On CentOS 6.4, I want to block all incoming ports except 22, 80 and 443. 80 (external) should be redirected to 8080 (internal). 443 (external) should be redirected to 8181 (internal). I used the following commands:

    service iptables stop
    iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
    iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8181
    service iptables save
    service iptables restart

However, I can still access ports 8080 and 8181. Is there a way to block ports 8080 and 8181 externally and still have them open internally for redirection from 80 and 443?
There's nothing in your rules dropping any packets. You can accomplish this by setting the default policy of your INPUT chain to DROP. By default it is ACCEPT:

As you do this, you may begin to notice that your outgoing connections do not work anymore. You can add rules at the top of your INPUT chain to ACCEPT already established traffic back in. Do so using the following:

The RELATED part lets other related traffic through (for instance, ICMP packets sent as a result of something happening in an ESTABLISHED connection).

I would rather create a new chain and then add my rules into this chain. You can do that by:

First DROP incoming/forwarding/outgoing traffic

Then create a chain with judgment ACCEPT and add rules inside:

Then, add the redirect rules:
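One way to put the default-DROP advice from the answers above together for the question's setup, as an added example rather than code from the question or either answer: eth0 and the port numbers come from the question, while the conntrack DNAT match is an assumption of mine for keeping 8080/8181 closed to direct connections.

```shell
#!/bin/sh
# Added example, not code from the question or the answers above: one script that
# applies the first answer's approach (default-DROP INPUT, ESTABLISHED/RELATED first)
# to the question's setup. Interface name eth0 and the ports are from the question.
# Set IPT="echo iptables" to print the rules instead of applying them.
IPT="${IPT:-iptables}"

apply_rules() {
    # Start from empty filter and nat tables.
    $IPT -F
    $IPT -t nat -F

    # Loopback and replies to connections this host opened. RELATED also admits
    # e.g. ICMP errors tied to an existing connection.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH stays reachable on its real port.
    $IPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

    # Port rewriting happens in nat/PREROUTING, i.e. before the filter table's
    # INPUT chain ever sees the packet.
    $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
    $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8181

    # Consequence of the above: a packet that arrived for 80/443 reaches INPUT with
    # dport 8080/8181, so an INPUT rule for --dport 80 never matches it. Accept
    # 8080/8181 only when conntrack flags the connection as DNATed (REDIRECT is a
    # DNAT). A client that connects straight to 8080 or 8181 carries no DNAT flag
    # and falls through to the DROP policy set below.
    $IPT -A INPUT -i eth0 -p tcp -m multiport --dports 8080,8181 \
        -m conntrack --ctstate DNAT -j ACCEPT

    # Policies go last: with the accept rules already in place, a remote SSH
    # session used to apply the script is not cut off when INPUT switches to DROP.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Usage: sh firewall.sh dry-run (default, prints the commands) | sh firewall.sh apply
case "${1:-dry-run}" in
    apply)   apply_rules ;;
    dry-run) IPT="echo iptables"; apply_rules ;;
esac
```

Run it as root with `apply`, then `service iptables save` as in the question to persist the rules across restarts.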
Do you have multiple NICs on the server or not? You can lock it down that way. You can also easily lock it down by source IPs so you can only allow "INPUT" rules to those ports from specific IPs and only allow "FORWARD" or "PREROUTING" rules from others.