Re: block 8080, but redirect from 80 to 8080

Hello,

Dean Hiller wrote:
I would like to block all traffic to port 8080 except that which was redirected in the nat table from port 80 to 8080. I have a default policy of DROP on incoming. The following is what my iptables file currently has and this works, EXCEPT that 8080 is left open to anyone....

*nat table.....
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

*filter table.....
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

This rule seems useless: port 80 has been redirected to port 8080 in the PREROUTING chain, so no valid packet will ever enter the INPUT chain with destination port 80.

-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT

but anyone can go to http://<machine>:8080 which I want to disallow. How can I fix that?

Quick and dirty:
Drop the undesired packets in the PREROUTING chain of the 'mangle' table, before REDIRECT occurs.

iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j DROP (or REJECT)

Better:
Mark the desired packets in the PREROUTING chain of the 'mangle' table before REDIRECT occurs and accept only the marked packets in the INPUT chain of the 'filter' table.

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
iptables -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp \
  --dport 8080 -m mark --mark 1 -j ACCEPT
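As an added illustration (not part of the original thread), here is a small Python model of how one NEW inbound TCP packet walks mangle PREROUTING, nat PREROUTING and filter INPUT under the rules above, in three variants: the rules as posted, the quick-and-dirty mangle DROP, and the MARK approach. `Packet`, `verdict` and the mode names are assumptions of this model, not netfilter APIs.

```python
from dataclasses import dataclass

# Hypothetical names; a deliberately small model of chain traversal, not netfilter itself.
@dataclass
class Packet:
    dport: int          # TCP destination port as seen by the current chain
    mark: int = 0       # nfmark, 0 until a MARK target sets it
    state: str = "NEW"  # conntrack state of the packet

def mangle_prerouting(pkt: Packet, mode: str):
    """mangle/PREROUTING runs before nat/PREROUTING, so it still sees the original port."""
    if mode == "quick" and pkt.dport == 8080:
        return "DROP"  # iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j DROP
    if mode == "mark" and pkt.dport == 80:
        pkt.mark = 1   # iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
    return None        # no verdict yet: continue to the next table

def nat_prerouting(pkt: Packet) -> None:
    """-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080"""
    if pkt.dport == 80:
        pkt.dport = 8080

def filter_input(pkt: Packet, mode: str) -> str:
    """RH-Firewall-1-INPUT with a default policy of DROP."""
    if pkt.state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"  # -m state --state ESTABLISHED,RELATED -j ACCEPT
    if pkt.state == "NEW" and pkt.dport == 8080:
        if mode == "mark":
            # ... --dport 8080 -m mark --mark 1 -j ACCEPT
            return "ACCEPT" if pkt.mark == 1 else "DROP"
        return "ACCEPT"  # rule as posted: ... --dport 8080 -j ACCEPT
    return "DROP"        # chain default policy

def verdict(dport: int, mode: str = "mark") -> str:
    """Walk one NEW TCP packet through the three chains and return the final verdict.
    mode: 'original' (rules as posted), 'quick' (mangle DROP) or 'mark' (MARK + match)."""
    pkt = Packet(dport=dport)
    early = mangle_prerouting(pkt, mode)
    if early is not None:
        return early
    nat_prerouting(pkt)
    return filter_input(pkt, mode)

if __name__ == "__main__":
    for mode in ("original", "quick", "mark"):
        print(mode, {p: verdict(p, mode) for p in (80, 8080, 22)})
```

Only the first packet of a connection is NEW; later packets match the ESTABLISHED rule, which is why the mark only needs to be set and matched for connection setup.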


