iptables question: restricting access to port 2500 to Apache Web Server Proxy (Linux Security forums, System Security and Security Related category)
Howdy,
I'm brand new to using iptables and I am trying to use Apache (on port 80) as a proxy to content on port 2500 (on which I have a ruby webrick server running). I have apache set up to proxy in content on port 2500 as:

http://subdomain.domain.com/

And that works fine. However, for security reasons, I need to prevent users from accessing port 2500 directly like this:

http://domain.com:2500/

Since this circumvents the Apache authorization I have in my httpd.conf file.

Currently, when I run iptables -L, I see this (which I realize is having no firewall at all):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

How would I use iptables to restrict direct access to port 2500 and still allow my Apache webserver to proxy it?

Thanks,

Ryan
exposhare@gmail.com (Ryan Kuykendall) writes:
> I'm brand new to using iptables and I am trying to use Apache (on port 80)
> as a proxy to content on port 2500 (on which I have a ruby webrick server
> running).

Cool... :)

> I have apache set up to proxy in content on port 2500 as:
[snip]
> Currently, when I run iptables -L, I see this (which I realize is
> having no firewall at all):
[snip]
> How would I use iptables to restrict direct access to port 2500 and
> still allow my Apache webserver to proxy it?

So the difference is that anyone can access port 80, while port 2500 is only open for connections from localhost?

Try <http://spodzone.org.uk/packages/secure/iptables.sh>; this is a succinct, tidy starting-point configuration where no new packets are permitted inbound unless to a provided service. Observe that I allow anything on the loopback interface (lo), so apache talking up to your ruby server will be allowed only, and if you clone+edit the `22' line (to provide ssh) then you'll permit access to the webserver on 80. Hey presto, one firewall with 80 open, 2500 accessible from the box itself only, happiness. Integrate it into however your box normally does firewalling, as you wish. :)

~Tim
--
14:26:07 up 14 days, 22:00, 4 users, load average: 0.06, 0.04, 0.07
piglet@stirfried.vegetable.org.uk |Move a mountain / Fill the ground
http://spodzone.org.uk/cesspit/ |Take death on wheels / Re-create the land
Ryan Kuykendall wrote:
> Howdy,
>
> I'm brand new to using iptables and I am trying to use Apache (on port
> 80) as a proxy to content on port 2500 (on which I have a ruby webrick
> server running). I have apache set up to proxy in content on port 2500
> as:
>
> http://subdomain.domain.com/
>
> And that works fine. However, for security reasons, I need to prevent
> users from accessing port 2500 directly like this:
>
> http://domain.com:2500/
>
> Since this circumvents the Apache authorization I have in my
> httpd.conf file.
>
> Currently, when I run iptables -L, I see this (which I realize is
> having no firewall at all):
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> How would I use iptables to restrict direct access to port 2500 and
> still allow my Apache webserver to proxy it?
>
> Thanks,
>
> Ryan

iptables -A INPUT -i eth0 -p tcp --dport 2500 -j DROP

(etc)

--
Mother is far too clever to understand anything she does not like.
-- Arnold Bennett
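Both replies converge on the same design: accept anything on loopback so Apache can reach WEBrick, expose 80 (and ssh) to the world, and drop everything else aimed at 2500. The script below is an added example of that ruleset written for iptables-restore; it is not the script Tim linked and not the poster's own configuration. The ssh port, the LOG prefix and the use of the conntrack match are assumptions, and it deliberately names no interface, unlike the `-i eth0` one-liner above, so the policy holds the same way on any NIC, VLAN or tunnel the box later acquires.

```shell
#!/bin/sh
# Added example (not the script Tim linked, nor the poster's config): a
# default-deny INPUT ruleset for the setup in the thread. Apache on 80 is
# reachable from anywhere, WEBrick on 2500 only over loopback, and ssh stays
# open. The ssh port is an assumption; no interface names are used so the
# rules hold on any NIC.
set -u

SSH_PORT="${SSH_PORT:-22}"   # assumed; change to match sshd_config

# Emit the ruleset in iptables-restore format. Rule order matters: loopback
# and established traffic are accepted before any port-based rule, so
# Apache's connection to 127.0.0.1:2500 is accepted by the lo rule and never
# reaches the 2500 DROP. The explicit LOG+DROP pair is redundant under a
# DROP policy but records direct hits on 2500, which is the thing we care about.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 2500 -m limit --limit 5/min -j LOG --log-prefix "direct-2500: "
-A INPUT -p tcp --dport 2500 -j DROP
COMMIT
EOF
}

# 1-based line number of the first rule containing the given fixed string,
# or empty if absent. Used to check ordering before anything is applied.
rule_line() {
    ruleset | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# Sanity check: the lo ACCEPT must come before the 2500 DROP, otherwise the
# proxy itself gets blocked. Returns 0 when the order is right.
check_order() {
    lo_line="$(rule_line '-i lo -j ACCEPT')"
    drop_line="$(rule_line '--dport 2500 -j DROP')"
    [ -n "$lo_line" ] && [ -n "$drop_line" ] && [ "$lo_line" -lt "$drop_line" ]
}

# Load the whole table atomically (needs root). iptables-restore replaces the
# filter table in one step, so there is never a moment with policy DROP and
# no ACCEPT rules, which is what kills a remote ssh session when rules are
# added one at a time with iptables -P / -A.
apply_ruleset() {
    check_order || { echo "refusing to apply: bad rule order" >&2; return 1; }
    ruleset | iptables-restore
}

# Usage (as root):  sh fw.sh apply      Preview only:  sh fw.sh show
case "${1:-show}" in
    apply) apply_ruleset ;;
    show)  ruleset ;;
esac
```

Preview with `sh fw.sh show`, apply as root with `sh fw.sh apply`. The check a practitioner wants afterwards is from a second host: `nc -vz domain.com 2500` should time out while `curl -I http://subdomain.domain.com/` still returns the proxied page, and on the box `iptables -L INPUT -n --line-numbers` should list the lo ACCEPT above the 2500 DROP. The `-i eth0` one-liner in the last reply does the same job on top of an ACCEPT policy, but only for packets arriving on that one interface. A measure independent of the firewall altogether is to start WEBrick with `:BindAddress => '127.0.0.1'`, so the ruby server never listens on the public address in the first place; the firewall then covers the case where someone later changes that.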