Mac | ipfw adding firewall rule [duplicate] - objective-c

This question already has an answer here: Add firewall rule programmatically (1 answer). Closed 5 years ago.
In my application, I need to configure the firewall in such a way that it blocks all URLs and allows only certain URLs. This is the rule I am writing, assuming I don't want to block www.google.com and www.facebook.com:
ipfw add 12164 deny tcp from any to any
ipfw add 12156 allow tcp from any to www.google.com
ipfw add 12157 allow tcp from any to www.facebook.com
But it is blocking all connections. What should the firewall rules be for such a scenario?

Using ipfw to filter the traffic isn't a good idea. ipfw only works with IP addresses: when you add a rule with a hostname, the hostname is resolved and the current IP address is used.
Some hostnames can have multiple IP addresses (test the command host www.google.com), or the IP address may change, or the server may return links to resources stored on other addresses.
If you want to filter the websites the user can access, you can use parental controls or Managed Client (MCX).
But if you still want to use ipfw, you should accept incoming TCP traffic. Your rules only accept outgoing TCP traffic to www.google.com and www.facebook.com and block any response.
You should write the first rule like this:
ipfw add 12164 deny tcp from any to any out
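As an added example (not the poster's or the answerer's code), the script below builds the ruleset this answer describes: outbound TCP is allowed only to the addresses behind an allowlist of hostnames, and the replies come back through ipfw's dynamic rules (check-state / keep-state) instead of a blanket allow. Because ipfw stores addresses rather than names, the hostnames are resolved beforehand and passed in as "hostname ip [ip ...]" lines, one rule per address. The addresses in SAMPLE_RESOLVED are constructed placeholders from the RFC 5737 ranges; on a real host you would build that list from the output of host www.google.com and host www.facebook.com.

```shell
#!/bin/sh
# Added example, not the original poster's or answerer's code. It emits an ipfw
# ruleset that allows outbound TCP only to an allowlist of addresses and lets
# replies through ipfw's dynamic rules (check-state / keep-state) rather than
# a blanket allow. Input is "hostname ip [ip ...]" lines, already resolved,
# because ipfw keeps addresses, not names. The addresses below are constructed
# placeholders (RFC 5737 ranges); build the real list from `host NAME`.

SAMPLE_RESOLVED='www.google.com 192.0.2.10 192.0.2.11
www.facebook.com 198.51.100.5'

# build_ipfw_rules BASE: read resolved hostnames on stdin and print ipfw
# commands numbered from BASE upwards (lower numbers are matched first).
build_ipfw_rules() {
    n=$1
    # dynamic rules first, so packets of already-allowed flows (including the
    # replies from the remote side) are accepted before any static rule
    echo "ipfw add $n check-state"
    n=$((n + 1))
    while read -r host ips; do
        if [ -z "$host" ]; then continue; fi
        for ip in $ips; do
            # a name with several A records needs one rule per address; setup
            # restricts the rule to the SYN of a new connection and keep-state
            # records the flow so its later packets match check-state above
            echo "ipfw add $n allow tcp from me to $ip 80,443 setup keep-state # $host"
            n=$((n + 1))
        done
    done
    # the answer's corrected deny: outbound only, so inbound replies are not
    # refused by this rule
    echo "ipfw add $n deny tcp from any to any out"
}

# Usage with the constructed list; pipe the output to sh as root to apply it.
printf '%s\n' "$SAMPLE_RESOLVED" | build_ipfw_rules 12100
```

The rule numbers are an assumption (12100 upwards); pick a base that leaves the rest of your ruleset intact, and re-run the script whenever the resolver answer for one of the names changes, since the static rules will not follow it.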

Related

Use IP Tables to route all the traffic from one port through another

I am using a DigitalOcean account and a non-sudo user.
My current port is 8090.
What I want is, using iptables, to be able to access the HTTP data on port 8090 by requesting port 80.
To be more clear: I am a non-sudo user.
In development I have started my server on port 8090. Now I want to run it on 80 so that a visiting user does not have to include the port number along with my domain name.
What it is now:
http://www.site.tk:8090/
What I want:
http://www.site.tk/
PS: I can use non-sudo ports only.

block outside access to port so only apache proxy pass serves sites

I ran into a problem I'm not able to fix. I have a server with some applications (a Ghost blog and Gogs, for example) that are listening on specific ports. I want Apache to handle them via ProxyPass. So far so good: I can specify a subdomain and let the requests through to the applications. But all my applications are still reachable via the specific port they run on. I can't let Apache listen on these ports because, well, the ports are in use by the applications.
I'm just wondering: is there a way to let any application just listen on a port and be reachable only from localhost (so that only Apache can reach it on that port), or is there any other way to limit access to my applications so that they are only reachable through Apache? Is there a solution I can use for all applications, or do I have to tweak every single app myself?
Googling it just didn't get me the right answers (lots of port 80 to HTTPS and so on).
Thank you for every answer / tip / nudge in the right direction you can give me.
Best regards.
All right, the biggest problem is always in front of the computer :)
I never thought about iptables, I don't know why, because I'm quite familiar with it. For anyone else having the same stupidity problem I had:
Make a rule that allows localhost to access this port:
iptables -A INPUT -p tcp -s localhost --dport 25 -j ACCEPT
Then just block every connection on that port with iptables:
iptables -A INPUT -p tcp --dport 25 -j DROP
Don't forget to change 25 to your specific port.
Best regards.
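As an added example (not code from this thread), the script below does the check a practitioner wants before applying the rules above: it lists the TCP listeners bound to every interface (0.0.0.0, *, ::) rather than to loopback, which are the ones reachable from outside, filters out the ports that are meant to be public, and emits the answer's ACCEPT/DROP pair for each of the rest. Binding the application to 127.0.0.1 is the complementary fix, and this is how you find the ones that have not done so. The input is ss -ltn style text; SAMPLE_SS is constructed for offline use and EXPECTED_PUBLIC is an assumed list of intentionally public ports.

```shell
#!/bin/sh
# Added example, not from the original thread. It audits which TCP listeners
# are bound to every interface instead of loopback (those are reachable from
# outside), drops the ones meant to be public, and prints the thread's
# iptables rule pair for the remainder. SAMPLE_SS is constructed `ss -ltn`
# output; EXPECTED_PUBLIC is an assumed list of intentionally public ports.

SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:2368       0.0.0.0:*
LISTEN  0       128     0.0.0.0:3000         0.0.0.0:*
LISTEN  0       128     *:80                 *:*
LISTEN  0       128     [::1]:5432           [::]:*
LISTEN  0       128     [::]:22              [::]:*'

EXPECTED_PUBLIC="22 80 443"

# exposed_listeners: read ss output on stdin, print "port address" for each
# listener whose bind address is not a loopback address, lowest port first.
exposed_listeners() {
    awk '$1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)       # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)   # everything before it
            if (addr != "127.0.0.1" && addr != "[::1]") print port, addr
        }' | sort -n
}

# unexpected_listeners: exposed listeners whose port is not in EXPECTED_PUBLIC,
# i.e. backends that should have bound 127.0.0.1 or be fenced with iptables.
unexpected_listeners() {
    exposed_listeners | while read -r port addr; do
        case " $EXPECTED_PUBLIC " in
            *" $port "*) ;;               # meant to be public, skip it
            *) echo "$port $addr" ;;
        esac
    done
}

# lockdown_rules: the answer's rule pair for every unexpected listener, using
# the lo interface rather than a source address. Note -A appends: an earlier
# ACCEPT in INPUT (check `iptables -S INPUT`) would still match first.
lockdown_rules() {
    unexpected_listeners | while read -r port addr; do
        echo "iptables -A INPUT -p tcp -i lo --dport $port -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Usage with the constructed sample; on a real host: ss -ltn | lockdown_rules
printf '%s\n' "$SAMPLE_SS" | lockdown_rules
```

With the sample, only port 3000 (bound to 0.0.0.0) gets a rule pair: 2368 and 5432 are already on loopback, and 22 and 80 are in the public list. Rules added with iptables are not persistent; save them with your distribution's iptables-save mechanism once they work.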

Blocking access to Joomla, Wordpress, PhpMyAdmin Administrator Pages through iptables

I am trying to write an iptables rule which blocks a specific IP address from accessing the administrative console of Joomla, WordPress and phpMyAdmin.
For instance, in the following rule, I state that all TCP access from that address to port 8080 (Apache Tomcat) should be blocked:
sudo iptables -A INPUT -p tcp -s 172.24.21.133 --dport 8080 -j DROP
This will block access to the service running on port 8080.
But now, if Joomla, WordPress and phpMyAdmin are all running on port 80, is there any additional parameter that I can specify to block access to only one service among Joomla, WordPress or phpMyAdmin? Or shall I judiciously assume that if I were to block access to one service, I will have to compromise on the other two?
IPtables does not (to my knowledge) have any module for matching based on the URL inside an HTTP packet. Your better bet would be to use IP-based access control in your webserver configuration. If you are using Apache, you would use rules something like this in an .htaccess file in your Joomla/WordPress/PHPMyAdmin directory:
Order allow,deny
Deny from 172.24.21.133
Allow from all
This will prohibit HTTP access to anything in those directories from that specified IP address. You can also have multiple Deny lines to block multiple IP addresses.

Can iptables redirect specifc domain's request to a dedicated port which listened by proxy?

On Android, I have a proxy daemon which listens on a dedicated port, and I would like it to relay visits to some specific domains but not others. For example, this proxy should relay requests for www.yahoo.com but not affect www.google.com.
Is it possible to use iptables to implement this?
Normally it can't do that. iptables routes/blocks traffic from/to IPs/ports. Maybe a plugin can do that, but I am not familiar with iptables plugins, and I don't know anything about iptables on Android.
Apache can forward connections too; maybe that's the right choice for you.

htaccess - How to restrict to access from my home

I have a website on the internet that I only want to be accessible from my house.
Could I have htaccess be restricted to the MAC address of my router? If not, are there any other options?
I don't think I could use IP address because my ISP changes it all the time.
You can't use the MAC because it won't get past the next router. Usually, even if you have a dynamic IP, your ISP gives you a hostname that is fixed, something like customer1337.newyork.bestisp.com. See what it is here, and use that in the htaccess.
Since you cannot use your MAC address or your IP Address, your best solution is to use DNS to maintain a host record. You can use dyndns or freedns to set up a dynamic dns record. Many routers these days actually allow you to configure your router to ping these sites to update your host record.
Suppose on freedns.afraid.org you set it up so that gregmyhome.mooo.com points to your router. Then you can update the htaccess file to allow access from that hostname. Apache will perform a reverse dns lookup upon your visiting the site, and let you in.
I will say, however, that there may be a delay which may cause you to be restricted for some time. This problem may force you to look to other authentication mechanisms, such as digest auth, client certificate, or even ssh tunnelling.
In addition to Bart, you could just use a .htpasswd file and set a username and password for the site, so that only you can login.
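As an added example (not code from any of the answers), the two .htaccess files below carry the controls discussed in the phpMyAdmin/Joomla/WordPress question above and in this one onto Apache 2.4, where mod_authz_core's Require replaced Order/Allow/Deny (the 2.2 form in the phpMyAdmin answer only works on 2.4 with mod_access_compat loaded). The address is the one from that question; the hostname is the one from the first answer here; the paths and the user file are placeholders. Both files need AllowOverride AuthConfig for their directory.

```apache
# Added example, not code from the answers. Apache 2.4 equivalents of the
# controls discussed in the two threads above; address, hostname, paths and
# user file are placeholders.

# --- .htaccess in the phpMyAdmin/Joomla/WordPress admin directory:
# everyone is admitted except the one listed address (add more
# "Require not ip" lines to block further addresses).
<RequireAll>
    Require all granted
    Require not ip 172.24.21.133
</RequireAll>

# --- .htaccess at the root of the home-only site: a request is admitted if
# it comes from the ISP-assigned hostname, or if the visitor logs in.
# Require host compares the name Apache obtains by a reverse lookup of the
# client address (confirmed with a forward lookup of that name), so the name
# here must be the one the ISP's PTR record returns, as the first answer
# suggests; a name you registered with a dynamic-DNS provider is not what
# that lookup yields. The password fallback covers the time the hostname
# does not match.
AuthType Basic
AuthName "Private"
AuthUserFile "/etc/apache2/.htpasswd"
<RequireAny>
    Require host customer1337.newyork.bestisp.com
    Require valid-user
</RequireAny>
```

Because Require host forces a reverse lookup on every request, it costs a DNS round trip per hit; the Basic auth half only makes sense over HTTPS, since the credentials are sent base64-encoded, not encrypted.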
You probably could, but that's not what htaccess is for, in my opinion, unless you set up authentication using htaccess. But then your website will be accessible from everywhere that has the password.
iptables can do MAC address filtering, though. Why don't you set that up?
So if your router's MAC is xyz,
first set the default policy:
iptables -P INPUT DROP
then specifically allow yours:
iptables -A INPUT -p tcp --destination-port 80 -m mac --mac-source xyz -j ACCEPT