IPTables Accept Only Redirected Packets?

I am wondering if this is possible.  I would like to have port 80 be accessible to the outside world, but redirect it to other ports internally depending on source.  I want to blanket deny all ports on the server except port 80.  So basically I want to drop anything but port 80, while still allowing the redirected ports to work.  Is this possible?  I was thinking about using connection tracking?
efadenAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
ravenplConnect With a Mentor Commented:
No.
> I want to forward 192.168.0.1:80 to 192.168.0.1:8000 while denying all access to 192.168.0.1:8000 from anywhere other than 192.168.0.1 itself
What is the point then in redirecting port80->port8000 then? Still nobody can access it...
If You forward traffic from port80 to 8000 it will actually appear on port 8000. If the port is blocked - no access.
but the rule would look like
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8000
Note however that on INPUT chain it will appear with destination port = 8000
0
 
ravenplCommented:
#allow forwarding of port 80
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
#but note, that You may already have some rules on FORWARD chain, if so, use (-I) instead of (-A)
#forward port80 to inside server depending on the source (-s parameter) - replace ethX with outside interface name
iptables -t nat -A PREROUTING -i ethX -p tcp -s 1.2.3.4/24 --dport 80 -j DNAT --to ip.of.inside:80
iptables -t nat -A PREROUTING -i ethX -p tcp -s 11.22.33.44/24 --dport 80 -j DNAT --to another.ip.of.inside:8080
#default port80 connection gets gracefuly rejected
iptables -t nat -A PREROUTING -i ethX -p tcp --dport 80 -j REJECT --reject-with tcp-reset
#or redirect to inside as well
iptables -t nat -A PREROUTING -i ethX -p tcp --dport 80 -j DNAT --to some.ip.on.inside:80
0
 
efadenAuthor Commented:
Hmmmm.  I'm not sure that is what I was trying to do.  The setup is.... Computer 1 is running on 192.168.0.1.  It is set to accept all connections on lo.  I want to forward 192.168.0.1:80 to 192.168.0.1:8000 while denying all access to 192.168.0.1:8000 from anywhere other than 192.168.0.1 itself.  Does that make sense?
0
All Courses

From novice to tech pro — start learning today.