IPTABLES & APACHE

From: JJMMPP (null_at_no.spam)
Date: 08/09/03


Date: Sat, 09 Aug 2003 20:26:54 GMT

Hello,

Recently I have been trying to set up my firewall to block attempts to
access apache (running on the same machine listening on port 8080,
virtual-hosting a few domains) from a specific machine (or machines) on the
internet. I'm aware that apache can be configured to achieve a certain kind
of result through htaccess, but that is not what I want. I'm looking to truly
block certain IPs, making it appear this machine's web server isn't even
working or that there is no route to host when a blocked IP or IPs are
attempting to access it. My rules start out with a default drop policy.

I've tried the following unsuccessfully, attempting to block just one IP,
remember my server listens on 8080:

$IPTABLES -A INPUT -i $EXTIF -p TCP -s $BLOCKEDIP \
-d $EXTIP -m state --state NEW,ESTABLISHED,RELATED --dport 8080 -j REJECT

$IPTABLES -A INPUT -i $EXTIF -p UDP -s $BLOCKEDIP \
-d $EXTIP -m state --state NEW,ESTABLISHED,RELATED --dport 8080 -j DROP

I have to put a:

$IPTABLES -A INPUT -i $EXTIF -p TCP -s $UNIVERSE -d $EXTIP --dport 8080 \
-j ACCEPT

in the script or nothing can access the server, but then access to the
server is still granted to the BLOCKEDIP address. This seems to make sense
as it overrides.. but...

Since none of this worked the way I hoped, I also tried the following (note
the ! not expression before the BLOCKEDIP):

$IPTABLES -A INPUT -i $EXTIF -p TCP -s ! $BLOCKEDIP \
-d $EXTIP -m state --state NEW,ESTABLISHED,RELATED --dport 8080 -j ACCEPT

$IPTABLES -A INPUT -i $EXTIF -p UDP -s ! $BLOCKEDIP \
-d $EXTIP -m state --state NEW,ESTABLISHED,RELATED --dport 8080 -j ACCEPT

One might expect the above two lines to allow access to port 8080 from
everywhere EXCEPT the blocked IP. But no. I must still put the same line or
nobody has access again:

$IPTABLES -A INPUT -i $EXTIF -p TCP -s $UNIVERSE -d $EXTIP --dport 8080 \
-j ACCEPT

As a side note, I have also found that iptables will only DROP or REJECT if
those rules are loaded before any ACCEPT rules, and conversely if there is a
DROP or REJECT after an ACCEPT, that DROP or REJECT rule will be ignored.
Because of this, I have tried moving the 'required' UNIVERSE line above to
positions before and after the selective IP blocking lines, and have even
put it before and after in the same script at the same time. Nothing works,
of course, and the blocked IP can still access the web server. <pulling
what's left of my hair out now>

I was beginning to think Apache might bypass this, but that cannot be
possible since iptables is what controls the kernel routing. No applications
or daemons running on the system should be able to override the rules set in
iptables.

I have even created my own chain to match the IP and drop or reject, but
that also did not work. And just for the record, everything else works fine.
NAT works, and other services are available as defined in the firewall
script.

So back to the problem at hand. Besides configuring apache to deny access
by certain IPs in htaccess, which I don't want to do, what *can* I do to
have IPTABLES make the web server appear not to be there when one or more
blocked IPs attempt to access it? (And please don't say to go buy a router! hehe)

Thanks for your time and TIA,
JJ
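The rule set below is an added example, not part of the original post: it shows the ordering iptables needs for the blocking described above (iptables walks a chain top to bottom and the first matching rule wins, so a DROP or REJECT for the blocked source has to sit before the general ACCEPT for the port). Variable names follow the post; the interface, addresses and the blocked hosts are constructed placeholders, and the script prints the commands instead of running them unless DRYRUN is set to 0.

```shell
#!/bin/sh
# Added example (not from the original post). Makes a web server on port
# 8080 look unreachable to selected source addresses. EXTIF, EXTIP and the
# BLOCKED list are constructed placeholders from the TEST-NET ranges.
#
# DRYRUN=1 (default) prints the iptables commands instead of executing
# them, so the script can be read and checked without root.

DRYRUN=${DRYRUN:-1}
EXTIF=${EXTIF:-eth0}
EXTIP=${EXTIP:-203.0.113.10}            # constructed server address
BLOCKED="198.51.100.7 198.51.100.0/28"  # constructed blocked host + net
WEBPORT=8080

ipt() {
    if [ "$DRYRUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the rules for the web port. The block list lives in its own chain;
# INPUT jumps to it BEFORE the ACCEPT, so a blocked source never reaches
# the ACCEPT rule no matter what state its packets are in.
web_rules() {
    ipt -N WEB_BLOCK
    for src in $BLOCKED; do
        # DROP: no reply at all, the client's SYN just times out.
        ipt -A WEB_BLOCK -s "$src" -j DROP
        # For a "no route to host" error on the client instead, use:
        # ipt -A WEB_BLOCK -s "$src" -j REJECT --reject-with icmp-host-unreachable
    done
    ipt -A WEB_BLOCK -j RETURN

    ipt -A INPUT -i "$EXTIF" -p tcp -d "$EXTIP" --dport "$WEBPORT" -j WEB_BLOCK
    ipt -A INPUT -i "$EXTIF" -p tcp -d "$EXTIP" --dport "$WEBPORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Check that the jump to the block list precedes the ACCEPT for the port.
# Returns 0 when the order is right, 1 otherwise.
check_order() {
    rules=$(web_rules)
    block_line=$(printf '%s\n' "$rules" | grep -n -- '-j WEB_BLOCK' | cut -d: -f1)
    accept_line=$(printf '%s\n' "$rules" | grep -n -- '-j ACCEPT' | cut -d: -f1)
    [ -n "$block_line" ] && [ -n "$accept_line" ] && [ "$block_line" -lt "$accept_line" ]
}

web_rules
```

If the ACCEPT for port 8080 is already loaded, appending the block rules with -A puts them after it and they never match; insert them at the top with -I INPUT 1 instead, or load them before the ACCEPT as the script does. With a default DROP policy, a blocked source that never matches any ACCEPT is dropped by the policy, which gives the "server isn't there" behaviour; the REJECT variant with icmp-host-unreachable gives the "no route to host" error.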


