<div dir="auto">This is what I recall as a best practice; ideally you want to drop anything you are not using.<div dir="auto"><br></div><div dir="auto"><span style="color:rgb(33,37,41);font-family:inconsolata,monospace;font-size:14px;background-color:rgb(245,247,248)">/sbin/iptables -A INPUT -p tcp --destination-port 80 -j DROP</span><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sep 17, 2017 9:53 PM, "Amit Nepal" &lt;<a href="mailto:amit@amitnepal.com">amit@amitnepal.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <p>I have not tested, but you can probably use mark to accomplish
      this. Mark any request coming directly to port 7778, drop
      anything with mark set and then redirect request on port 80 to
      7778.<br>
    </p>
    <font face="monospace, monospace">iptables -t mangle -A PREROUTING
      -p tcp --dport 7778 -j MARK --set-mark 1<br>
      iptables -A INPUT -m mark --mark 1 -j DROP<br>
      iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT
      --to-ports 7778 </font><font face="monospace, monospace"><br>
      <br>
      Thank You<br>
    </font>
    <pre class="m_-2613923187855093520moz-signature" cols="72">Amit K Nepal
(CISM, CISSP, RHCE, CCENT, C|EH, C|HFI, GIAC ISO 27000 Specialist)

</pre>
    <div class="m_-2613923187855093520moz-cite-prefix">On 9/17/2017 8:58 PM, Daniel Stasinski
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Right after I posted, I figured out a solution.
        <div><br>
        </div>
        <div>I just added a redirect from 7778 to 80.  Since 80 is not
          active, it drops it.</div>
        <div><br>
        </div>
        <div><span style="font-family:monospace,monospace;font-size:12.8px">-A
            PREROUTING -p tcp -m tcp --dport 7778 -j REDIRECT --to-ports
            80</span><br>
        </div>
        <div><span style="font-family:monospace,monospace;font-size:12.8px"><br>
          </span></div>
        <div><b style="font-size:12.8px">Daniel P. Stasinski</b><br>
        </div>
        <div class="gmail_extra">
          <div>
            <div class="m_-2613923187855093520gmail_signature" data-smartmail="gmail_signature">
              <div dir="ltr">
                <div>
                  <div dir="ltr">
                    <div>
                      <div dir="ltr">
                        <div>
                          <div dir="ltr">
                            <div>
                              <div dir="ltr">
                                <div><a href="mailto:daniel@GenericInbox.com" target="_blank">daniel@GenericInbox.com</a><br>
                                </div>
                                <font size="4">I</font> 💛<font size="4">✞</font></div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
          <br>
          <div class="gmail_quote">On Sun, Sep 17, 2017 at 8:24 PM,
            Daniel Stasinski <span dir="ltr">&lt;<a href="mailto:daniel@genericinbox.com" target="_blank">daniel@genericinbox.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div dir="ltr">
                <div><br>
                </div>
                <div>On my server, I am redirecting incoming port 80 to
                  port 7778 via iptables, but I'm unsure how to block
                  connects directly to port 7778 from the outside. 
                   I've hit a brick wall in my understanding of pre and
                  post routing.</div>
                <div><br>
                </div>
                <div>I could use a little wisdom here.  Thanks. :)<br>
                </div>
                <div><br>
                </div>
                <div><font face="monospace, monospace">#<span style="color:rgb(0,0,0)">/etc/sysconfig/iptables</span></font></div>
                <div>
                  <div><font face="monospace, monospace"><span style="color:rgb(0,0,0)">*nat
                      </span><br>
                      :PREROUTING ACCEPT [15:1051]
                      <br>
                      :POSTROUTING ACCEPT [63:4394]
                      <br>
                      :OUTPUT ACCEPT [63:4394]
                      <br>
                      -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT
                      --to-ports 7778
                      <br>
                      COMMIT
                      <br>
                      *filter
                      <br>
                      :INPUT ACCEPT [0:0]
                      <br>
                      :FORWARD ACCEPT [0:0]
                      <br>
                      :OUTPUT ACCEPT [1661:376223]
                      <br>
                      -A INPUT -m state --state RELATED,ESTABLISHED -j
                      ACCEPT
                      <br>
                      -A INPUT -p icmp -j ACCEPT
                      <br>
                      -A INPUT -i lo -j ACCEPT
                      <br>
                      -A INPUT -p tcp -m state --state NEW -m tcp
                      --dport 7778 -j ACCEPT
                      <br>
                      -A INPUT -j REJECT --reject-with
                      icmp-host-prohibited
                      <br>
                      -A FORWARD -j REJECT --reject-with
                      icmp-host-prohibited
                      <br>
                      COMMIT<br>
                    </font></div>
                </div>
                <div><br>
                </div>
                <div>
                  <div class="m_-2613923187855093520m_8966898144488848888gmail_signature">
                    <div dir="ltr">
                      <div>
                        <div dir="ltr">
                          <div>
                            <div dir="ltr">
                              <div>
                                <div dir="ltr">
                                  <div>
                                    <div dir="ltr">
                                      <div><b style="font-size:12.8px">Daniel
                                          P. Stasinski</b><br>
                                        <a href="mailto:daniel@GenericInbox.com" target="_blank">daniel@GenericInbox.com</a><br>
                                      </div>
                                      <font size="4">I</font> 💛<font size="4">✞</font></div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
      <br>
      <br>
      <pre>------------------------------<wbr>---------------------
PLUG-discuss mailing list - <a class="m_-2613923187855093520moz-txt-link-abbreviated" href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.<wbr>org</a>
To subscribe, unsubscribe, or to change your mail settings:
<a class="m_-2613923187855093520moz-txt-link-freetext" href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/<wbr>mailman/listinfo/plug-discuss</a></pre>
    </blockquote>
    <br>
  </div>

</blockquote></div></div>
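<div dir="auto">Added example, not part of any message in this thread: a simplified Python model of the order in which netfilter evaluates the rules discussed above (mangle PREROUTING, then nat PREROUTING, then filter INPUT), giving the verdict for a new connection to port 80 and to port 7778 under each posted rule. The function and scenario names are hypothetical, and the model ignores conntrack state, interfaces and anything other than the TCP destination port.</div>

```python
"""Simplified model of netfilter for a new inbound TCP connection:
mangle PREROUTING -> nat PREROUTING -> filter INPUT. Constructed for
illustration; it is not iptables and ignores conntrack state."""

def verdict(dport, mark_ports, redirects, input_chain):
    pkt = {"dport": dport, "mark": 0}
    # mangle PREROUTING runs first and still sees the port the client dialled.
    if pkt["dport"] in mark_ports:
        pkt["mark"] = 1
    # nat PREROUTING: first matching REDIRECT rewrites the destination port.
    for match_port, to_port in redirects:
        if pkt["dport"] == match_port:
            pkt["dport"] = to_port
            break
    # filter INPUT sees the rewritten port; first matching rule decides.
    for match, target in input_chain:
        if match(pkt):
            return target
    return "ACCEPT"  # :INPUT ACCEPT policy from the posted file

# filter INPUT rules from the thread, as (match predicate, target).
ACCEPT_7778 = (lambda p: p["dport"] == 7778, "ACCEPT")  # --dport 7778 -j ACCEPT
DROP_MARKED = (lambda p: p["mark"] == 1, "DROP")        # -m mark --mark 1 -j DROP
DROP_PORT80 = (lambda p: p["dport"] == 80, "DROP")      # --dport 80 -j DROP
REJECT_ALL = (lambda p: True, "REJECT")                 # -j REJECT (last rule)

BASE = [ACCEPT_7778, REJECT_ALL]
TO_7778 = [(80, 7778)]  # --dport 80 -j REDIRECT --to-ports 7778

# Each scenario: (ports marked in mangle, nat redirects, filter INPUT chain).
SCENARIOS = {
    "original file": (set(), TO_7778, BASE),
    "plus 7778 -> 80 redirect": (set(), TO_7778 + [(7778, 80)], BASE),
    "mark DROP appended with -A": ({7778}, TO_7778, BASE + [DROP_MARKED]),
    "mark DROP ahead of ACCEPT": ({7778}, TO_7778, [DROP_MARKED] + BASE),
    "port 80 DROP ahead of ACCEPT": (set(), TO_7778, [DROP_PORT80] + BASE),
}

def outcomes(name):
    """Verdicts for a client dialling port 80 and port 7778 directly."""
    marks, redirects, chain = SCENARIOS[name]
    return {port: verdict(port, marks, redirects, chain) for port in (80, 7778)}

if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:30s} {outcomes(name)}")
```

<div dir="auto">In this model the position of a rule in INPUT matters as much as the rule itself: a rule appended after the existing port 7778 ACCEPT is never reached for that traffic.</div>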