.
Thanks!!!
There is no redirection or forwarding. IMAP is simply a different protocol than HTTP (i.e. "web") and to use IMAP the server has to listen on port 143 and the client has to connect to this port. Just look at the settings of your mail client.

Squid routing SSL traffic

Good day,
I have a setup in which I am routing my received packets at my Mikrotik router to a squid server.
I also can see the incoming traffic with Tcpdump that it is actually ariving # the correct port (443) on Squid Proxy server.
On the next step I have
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 10.0.2.51:3127
(that is all I have on iptable rules)
Which routes the received 443 traffic to port 3127 which is my squid SSL port.
I am getting page not found error on my browser.
Now I know that my Squid is setup correctly, because when I input the proxy server adress manually 10.0.2.51:3127 for SSL in the Mozilla browser all is working great, all SSL pages are logged with SSLbump.
Could someone please help with figuring out why this isn't working correctly, I am quite new to proxies?
You are DNATing packets going to the proxy.
But are you SNATing the packets coming back from the proxy ?

Redirect outgoing connection to localhost

Is it possible to redirect outgoing connection back to localhost using iptables?
For example, if php script requests someonlinesite.com/bla.php then it would redirect to 127.0.0.1/bla.php
OS: Debian 7
The question does not really make much sense the way it currently is asked.
Most likely you are trying to redirect a http request? Then you should take a closer look at your systems name resolution, since that is the step that translates the host name someonlinesite.com to an ip address. So that is where you want to manipulate.
You might also want to consider using a proxy as an alternative. But a pure iptables based solution is questionable, since in typical setups the local http server will not react to incoming requests to a remote ip address...
try with:
iptables -t nat -A OUTPUT -d 0/0 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:80
Thank you for replies, i managed to do it with hosts file.
/etc/hosts
127.0.0.1 domain.com
Now it redirects always to localhost when script tryes to reach domain.com

Resources