Application Security


TASK

We have a backup management application UI hosted on Nautilus's backup server in Stratos DC. That backup management application code is deployed under Apache on the backup server itself, and Nginx is running as a reverse proxy on the same server. Apache and Nginx ports are 6300 and 8095, respectively. We have iptables firewall installed on this server. Make the appropriate changes to fulfill the requirements mentioned below:

We want to open all incoming connections to Nginx's port and block all incoming connections to Apache's port. Also make sure the rules are permanent (survive a reboot).

SOLUTION

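# Log in to the backup server and become root; every command below runs there as root.
ssh clint@stbkp01

sudo su -

# See whether the firewall service is installed and whether it is already running.
systemctl status iptables

# Confirm which process owns which port before writing rules for them:
# httpd (Apache) listens on 6300, nginx on 8095.
ss -tlnp

# State       Recv-Q Send-Q      Local Address:Port                     Peer Address:Port
# LISTEN      0      128                     *:22                                  *:*                   users:(("sshd",pid=478,fd=3))
# LISTEN      0      4096           127.0.0.11:37403                               *:*
# LISTEN      0      511                     *:6300                                *:*                   users:(("httpd",pid=525,fd=3),("httpd",pid=524,fd=3),("httpd",pid=523,fd=3),("httpd",pid=522,fd=3),("httpd",pid=521,fd=3),("httpd",pid=520,fd=3))
# LISTEN      0      511                     *:8095                                *:*                   users:(("nginx",pid=578,fd=6),("nginx",pid=577,fd=6),("nginx",pid=576,fd=6),("nginx",pid=575,fd=6),("nginx",pid=574,fd=6),("nginx",pid=573,fd=6),("nginx",pid=572,fd=6),("nginx",pid=571,fd=6),("nginx",pid=570,fd=6),("nginx",pid=569,fd=6),("nginx",pid=568,fd=6),("nginx",pid=567,fd=6),("nginx",pid=566,fd=6),("nginx",pid=565,fd=6),("nginx",pid=564,fd=6),("nginx",pid=563,fd=6),("nginx",pid=562,fd=6),("nginx",pid=561,fd=6),("nginx",pid=560,fd=6),("nginx",pid=559,fd=6),("nginx",pid=558,fd=6),("nginx",pid=557,fd=6),("nginx",pid=556,fd=6),("nginx",pid=555,fd=6),("nginx",pid=554,fd=6),("nginx",pid=553,fd=6),("nginx",pid=552,fd=6),("nginx",pid=551,fd=6),("nginx",pid=550,fd=6),("nginx",pid=549,fd=6),("nginx",pid=548,fd=6),("nginx",pid=547,fd=6),("nginx",pid=546,fd=6),("nginx",pid=545,fd=6),("nginx",pid=544,fd=6),("nginx",pid=543,fd=6),("nginx",pid=542,fd=6))
# LISTEN      0      128                  [::]:22                               [::]:*                   users:(("sshd",pid=478,fd=4))

# Start the service now AND enable it. The saved rule set in /etc/sysconfig/iptables
# is only reloaded at boot when the unit is enabled; without this the rules are not
# actually permanent even though the file exists.
systemctl start iptables
systemctl enable iptables

systemctl status iptables

# Inspect the existing chain BEFORE adding anything. On this host the INPUT chain
# already ends with a catch-all 'REJECT all ... icmp-host-prohibited' (rule 5).
# Rules appended with '-A' land AFTER that catch-all and are never evaluated, so an
# appended ACCEPT for 8095 would leave the Nginx port blocked. New rules must be
# inserted above the catch-all with '-I INPUT <n>'. Adjust the index below if the
# listing on your host differs.
iptables -L INPUT --line-numbers

# Allow new connections to Nginx's port (8095), placed directly above the catch-all.
# RELATED,ESTABLISHED traffic is already accepted by rule 1, so only NEW is needed.
iptables -I INPUT 5 -p tcp --dport 8095 -m conntrack --ctstate NEW -j ACCEPT

# Reject new connections to Apache's port (6300), placed just below the 8095 rule
# and still above the catch-all. The catch-all would reject it anyway, but an explicit
# rule documents the requirement and keeps holding if the catch-all is later relaxed.
iptables -I INPUT 6 -p tcp --dport 6300 -m conntrack --ctstate NEW -j REJECT

# This host's listing also carried a stray ACCEPT for 6300 (shown as
# 'tcp dpt:bmc-grx ctstate NEW,ESTABLISHED' in the original output) that this
# procedure never added. Remove it so that no rule anywhere in the chain can admit
# traffic to Apache, even if the chain is reordered later. Skip if the rule is absent.
iptables -D INPUT -p tcp -m tcp --dport 6300 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

iptables -L --line-numbers

# Expected INPUT chain afterwards (constructed from the rules above; exact
# formatting may differ). Note that both new rules sit ABOVE the catch-all REJECT:
#
# Chain INPUT (policy ACCEPT)
# num  target     prot opt source               destination
# 1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
# 2    ACCEPT     icmp --  anywhere             anywhere
# 3    ACCEPT     all  --  anywhere             anywhere
# 4    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
# 5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8095 ctstate NEW
# 6    REJECT     tcp  --  anywhere             anywhere             tcp dpt:bmc-grx ctstate NEW reject-with icmp-port-unreachable
# 7    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
#
# Chain FORWARD (policy ACCEPT)
# num  target     prot opt source               destination
# 1    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
#
# Chain OUTPUT (policy ACCEPT)
# num  target     prot opt source               destination

# Persist the running rule set. iptables-services reads this file when the unit
# starts, which is why 'systemctl enable iptables' above is required as well.
iptables-save > /etc/sysconfig/iptables

# Verify the saved file matches the running rules; the 8095 ACCEPT and the 6300
# REJECT must appear before the 'icmp-host-prohibited' catch-all.
cat /etc/sysconfig/iptables

# Expected filter table (constructed from the rules above; counters and timestamps
# will differ). The *nat table that follows holds Docker's embedded-DNS rules and is
# not touched by this change.
#
# *filter
# :INPUT ACCEPT [0:0]
# :FORWARD ACCEPT [0:0]
# :OUTPUT ACCEPT [0:0]
# -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# -A INPUT -p icmp -j ACCEPT
# -A INPUT -i lo -j ACCEPT
# -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# -A INPUT -p tcp -m tcp --dport 8095 -m conntrack --ctstate NEW -j ACCEPT
# -A INPUT -p tcp -m tcp --dport 6300 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
# -A INPUT -j REJECT --reject-with icmp-host-prohibited
# -A FORWARD -j REJECT --reject-with icmp-host-prohibited
# COMMIT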