Hello,
I have an Apache web server running on port 443. This web server is located in an internal network and has two IP addresses: an internal IP address and an Internet IP address. I don't want anyone on the Internet to be able to see the Apache web server; only users within the network should be able to connect to it. How can I do this with iptables?
Usually you don't need to do anything. It depends on how you're connecting with the outside internet. But usually, it will be through some sort of router, and by default the router will simply ignore incoming requests on ports 443 or 80 or whatever.
Basically, most routers will, by default, only react to incoming IP packets that are associated with previous outgoing requests. For example, if one of your internal computers sends out an HTTPS request on port 443 of google.com, the returning answer will be forwarded to that internal computer. But if it receives a packet that isn't paired with an outgoing request that it understands, the router will simply have no idea what computer to forward it to. So it just ignores it.
Most routers can be configured to forward incoming requests to a particular port to a particular internal IP address. This is useful if you WANT to run an externally accessible server. But this is something that you'll have to explicitly configure, and the way to accomplish this will depend highly on your specific router.
You can also configure Apache to only listen on a specific address and port, regardless of the firewall rules. The exact how-to depends on whether you are using virtual hosts. Without details of how your rules are set up, just add a rule to drop port 80/443 traffic on the Internet interface / IP address.
When you configure a web server you configure it to listen on one interface, all interfaces, one IP address, or all IP addresses.
If you have not, the documentation is available at apache.org I believe. Look up the "Listen" directive in the configuration file information.
Hello,
Thank you so much for all replies.
How can I do it with iptables? For example, I only want users with IP addresses in the range of 192.168.1.1/24 to be able to connect to the web server.
IPTables? As mentioned in the other thread, the development for that has wound down, though there is a long tail. I expect that iptables rules might be something like the following (untested), but it would vary 100% depending on what you already have there:
Just to be clear, the above depends 100% on what you have or don't have in place already and will either work as-is, or lock you out, or something in between.
NFTables would be as follows, a variation on the one from the other thread.
Code:
#!/usr/sbin/nft -f
# Clear all prior state
flush ruleset

# Basic IPv4/IPv6 stateful firewall
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # accept local host traffic
        iifname "lo" ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8 \
            counter accept
        iifname "lo" ip6 saddr ::1 ip6 daddr ::1 \
            counter accept

        # Accept traffic originated from us
        ct state { established, related } accept

        # Drop invalid connections
        ct state invalid drop

        # Reject AUTH to make it fail fast
        tcp dport 113 reject with icmpx type port-unreachable

        # SSH: rate-limit new connections
        tcp dport 22 ct state new limit rate 4/minute counter accept

        # adjust these as needed: new HTTP/HTTPS connections arriving on eth0
        # and addressed to the internal range (this matches the destination
        # address, not the client's source address)
        iifname "eth0" ip daddr 192.168.1.0/24 tcp dport 80 \
            ct state new counter accept
        iifname "eth0" ip daddr 192.168.1.0/24 tcp dport 443 \
            ct state new counter accept

        # ICMPv4
        # Accept ICMP
        ip protocol icmp icmp type {
            echo-reply,              # type 0
            destination-unreachable, # type 3
            echo-request,            # type 8
            time-exceeded,           # type 11
            parameter-problem,       # type 12
        } accept

        # ICMPv6
        # Accept basic IPv6 functionality
        ip6 nexthdr icmpv6 icmpv6 type {
            destination-unreachable, # type 1
            packet-too-big,          # type 2
            time-exceeded,           # type 3
            parameter-problem,       # type 4
            echo-request,            # type 128
            echo-reply,              # type 129
        } accept

        # Allow IPv6 SLAAC
        ip6 nexthdr icmpv6 icmpv6 type {
            nd-router-solicit,   # type 133
            nd-router-advert,    # type 134
            nd-neighbor-solicit, # type 135
            nd-neighbor-advert,  # type 136
        } ip6 hoplimit 255 accept

        # Allow IPv6 multicast listener discovery on link-local
        ip6 nexthdr icmpv6 icmpv6 type {
            mld-listener-query,     # type 130
            mld-listener-report,    # type 131
            mld-listener-reduction, # type 132
            mld2-listener-report,   # type 143
        } ip6 saddr fe80::/10 accept

        # Accept DHCPv6 replies from IPv6 link-local addresses
        ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

include "/etc/nftables.d/*.nft"
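An added example, not code from anyone in this thread, showing the source-address form of the restriction the original poster asked for: new HTTP/HTTPS connections are accepted only when the client address is in 192.168.1.0/24, which still holds if a router port-forwards 443 to the internal IP (a destination-address match alone would accept those Internet clients). The interface name eth0 and the table name webfilter are assumptions; the iptables lines are the equivalent for a host still using iptables.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: interface eth0,
# internal client range 192.168.1.0/24, nft table name "webfilter".

# Print an nft table that lets only SRC open new HTTP/HTTPS connections.
# It composes with an existing base table (like the "filter" one above):
# a packet must be accepted by every input hook chain, so this table can
# use "policy accept" and still enforce its own drop on the web ports.
# Usage: nft_web_rules IFACE SRC_CIDR
nft_web_rules() {
  iface=$1; src=$2
  cat <<EOF
table inet webfilter {
    chain input {
        type filter hook input priority 0; policy accept;
        # internal clients may open new HTTP/HTTPS connections
        iifname "$iface" ip saddr $src tcp dport { 80, 443 } ct state new accept
        # any other new connection to the web ports (Internet clients,
        # port-forwarded or not, and IPv6) is dropped and counted
        tcp dport { 80, 443 } ct state new counter drop
    }
}
EOF
}

# The same policy as iptables commands for a host still using iptables.
# Usage: iptables_web_rules IFACE SRC_CIDR
iptables_web_rules() {
  iface=$1; src=$2
  cat <<EOF
iptables -A INPUT -i $iface -s $src -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j DROP
EOF
}

# Syntax-check the generated nft ruleset without loading it (nft -c),
# when nft is installed on this host.
check_nft() {
  if command -v nft >/dev/null 2>&1; then
    nft_web_rules "$1" "$2" | nft -c -f -
  fi
}
```

Write the nft output to a file under /etc/nftables.d/ (the include path in the ruleset above) so it loads with the base table; check with `nft -c -f` first and count the drops with `nft list table inet webfilter` to see Internet attempts being blocked.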