Re: iptables redirect with a caveat

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MAmit Nepal at <-
M 
Attachments:
Message as email
+ (text/plain)
+ (text/html)
+ (text/plain)
Delete this message
Reply to this message
Author: Stephen Partington
Date:  
To: Main PLUG discussion list
Subject: Re: iptables redirect with a caveat
This is what I recall as a best practice, ideally you want to drop anything
you are not using.

/sbin/iptables -A INPUT -p tcp --destination-port 80 -j DROP

On Sep 17, 2017 9:53 PM, "Amit Nepal" <> wrote:

> I have not tested but you can probably use mark to accomplish this. Mark
> any request coming directly to port 7778, drop anything with mark set and
> then redirect request on port 80 to 7778.
> iptables -t mangle -A PREROUTING -p tcp --dport 7778 -j MARK --set-mark 1
> iptables -A INPUT -m mark --mark 1 -j DROP
> iptables -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports
> 7778
>
> Thank You
>
> Amit K Nepal
> (CISM, CISSP, RHCE, CCENT, C|EH, C|HFI, GIAC ISO 27000 Specialist)
>
>
> On 9/17/2017 8:58 PM, Daniel Stasinski wrote:
>
> Right after I posted, I figured out a solution.
>
> I just added redirect from 7778 to 80. Since 80 is not active, it drops it
>
> A PREROUTING -p tcp -m tcp --dport 7778-j REDIRECT --to-ports 80
>
> *Daniel P. Stasinski*
>
> I 💛✞
>
> On Sun, Sep 17, 2017 at 8:24 PM, Daniel Stasinski <
> > wrote:
>
>>
>> On my server, I am redirecting incoming port 80 to port 7778 via
>> iptables, but I'm unsure how to block connects directly to port 7778 from
>> the outside. I've hit a brick wall in my understanding of pre and post
>> routing.
>>
>> I could use a little wisdom here. Thanks. :)
>>
>> #/etc/sysconfig/iptables
>> *nat
>> :PREROUTING ACCEPT [15:1051]
>> :POSTROUTING ACCEPT [63:4394]
>> :OUTPUT ACCEPT [63:4394]
>> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 7778
>> COMMIT
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [1661:376223]
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 7778 -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>>
>> *Daniel P. Stasinski*
>>
>> I 💛✞
>>
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
This message was posted to the following mailing lists:
Plug Discuss
Mailing List Info | Nearby Messages		<-Re: iptables redirect with a caveatRe: OT: video player with controls on other monitor->
Some Mailing List Archive administrated by UnconfiguredLurker (version 2.3)