4

On CentOS 6.4, I want to block all incoming ports except 22, 80 and 443. 80 (external) should be redirected to 8080 (internal). 443 (external) should be redirected to 8181 (internal). I used the following commands:

service iptables stop
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8181
service iptables save
service iptables restart

However, I can still access ports 8080 and 8181. Is there a way to block ports 8080 and 8181 externally and still have them open internally for redirection from 80 and 443?

Steve

3 Answers

6

There's nothing in your rules dropping any packets. You can accomplish this by setting the default policy of your INPUT chain to DROP. By default it is ACCEPT:

iptables -P INPUT DROP

As you do this, you may begin to notice that your outgoing connections do not work anymore.

You can add rules at the top of your INPUT chain to ACCEPT already established traffic back in.

Do so using the following:

iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT   # -I 1 inserts at the top; -j ACCEPT is the target the rule needs

The RELATED part lets other related traffic through (for instance, ICMP packets sent as a result of something happening in an ESTABLISHED connection).

gparent
0

I would rather create a new chain and then add my rules into this chain. You can do that as follows. First, DROP incoming/forwarding/outgoing traffic:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Then create a chain whose verdict is ACCEPT and add rules inside it:

iptables -N myrules # Create a new chain
iptables -A myrules -m state --state ESTABLISHED,RELATED -j ACCEPT # Return traffic needs a target, otherwise the rule only counts packets
iptables -A myrules -j LOG --log-prefix="Myrules: " # Just a log prefix
iptables -A myrules -j ACCEPT # Packets matching this rule will be ACCEPTed
iptables -A INPUT -i eth0 -p tcp --dport 22 -j myrules

Then, add the redirect rules:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8181

philippe
-2

Do you have multiple NICs on the server or not? You can lock it down that way. You can also easily lock it down by source IPs so you can only allow "INPUT" rules to those ports from specific IPs and only allow "FORWARD" or "PREROUTING" rules from others.

Eric