Setup nginx successfully, do i need to setup iptables too?

Posted by chuawenching 
Setup nginx successfully, do i need to setup iptables too?
May 31, 2011 03:07PM
Hi everyone,

I already installed nginx to listen to port 80. Nginx will route all traffic to http://127.0.0.1:8090 (apache2).

So when I type www.company.com, it will direct me to the right website.

But the problem here is that if I type in www.company.com:8090, I can still access it from the web browser. How can I prevent people from accessing via individual ports?

I notice that with nmap 127.0.0.1, port 8090 is open (as I set that in the apache2 ports.conf to listen on 127.0.0.1:8090).

What can I do to block port 8090 from being accessible to outside requests without affecting my apache or nginx? Does iptables play a role here? If yes, is there any way to get around this?

Any help? Thanks.
Re: Setup nginx successfully, do i need to setup iptables too?
June 02, 2011 02:04PM
Yes, iptables does play a role.

With iptables, you usually begin with two things

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP

The first rule says accept (don't drop) all connections that have been established and their related connections (--state RELATED,ESTABLISHED). This is so your SSH connections don't get cut off while you are still setting things up.

The second rule says: everything else that tries to come in, drop (don't allow).

Next you insert rules at the top for all the things you do want to let through. iptables rules are quite flexible; you can allow or drop connections based on state, protocol, interface, IP etc.

On a web server and a machine you control remotely you probably need at least HTTP (80), HTTPS (443) and SSH (22). You should bind SSH to the IP you are connecting from for added safety.

-I INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Now for your case, you also have apache listening on 8090, so you need to open that up, BUT, you only want to accept it when the source is the loopback address.

-I INPUT -s 127.0.0.1 -p tcp -m tcp --dport 8090 -j ACCEPT


So in the end your whole iptables config script would look something like this (though you will have to add rules for things like SMTP if you handle your own mail, etc.).

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -j DROP

-A adds the rule to the bottom, -I inserts it at the top, if I recall correctly. Rules are evaluated from top to bottom; if a connection matches a rule, it does what it was told (ACCEPT, DROP or others), otherwise it continues to the bottom. If it does not match anything, the connection is accepted (that's why it's important to have the catch-all DROP at the bottom: everything is prohibited except for what is explicitly allowed).

Hope that was clear.

Daniel.
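As an added example (editor's code, not code posted in this thread), the following is a small offline model of the first-match evaluation the answer above describes. It parses rule lines in the same argument form the answer uses, honours the -A (append) versus -I (insert at top) distinction, and then asks the question the original poster asked: does port 8090 answer only to loopback? It models only the matchers those rules use (-p, -s, --dport, -m state --state); 203.0.113.5 is a constructed stand-in for an outside client, and the loopback rule carries -p tcp because --dport requires a protocol match. Python is used here because the real iptables binary cannot be exercised without root and a live kernel.

```python
# Added example (editor's own, not from the thread): first-match simulator for
# the INPUT-chain rules discussed above. Offline model, not a wrapper for iptables.
from dataclasses import dataclass
import ipaddress


@dataclass
class Packet:
    src: str      # source IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    state: str    # conntrack state: "NEW", "ESTABLISHED" or "RELATED"


def parse_rule(line):
    """Parse one iptables argument line into (action, chain, match dict, target)."""
    tokens = line.split()
    action = chain = target = None
    match = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-A", "-I"):
            action, chain = tok, tokens[i + 1]
        elif tok == "-p":
            match["proto"] = tokens[i + 1]
        elif tok == "-s":
            match["src"] = ipaddress.ip_network(tokens[i + 1], strict=False)
        elif tok == "--dport":
            match["dport"] = int(tokens[i + 1])
        elif tok == "--state":
            match["states"] = set(tokens[i + 1].split(","))
        elif tok == "-j":
            target = tokens[i + 1]
        elif tok == "-m":
            pass  # "-m tcp" / "-m state" only load a matcher; its options follow
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
        i += 2
    # Real iptables rejects --dport without -p tcp/udp; mirror that check.
    if "dport" in match and match.get("proto") not in ("tcp", "udp"):
        raise ValueError(f"--dport needs -p tcp or -p udp: {line!r}")
    return action, chain, match, target


def build_chain(lines):
    """Apply rule lines in order: -A appends, -I inserts at the top."""
    chain = []
    for line in lines:
        action, name, match, target = parse_rule(line)
        if name != "INPUT":
            raise ValueError(f"only the INPUT chain is modelled: {line!r}")
        if action == "-A":
            chain.append((match, target))
        else:
            chain.insert(0, (match, target))
    return chain


def matches(match, pkt):
    """True when every matcher in the rule agrees with the packet."""
    if "proto" in match and match["proto"] != pkt.proto:
        return False
    if "src" in match and ipaddress.ip_address(pkt.src) not in match["src"]:
        return False
    if "dport" in match and match["dport"] != pkt.dport:
        return False
    if "states" in match and pkt.state not in match["states"]:
        return False
    return True


def verdict(chain, pkt, policy="ACCEPT"):
    """The first matching rule decides; otherwise the chain's default policy applies."""
    for match, target in chain:
        if matches(match, pkt):
            return target
    return policy


def unreachable_rules(chain):
    """Indexes of rules sitting below a catch-all (no matchers): they never fire."""
    for i, (match, _target) in enumerate(chain):
        if not match:
            return list(range(i + 1, len(chain)))
    return []


# Constructed rule set mirroring the answer's final script.
RULES = [
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT",
    "-A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 8090 -j ACCEPT",
    "-A INPUT -j DROP",
]
CHAIN = build_chain(RULES)
OUTSIDE = "203.0.113.5"  # documentation address standing in for an outside client


def check_backend_exposure(chain=CHAIN):
    """Verdict for a new connection to port 8090 from loopback and from outside."""
    return {
        "loopback": verdict(chain, Packet("127.0.0.1", "tcp", 8090, "NEW")),
        "outside": verdict(chain, Packet(OUTSIDE, "tcp", 8090, "NEW")),
    }


if __name__ == "__main__":
    print(check_backend_exposure())
    # A broad 8090 rule appended after the DROP is dead; inserted with -I it
    # lands above the DROP and re-exposes the backend.
    appended = build_chain(RULES + ["-A INPUT -p tcp --dport 8090 -j ACCEPT"])
    inserted = build_chain(RULES + ["-I INPUT -p tcp --dport 8090 -j ACCEPT"])
    print("dead rules:", unreachable_rules(appended))
    print("outside->8090 after -I:", check_backend_exposure(inserted)["outside"])
```

The `unreachable_rules` check is the audit step worth keeping: any rule added with -A after the catch-all DROP never fires, while the same rule added with -I goes to the top and overrides the DROP, which is why the loopback rule must carry -s 127.0.0.1 wherever it sits.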