i have to configure my server to redirect from 80 and 443 port due to 8443 using iptables
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80:443 -j REDIRECT --to-ports 8443
when i browse like https protocol everything is working, but when from http, i can just donwnload a file, and don't see anything
8443 port is intended mainly to use as HTTPS proxy. Sending plain HTTP to this port will not work. You should keep separated HTTP and HTTPS traffic by sending them to a different port (normally 8080) of your transparent proxy.
using this rule :
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80:443 -j REDIRECT --to-ports 8443
you allowed only incoming traffic to to be sent to port 8443, but still the outgoing traffic needs to be routed
Related
I'm new to iptables and Linux-firewall in general. Can somebody help me with it?
I want to write a table using iptables that will log outgoing TCP connections to a specific IP address, except these that go through port 80 (HTTP).
Her is what I have so far:
iptables -N LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -p tcp -m tcp --dport 80 -j DROP
iptables -A LOGGING -p tcp -m tcp -d 149.20.4.69 -j LOG --log-prefix "My logging: " --log-level 4
Here is my previous try. This should log all outgoing connections to the chosen IP but I don't know how to filter out port 80 (HTTP).
iptables -A OUTPUT -p tcp -s 149.20.4.69 -j LOG —log-prefix 'OUTPUT TCP: ' —log-level 4
You could just use a not condition to exclude port 80
# Log TCP traffic to x.x.x.x for all destination ports except 80
iptables -A OUTPUT -p tcp -d x.x.x.x ! --dport 80 -j LOG
I would like to restrict port 80 and 443 of ovh servers to a single ip. I have tried adding iptables rules and tried messing about with hosts.allow and hosts.deny, but nothing seems to work.
They should work but you probably do something wrong. Would be better to provide us the way you try to do it so we can see if it's wrong or not. Your question is kinda generic "ovh servers". I suppose you are referring to an ovh server and not to all of them.
iptables -A INPUT -p all -s your_ip -j ACCEPT iptables -A INPUT -s
ip_address -p tcp --dport 80 -j ACCEPT iptables -A INPUT -s ip_address
-p tcp --dport 443 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j DROP iptables -A INPUT -p tcp --dport 443 -j DROP
your_ip is the ip address your are connecting to the server via ssh
ip_address is the ip address you want to allow ports 80 and 443
Give it a try! Sorry for any wrong typos, I'm writing from my phone
I'm stumped.
This is how my iptables are configured on Debian 7.
sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8090 -j ACCEPT
-A FORWARD -d 127.0.0.1/32 -i eth0 -p tcp -m state --state NEW -m tcp --dport 8090 -j ACCEPT
-A FORWARD -d 10.1.130.5/32 -i eth0 -p tcp -m state --state NEW -m tcp --dport 8090 -j ACCEPT
Basically forwarding port 80 to port 8090.
I also have an instance of Apache Tomcat running and listening on port 8090. e.g.
sudo lsof -i :8090
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 15081 user1 36u IPv6 164737 0t0 TCP *:8090 (LISTEN)
However, whenever I try to connect via a browser nothing get returned. Its the same using Wget. e.g.
wget www.test.com/confluence
--2016-04-22 16:59:22-- http://www.test.com/confluence
Resolving www.test.com... 10.1.130.5
Connecting to www.test.com|10.1.130.5|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /bootstrap/selectsetupstep.action [following]
--2016-04-22 16:59:22-- http://se- www.test.com/bootstrap/selectsetupstep.action
Reusing existing connection to www.test.com:80.
HTTP request sent, awaiting response...
There is nothing in your ruleset that actually forwards ports. You have INPUT rules, which will accept or reject packets destined for the local host, and you have FORWARD rules, which will accept or reject rules transiting the machine to another address, but you don't have anything that actually changes the target port of a connection.
If you actually want to change some aspect of a connection, this falls into the broad category of "network address translation" (NAT), which is carried out in the nat table, rather than the default filter table.
Possibly you need REDIRECT rule in your nat table:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 \
-j REDIRECT --to-ports 8090
Note that a REDIRECT rule will only operate on traffic that does not originate on the local host. You will need to test this from another host on the network (or from inside a container or a vm).
Alternatively, you could accomplish something similar using proxy software such as haproxy.
Some additional reading:
http://www.cyberciti.biz/faq/linux-port-redirection-with-iptables/
https://serverfault.com/questions/179200/difference-beetween-dnat-and-redirect-in-iptables
https://wiki.debian.org/Firewalls-local-port-redirection
In my CentOS 6 i added a IPtables rules like DROP all the policy like
iptables -P INPUT DROP
Then I allow Port NO 22,80,443 with this command,
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
Now can access SSH with putty. But i can't access Internet. I have to know the exact problem of this.? Please help me.
Ofcourse you cannot access the Internet. You just added a rule that drops all incoming traffic (except for traffic coming in to ports 22, 80 and 443).
When you try to access the internet (if you're using a browser), your machine establishes a connection from
<local IP>:<port1> <----> <remote IP>:80
When the remote server responds to you, it will respond back to the same port1 that you sent the request from (which will NOT be 22, or 80, or 443. It will be a number usually higher than 32768), so it will get dropped by iptables.
Try these rules instead:
iptables -P INPUT DROP
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
The second rule tells IP tables to ACCEPT traffic that is coming to us, if it's coming to a port that we used to send outgoing traffic. This will allow you to see the response from the server, which you were dropping.
However, there's still a problem with DNS traffic, since it uses UDP not TCP. You can work around that by changing the first rule to:
iptables -P INPUT -p tcp DROP
so it only drops TCP traffic but not UDP traffic. There may be other ways to work around the DNS problem, depending on what exactly you want to do.
So your final ruleset should look like this:
iptables -P INPUT -p tcp DROP
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
I bought a domain on GoDaddy but developed the website using Node.js. So, I bought a VPS on VPSGet and deployed the server. I managed to link the domain name to the VPS IP address. However, since my node.js application is running a particular port number I needed to do port forwarding so that www.domain-name.com will redirect to the process and port on the VPS. I tried to configure my firewall as follows
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 7497
COMMIT
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbounds connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbounds traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere. Here, we use normal ports for http and ssl
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow http connections to node.js app
-A INPUT -p tcp --dport 7497 -j ACCEPT
-A INPUT -p tcp --dport 7525 -j ACCEPT
-A INPUT -p tcp --dport 2368 -j ACCEPT
# Allow forwarding to port 7497
-A FORWARD -p tcp -m tcp --dport 7497 -j ACCEPT
# Allow ports for testing
-A INPUT -p tcp --dport 8080:8099 -j ACCEPT
# Allow ports for mobile shell
-A INPUT -p tcp --dport 60000:61000 -j ACCEPT
# Allow ssh connections
-A INPUT -p tcp -m state --state NEW --dport 7112 -j ACCEPT
# Allow Ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied:" --log-level 7
# Reject all other outbounds
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
However, the redirection is not working. Could someone tell me what I am doing wrong? Please note that I am running a Ubuntu 12.04 on the VPS.
Thanks,
José
Have you tried to create the support request with detailed explanation to vpsget.com ?
Regarding to the wiki
http://wiki.vpsget.com/index.php/Forward_(redirect/nat)_traffic_with_iptables
you should use venet0 instead eth0