lazidar

Reputation: 295

iptables redirect 80 to 8080 but block public 8080 access

I have some iptables rules which redirect requests for port 80 onto our application server (GlassFish) at port 8080 (and also the SSL ports, but I've left them out for simplicity).

Whilst what we have works fine (and I don't personally have an issue with it), port 8080 is also open to the outside world if someone wishes to specify it in the URL. It has been mandated that port 8080 should be closed off from access from the outside world and only 80 be open.

I don't wish to change the listener on the application server (as using port 80 appears to need elevated permissions for the user running the app server), and the listener on port 8080 needs to know the source IP of the packet, as the application audits the requests to the application (i.e. we can't change the source IP address to a local one).

The current iptables config is below. Does anyone know if there is a way to block 8080 from the public internet whilst retaining the source IP in the packets redirected from port 80?

Many thanks in advance.

    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP

    # allow establishment of connections initialised by my outgoing packets
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # accept anything on localhost
    iptables -A INPUT -i lo -j ACCEPT

    ################################################################
    #individual ports tcp
    ################################################################
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

    #drop everything else
    iptables -A INPUT -j DROP

    ################################################################
    #Redirection Rules
    ################################################################
    # redirection rules (allowing forwarding from localhost)
    iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080

    # redirection http
    iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

Upvotes: 24

Views: 16887

Answers (3)

axwl03

Reputation: 1

I know it's too late for this, but I came up with another solution which might be more straightforward for most people.

Just redirect port 8080 to another closed port (3000 for example):

    iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 3000
    iptables -A INPUT -p tcp --dport 3000 -j REJECT --reject-with tcp-reset

Then you may access the app at port 8080 from your local machine, and others on the Internet may only see port 80 open.

Upvotes: 0

dkorz

Reputation: 41

I handled this in a slightly different way. I forwarded 443 to 3000 (as above) but also forwarded 3000 to 443. I then allow traffic on 3000 but block it on 443. When filtering, the 443 traffic should only be originally from port 3000.

I'm using ufw so the filter rules were entered using that tool. I added the nat rules in /etc/ufw/before.rules.

    iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3000
    iptables -t nat -A PREROUTING -p tcp -m tcp --dport 3000 -j REDIRECT --to-ports 443

Upvotes: 4

Vince

Reputation: 246

One way I've found to accomplish this is to use the MARK target in the mangle table's PREROUTING chain.

Add a rule to tag the packets you want to block:

    iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j MARK --set-mark 1

Then, before you allow port 8080 add this to DROP marked packets:

    iptables -A INPUT -m mark --mark 1 -j DROP

Upvotes: 23
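As an added example that is not part of the question or any of the answers, here is the complete rule set in the order the MARK approach above relies on: the mark is set in mangle PREROUTING, which the kernel evaluates before nat PREROUTING, so `--dport 8080` there matches only packets that arrived addressed to 8080, while traffic that arrived on 80 is rewritten afterwards and reaches INPUT unmarked with its source IP intact. `IPT`, `apply_rules` and `check_order` are names chosen for this example; it assumes IPv4 only and an application listening on 8080, and `IPT=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the question or the answers.
# Assumptions: IPv4 only, the application listens on 8080, the script runs
# as root. Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"

apply_rules() {
    # Start from empty chains in the tables we touch.
    $IPT -F INPUT
    $IPT -t mangle -F PREROUTING
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F OUTPUT
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP

    # mangle PREROUTING is evaluated before nat PREROUTING, so a packet
    # only matches --dport 8080 here if it ARRIVED addressed to 8080.
    # Packets that arrived on 80 still carry dport 80 at this point.
    $IPT -t mangle -A PREROUTING -p tcp --dport 8080 -j MARK --set-mark 1

    # nat now rewrites the arriving port-80 traffic to 8080. Only the
    # destination port changes; the source IP the application audits is kept.
    $IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
    $IPT -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-ports 8080

    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Drop marked (direct-to-8080) packets BEFORE the general 8080 accept;
    # redirected port-80 traffic is unmarked and falls through to it.
    # No dport-80 INPUT rule is needed: nat already rewrote it to 8080.
    $IPT -A INPUT -m mark --mark 1 -j DROP
    $IPT -A INPUT -p tcp --dport 8080 -j ACCEPT
    $IPT -A INPUT -j DROP
}

# Dry-run the rule set and verify that the marked-packet DROP is listed
# before the 8080 ACCEPT (rule order is what makes this scheme work).
check_order() {
    (IPT=echo; apply_rules) | awk '
        /-A INPUT -m mark --mark 1 -j DROP/     { drop = NR }
        /-A INPUT -p tcp --dport 8080 -j ACCEPT/ { acc = NR }
        END { exit !(drop && acc && drop < acc) }'
}

case "${1:-}" in
    apply) apply_rules ;;
    check) check_order && echo "rule order OK" ;;
esac
```

Run it with `check` first to see the rule list and confirm the ordering, then with `apply` as root to load it.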
