On CentOS 6.4, I want to block all incoming ports except 22, 80 and 443. 80 (external) should be redirected to 8080 (internal). 443 (external) should be redirected to 8181 (internal). I used the following commands:
service iptables stop
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8181
service iptables save
service iptables restart
However, I can still access ports 8080 and 8181. Is there a way to block ports 8080 and 8181 externally and still have them open internally for redirection from 80 and 443?
Best Answer
There's nothing in your rules dropping any packets. You can accomplish this by setting the default policy of your INPUT chain to DROP. By default it is ACCEPT:

As you do this, you may begin to notice that your outgoing connections do not work anymore. You can add rules at the top of your INPUT chain to ACCEPT already established traffic back in. Do so using the following:

The RELATED part lets other related traffic through (for instance, ICMP packets sent as a result of something happening in an ESTABLISHED connection).
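The following is an added example, not part of the question or the answer above, that puts the answer's advice (a DROP policy on INPUT plus an ESTABLISHED,RELATED rule) together with the REDIRECT rules from the question into one script. It also covers a point the thread does not spell out: the nat PREROUTING chain runs before the filter INPUT chain, so once a connection has been redirected, INPUT sees destination port 8080 or 8181, never 80 or 443. With a DROP policy, the question's `--dport 80` and `--dport 443` INPUT rules would therefore match nothing and the web server would become unreachable. The script instead accepts 8080 and 8181 only for connections whose original destination port was 80 or 443 (the conntrack match's `--ctorigdstport`), which is exactly what separates a redirected connection from a direct external connection to 8080. Assumptions: the external interface is eth0, the port numbers are the ones from the question, and the conntrack match with `--ctorigdstport` is available (it is in CentOS 6 kernels, but verify with `iptables -m conntrack --help`). `IPT` can be overridden for a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example for the thread above (not the asker's or answerer's code).
# Firewall for a host that redirects 80 -> 8080 and 443 -> 8181 and must
# reject direct external connections to 8080/8181.
#
# Assumptions (not stated in the thread): external interface eth0, and the
# conntrack match supports --ctorigdstport. Override IPT=echo for a dry run.

IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"

apply_rules() {
    # Start from a clean slate in the two chains this script owns.
    "$IPT" -F INPUT
    "$IPT" -t nat -F PREROUTING

    # Redirect the public ports to the internal service ports. This happens
    # in nat/PREROUTING, i.e. BEFORE filter/INPUT sees the packet.
    "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80  -j REDIRECT --to-ports 8080
    "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 443 -j REDIRECT --to-ports 8181

    # Loopback must stay open, or local clients break under a DROP policy.
    "$IPT" -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened, plus related traffic such as
    # ICMP errors belonging to an established connection.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH stays reachable.
    "$IPT" -A INPUT -i "$EXT_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Redirected web traffic. INPUT sees the post-NAT port (8080/8181), so a
    # --dport 80 rule here would never match. Accept the internal port only
    # when the connection was originally addressed to the public port; a
    # client that connects straight to 8080 has ctorigdstport 8080 and falls
    # through to the DROP policy.
    "$IPT" -A INPUT -i "$EXT_IF" -p tcp --dport 8080 -m conntrack --ctorigdstport 80  -j ACCEPT
    "$IPT" -A INPUT -i "$EXT_IF" -p tcp --dport 8181 -m conntrack --ctorigdstport 443 -j ACCEPT

    # Everything else, including direct connections to 8080 and 8181, is dropped.
    # Set last so there is no window during the rebuild where the ESTABLISHED
    # rule is missing while the policy is already DROP.
    "$IPT" -P INPUT DROP
}

# Usage:  sh firewall.sh apply      (needs root)
#         sh firewall.sh dry-run    (prints the iptables commands instead)
case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) IPT=echo apply_rules ;;
esac
```

On CentOS 6, run `service iptables save` after applying so the ruleset is written to /etc/sysconfig/iptables and survives `service iptables restart`. If the conntrack match on this kernel lacks `--ctorigdstport`, the same effect can be had by marking packets in the mangle PREROUTING chain (which runs before nat) on the original port 80/443 and accepting on that mark in INPUT.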