How can I allow HTTP access to $EXTIF?
*nat
-A POSTROUTING -o "$EXTIF" -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0] #If this is changed to DROP then clients cannot connect out.
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j LOG
-A FORWARD -i "$EXTIF" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i "$INTIF" -o "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOG
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j LOG
COMMIT
Allow only HTTP to $EXTIF:
This will allow outsiders only to initiate connections to port 80 (HTTP) of your server. The established/related rule will allow the server only to reply to these connections, so this satisfies your requirements, I think.
This should also fairly effectively flood your log with packets to ports different than 80. I'd consider a limit rule in the -j LOG section.
NAT prevents any outside entity from initiating a direct connection to anything behind the NAT. You do not need to do anything extra to protect the NATted network from port scanning. Keeping the individual hosts firewalled and with a current anti-virus software (if it's a MS OS) is still a recommended thing.
Take some time to read Rusty's Remarkably Unreliable Guides (http://people.netfilter.org/~rusty/unreliable-guides/) and iptables man pages too. They are well-written.
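The two points in the answer above (open only TCP/80 on the external interface, and rate-limit the LOG rules) put together as an added example; this is not code from the question or the answer. It keeps the NAT and FORWARD rules from the question, switches the INPUT policy to DROP, and adds two rules the question did not have (accept from loopback and from the internal interface) so the router itself stays reachable from inside. Interface names are passed as arguments; "eth0"/"eth1" in the usage lines are placeholders. Note that iptables-restore does not expand shell variables, so a ruleset that contains "$EXTIF" has to go through a shell (here a heredoc) before it is restored.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names are assumptions
# supplied by the caller. Generates an iptables-restore ruleset on stdout.
gen_ruleset() {
    EXTIF="$1"
    INTIF="$2"
    cat <<EOF
*nat
-A POSTROUTING -o $EXTIF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback and the internal LAN may reach the router itself (DNS, DHCP, admin access from inside).
-A INPUT -i lo -j ACCEPT
-A INPUT -i $INTIF -j ACCEPT
# Replies to connections the router itself opened.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only service reachable from outside: HTTP on the external interface.
-A INPUT -i $EXTIF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Log everything else, but at most 5 lines/min (burst 10) so a port scan cannot fill the log.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT-DROP: "
-A FORWARD -i $EXTIF -o $INTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INTIF -o $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FORWARD-DROP: "
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "OUTPUT-DROP: "
COMMIT
EOF
}

# Self-check: how many INPUT rules accept a NEW connection arriving on the
# external interface? For a web-only box the answer must be exactly 1.
count_exposed_services() {
    gen_ruleset "$1" "$2" | grep -c -- "-A INPUT -i $1 .*--ctstate NEW -j ACCEPT"
}

# Usage (placeholder interface names; run as root on the router):
#   gen_ruleset eth0 eth1 | iptables-restore --test   # parse only, commit nothing
#   gen_ruleset eth0 eth1 | iptables-restore          # apply atomically
```

The `--test` pass is worth keeping in any deploy script: iptables-restore is atomic, so a syntax error anywhere in the file means nothing is applied, but catching it before the real run avoids a confusing "no rules changed" moment during a remote session.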