iptables rule to block external, but accept local port (8009) connection

Discussion in 'Linux Networking' started by OtisUsenet, Feb 14, 2006.

  1. OtisUsenet

    OtisUsenet Guest

    Hello,

    I'm trying to use iptables to block external access to port 8009, while
    keeping any local communication with port 8009 open. Port 8009 is a
    servlet engine (e.g. Tomcat port). Apache (httpd) talks to Tomcat via
    port 8009. Since I have both Tomcat and Apache on the same host, I
    just want that host to be able to talk to port 8009, and nobody else.

    I'm having only partial success:
    I can successfully block external access, but I'm also noticing that my
    rules are making some (not all) connections to/from port 8009 stay in
    SYN_SENT state (netstat -tupan | grep 8009 shows this).

    Here are my rules:

    # this DROPs all packets for port 8009
    $IPTABLES -A INPUT -p TCP --dport 8009 -m state --state NEW -j DROP
    $IPTABLES -A INPUT -p UDP --dport 8009 -m state --state NEW -j DROP

    # this alone should enable all traffic to/from loopback to pass through
    # however, I don't recally know whether loopback device carries this
    traffic....
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # the above ACCEPT rules don't do it, so I've tried these
    $IPTABLES -A INPUT -i lo -p TCP -s 127.0.0.1 -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -p TCP -s 127.0.0.1 -j ACCEPT
    $IPTABLES -A INPUT -i lo -p TCP -s local.ip.here -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -p TCP -s local.ip.here -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p TCP -s local.ip.here -j ACCEPT
    $IPTABLES -A OUTPUT -o eth0 -p TCP -s local.ip.here -j ACCEPT

    This still doesn't do it. I see that the connection from httpd -> port
    8009 end up in SYN_SENT state, like this:

    Proto Recv-Q Send-Q Local Address Foreign Address
    State PID/Program name
    tcp 0 1 127.0.0.1:58594 127.0.0.1:8009
    SYN_SENT 24097/httpd
    tcp 0 1 127.0.0.1:58595 127.0.0.1:8009
    SYN_SENT 24099/httpd
    tcp 0 1 127.0.0.1:58592 127.0.0.1:8009
    SYN_SENT 24096/httpd
    tcp 0 1 127.0.0.1:58593 127.0.0.1:8009
    SYN_SENT 24098/httpd
    ....

    Do you see any problems with my rules?
    I've also tried using ".... -p TCP -d 127.0.0.1..." (the important
    piece here being that "-d" in addition to "-s"), also without any luck.

    Any help would be much appreciated.
    Thanks!
     
    OtisUsenet, Feb 14, 2006
    #1
    1. Advertisements

  2. OtisUsenet

    Eric Lalitte Guest

    1- you should use --syn with TCP
    2- you accept the syn in the connection, but no other packets...
    That's why you see the SYN_sent state.

    You should add first:
    $IPTABLES -A INPUT -p TCP -m state --state ESTABLISHED, RELATED
    \ -j ACCEPT

    And, a very important thing:
    The order of the rules in iptables does matter, a lot :)
    Iptables gets the firt matching rule, so be careful with the order of
    them.
     
    Eric Lalitte, Feb 14, 2006
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.