This is a discussion on iptables question: restricting access to port 2500 to Apache Web Server Proxy... within the Linux Security forums, part of the System Security and Security Related category.
Howdy,

I feel like I am close with a solution but I need a little help fine tuning my iptables commands. I am running two webservers on a linux box, Apache (1.3.29) on port 80 and WeBrick on port 2500. I have set up a virtual host in my Apache conf file to proxy the WeBrick server. Hence I want users coming to my site to access the content on the WeBrick server like this:

http://subdomain.domain.com/

and prevent them from accessing it like this:

http://domain.com:2500/

These are the most recent iptables commands I have tried (this is mostly guesswork, so please correct me if I am going about this the wrong way... I've included a comment with each):

# Lock down port 2500 to all connections...
iptables -A INPUT -p tcp --dport 2500 -m state --state NEW,ESTABLISHED,RELATED -j REJECT

# Open it back up for connections originating from IP address NNN.NNN.NNN.NN...
iptables -A INPUT -p tcp --dport 2500 -s NNN.NNN.NNN.NN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Probably silly redundancy, but open it up to IP address with a source port...
iptables -A INPUT -p tcp --dport 2500 -s NNN.NNN.NNN.NN --sport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

So the complete locking out works but then my Apache proxy cannot connect to the port... I get this error message in a browser:

########################################################

Proxy Error
The proxy server received an invalid response from an upstream server.

The proxy server could not handle the request GET*/.

Reason: Could not connect to remote machine: Connection refused

Apache/1.3.29 Server at subdomain.domain.com Port 80

########################################################

Is there anyone out there who could help me fine tune those iptables commands?

Many thanks,

Ryan
Ryan Kuykendall wrote:
> Howdy,
>
> I feel like I am close with a solution but I need a little help fine
> tuning my iptables commands. I am running two webservers on a linux
> box, Apache (1.3.29) on port 80 and WeBrick on port 2500. I have set
> up a virtual host in my Apache conf file to proxy the WeBrick server.
> Hence I want users coming to my site to access the content on the
> WeBrick server like this:
>
> http://subdomain.domain.com/
>
> and prevent them from accessing it like this:
>
> http://domain.com:2500/
>
> These are the most recent iptables commands I have tried (this is
> mostly guesswork, so please correct me if I am going about this the
> wrong way... I've included a comment with each):
>
> # Lock down port 2500 to all connections...
> iptables -A INPUT -p tcp --dport 2500 -m state --state
> NEW,ESTABLISHED,RELATED -j REJECT
>
> # Open it back up for connections originating from IP address
> NNN.NNN.NNN.NN...
> iptables -A INPUT -p tcp --dport 2500 -s NNN.NNN.NNN.NN -m state
> --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> # Probably silly redundancy, but open it up to IP address with a
> source port...
> iptables -A INPUT -p tcp --dport 2500 -s NNN.NNN.NNN.NN --sport 80 -m
> state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
>
> So the complete locking out works but then my Apache proxy cannot
> connect to the port... I get this error message in a browser:
>
> ########################################################
>
> Proxy Error
> The proxy server received an invalid response from an upstream server.
>
> The proxy server could not handle the request GET*/.
>
> Reason: Could not connect to remote machine: Connection refused
>
> Apache/1.3.29 Server at subdomain.domain.com Port 80
>
> ########################################################
>
> Is there anyone out there who could help me fine tune those iptables
> commands?
>
> Many thanks,
>
> Ryan

Just block that port outright.

-- 
Hark ye, Clinker, you are a most notorious offender.
You stand convicted of sickness, hunger, wretchedness, and want. -- Tobias Smollet
In article <c507d6de.0409021016.44197eee@posting.google.com>,
Ryan Kuykendall <exposhare@gmail.com> wrote:
:Howdy,
:
:I feel like I am close with a solution but I need a little help fine
:tuning my iptables commands. I am running two webservers on a linux
:box, Apache (1.3.29) on port 80 and WeBrick on port 2500. I have set
:up a virtual host in my Apache conf file to proxy the WeBrick server.
:Hence I want users coming to my site to access the content on the
:WeBrick server like this:
:
:http://subdomain.domain.com/
:
:and prevent them from accessing it like this:
:
:http://domain.com:2500/
:
:These are the most recent iptables commands I have tried (this is
:mostly guesswork, so please correct me if I am going about this the
:wrong way... I've included a comment with each):
:
:# Lock down port 2500 to all connections...
:iptables -A INPUT -p tcp --dport 2500 -m state --state
:NEW,ESTABLISHED,RELATED -j REJECT
:
:# Open it back up for connections originating from IP address
:NNN.NNN.NNN.NN...
:iptables -A INPUT -p tcp --dport 2500 -s NNN.NNN.NNN.NN -m state
:--state NEW,ESTABLISHED,RELATED -j ACCEPT
:
:# Probably silly redundancy, but open it up to IP address with a
:source port...
:iptables -A INPUT -p tcp --dport 2500 -s NNN.NNN.NNN.NN --sport 80 -m
:state --state NEW,ESTABLISHED,RELATED -j ACCEPT

If you're issuing the commands in that order, then all packets to
destination port 2500 match the REJECT rule and none of the following
rules are ever used.

-- 
Bob Nichols         AT comcast.net I am "rnichols42"
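Bob's point is about first-match evaluation: iptables walks a chain from the top and the first matching rule decides the packet's fate, so three `-A` (append) commands end up with the catch-all REJECT on top and the two ACCEPTs below it are dead. The following is an added example, not code from the thread or from iptables itself: a small Python model of that evaluation that replays the posted rule order against the proxy's own connection, then the same rules with the ACCEPTs placed first (what you get with `iptables -I INPUT ...` ahead of the REJECT, or simply by issuing the ACCEPTs before the REJECT). The addresses 203.0.113.10 (standing in for NNN.NNN.NNN.NN) and 198.51.100.7, the ephemeral source ports, and the interface names are constructed for the example; only the matches the posted rules use (-p, --dport, --sport, -s, -i, -m state) are modelled.

```python
# Added example, not code from the thread: a toy model of how the iptables
# INPUT chain evaluates rules top to bottom and stops at the first match.
# Only the matches used in the posted rules are modelled (-p, --dport, --sport,
# -s, -i and -m state --state); real iptables also checks -d, -o, CIDR masks, etc.
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed stand-ins for the addresses in the thread.
PROXY_IP = "203.0.113.10"     # the box's own address, i.e. the poster's NNN.NNN.NNN.NN
OUTSIDER_IP = "198.51.100.7"  # some other Internet host
WEBRICK_PORT = 2500


@dataclass
class Packet:
    src: str
    dport: int
    sport: int
    proto: str = "tcp"
    iface: str = "eth0"       # interface the packet arrived on
    state: str = "NEW"        # conntrack state of this packet


@dataclass
class Rule:
    target: str                          # ACCEPT or REJECT
    proto: Optional[str] = None          # -p
    dport: Optional[int] = None          # --dport
    sport: Optional[int] = None          # --sport
    src: Optional[str] = None            # -s (exact host, no mask)
    iface: Optional[str] = None          # -i
    states: Optional[Set[str]] = None    # -m state --state A,B,C

    def matches(self, pkt: Packet) -> bool:
        # Every specified match must hold; unspecified ones match anything.
        checks = [
            (self.proto, pkt.proto),
            (self.dport, pkt.dport),
            (self.sport, pkt.sport),
            (self.src, pkt.src),
            (self.iface, pkt.iface),
        ]
        if any(want is not None and want != got for want, got in checks):
            return False
        return self.states is None or pkt.state in self.states


ANY_STATE = {"NEW", "ESTABLISHED", "RELATED"}


def first_match(chain: List[Rule], pkt: Packet) -> Optional[int]:
    """Index of the first rule that matches, or None if the chain falls through."""
    for i, rule in enumerate(chain):
        if rule.matches(pkt):
            return i
    return None


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Target of the first matching rule, else the chain policy."""
    i = first_match(chain, pkt)
    return policy if i is None else chain[i].target


def posted_chain() -> List[Rule]:
    """The three rules in the order the original post appended (-A) them."""
    return [
        Rule("REJECT", proto="tcp", dport=WEBRICK_PORT, states=ANY_STATE),
        Rule("ACCEPT", proto="tcp", dport=WEBRICK_PORT, src=PROXY_IP, states=ANY_STATE),
        Rule("ACCEPT", proto="tcp", dport=WEBRICK_PORT, src=PROXY_IP, sport=80, states=ANY_STATE),
    ]


def reordered_chain() -> List[Rule]:
    """Same intent with the ACCEPTs ahead of the REJECT, plus a loopback
    ACCEPT in case the ProxyPass target is localhost rather than the public IP."""
    return [
        Rule("ACCEPT", iface="lo"),
        Rule("ACCEPT", proto="tcp", dport=WEBRICK_PORT, src=PROXY_IP),
        Rule("REJECT", proto="tcp", dport=WEBRICK_PORT),
    ]


# Apache's outbound proxy connection: the source is the box itself and the
# source port is ephemeral (not 80; port 80 is where Apache *listens*).
PROXY_CONN = Packet(src=PROXY_IP, dport=WEBRICK_PORT, sport=43512)
LOOPBACK_CONN = Packet(src="127.0.0.1", dport=WEBRICK_PORT, sport=43513, iface="lo")
OUTSIDER_CONN = Packet(src=OUTSIDER_IP, dport=WEBRICK_PORT, sport=51234)
OUTSIDER_HTTP = Packet(src=OUTSIDER_IP, dport=80, sport=51235)

if __name__ == "__main__":
    for name, chain in (("posted", posted_chain()), ("reordered", reordered_chain())):
        for label, pkt in (("proxy", PROXY_CONN), ("loopback", LOOPBACK_CONN),
                           ("outsider:2500", OUTSIDER_CONN), ("outsider:80", OUTSIDER_HTTP)):
            print(f"{name:9} {label:14} rule {first_match(chain, pkt)} -> {verdict(chain, pkt)}")
```

Running it shows the proxy's SYN hitting rule 0 (REJECT) in the posted order, which is the "Connection refused" Ryan sees, and hitting the source-IP ACCEPT in the reordered chain while an outside host on port 2500 still gets rejected. Two further things the model makes visible: the third posted rule (`--sport 80`) can never match the proxy's connection, because Apache connects out from an ephemeral port, not from 80; and if the vhost does `ProxyPass` to `http://localhost:2500/`, the connection arrives on `lo` from 127.0.0.1, so the public-IP ACCEPT alone would not cover it. On the real box, `iptables -L INPUT -n -v --line-numbers` shows the rule order and per-rule packet counters, which is the quickest way to confirm which rule is actually eating the traffic.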