Joel_Sisko asked:
IPTABLES Redirect HTTP traffic to different port on same interface....

Hi everyone,

Been trying a few options today to achieve my goal and getting half of the solution working at one time or another.

Goal: Primary goal is to set up IPTABLES rules that will have all HTTP traffic coming in on port 44088 on eth0 and redirect it to port 80 on the same server interface, eth0. Secondary goal is to ensure any traffic sent to port 80 that is not from the redirect of port 44088 is dropped unless it is from source IP address 192.168.1.25. Last request is I want to ensure that return HTTP traffic does not indicate it is coming from port 80.

Environment: Using CentOS 6.6 with latest version of Apache.

Thank you for the help in advance.
arnold:

What is the destination of the port 80 traffic?
The redirect does not alter the source, as the responses will be sent to itself.

You need to use packet tagging/marking

http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html

I do not see what you are trying to do.

Internet eth0 linux?

Are you trying to handle/restrict proxy requests from inside your lan?
Joel_Sisko (asker):
Hi Arnold,

I would like to install Apache and have it listen on port 80, as the default installation provides this. I do not want my users to connect directly to port 80; I would like my users' HTTP traffic to connect to the server IP using port 44088, and any traffic received (assume only HTTP) on port 44088 gets redirected [proxy] to port 80, which Apache is listening on.

However I want to make sure any HTTP traffic directly to port 80 is dropped.

Hope the above clarifies my end goal, how we get there I leave up to the experts.

I have tried a few rules but can only get one item or another working, though part of the issue, I suspect, is that I am not approaching this the right way and am probably overcomplicating it a bit and/or not understanding the best approach.

Thanks for the help.

-J
arnold:

The puzzling thing is that it makes no sense what you are trying to achieve.
Usually different ports are the default; the off port you want to use might be denied on the user side.

Configure Apache to listen on the port you want and be done with it.
You have a walkway, and a front door. What you are asking is to put a block on the walkway from direct access, but setup a side route if used will allow the person access to the walkway.
Joel_Sisko (asker):

Hi Arnold,

Actually it makes perfect sense based on my need. As stated earlier, I prefer not to change the default port on Apache for a few reasons, one being not having to change the default Apache configuration. Another is that I can stop the flow of traffic via iptables without turning off and modifying yet another config file, in this case the Apache configuration. Third, I can stop inbound traffic from the Internet yet still provide internal access to Apache for various reasons.

-J
arnold:

The --to-port 80 is the directive you will use on the input side, while on the forwarding/prerouting you

Could you provide context to the network flow

Internet <=> router/firewall <=> LAN

The issue is marking the packet hitting the 44088 port and then having an allow on dstport 80 contingent on the mark of the packet.

If the system in question has two NICs, you could apply different rules based on the NIC/interface on which the request comes in:
-i eth0 wan
-i eth1 LAN
Joel_Sisko (asker):

Single NIC (eth0)

Internet traffic from customers being sent to my.public.Ip.Address:44088 which is configured for eth0 ==> Send this traffic to Port 80 on eth0 which Apache is listening on.

Admin traffic from my IP address, let's say 8.14.14.6, is allowed to connect to port 80 on eth0; all other source IPs' traffic to port 80 is dropped.
BTW, this is what I was trying, and it was able to route the traffic from 44088 to 80:

iptables -t nat -A PREROUTING -p tcp --dport 44088 -j REDIRECT --to-ports 80

However, I could not drop the port 80 traffic as I was hoping. So that is where I was getting stuck.

-J
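Putting the asker's working REDIRECT rule together with the packet marking arnold suggests, as an added example written for this page (my code, not arnold's accepted answer, which is not visible here): a plain `--dport 80 -j DROP` in INPUT breaks the redirect because REDIRECT in nat PREROUTING has already rewritten the destination port to 80 by the time the packet reaches INPUT, so INPUT cannot tell a redirected packet from a direct one. Marking the packet in mangle PREROUTING, which runs before nat PREROUTING and therefore still sees dport 44088 on every packet of the connection, gives INPUT something to match on. The interface eth0, the ports 44088 and 80 and the admin address 8.14.14.6 are the thread's; the mark value 0x50, the variable names and the dry-run switch are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: one rule set for the asker's three goals
# on a single-NIC CentOS 6 host, using the packet marking arnold suggests.
# eth0, 44088, 80 and 8.14.14.6 come from the thread; the mark value 0x50 and
# the variable names are assumptions for illustration.
# Set IPTABLES=echo to print the rules instead of applying them (dry run).
IPTABLES="${IPTABLES:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
PUBLIC_PORT="${PUBLIC_PORT:-44088}"   # port customers connect to
APACHE_PORT="${APACHE_PORT:-80}"      # port Apache actually listens on
ADMIN_IP="${ADMIN_IP:-8.14.14.6}"     # only source allowed straight to port 80
HTTP_MARK="${HTTP_MARK:-0x50}"        # arbitrary fwmark (assumption)

apply_rules() {
    # 1. Mark every inbound packet for the public port. mangle PREROUTING runs
    #    before nat PREROUTING, so it still sees dport 44088 on every packet of
    #    the connection, not only the first one that nat inspects.
    "$IPTABLES" -t mangle -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PUBLIC_PORT" \
        -j MARK --set-mark "$HTTP_MARK"

    # 2. Redirect the public port to Apache on the same interface (the asker's
    #    rule). conntrack reverses the rewrite on replies, so clients see the
    #    source port 44088, never 80.
    "$IPTABLES" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PUBLIC_PORT" \
        -j REDIRECT --to-ports "$APACHE_PORT"

    # 3. In INPUT the packet already carries dport 80, so a plain
    #    "--dport 80 -j DROP" would kill the redirected traffic too.
    #    Accept redirected packets by their mark instead.
    "$IPTABLES" -A INPUT -i "$WAN_IF" -p tcp --dport "$APACHE_PORT" \
        -m mark --mark "$HTTP_MARK" -j ACCEPT

    # 4. The admin host may reach port 80 directly.
    "$IPTABLES" -A INPUT -i "$WAN_IF" -p tcp --dport "$APACHE_PORT" \
        -s "$ADMIN_IP" -j ACCEPT

    # 5. Everything else aimed straight at port 80 on eth0 is dropped.
    "$IPTABLES" -A INPUT -i "$WAN_IF" -p tcp --dport "$APACHE_PORT" -j DROP
}

# Per-rule packet counters: customer hits should land on rule 3, admin hits on
# rule 4 and anything scanning port 80 directly on rule 5.
show_rules() {
    "$IPTABLES" -t mangle -L PREROUTING -n -v
    "$IPTABLES" -t nat -L PREROUTING -n -v
    "$IPTABLES" -L INPUT -n -v
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  show_rules ;;
esac
```

Review the rules first with `IPTABLES=echo sh redirect.sh apply`, then run it as root without the override; on CentOS 6, `service iptables save` writes the live ruleset to /etc/sysconfig/iptables so it survives a reboot. Two points worth checking: the DROP is scoped to eth0, so connections over loopback still reach port 80, which is exactly the internal access the asker wants to keep; and because conntrack undoes the REDIRECT on the reply path, responses leave with source port 44088, so the third goal needs no extra rule. If the host already has an early `-m state --state ESTABLISHED,RELATED -j ACCEPT` in INPUT, these rules still hold, since a direct connection to port 80 never gets its first packet accepted and so never becomes ESTABLISHED.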
ASKER CERTIFIED SOLUTION: arnold (solution text available to members only)