  1. #1

    Preventing access through iptables

    I am trying to lock down our application and server with iptables. Anybody have any idea how to prevent accesses to the application from another application? Basically I opened up the ports 80 and 443 for the application server. However, the application points to other apps (i.e. database, LDAP). I want to limit what it can connect to or who can connect to it. Basically I can limit who connects to the server itself, but the application can still get input from outside servers.

  2. #2
    Linux Newbie nplusplus's Avatar
    Join Date
    Apr 2010
    Charlotte, NC, USA
    What distro are you using? If it is a RedHat-based distro, the default iptables setup allows all outbound traffic. I believe the way to mitigate that is to modify the OUTPUT chain. Before you mess with it, you will want to have console access though, or you might lock yourself out if you are working remotely.

    By default, the OUTPUT chain policy is set to ACCEPT. You could change this by running:

    iptables -P OUTPUT DROP
    Alternatively you could set all packets passing the OUTPUT chain to pass through a user defined chain, such as the "RH-Firewall-1-INPUT" chain that ships with the default iptables setup on a Redhat distro. i.e.:

    iptables -t filter -I OUTPUT -j RH-Firewall-1-INPUT
    That might be the more cautious place to start.

    Hope that helps. Let me know how it works out.

    Again, make sure you have console access before messing with outbound traffic, especially in a broad, sweeping way.

    - N

  3. #3
    Just Joined!
    Join Date
    Apr 2005
    Perth, Western Australia

    Restrict Application from going out

    If it's just a single application you want to restrict from leaving the local LAN, then you'll need to know what ports that application uses and, with the OUTPUT table set to DROP, as someone mentioned earlier.

  5. #4
    Just Joined!
    Join Date
    May 2007
    Silicon Valley, CA

    fwbuilder for iptables

    You may want to check out fwbuilder on SourceForge, too. It provides a complete GUI for iptables management.


  6. #5
    Just Joined! jippie's Avatar
    Join Date
    May 2006
    Eindhoven, the Netherlands
    If you're using Apache you want to check out mod_access.
