* Urgent: Please help me about block port 80
@ 2004-05-20  8:39 Patrick
  2004-05-21  3:16 ` John A. Sullivan III
  2004-05-21 14:35 ` Aleksandar Milivojevic
  0 siblings, 2 replies; 3+ messages in thread
From: Patrick @ 2004-05-20  8:39 UTC (permalink / raw)
  To: netfilter

Dear sir/madam,

My goal is to allow only one IP (192.168.1.10) to access my server via
port 80 or 8080 and forward all requests from port 80 to port 8080.

What I do is as below.

*nat
:PREROUTING ACCEPT [1:48]
:POSTROUTING ACCEPT [3:230]
:OUTPUT ACCEPT [3:230]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 192.168.1.10/255.255.255.255 --dport 8080 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 192.168.1.10/255.255.255.255 --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
COMMIT

It seems that ports 80 and 8080 are open to the public after I add the prerouting
rule.  Would you mind telling me how I could achieve my goal?  Thanks a lot.

Best regards,
Patrick



* Re: Urgent: Please help me about block port 80
  2004-05-20  8:39 Urgent: Please help me about block port 80 Patrick
@ 2004-05-21  3:16 ` John A. Sullivan III
  2004-05-21 14:35 ` Aleksandar Milivojevic
  1 sibling, 0 replies; 3+ messages in thread
From: John A. Sullivan III @ 2004-05-21  3:16 UTC (permalink / raw)
  To: Patrick; +Cc: netfilter

On Thu, 2004-05-20 at 04:39, Patrick wrote:
> Dear sir/madam,
> 
> My goal is to allow only one IP (192.168.1.10) to access my server via
> port 80 or 8080 and forward all requests from port 80 to port 8080.
> 
> What I do is as below.
> 
> *nat
> :PREROUTING ACCEPT [1:48]
> :POSTROUTING ACCEPT [3:230]
> :OUTPUT ACCEPT [3:230]
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> COMMIT
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Lokkit-0-50-INPUT - [0:0]
> -A INPUT -j RH-Lokkit-0-50-INPUT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 192.168.1.10/255.255.255.255 --dport 8080 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 192.168.1.10/255.255.255.255 --dport 80 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
> COMMIT
> 
> It seems that ports 80 and 8080 are open to the public after I add the prerouting
> rule.  Would you mind telling me how I could achieve my goal?  Thanks a lot.
> 
> Best regards,
> Patrick
Indeed, it looks like there's not much to keep them out! When you change
the dport from 80 to 8080, it zips right around the one REJECT rule you
have as would any UDP traffic or any TCP traffic above 1023 for that
matter.  I would suggest changing the INPUT and FORWARD policies to DROP
rather than ACCEPT.  This will drop everything that is not explicitly
allowed.  Right now, you are allowing everything that is not explicitly
denied.  I also normally set my OUTPUT policy to DROP as well.  This
way, in case someone does compromise my firewall, there is only so much
they can do (unless, of course, they change the OUTPUT rules!).
I would suggest perusing a good iptables tutorial such as Oskar
Andreasson's (there's a link to it at http://www.netfilter.org).  There
is also a slide show on iptables in the training section at
http://iscs.sourceforge.net.
Good luck - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 




* Re: Urgent: Please help me about block port 80
  2004-05-20  8:39 Urgent: Please help me about block port 80 Patrick
  2004-05-21  3:16 ` John A. Sullivan III
@ 2004-05-21 14:35 ` Aleksandar Milivojevic
  1 sibling, 0 replies; 3+ messages in thread
From: Aleksandar Milivojevic @ 2004-05-21 14:35 UTC (permalink / raw)
  To: Patrick; +Cc: netfilter

Patrick wrote:
> Dear sir/madam,
> 
> My goal is to allow only one IP (192.168.1.10) to access my server via
> port 80 or 8080 and forward all requests from port 80 to port 8080.
> 
> What I do is as below.
> 
> *nat
> :PREROUTING ACCEPT [1:48]
> :POSTROUTING ACCEPT [3:230]
> :OUTPUT ACCEPT [3:230]
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> COMMIT
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Lokkit-0-50-INPUT - [0:0]
> -A INPUT -j RH-Lokkit-0-50-INPUT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 192.168.1.10/255.255.255.255 --dport 8080 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 192.168.1.10/255.255.255.255 --dport 80 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
> COMMIT
> 
> It seems that ports 80 and 8080 are open to the public after I add the prerouting
> rule.  Would you mind telling me how I could achieve my goal?  Thanks a lot.

Ditch the lokkit.  It is intended for *very* basic firewall 
configuration.  What you want to do is rather simple, however it is 
above the "basic" level of usage lokkit is intended for.  Mixing lokkit 
with hand-made configuration can screw things up (or overwrite your 
configuration; I believe it inserts a comment in the file along the 
lines of "do not hand edit").  Just remove everything with RH-Lokkit in it, 
and don't use the lokkit utility.

In the filter table, I'd probably change the policy for all three builtin chains 
(INPUT, FORWARD, OUTPUT) to DROP.  And then I'd insert the rules to 
allow only the traffic that I want to allow.  That way, anything that isn't 
explicitly allowed is dropped, which is (IMHO) a better approach than 
patching the gaping holes.  For example, this might be one way to 
rewrite the filter table:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# This will handle returning packets, etc
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# To allow unrestricted access from this machine uncomment the line below
# or add more explicit rules to the OUTPUT chain if you want to control
# what you allow to go out
# -A OUTPUT -m state --state NEW -j ACCEPT

# Now, allow only 80 and 8080 for 192.168.1.10
-A INPUT -s 192.168.1.10 -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.10 -p tcp --dport 8080 -m state --state NEW -j ACCEPT
COMMIT

Note that above is just an idea.  I'm not using anything similar to this 
(other than having default policies set to DROP), nor have I tested it. 
  So you might have to do some adjustments.  I just typed this, so there 
might be a typo or two (should be easy to catch ;-) ).

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
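
As an added illustration of the point both replies make (this is not code from the thread or from netfilter): a small Python model of the packet path for a new TCP SYN, nat PREROUTING first, then filter INPUT, run over Patrick's lokkit ruleset and Aleksandar's DROP-policy rewrite. The "public" address 203.0.113.7 is a constructed test value.

```python
# Added example (not code from the thread): a toy model of the netfilter
# path for locally destined TCP SYNs, where nat PREROUTING (REDIRECT)
# runs before filter INPUT. Rulesets are transcribed from the two posts.
ALLOWED_HOST = "192.168.1.10"

def redirect_80_to_8080(pkt):
    """nat PREROUTING: -p tcp --dport 80 -j REDIRECT --to-ports 8080"""
    return dict(pkt, dport=8080) if pkt["dport"] == 80 else pkt

def walk(chains, policy, chain, pkt):
    """First terminating match wins, else policy; a target naming a user chain jumps."""
    for match, target in chains[chain]:
        if not match(pkt):
            continue
        if target in chains:
            verdict = walk(chains, None, target, pkt)
            if verdict is not None:
                return verdict
            continue  # user chain fell off its end: resume in caller
        return target
    return policy

# Patrick's filter table: INPUT policy ACCEPT, lokkit chain with one REJECT
PATRICK = {
    "INPUT": [(lambda p: True, "RH-Lokkit-0-50-INPUT")],
    "RH-Lokkit-0-50-INPUT": [
        (lambda p: p["src"] == ALLOWED_HOST and p["dport"] == 8080, "ACCEPT"),
        (lambda p: p["src"] == ALLOWED_HOST and p["dport"] == 80, "ACCEPT"),
        (lambda p: 0 <= p["dport"] <= 1023, "REJECT"),
    ],
}

# Aleksandar's rewrite: INPUT policy DROP, explicit allows only (NEW SYNs)
ALEKSANDAR = {
    "INPUT": [
        (lambda p: p["src"] == ALLOWED_HOST and p["dport"] == 80, "ACCEPT"),
        (lambda p: p["src"] == ALLOWED_HOST and p["dport"] == 8080, "ACCEPT"),
    ],
}

def verdict(ruleset, policy, src, dport):
    """Verdict for a new SYN from src to dport: REDIRECT first, then INPUT."""
    pkt = redirect_80_to_8080({"src": src, "dport": dport})
    return walk(ruleset, policy, "INPUT", pkt)

if __name__ == "__main__":
    # 203.0.113.7 is a constructed "public" address (RFC 5737 test range)
    for src, port in [(ALLOWED_HOST, 80), ("203.0.113.7", 80), ("203.0.113.7", 22)]:
        print(src, port, "lokkit:", verdict(PATRICK, "ACCEPT", src, port),
              "drop-policy:", verdict(ALEKSANDAR, "DROP", src, port))
```

The model makes John's point visible: a public SYN to port 80 reaches the lokkit chain already rewritten to 8080, slips past the 0:1023 REJECT, and is accepted by the ACCEPT policy, whereas the DROP-policy table drops it. It also shows that with the REDIRECT in place the port-80 INPUT rule never sees a port-80 packet.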


