Configuring IPtables for PHP-FPM - linux

So I have a CentOS server with Nginx and now want to run Nginx with PHP-FPM. By default it's configured to port 9000 but I'm going to use 9001. I need to know how to open port 9001 for loopback in my iptables. Which of the following are correct, are they the same, or both wrong? Any help will be appreciated, thanks :)
iptables -A INPUT -p tcp -s 127.0.0.0 --dport 9001 -j ACCEPT
or
iptables -A INPUT -i lo --dport 9001 -j ACCEPT

You shouldn't need to open the firewall to connect to localhost, as it shouldn't be firewalled anyway (as a general rule).
But I would suggest following the above advice to use sockets instead.
Edit /etc/php5/fpm/php5-fpm.conf and search for these two lines:
listen = /var/run/php5-fpm.sock
;listen = 127.0.0.1:9000
Comment out the port one and uncomment the sock one - restart php-fpm :)

Related

How to make correct iptable rule like browser port configuration

After searching the forums with no matching results, I asking hear.
I want to redirect every browser request in destination port 80 to another port (for example 8080). all in the localhost.
My workplace is linux, and I want to use the iptables rules and python code server.
The rule I used is:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8080.
I also tried some other flags like specific ip source and server etc.
The server listening on port 8080 is:
#!/usr/bin/env python
import SimpleHTTPServer
import SocketServer
def redirect_factory():
class RedirectServer(SimpleHTTPServer.SimpleHTTPRequestHandler):
def do_GET(self):
self.send_response(301)
self.send_header('Location', 'www.IdontCare.IdontKnow')
self.end_headers()
return RedirectServer
redirectServer = redirect_factory()
handler = SocketServer.TCPServer(('', 8080), redirectServer)
print("serving at port %s" % 8080)
handler.serve_forever()
The problem is that it works well when I configure my browser in the connection settings (without adding the iptables rules) like this:
But when I use the iptables rules it says that it have a broken pipe, and the browser request didn't received at all in the server. So if I write in the URL in the browser www.google.com I can't see it with the self.path value.
EDIT:
Here is the iptables -t nat -nvL --line-numbers output:
the rule is working, but it not done what I suppose.
I play a little with the rules, and if I put one of the next rules I can see in the CNAME in the self.headers value.
the rules is (I can just choose one of them):
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 80
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1
If I not mistake, both of them done the same thing.
what am I do wrong ?
and how to make it work with iptables rules like the configuration of the browser?
Thanks!

How can i restrict ports 80 and 443 in xenservers to a single source?

I would like to restrict port 80 and 443 of ovh servers to a single ip. I have tried adding iptables rules and tried messing about with hosts.allow and hosts.deny, but nothing seems to work.
They should work but you probably do something wrong. Would be better to provide us the way you try to do it so we can see if it's wrong or not. Your question is kinda generic "ovh servers". I suppose you are referring to an ovh server and not to all of them.
iptables -A INPUT -p all -s your_ip -j ACCEPT iptables -A INPUT -s
ip_address -p tcp --dport 80 -j ACCEPT iptables -A INPUT -s ip_address
-p tcp --dport 443 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j DROP iptables -A INPUT -p tcp --dport 443 -j DROP
your_ip is the ip address your are connecting to the server via ssh
ip_address is the ip address you want to allow ports 80 and 443
Give it a try! Sorry for any wrong typos, I'm writing from my phone

Allow MongoDB remote access for specific IP

I have an application server with some PHP code on it which needs to access a distant MongoDB server.
In order to do this I want to allow remote access on my MongoDB server, but only for the application server IP.
I understand that I need to change the bind_ip value located in /etc/mongodb.conf in order to do this.
I changed it from bind_ip=127.0.0.1 to bind_ip=111.222.33.44 (where 111.222.33.44 is my application server IP), but it doesn't work (my PHP code says "Connection refused"). However, if I set the value to bind_ip=0.0.0.0, it works. Why? I don't want to let anyone try to connect on my MongoDB server.
The bind_ip tells the mongod on which IP address to listen on for incoming connections. So if you set it to 127.0.0.1, the mongod would only listen on localhost, and – vice versa – you could only connect when on the same machine.
When setting it to a different IP address, each host able to communicate with said IP can connect to MongoDB.
In order to make sure only your application server can talk to your MongoDB instance, you need to configure a firewall either on the server running MongoDB or somewhere in front of it.
As far as I see mongodb only allow you to set a single IP for connection (or 0.0.0.0 for any IP)
What you can do to secure your mongo instance is to use firewall like iptables to only allow specific IP's.
Run the following commands for every IP you want to allow:
iptables -A INPUT -s 111.222.33.44 -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d 111.222.33.44 -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT
and than to block all else (blocked some other ports used by mongodb)
iptables -A INPUT -p tcp --dport 27017 -j DROP
iptables -A INPUT -p tcp --dport 27018 -j DROP
iptables -A INPUT -p tcp --dport 27019 -j DROP
have a look at the Make iptables Rules Persistent section of the mongo guide on how to make those rules survive reboot.

Is it necessary to open all used ports when using one Node.JS application to route from port 80 to apps on different ones?

I'm working with an Ubuntu 12.04 LTS, 64 Bit server there I have used the following commands to send all http request on port 80 to port 8080
Commands:
cat /proc/sys/net/ipv4/ip_forward #returns 1
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
From there I wanted to proxy the requests based on (sub)domain to some other ports (i.e. 9000, 3000, 9615) using http-master. I'm having some problems getting this done and had it right once on a VPS on amazon aws where those ports where opened.
So what I'm asking is if it's necessary to open every port and how I can do that on the command line?
After some further research and experimentation I concluded that it's only necessary to open the port that we use as entry points. If we then route it with a proxy or even with NAT configuration to another PORT, the latter will be used only to "listen".

Iptables: Redirect to port 8080 and ACCEPT only one IP address

Background Info: I have rooted an android phone and installed droidwall to get access to iptables. The kernel version is 2.6.35.7-perf.
Objective: Test the efficiency of a proxy (on port 8080) from a comparison of the traffic flow with and without the proxy.
I am able to get a test without going through the proxy with the rules from here
Method: I have creating a test website on a single IP address. I am using an application that monitors how many packets/bytes have been transmitted and recieved by the phone.
Problem: Due to unknown background traffic, unwanted packets are being sent and recieved.
Solution: Use iptables to only allow a connection to one website so I can properly monitor the traffic.
How would I go about this?
Try the following:
iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp -s 1.2.3.4 --dport 8080 -j ACCEPT
The first rule should redirect al traffic from 1.2.3.4 to the port 8080, while the second states to accept such packet.
Now you should set on DROP the default policy for INPUT so that every other packet is discarded:
iptables -P INPUT DROP
Be careful. This is a very restrictive rule.

Resources