- 07-09-2010 #1 Just Joined!
- Join Date
- Jun 2010
- Posts
- 6
Preventing access through iptables
I am trying to lock down our application and server with iptables. Anybody have any idea how to prevent accesses to the application from another application? Basically I opened up the ports 80 and 443 for the application server. However, the application points to other apps (i.e. database, LDAP). I want to limit what it can connect to or who can connect to it. Basically I can limit who connects to the server itself, but the application can still get input from outside servers.
- 07-09-2010 #2 Just Joined!
- Join Date
- Apr 2010
- Posts
- 67
What distro are you using? If it is a RedHat-based distro, the default iptables setup allows all outbound traffic. I believe the way to mitigate that is to modify the OUTPUT chain. Before you mess with it, you will want to have console access though, or you might lock yourself out if you are working remotely.
By default, the OUTPUT chain policy is set to ACCEPT. You could change this by running:
Code:
iptables -P OUTPUT DROP
Alternatively you could set all packets passing the OUTPUT chain to pass through a user defined chain, such as the "RH-Firewall-1-INPUT" chain that ships with the default iptables setup on a Redhat distro. i.e.:
Code:
iptables -t filter -I OUTPUT -j RH-Firewall-1-INPUT
That might be the more cautious place to start.
Hope that helps. Let me know how it works out.
Again, make sure you have console access before messing with outbound traffic, especially in a broad, sweeping way.
- N
- 07-10-2010 #3 Just Joined!
- Join Date
- Apr 2005
- Location
- Perth, Western Australia
- Posts
- 11
Restrict Application from going out
If it's just a single application you want to restrict from leaving the local LAN, then you'll need to know what ports that application uses and, with the OUTPUT table set to DROP as someone earlier mentioned, allow only those.
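Putting the two previous replies together (a DROP policy on OUTPUT, and restricting just the one application), here is an added example rule generator; it is not code from any poster in this thread. It uses the iptables owner match (`-m owner --uid-owner`), which only applies to locally generated packets in the OUTPUT chain, so new outbound connections are allowed only when the application's own Unix user opens them, and only towards the database and LDAP hosts. The user name, host addresses and ports are assumed placeholder values, and the SSH rule is an assumption added so remote administration keeps working once both chain policies are DROP. The rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (does not run) an iptables
# rule set for an app server that listens on 80/443 and whose application
# user may only open connections to a database and an LDAP server.
# Assumed placeholders: app user, DB host/port, LDAP host/port, SSH on 22.

# gen_rules APP_USER DB_HOST DB_PORT LDAP_HOST LDAP_PORT
# Emits one iptables command per line; pipe into sh (as root) to apply.
gen_rules() {
    app_user="$1"; db_host="$2"; db_port="$3"; ldap_host="$4"; ldap_port="$5"
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
# Loopback and already-established flows must keep working, otherwise the
# box becomes unreachable the moment the DROP policies go in.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inbound: only the application's listeners, plus SSH (assumed) for admin.
iptables -A INPUT -p tcp --dport 22  -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Outbound: a NEW connection is accepted only if the application's user
# opened it (owner match) and it goes to the database or LDAP back end.
iptables -A OUTPUT -p tcp -d $db_host --dport $db_port -m owner --uid-owner $app_user -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -d $ldap_host --dport $ldap_port -m owner --uid-owner $app_user -m state --state NEW -j ACCEPT
# Anything else is logged (LOG does not terminate) and then hits the
# DROP policy, so blocked traffic shows up in the kernel log for review.
iptables -A INPUT  -j LOG --log-prefix "IN-DROP: "
iptables -A OUTPUT -j LOG --log-prefix "OUT-DROP: "
iptables -P INPUT  DROP
iptables -P OUTPUT DROP
EOF
}

# Count of ACCEPT rules that are gated on the application user; useful as a
# sanity check that nothing else was accidentally opened outbound.
count_owner_rules() {
    gen_rules "$@" | grep -c -- '--uid-owner'
}

# Usage (review first, apply as root from a console session):
#   gen_rules appuser 10.0.0.5 5432 10.0.0.6 389
#   gen_rules appuser 10.0.0.5 5432 10.0.0.6 389 | sudo sh
```

Because the owner match only sees locally generated packets, it does not restrict what reaches the application from outside; that side is handled by the INPUT rules, which here admit new connections only to 80 and 443. Anything the application (or any other process) tries beyond the two back ends lands in the kernel log with the `OUT-DROP:` prefix, which is the first place to look when a legitimate dependency was forgotten.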
- 07-10-2010 #4 Just Joined!
- Join Date
- May 2007
- Location
- Silicon Valley, CA
- Posts
- 1
fwbuilder for iptables
You may want to check out fwbuilder on SourceForge, too. It provides a complete GUI for iptables management.
FL
- 07-10-2010 #5
If you're using Apache you want to check out mod_access.