From: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
To: Patrick <boysdk@hotmail.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Urgent: Please help me about block port 80
Date: Thu, 20 May 2004 23:16:57 -0400 [thread overview]
Message-ID: <1085109417.23610.12.camel@localhost> (raw)
In-Reply-To: <40AC6EA8.69A94AF4@hotmail.com>
On Thu, 2004-05-20 at 04:39, Patrick wrote:
> Dear sir/madam,
>
> My goal is to allow only one IP(192.168.1.10) to access my server via
> port 80 or 8080 and forward all request from port 80 to port 8080.
>
> What I do is as below.
>
> *nat
> :PREROUTING ACCEPT [1:48]
> :POSTROUTING ACCEPT [3:230]
> :OUTPUT ACCEPT [3:230]
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> COMMIT
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Lokkit-0-50-INPUT - [0:0]
> -A INPUT -j RH-Lokkit-0-50-INPUT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 192.168.1.10/255.255.255.255
> --dport 8080 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 192.168.1.10/255.255.255.255
> --dport 80 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
> COMMIT
>
> It seems that the port 80 and 8080 open to public after I add prerouting
> rule. Would you mind how I could acheive my goal? Thanks a lot.
>
> Best regards,
> Patrick
Indeed, it looks like there's not much to keep them out! When you change
the dport from 80 to 8080, it zips right around the one REJECT rule you
have as would any UDP traffic or any TCP traffic above 1023 for that
matter. I would suggest changing the INPUT and FORWARD policies to DROP
rather than ACCEPT. This will drop everything that is not explicitly
allowed. Right now, you are allowing everything that is not explicitly
denied. I also normally set my OUTPUT policy to DROP as well. This
way, in case someone does compromise my firewall, there is only so much
they can do (unless, of course, they change the OUTPUT rules!).
I would suggest perusing a good iptables tutorial such as Oskar
Andreasson's (there's a link to it at http://www.netfilter.org). There
is also a slide show on iptables in the training section at
http://iscs.sourceforge.net.
Good luck - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
next prev parent reply other threads:[~2004-05-21 3:16 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-05-20 8:39 Urgent: Please help me about block port 80 Patrick
2004-05-21 3:16 ` John A. Sullivan III [this message]
2004-05-21 14:35 ` Aleksandar Milivojevic
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1085109417.23610.12.camel@localhost \
--to=john.sullivan@nexusmgmt.com \
--cc=boysdk@hotmail.com \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.