Hello,
Dean Hiller wrote:
> I would like to block all traffic to port 8080 except that which was
> redirected in the nat table from port 80 to 8080.
> I have a default policy of DROP on incoming. The following is what my
> iptables file currently has and this works, EXCEPT that 8080 is left
> open to anyone....
>
> *nat table.....
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>
> *filter table.....
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
This rule seems useless: port 80 has been redirected to port 8080 in
the PREROUTING chain, so no valid packet will ever enter the INPUT chain
with destination port 80.
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
>
> but anyone can go to http://<machine>:8080 which I want to disallow.
> How can I fix that?
Quick and dirty:
Drop the undesired packets in the PREROUTING chain of the 'mangle'
table, before REDIRECT occurs.
iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j DROP (or REJECT)
Better:
Mark the desired packets in the PREROUTING chain of the 'mangle' table
before REDIRECT occurs and accept only the marked packets in the INPUT
chain of the 'filter' table.
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
iptables -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp \
--dport 8080 -m mark --mark 1 -j ACCEPT
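Added illustration, not code from the thread: a small Python model of the order in which a new inbound TCP packet meets the three chains used in the reply (mangle PREROUTING, then nat PREROUTING, then filter INPUT), showing why the MARK has to be set before the REDIRECT. The Packet fields, the sample address and the mark_before_redirect switch are constructed for the demo.

```python
# Toy model of netfilter chain traversal for the ruleset discussed above.
# Constructed for illustration; it is not an iptables implementation.
from dataclasses import dataclass


@dataclass
class Packet:
    src: str      # constructed sample address, only for readability
    dport: int
    mark: int = 0


def mark_port_80(pkt: Packet) -> None:
    # mangle: -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
    if pkt.dport == 80:
        pkt.mark = 1


def redirect_80_to_8080(pkt: Packet) -> None:
    # nat: -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    if pkt.dport == 80:
        pkt.dport = 8080


def filter_input(pkt: Packet) -> str:
    # filter: ... --dport 8080 -m mark --mark 1 -j ACCEPT; anything else
    # falls through to the chain's default policy of DROP.  The old
    # "--dport 80" ACCEPT rule could never match here: dport is already 8080.
    if pkt.dport == 8080 and pkt.mark == 1:
        return "ACCEPT"
    return "DROP"


def verdict(pkt: Packet, mark_before_redirect: bool = True) -> str:
    """Walk one new packet through the chains and return the INPUT verdict.
    With mark_before_redirect=False the MARK rule is evaluated after the
    REDIRECT, so it sees dport 8080 and never fires."""
    if mark_before_redirect:
        mark_port_80(pkt)
        redirect_80_to_8080(pkt)
    else:
        redirect_80_to_8080(pkt)
        mark_port_80(pkt)
    return filter_input(pkt)


if __name__ == "__main__":
    print(verdict(Packet("203.0.113.5", 80)))         # ACCEPT: arrived via :80
    print(verdict(Packet("203.0.113.5", 8080)))       # DROP: direct hit on :8080
    print(verdict(Packet("203.0.113.5", 80), False))  # DROP: mark set too late
```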