We have an Ubuntu server that hosts a PHP server and a game server.
Recently we have been getting a lot of DoS and flood attacks, so I found some iptables rules that can protect the HTTP and game ports from attack.
Here are my rules:
iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m limit --limit 5/sec -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3724 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 25 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
But the problem appears when PHP wants to open a request, such as a SOAP web service call, to another server, and iptables blocks this connection.
I think the problem is in this line:
iptables -P INPUT DROP
but without this line all requests to all other ports are allowed.
And this is the PHP SOAP error:
object(SoapClient)#48 (2) { ["_soap_version"]=> int(1) ["sdl"]=> resource(97) of type (Unknown) }
I appreciate all your comments. Thanks.
The problem is that outgoing connections use a random local port to listen for replies. So if, for example, you are requesting a DNS entry on port 53, your computer will listen on port 42316 for the data. If the latter port is blocked, as is the case in the above setup, the connection will fail.
This is easily solved by generally allowing packets of ESTABLISHED and RELATED connections:
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Also, change the other rules to use state NEW, as that's most likely what you want to restrict. Otherwise it will just cripple the server's connectivity.
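A complete INPUT rule set that follows this answer, as an added example and not the poster's script: loopback and reply traffic are accepted before anything else, and only the first packet of a connection to a listed service port goes through the connlimit and limit matches from the question, so everything else falls to the DROP policy. IPT, IFACE and TCP_PORTS are variables introduced here (not iptables options); setting IPT to "echo iptables", which the dry-run mode does, prints the rules instead of loading them.

```shell
#!/bin/sh
# Stateful INPUT policy with a default DROP, following the answer above:
# accept loopback and reply traffic first, then new connections per service
# port with the connlimit and limit matches from the question. Added example,
# not the poster's script. IPT, IFACE and TCP_PORTS are assumptions of this
# script, not options of iptables.
IPT="${IPT:-iptables}"                      # "echo iptables" prints instead of applying
IFACE="${IFACE:-eth0}"
TCP_PORTS="${TCP_PORTS:-22 80 443 3724 25}" # 3724 is the game port from the question

fw_apply() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened (SOAP calls, DNS, ...) and packets of
    # connections already accepted below. Placed before any NEW rule on purpose.
    $IPT -A INPUT -i "$IFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Only the first packet of a connection is subject to the per-port limits;
    # any port not listed here falls through to the DROP policy.
    for p in $TCP_PORTS; do
        $IPT -A INPUT -i "$IFACE" -p tcp --dport "$p" -m state --state NEW \
            -m connlimit --connlimit-upto 15 --connlimit-mask 32 \
            -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
    done
}

# Print the rules fw_apply would run, without touching the kernel.
fw_dryrun() {
    ( IPT="echo iptables"; fw_apply )
}

case "${1:-}" in
    apply)   fw_apply ;;
    dry-run) fw_dryrun ;;
esac
```

Run it with dry-run first and read the output; note that it flushes only INPUT (the question's bare -F flushes every chain in the filter table), and that the RELATED,ESTABLISHED rule must stay above the NEW rules or outgoing connections break again.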
I have been trying to connect to 54.255.140.142:3000 using Socket.IO.
I tried to open the port using the iptables -A INPUT -p tcp --dport 3000 -j ACCEPT command.
It gives the error "Site cannot be reached".
Check if the port 3000 is open or closed.
I've got several Docker containers up and running using docker-compose.
Nginx is connected to PHP through internal port forwarding on 9000/tcp. PHP is connected to MySQL through internal forwarding.
Nginx is reachable on the public NIC!
Another container running Postfix is based on the same base image and is configured/launched exactly the same as the Nginx container, but its ports are not accessible from the internet.
Both nginx and postfix expose their ports the same way, so why is postfix not reachable??
nginx (Dockerfile)
...
EXPOSE 80/tcp 443/tcp
...
postfix (Dockerfile)
...
EXPOSE 25/tcp 465/tcp 587/tcp
...
docker-compose.yml
...nginx
ports:
- "80:80/tcp"
- "443:443/tcp"
...
and
...postfix
ports:
- "25:25/tcp"
- "465:465/tcp"
- "587:587/tcp"
...
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
550cf81ccfc3 nginx "nginx -g 'daemon ..." 17 minutes ago Up 17 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp nginx
5b1b823c8b75 postfix "/run.sh" 17 minutes ago Up 17 minutes 0.0.0.0:25->25/tcp, 0.0.0.0:465->465/tcp, 0.0.0.0:587->587/tcp postfix
f7541058c973 php "php5-fpm -F" 17 minutes ago Up 17 minutes 9000/tcp php
ad1d1db33351 mysql "/sbin/entrypoint...." 17 minutes ago Up 17 minutes 3306/tcp mysql
netstat -a
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 464/sshd
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 461/rsyslogd
tcp6 0 0 :::25 :::* LISTEN 24924/docker-proxy
tcp6 0 0 :::443 :::* LISTEN 24937/docker-proxy
tcp6 0 0 :::514 :::* LISTEN 461/rsyslogd
tcp6 0 0 :::587 :::* LISTEN 24899/docker-proxy
tcp6 0 0 :::80 :::* LISTEN 24975/docker-proxy
tcp6 0 0 :::465 :::* LISTEN 24912/docker-proxy
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 465 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
Telnet on all ips:ports works fine from docker host.
nmap from outside to public ip:
25: filtered
80: open
110: filtered (although there is no service running, ~* weird *~)
443: open
465: filtered
587: filtered
uname -a
Linux h2127057 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 GNU/Linux
Who knows the solution??
A simple server reboot fixed it! Pretty stupid. :-(
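Before reaching for a reboot, one cheap check is whether the host's rule set still agrees with what the containers publish. The script below is an added example, not something from the question or from Docker: it parses docker ps and iptables -S output (the sample copies are the question's own lines) and lists every published port that has no ACCEPT rule in the filter table's DOCKER chain. published_ports, docker_chain_ports and missing_ports are names introduced here. For the question's output the two agree, so the filtering seen by nmap is not explained by these rules; the FORWARD chain and the nat table are not in the pasted output and would be the next things to compare.

```shell
#!/bin/sh
# Cross-check the ports a container publishes (docker ps PORTS column) against
# the ACCEPT rules Docker installs in the filter table's DOCKER chain.
# Added example; the sample inputs below are copied from the question.

# Ports published on 0.0.0.0 according to docker ps, one per line. Input on stdin.
published_ports() {
    grep -o '0\.0\.0\.0:[0-9]*->' | sed 's/^0\.0\.0\.0://; s/->$//' | sort -n | uniq
}

# Destination ports that have an ACCEPT rule in the DOCKER chain (iptables -S). Stdin.
docker_chain_ports() {
    grep '^-A DOCKER ' | grep -- '-j ACCEPT' | grep -o -- '--dport [0-9]*' \
        | awk '{ print $2 }' | sort -n | uniq
}

# Print published ports with no DOCKER chain rule.
# $1 = file with docker ps output, $2 = file with iptables -S output
missing_ports() {
    for p in $(published_ports < "$1"); do
        docker_chain_ports < "$2" | grep -qx "$p" || echo "$p"
    done
}

WORK="$(mktemp -d)"
# docker ps output from the question (the php line shows an unpublished port).
cat > "$WORK/ps.txt" <<'EOF'
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
550cf81ccfc3 nginx "nginx -g 'daemon ..." 17 minutes ago Up 17 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp nginx
5b1b823c8b75 postfix "/run.sh" 17 minutes ago Up 17 minutes 0.0.0.0:25->25/tcp, 0.0.0.0:465->465/tcp, 0.0.0.0:587->587/tcp postfix
f7541058c973 php "php5-fpm -F" 17 minutes ago Up 17 minutes 9000/tcp php
EOF
# iptables -S output from the question.
cat > "$WORK/ipt.txt" <<'EOF'
-P INPUT ACCEPT
-N DOCKER
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 465 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
EOF
# Constructed variant with the port 587 rule missing, to show what a stale rule set looks like.
grep -v -- '--dport 587' "$WORK/ipt.txt" > "$WORK/ipt-stale.txt"

echo "question's rule set, missing ports: $(missing_ports "$WORK/ps.txt" "$WORK/ipt.txt")"
echo "stale rule set, missing ports: $(missing_ports "$WORK/ps.txt" "$WORK/ipt-stale.txt")"
```

On a live host feed it "docker ps" and "iptables -S" saved to files; a non-empty result means Docker's rules and its published ports have drifted apart (typically after a daemon restart or an iptables flush), which a restart of the Docker service or of the host repairs.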
I am running a little daft here as I have a problem with accessing a database over the network.
I have deployed a webapp on server A and I want to access a database on server B. I have added the necessary rules to iptables:
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 'client ip' --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 'client ip' --sport 5432 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
I have added the necessary permissions to pg_hba.conf:
host all all 'client ip'/32 trust
hostssl all all 'client ip'/32 trust
I am also able to connect to the database from server A via the CLI:
serverA:/etc/postgresql/9.4/main# psql -h 'server B Ip' -U postgres -d test
psql (9.4.5)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
test=#
Yet my webapp, when trying to access the database from server A, throws this error:
Message: pg_connect(): Unable to connect to PostgreSQL server:
FATAL: no pg_hba.conf entry for host "ServerA ip", user "postgres", database "test", SSL on
FATAL: no pg_hba.conf entry for host "ServerA ip", user "postgres", database "test", SSL off
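The two FATAL lines are PostgreSQL reporting the exact tuple it matched against pg_hba.conf (client address, user, database, SSL on or off) and finding no line for it; lines are tried top-down and the first full match decides the auth method. The checker below is an added example, not anything from the post: it reproduces that evaluation for host, hostssl and hostnossl lines in CIDR form so the tuple from the error can be tested against the file directly. pg_hba_method is a name introduced here, the sample file and the addresses 10.0.0.5, 10.0.0.6 and 10.0.0.7 are constructed, and the "trust" method in the sample, as in the question, means no password is asked of anything matching the address field.

```shell
#!/bin/sh
# Reproduce how PostgreSQL reads pg_hba.conf for TCP clients: lines are tried
# top-down and the first one whose type, database, user and address all match
# decides the auth method. No match is the "no pg_hba.conf entry for host ..."
# error from the question. Added example, not from the post.
# Assumptions: addresses in CIDR form only, no comma-separated lists, and only
# host / hostssl / hostnossl lines are considered.

# Usage: pg_hba_method FILE CLIENT_IP USER DATABASE on|off   (last arg: SSL in use)
# Prints the method of the first matching line, or NOMATCH.
pg_hba_method() {
    awk -v ip="$2" -v user="$3" -v db="$4" -v ssl="$5" '
    function ip2n(a,  p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    # Drop the host bits by dividing by 2^(32-prefix); 32-bit values are exact in doubles.
    function cidr_ok(addr, cidr,  p, scale) {
        if (index(cidr, "/") == 0) cidr = cidr "/32"
        split(cidr, p, "/"); scale = 2 ^ (32 - p[2])
        return int(ip2n(addr) / scale) == int(ip2n(p[1]) / scale)
    }
    /^[[:space:]]*#/ || NF < 5                            { next }
    $1 != "host" && $1 != "hostssl" && $1 != "hostnossl"  { next }
    $1 == "hostssl" && ssl != "on"                        { next }   # hostssl needs TLS
    $1 == "hostnossl" && ssl == "on"                      { next }   # hostnossl refuses TLS
    $2 != "all" && $2 != db                               { next }
    $3 != "all" && $3 != user                             { next }
    !cidr_ok(ip, $4)                                      { next }
    { print $5; found = 1; exit }
    END { if (!found) print "NOMATCH" }
    ' "$1"
}

# Constructed pg_hba.conf: the question's two lines with 10.0.0.5 standing in
# for the whitelisted client, plus a TLS-only line and a subnet line.
HBA="$(mktemp)"
cat > "$HBA" <<'EOF'
# TYPE    DATABASE  USER      ADDRESS        METHOD
hostssl   all       all       10.0.0.6/32    cert
host      all       all       10.0.0.6/32    md5
host      all       all       10.0.0.5/32    trust
hostssl   all       all       10.0.0.5/32    trust
host      test      app       10.0.0.0/24    md5
EOF

# A client at an address the file does not list for user postgres gets NOMATCH,
# which is the situation the question's error describes.
echo "10.0.0.5 postgres/test over TLS: $(pg_hba_method "$HBA" 10.0.0.5 postgres test on)"
echo "10.0.0.7 postgres/test over TLS: $(pg_hba_method "$HBA" 10.0.0.7 postgres test on)"
```

The address to test is the one PostgreSQL prints in the error, not the one you expect the client to use; when they differ, the connection is leaving the web server from another interface or address than the CLI session did.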
I have two CentOS VMs. The IP address of VM_1 is 10.99.0.10 and of VM_2 is 10.99.0.12. Apache and PHP are on VM_1 and MySQL is on VM_2. Both have iptables rules. VM_2 is working fine with its rules. Now I am testing from VM_1.
First, I disabled iptables on VM_1 and connected to MySQL on VM_2 (connected successfully).
[root@foster ~]# service IPTables stop
IPTables : Applying firewall rules: [ OK ]
[root@foster ~]# mysql -h 10.99.0.12 -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.6.21 MySQL Community Server (GPL)
Next, I enabled iptables on VM_1 and connected to MySQL on VM_2 (it never responds, even after hours).
[root@foster ~]# service IPTables start
IPTables : Applying firewall rules: [ OK ]
[root@foster ~]# mysql -h 10.99.0.12 -u root -p
Enter password:
What is wrong with my iptables rules? My rules are in Pastebin.
The problem is in the way you enable MySQL traffic:
# Allow MySQL private Networking
sudo iptables -A INPUT -i eth1 -p tcp -s 10.99.0.12 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth1 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
These rules have two issues:
They allow outgoing MySQL traffic from VM_1 only if the connection was first initiated from VM_2 (10.99.0.12).
They specify the port 3306 as the client's (VM_1) port rather than as the server's (VM_2) port.
A more suitable rule set would be as follows:
# Allow MySQL private Networking
sudo iptables -A OUTPUT -o eth1 -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i eth1 -p tcp -s 10.99.0.12 --sport 3306 -m state --state ESTABLISHED -j ACCEPT
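To see the two issues concretely, the evaluator below (an added example, not the answerer's code) applies iptables' first-match semantics to the subset of options used here and reports which rule VM_1's outgoing SYN and the server's reply would hit under the original and the corrected rule set. fw_match, syn_verdict and reply_verdict are names introduced here; the client port 40000 is constructed, -s and -d are compared as exact strings, and tokens the evaluator does not know (-p, -i, -o, -m, sudo, iptables) are skipped.

```shell
#!/bin/sh
# First-match evaluator for the iptables options used in the answer above, to
# see which rule a given packet hits. Added example, not the poster's code.
# Understands -A CHAIN, -s/-d ADDR (exact string), --sport/--dport N or N:M,
# --state A,B and -j TARGET; every other token is skipped. No "!" negation.

# Usage: fw_match RULES_FILE CHAIN SRC DST SPORT DPORT STATE
# Prints the target of the first matching rule in CHAIN, or NOMATCH (the chain policy applies).
fw_match() {
    awk -v chain="$2" -v src="$3" -v dst="$4" -v sport="$5" -v dport="$6" -v state="$7" '
    function port_ok(p, spec,  r) {
        if (index(spec, ":")) { split(spec, r, ":"); return p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0 }
        return p + 0 == spec + 0
    }
    function state_ok(st, spec,  a, i, n) {
        n = split(spec, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == st) return 1
        return 0
    }
    /^[[:space:]]*#/ || NF == 0 { next }
    {
        ok = 1; target = ""; rchain = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-A")           rchain = $(i + 1)
            else if ($i == "-s")      { if ($(i + 1) != src) ok = 0 }
            else if ($i == "-d")      { if ($(i + 1) != dst) ok = 0 }
            else if ($i == "--sport") { if (!port_ok(sport, $(i + 1))) ok = 0 }
            else if ($i == "--dport") { if (!port_ok(dport, $(i + 1))) ok = 0 }
            else if ($i == "--state") { if (!state_ok(state, $(i + 1))) ok = 0 }
            else if ($i == "-j")      target = $(i + 1)
        }
        if (rchain == chain && ok && target != "") { print target; found = 1; exit }
    }
    END { if (!found) print "NOMATCH" }
    ' "$1"
}

WORK="$(mktemp -d)"
# The question's rules as seen on VM_1 (the MySQL client, 10.99.0.10).
cat > "$WORK/before.rules" <<'EOF'
iptables -A INPUT -i eth1 -p tcp -s 10.99.0.12 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
EOF
# The answer's corrected rules.
cat > "$WORK/after.rules" <<'EOF'
iptables -A OUTPUT -o eth1 -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -s 10.99.0.12 --sport 3306 -m state --state ESTABLISHED -j ACCEPT
EOF

# VM_1's SYN to the MySQL server, and the server's reply, as VM_1's chains see them.
# The ephemeral client port 40000 is constructed.
syn_verdict()   { fw_match "$1" OUTPUT 10.99.0.10 10.99.0.12 40000 3306 NEW; }
reply_verdict() { fw_match "$1" INPUT  10.99.0.12 10.99.0.10 3306 40000 ESTABLISHED; }

for f in before after; do
    echo "$f: SYN -> $(syn_verdict "$WORK/$f.rules"), reply -> $(reply_verdict "$WORK/$f.rules")"
done
```

With the original rules neither the SYN nor the reply matches anything (the SYN carries the server port as its destination, not its source, and the reply arrives on the client's ephemeral port), so both fall to the chain policy and the client hangs exactly as described.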
I have a PHP program which I run via the CLI. The aim of the program is to connect to some HTTP address and get some data. It works OK. But I want to use another IP address of my webserver instead of the primary one. Is there any solution for this?
EDIT: The webserver has multiple IP addresses. I want to use any of them I choose on any request; if that is not possible, at least one specific one. I have tried CURL_INTERFACE, and it does not send data when I give it an IP other than the primary one.
HOSTNAME=server.xxxx.net
TERM=xterm
SHELL=/bin/bash
HISTSIZE=1000
SSH_CLIENT=<my ip> 23929 22
SSH_TTY=/dev/pts/1
USER=root
LS_COLORS=<blah blah>
MAIL=/var/spool/mail/root
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
PWD=/root
LANG=en_US.UTF-8
HISTCONTROL=ignoredups
HTTP_PROXY_REQUEST_FULLURI=0
SHLVL=1
HOME=/root
LOGNAME=root
CVS_RSH=ssh
SSH_CONNECTION=<my ip> 23929 <server ip> 22
LESSOPEN=|/usr/bin/lesspipe.sh %s
G_BROKEN_FILENAMES=1
_=/usr/bin/printenv
iptables rules
xx.xx.xx.xx is the server's primary IP address
*filter
:INPUT ACCEPT [85405:31617594]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [92024:84346360]
:acctboth - [0:0]
-A INPUT -j acctboth
-A OUTPUT -j acctboth
-A acctboth -s xx.xxx.xx.xx/32 ! -i lo -p tcp -m tcp --dport 80
-A acctboth -d xx.xxx.xx.xx/32 ! -i lo -p tcp -m tcp --sport 80
-A acctboth -s xx.xxx.xx.xx/32 ! -i lo -p tcp -m tcp --dport 25
-A acctboth -d xx.xxx.xx.xx/32 ! -i lo -p tcp -m tcp --sport 25
-A acctboth -s xx.xxx.xx.xx/32 ! -i lo -p tcp -m tcp --dport 110
-A acctboth -d xx.xxx.xx.xx/32 ! -i lo -p tcp -m tcp --sport 110
-A acctboth -s xx.xxx.xx.xx/32 ! -i lo -p icmp
-A acctboth -d xx.xxx.xx.xx/32 ! -i lo -p icmp
-A acctboth -s xx.xxx.xx.xx/32 ! -i lo -p tcp
-A acctboth -d xx.xxx.xx.xx/32 ! -i lo -p tcp
-A acctboth -s xx.xxx.xx.xx/32 ! -i lo -p udp
-A acctboth -d xx.xxx.xx.xx/32 ! -i lo -p udp
-A acctboth -s xx.xxx.xx.xx/32 ! -i lo
-A acctboth -d xx.xxx.xx.xx/32 ! -i lo
-A acctboth ! -i lo
COMMIT
Depending on the HTTP server you are using, you can bind your "virtual host" configuration to a specific address and port.
In Apache2, for example:
<VirtualHost 127.0.0.10:8080>
ServerAdmin myemail@mywebsite.com
ServerName mywebsite.com
ServerAlias www.mywebsite.com
DirectoryIndex index.php index.htm
DocumentRoot /var/websites/mywebsite.com/www
<Directory "/var/websites/mywebsite.com/www">
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
ErrorLog logs/mywebsite.com-error_log
</VirtualHost>
With nginx, something like:
server
{
server_name example.com www.example.com;
listen 66.113.100.140:80;
access_log /var/log/nginx/example.log;
error_log /var/log/nginx/example.error.log;
location /site {
alias /data/www/content/site/example;
}
location / {
proxy_pass_header Server;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_connect_timeout 10;
proxy_read_timeout 10;
proxy_pass http://10.15.20.10:8107/;
}
}
Also, starting from PHP 5.4 there is a built-in web server that can be used for testing purposes. Generally you can bind to any local address as follows:
$ cd ~/public_html
$ php -S 127.0.1.1:8000
If you can use curl for outgoing HTTP requests, you can set an option in curl: CURLOPT_INTERFACE
curl_setopt($curlh, CURLOPT_INTERFACE, "xxx.xxx.xxx.xxx");
CURLOPT_INTERFACE: The name of the outgoing network interface to use. This can be an interface name, an IP address or a host name.
PHP Manual: curl_setopt
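As an added example that is not from either answer: the command-line form of CURLOPT_INTERFACE is curl --interface, and before pinning a request to a secondary address it is worth confirming that the address is actually configured on the host, because the kernel will not source packets from an address it does not own (the bind fails, and nothing is sent). local_v4_addrs, addr_configured and fetch_from are names introduced here, and the sample "ip -o -4 addr show" output is constructed.

```shell
#!/bin/sh
# Pin an outgoing HTTP request to one of the host's addresses, checking first
# that the address is configured. Added example, not from the answers.
# curl --interface is the CLI equivalent of CURLOPT_INTERFACE.

# Lists the IPv4 addresses in "ip -o -4 addr show" output read from stdin, one per line.
local_v4_addrs() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4 }'
}

# Returns 0 when ADDR ($1) appears in the address-list text ($2).
addr_configured() {
    printf '%s\n' "$2" | local_v4_addrs | grep -qx "$1"
}

# Fetch URL ($2) with source address ADDR ($1); refuses an address the host does not have.
fetch_from() {
    addrs="$(ip -o -4 addr show 2>/dev/null)" || addrs=""
    if ! addr_configured "$1" "$addrs"; then
        echo "address $1 is not configured on this host" >&2
        return 1
    fi
    curl --silent --show-error --interface "$1" "$2"
}

# Constructed sample of "ip -o -4 addr show": a primary and a secondary address on eth0.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.11/24 brd 203.0.113.255 scope global secondary eth0\       valid_lft forever preferred_lft forever'

echo "configured addresses in the sample: $(printf '%s\n' "$SAMPLE_ADDRS" | local_v4_addrs | tr '\n' ' ')"
```

On a real host, fetch_from 203.0.113.11 https://example.invalid/ would run curl with --interface 203.0.113.11 only after the check passes; if the secondary address is missing from the list, add it to the interface (and make sure the reply path routes to it) before blaming curl.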