  1. #1
    Just Joined! | Join Date: Jun 2010 | Posts: 6

    Preventing access through iptables


    I am trying to lock down our application and server with iptables. Anybody have any idea how to prevent access to the application from another application? Basically I opened up the ports 80 and 443 for the application server. However, the application points to other apps (i.e. database, LDAP). I want to limit what it can connect to or who can connect to it. Basically I can limit who connects to the server itself, but the application can still get input from outside servers.

  2. #2
    nplusplus (Linux Newbie) | Join Date: Apr 2010 | Location: Charlotte, NC, USA | Posts: 106
    What distro are you using? If it is a RedHat-based distro, the default iptables setup allows all outbound traffic. I believe the way to mitigate that is to modify the OUTPUT chain. Before you mess with it, you will want to have console access though, or you might lock yourself out if you are working remotely.

    By default, the OUTPUT chain policy is set to ACCEPT. You could change this by running:

    Code:
    iptables -P OUTPUT DROP

    Alternatively you could set all packets passing the OUTPUT chain to pass through a user-defined chain, such as the "RH-Firewall-1-INPUT" chain that ships with the default iptables setup on a Redhat distro, i.e.:

    Code:
    iptables -t filter -I OUTPUT -j RH-Firewall-1-INPUT

    That might be the more cautious place to start.

    Hope that helps. Let me know how it works out.

    Again, make sure you have console access before messing with outbound traffic, especially in a broad, sweeping way.

    - N
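As an added example that is not part of the thread: the OUTPUT-chain approach from the post above, turned into an explicit egress allow-list. It assumes the application runs as a dedicated Unix user (APP_USER) and that the backend host:port pairs and the resolver address are known; all addresses below are constructed placeholders. The script only prints the rules, so they can be reviewed on the console before being piped to sh.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an egress allow-list for the
# iptables OUTPUT chain so the application can only reach the backends it needs.
# Assumptions (constructed): app user "appsrv", internal resolver 10.0.0.2.
set -eu

APP_USER="${APP_USER:-appsrv}"
RESOLVER="${RESOLVER:-10.0.0.2}"

# gen_rules HOST:PORT [HOST:PORT ...]
# Prints the iptables commands; nothing is applied unless the output is piped to sh.
gen_rules() {
    # Replies to connections accepted on 80/443 must still be allowed out.
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Loopback traffic (local sockets, syslog) stays allowed.
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Name resolution only to the internal resolver.
    echo "iptables -A OUTPUT -p udp -d $RESOLVER --dport 53 -j ACCEPT"
    # One rule per backend, restricted to new TCP connections from the app's own uid,
    # so other processes on the box cannot reuse the hole.
    for hp in "$@"; do
        host="${hp%%:*}"
        port="${hp##*:}"
        echo "iptables -A OUTPUT -m owner --uid-owner $APP_USER -p tcp -d $host --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log line before the default policy flips, so blocked
    # connections show up in the kernel log instead of failing silently.
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix 'OUTPUT-DROP: '"
    # Policy goes last: with the allow rules in place first, a remote session is not cut off.
    echo "iptables -P OUTPUT DROP"
}

# Dry run with constructed backends: a database on 5432 and an LDAP server on 389.
gen_rules 10.0.0.10:5432 10.0.0.11:389
```

Apply with `gen_rules 10.0.0.10:5432 10.0.0.11:389 | sh` only from a console session, and check `dmesg` for the OUTPUT-DROP prefix to find connections the application still needs.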

  3. #3
    Just Joined! | Join Date: Apr 2005 | Location: Perth, Western Australia | Posts: 11

    Restrict Application from going out

    If it's just a single application you want to restrict from leaving the local LAN, then you'll need to know what ports that application uses and, with the OUTPUT table set to DROP as someone earlier mentioned, allow only those.

  4. #4
    Just Joined! | Join Date: May 2007 | Location: Silicon Valley, CA | Posts: 1

    fwbuilder for iptables

    You may want to check out fwbuilder on SourceForge, too. It provides a complete GUI for iptables management.

    FL

  5. #5
    jippie (Just Joined!) | Join Date: May 2006 | Location: Eindhoven, the Netherlands | Posts: 76
    If you're using Apache you want to check out mod_access.
