I'm stumped.
This is how my iptables are configured on Debian 7.
sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8090 -j ACCEPT
-A FORWARD -d 127.0.0.1/32 -i eth0 -p tcp -m state --state NEW -m tcp --dport 8090 -j ACCEPT
-A FORWARD -d 10.1.130.5/32 -i eth0 -p tcp -m state --state NEW -m tcp --dport 8090 -j ACCEPT
Basically forwarding port 80 to port 8090.
I also have an instance of Apache Tomcat running and listening on port 8090. e.g.
sudo lsof -i :8090
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 15081 user1 36u IPv6 164737 0t0 TCP *:8090 (LISTEN)
However, whenever I try to connect via a browser nothing get returned. Its the same using Wget. e.g.
wget www.test.com/confluence
--2016-04-22 16:59:22-- http://www.test.com/confluence
Resolving www.test.com... 10.1.130.5
Connecting to www.test.com|10.1.130.5|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /bootstrap/selectsetupstep.action [following]
--2016-04-22 16:59:22-- http://se- www.test.com/bootstrap/selectsetupstep.action
Reusing existing connection to www.test.com:80.
HTTP request sent, awaiting response...
There is nothing in your ruleset that actually forwards ports. You have INPUT rules, which will accept or reject packets destined for the local host, and you have FORWARD rules, which will accept or reject rules transiting the machine to another address, but you don't have anything that actually changes the target port of a connection.
If you actually want to change some aspect of a connection, this falls into the broad category of "network address translation" (NAT), which is carried out in the nat table, rather than the default filter table.
Possibly you need REDIRECT rule in your nat table:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 \
-j REDIRECT --to-ports 8090
Note that a REDIRECT rule will only operate on traffic that does not originate on the local host. You will need to test this from another host on the network (or from inside a container or a vm).
Alternatively, you could accomplish something similar using proxy software such as haproxy.
Some additional reading:
http://www.cyberciti.biz/faq/linux-port-redirection-with-iptables/
https://serverfault.com/questions/179200/difference-beetween-dnat-and-redirect-in-iptables
https://wiki.debian.org/Firewalls-local-port-redirection
Related
I would like to restrict port 80 and 443 of ovh servers to a single ip. I have tried adding iptables rules and tried messing about with hosts.allow and hosts.deny, but nothing seems to work.
They should work but you probably do something wrong. Would be better to provide us the way you try to do it so we can see if it's wrong or not. Your question is kinda generic "ovh servers". I suppose you are referring to an ovh server and not to all of them.
iptables -A INPUT -p all -s your_ip -j ACCEPT iptables -A INPUT -s
ip_address -p tcp --dport 80 -j ACCEPT iptables -A INPUT -s ip_address
-p tcp --dport 443 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j DROP iptables -A INPUT -p tcp --dport 443 -j DROP
your_ip is the ip address your are connecting to the server via ssh
ip_address is the ip address you want to allow ports 80 and 443
Give it a try! Sorry for any wrong typos, I'm writing from my phone
In my CentOS 6 i added a IPtables rules like DROP all the policy like
iptables -P INPUT DROP
Then I allow Port NO 22,80,443 with this command,
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
Now can access SSH with putty. But i can't access Internet. I have to know the exact problem of this.? Please help me.
Ofcourse you cannot access the Internet. You just added a rule that drops all incoming traffic (except for traffic coming in to ports 22, 80 and 443).
When you try to access the internet (if you're using a browser), your machine establishes a connection from
<local IP>:<port1> <----> <remote IP>:80
When the remote server responds to you, it will respond back to the same port1 that you sent the request from (which will NOT be 22, or 80, or 443. It will be a number usually higher than 32768), so it will get dropped by iptables.
Try these rules instead:
iptables -P INPUT DROP
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
The second rule tells IP tables to ACCEPT traffic that is coming to us, if it's coming to a port that we used to send outgoing traffic. This will allow you to see the response from the server, which you were dropping.
However, there's still a problem with DNS traffic, since it uses UDP not TCP. You can work around that by changing the first rule to:
iptables -P INPUT -p tcp DROP
so it only drops TCP traffic but not UDP traffic. There may be other ways to work around the DNS problem, depending on what exactly you want to do.
So your final ruleset should look like this:
iptables -P INPUT -p tcp DROP
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
I would like to block traffic to a VM running on my machine except for certain ports. I added some rules to virtual bridge to accept traffic on port 80 in the filter table in the FORWARD chain, since the virtual bridge is set up to forward traffic from the VMs.
I wrote the following:
sudo iptables -F
sudo iptables -I FORWARD -o [bridge_iface] -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD -i [bridge_iface] -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD -o [bridge_iface] -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD -i [bridge_iface] -p tcp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -P FORWARD DROP
When I connect tot he vm on the bridge i can't connect to an external web site. If i remove the last line, of course, everything works but everything is open too. So that's not quite right.
IF you want to drop the traffic TO your VM, why are you filtering also the other direction, do you really want to prevent your VM from accessing the internet?
iptables -I FORWARD -o [bridge_iface] -m state --state NEW,ESTABLISHED -j DROP
iptables -I FORWARD -o [bridge_iface] -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
iptables -I FORWARD -o [bridge_iface] -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
Please note: DNS is using mostly UDP, not TCP, so you should filter for UDP.
The whole idea about my setup: you should ALLOW your computer to forward anything, only DROP connections to a specific interface by default, and open the specific ports also on thad device.
I suspect that you're using port forwarding on incoming connections on port 80 and 53 to be served by the VM, am i correct ?
If you want to deny your VM from accessing the internet, except for the 2 ports we just set up, you have to change -o to -i in the script.
I'm working with an Ubuntu 12.04 LTS, 64 Bit server there I have used the following commands to send all http request on port 80 to port 8080
Commands:
cat /proc/sys/net/ipv4/ip_forward #returns 1
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
From there I wanted to proxy the requests based on (sub)domain to some other ports (i.e. 9000, 3000, 9615) using http-master. I'm having some problems getting this done and had it right once on a VPS on amazon aws where those ports where opened.
So what I'm asking is if it's necessary to open every port and how I can do that on the command line?
After some further research and experimentation I concluded that it's only necessary to open the port that we use as entry points. If we then route it with a proxy or even with NAT configuration to another PORT, the latter will be used only to "listen".
i have to configure my server to redirect from 80 and 443 port due to 8443 using iptables
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80:443 -j REDIRECT --to-ports 8443
when i browse like https protocol everything is working, but when from http, i can just donwnload a file, and don't see anything
8443 port is intended mainly to use as HTTPS proxy. Sending plain HTTP to this port will not work. You should keep separated HTTP and HTTPS traffic by sending them to a different port (normally 8080) of your transparent proxy.
using this rule :
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80:443 -j REDIRECT --to-ports 8443
you allowed only incoming traffic to to be sent to port 8443, but still the outgoing traffic needs to be routed