sounds about right, if you're serving https only, then that's the one that you need to leave open. however, only application started with a root account can listen to ports below 1024, so you have two options here:
- start your ruby app as root - not a good idea
- have it behind apache - might be better, but depends on what you want to do, this may be just an additional overhead
- run ruby app as other user on different port, say 8443 and have iptables to portforward requests from 443 to 8443 - this i guess is what you want to do
below is how you do port forwarding (you can do the same with 80 to 8080, for example):
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
other than that, there's no need to open any other ports to the internet, just make sure you leave ssh on the other interface open, so you can access and manage the server.
as for firewall application, iptables comes with ubuntu and just use it, no need for any other fancy tool i'd say.
I have a similar setup to you, and here's what I'm doing and everything works:
External IP1, Port 80/TCP is NAT/PAT to Standard server port 8080/TCP
External IP1, Port 443/TCP is NAT/PAT to Standard server port 4443/TCP
Since you're not using a TMG server, your firewall must do port translation so that external requests hit the correct site in IIS on your Standard (frontend) server.
External IP2, 443/TCP, 5061/TCP, 3478/UDP, TCP/UDP 50000-59999 Static NAT to Edge server, no port translation
Firewall rules permit the Edge server to talk to the standard edition frontend server.
I'd have to go back and look at my topology, but I believe I used separate URLs and IPs for each of the different services/media. Most of the Lync headaches are in the DNS misconfigurations, sometimes it won't accept CNAMES where you need A records, and vice versa.
If you're going to have a lot of clients (more than 100) than you probably should use a TMG or "insert reverse proxy here" to protect your frontend.
The image below may help you, as will the source that drew it:
http://ucken.blogspot.com/2011/07/configuring-lync-for-external-access.html
Best Answer
Port 80: Port 80 needs to be open so that the Nginx can redirect to port 443. If you block port 80 clients trying to connect via http will time out.
There is a website dedicated to argue that ICMP should not be blocked.
ACK is the last step in the three-way handshake TCP uses to establish a connection. The port range
32768-65535is for ephemeral ports. So that firewall rule should not be touched.These rules look different from AWS security group rules because AWS security group rule are set for inbound or outbound traffic.