block 8080, but redirect from 80 to 8080

Linux Netfilter discussions
 help / color / mirror / Atom feed

* block 8080, but redirect from 80 to 8080
@ 2006-08-01  4:11 Dean Hiller
  2006-08-01 10:46 ` Pascal Hambourg
  0 siblings, 1 reply; 5+ messages in thread
From: Dean Hiller @ 2006-08-01  4:11 UTC (permalink / raw)
  To: netfilter

I would like block all traffic to port 8080 except that which was 
redirected in the nat table from port 80 to 8080. 

I have a default policy of DROP on incoming.  The following is what my 
iptables file currently has and this works, EXCEPT that 8080 is left 
open to anyone....

*nat table.....
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

*filter table.....
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j 
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 
-j ACCEPT

but anyone can go to http://<machine>:8080 which I want to disallow.  
How can I fix that?
thanks,
dean

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: block 8080, but redirect from 80 to 8080
  2006-08-01  4:11 block 8080, but redirect from 80 to 8080 Dean Hiller
@ 2006-08-01 10:46 ` Pascal Hambourg
  2006-08-01 11:42   ` Gáspár Lajos
  2006-08-01 11:54   ` Gáspár Lajos
  0 siblings, 2 replies; 5+ messages in thread
From: Pascal Hambourg @ 2006-08-01 10:46 UTC (permalink / raw)
  To: netfilter

Hello,

Dean Hiller a écrit :
> I would like block all traffic to port 8080 except that which was 
> redirected in the nat table from port 80 to 8080.
> I have a default policy of DROP on incoming.  The following is what my 
> iptables file currently has and this works, EXCEPT that 8080 is left 
> open to anyone....
> 
> *nat table.....
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> 
> *filter table.....
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j 
> ACCEPT

This rule seems useless : port 80 has been redirected to port 8080 in 
the PREROUTING chain, so no valid packet will ever enter the INPUT chain 
with destination port 80.

> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 
> -j ACCEPT
> 
> but anyone can go to http://<machine>:8080 which I want to disallow.  
> How can I fix that?

Quick and dirty :
Drop the undesired packets in the PREROUTING chain of the 'mangle' 
table, before REDIRECT occurs.

iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j DROP (or REJECT)

Better :
Mark the desired packets in the PREROUTING chain of the 'mangle' table 
before REDIRECT occurs and accept only the marked packets in the INPUT 
chain of the 'filter' table.

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
iptables -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp \
   --dport 8080 -m mark --mark 1 -j ACCEPT


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: block 8080, but redirect from 80 to 8080
  2006-08-01 10:46 ` Pascal Hambourg
@ 2006-08-01 11:42   ` Gáspár Lajos
  2006-08-01 12:11     ` Pascal Hambourg
  2006-08-01 11:54   ` Gáspár Lajos
  1 sibling, 1 reply; 5+ messages in thread
From: Gáspár Lajos @ 2006-08-01 11:42 UTC (permalink / raw)
  To: Netfilter IPtableMailinglist


> Quick and dirty :
> Drop the undesired packets in the PREROUTING chain of the 'mangle' 
> table, before REDIRECT occurs.
>
> iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j DROP (or REJECT)
>
I would recomment NOT TO DO any ACCEPT or DROP/REJECT in other than the
filter table...



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: block 8080, but redirect from 80 to 8080
  2006-08-01 11:42   ` Gáspár Lajos
@ 2006-08-01 12:11     ` Pascal Hambourg
  0 siblings, 0 replies; 5+ messages in thread
From: Pascal Hambourg @ 2006-08-01 12:11 UTC (permalink / raw)
  To: Netfilter IPtableMailinglist

Gáspár Lajos a écrit :
> 
>> Quick and dirty :
>> Drop the undesired packets in the PREROUTING chain of the 'mangle' 
>> table, before REDIRECT occurs.
>>
>> iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j DROP (or REJECT)
>>
> I would recomment NOT TO DO any ACCEPT or DROP/REJECT in other than the
> filter table...

I agree, that's why I mentionned "quick and _dirty_" and suggested a 
better solution based on marks. However I think ACCEPT is an acceptable 
target in any table, not only in 'filter'.

By the way, I made a mistake : REJECT is a valid target only in the 
'filter' table, showing if necessary that the other tables are not 
intended for filtering.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: block 8080, but redirect from 80 to 8080
  2006-08-01 10:46 ` Pascal Hambourg
  2006-08-01 11:42   ` Gáspár Lajos
@ 2006-08-01 11:54   ` Gáspár Lajos
  1 sibling, 0 replies; 5+ messages in thread
From: Gáspár Lajos @ 2006-08-01 11:54 UTC (permalink / raw)
  To: Netfilter IPtableMailinglist


> Quick and dirty :
> Drop the undesired packets in the PREROUTING chain of the 'mangle' 
> table, before REDIRECT occurs.
>
> iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j DROP (or REJECT)
>
I would recomment NOT TO DO any ACCEPT or DROP/REJECT in other than the
filter table...




^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2006-08-01 12:11 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-08-01  4:11 block 8080, but redirect from 80 to 8080 Dean Hiller
2006-08-01 10:46 ` Pascal Hambourg
2006-08-01 11:42   ` Gáspár Lajos
2006-08-01 12:11     ` Pascal Hambourg
2006-08-01 11:54   ` Gáspár Lajos

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox