[ale] Iptables rule for Apache Rewrite
Jerry Yu
jjj863 at gmail.com
Tue Apr 10 13:41:52 EDT 2007
- bind zope to 127.0.0.1:8080 only.
- turn off TCP_tunnel for SSH server or the like, if an SSH server is
running on the server.
- iptables rule set from RHL/RHEL/Fedora allows any traffic on the
loopback interface already. If you do have a custom-made explicit
deny-all-by-default rule, you can do something like:
iptables -A INPUT -p tcp -i lo -s 127.0.0.1 -d 127.0.0.1 --source-port 1024: \
    --destination-port 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
On 4/10/07, Jeff Hubbs <hbbs at comcast.net> wrote:
>
> I've got a server that runs Zope and has Apache doing a rewrite from
> inbound port 80 to port 8080 (this is recommended so that it's Apache
> that's taking the Internet abuse and not Zope's built-in daemon). Here
> is the rewrite rule for Apache:
>
> <VirtualHost 192.168.0.211:80>
> RewriteEngine on
> RewriteRule ^($|/.*) \
> http://127.0.0.1:8080/VirtualHostBase/\
> http/%{SERVER_NAME}:80/VirtualHostRoot$1 [L,P]
> </VirtualHost>
>
>
> The problem is that this rewriting appears to be being affected by
> iptables rules; nmap shows the machine's port 80 as open, but it won't
> respond, as port 8080 is one that's specifically blocked in the script.
> What would be a good iptables rule to open a hole back up so that *just*
> the same machine can get through to port 8080?
>
> I'm a bit leery of a situation of someone being able to access port 8080
> from over the wire by forcing an IP address collision, i.e., set an
> interface to the same as that of the server.
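A rule set along these lines, as an added example that is not from the post or its author: it keeps 8080 reachable only over loopback, drops wire packets that claim a loopback address (the address-collision worry in the question), and checks that Zope is not also bound to 0.0.0.0. It assumes Zope on 127.0.0.1:8080, eth0 as the wire interface, a DROP default INPUT policy, and the netstat-style lines it checks are constructed.

```shell
#!/bin/sh
# Added example, not from the list post. Assumed: Zope listens on
# 127.0.0.1:8080, the wire interface is $EXT_IF (default eth0), the INPUT
# policy is DROP. With IPT=echo the rules are printed instead of applied.

IPT="${IPT:-iptables}"
ZOPE_PORT="${ZOPE_PORT:-8080}"
EXT_IF="${EXT_IF:-eth0}"

# A 127/8 source or destination that did not come in on lo cannot be
# legitimate: it is forged or misrouted. These go before the accept rules.
antispoof_rules() {
    "$IPT" -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    "$IPT" -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
}

# Apache's proxied request and Zope's replies travel over lo only. The last
# rule refuses 8080 from the wire explicitly, so the hole stays closed even
# if someone later relaxes the chain's default policy.
zope_loopback_rules() {
    "$IPT" -A INPUT -i lo -p tcp -s 127.0.0.1 -d 127.0.0.1 \
        --dport "$ZOPE_PORT" -m state --state NEW,ESTABLISHED -j ACCEPT
    "$IPT" -A INPUT -i lo -p tcp --sport "$ZOPE_PORT" \
        -m state --state ESTABLISHED -j ACCEPT
    "$IPT" -A INPUT -i "$EXT_IF" -p tcp --dport "$ZOPE_PORT" -j DROP
}

# Host-side check for "bind zope to 127.0.0.1 only": feed a "netstat -lnt"
# style listing on stdin; succeeds only when every listener on the Zope
# port is bound to 127.0.0.1 rather than 0.0.0.0 or a real address.
zope_bound_to_loopback_only() {
    if grep -E ":${ZOPE_PORT}[[:space:]]" | grep LISTEN \
         | grep -qv "127\.0\.0\.1:${ZOPE_PORT}"; then
        return 1
    fi
    return 0
}

# Constructed sample listings (not real output) for the check above.
SAMPLE_GOOD='tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN'
SAMPLE_BAD='tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN'

case "${1:-}" in
    apply) antispoof_rules; zope_loopback_rules ;;
    *) IPT=echo; antispoof_rules; zope_loopback_rules ;;
esac
```

Run it with no argument to review the rules it would add, and with `apply` as root to install them.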