iptables rule to block external, but accept local port (8009) connection

Hello,

I'm trying to use iptables to block external access to port 8009, while
keeping any local communication with port 8009 open. Port 8009 is a
servlet engine (e.g. Tomcat port). Apache (httpd) talks to Tomcat via
port 8009. Since I have both Tomcat and Apache on the same host, I
just want that host to be able to talk to port 8009, and nobody else.

I'm having only partial success:
I can successfully block external access, but I'm also noticing that my
rules are making some (not all) connections to/from port 8009 stay in
SYN_SENT state (netstat -tupan | grep 8009 shows this).

Here are my rules:

# this DROPs all packets for port 8009
$IPTABLES -A INPUT -p TCP --dport 8009 -m state --state NEW -j DROP
$IPTABLES -A INPUT -p UDP --dport 8009 -m state --state NEW -j DROP

# this alone should enable all traffic to/from loopback to pass through
# however, I don't recally know whether loopback device carries this
traffic....
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# the above ACCEPT rules don't do it, so I've tried these
$IPTABLES -A INPUT -i lo -p TCP -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -p TCP -s 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -i lo -p TCP -s local.ip.here -j ACCEPT
$IPTABLES -A OUTPUT -o lo -p TCP -s local.ip.here -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p TCP -s local.ip.here -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p TCP -s local.ip.here -j ACCEPT

This still doesn't do it. I see that the connection from httpd -> port
8009 end up in SYN_SENT state, like this:

Proto Recv-Q Send-Q Local Address Foreign Address
State PID/Program name
tcp 0 1 127.0.0.1:58594 127.0.0.1:8009
SYN_SENT 24097/httpd
tcp 0 1 127.0.0.1:58595 127.0.0.1:8009
SYN_SENT 24099/httpd
tcp 0 1 127.0.0.1:58592 127.0.0.1:8009
SYN_SENT 24096/httpd
tcp 0 1 127.0.0.1:58593 127.0.0.1:8009
SYN_SENT 24098/httpd
....

Do you see any problems with my rules?
I've also tried using ".... -p TCP -d 127.0.0.1..." (the important
piece here being that "-d" in addition to "-s"), also without any luck.

Any help would be much appreciated.
Thanks!

"OtisUsenet" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com
> # this DROPs all packets for port 8009
> $IPTABLES -A INPUT -p TCP --dport 8009 -m state --state NEW -j DROP
> $IPTABLES -A INPUT -p UDP --dport 8009 -m state --state NEW -j DROP

1- you should use --syn with TCP
2- you accept the syn in the connection, but no other packets...
That's why you see the SYN_sent state.

You should add first:
$IPTABLES -A INPUT -p TCP -m state --state ESTABLISHED, RELATED
\ -j ACCEPT

And, a very important thing:
The order of the rules in iptables does matter, a lot :-)
Iptables gets the firt matching rule, so be careful with the order of
them.



--
Posted via Mailgate.ORG Server - http://www.Mailgate.ORG