Linux – Whitelist subdomain (*.example.com) from Linux server

linuxwhitelistwildcard-subdomain

I need to do some file migration to Google Drive and our problem is that during this process Drive need to contact our images server. We have this images in a regular Apache server listening on port 80.

I tried with some fqdn in Iptables but whilst it works for the domain, Google reachs us though different proxies every time, making it impossible to whitelist due to the way iptables work. google proxies syntax: google-proxy-xx-xx.google.com

Is there any way to allow only these subdomains to access our server? thank you!

Best Answer

We made it using Squid3 and a port redirection from port 80 to 3128 (default Squid port) in IPtables.

Then we configured the wildcard in Squid config file following this article: https://kudithipudi.org/2015/12/15/how-to-enable-wildcard-domains-in-squid/

This is the most relevant part from the squid doc:

http_port 3128 accel defaultsite=<your server name> vhost
# And the IP Address for it - adjust the IP and port if necessary
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=hp
acl <acl-name> srcdomain .google.com
http_access allow <acl-name>

where it says change it by your dns name, if you don't have any just modify your /etc/hosts file to point to 127.0.0.1

Keep in mind that this solution is for apache servers running in the same machine.

Related Solutions

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Amavis-new whitelist

I do whitelisting at the MTA level (in my case postfix) rather than at the amavisd level. In my postfix/main.cf file, I have:

header_checks=pcre:/etc/postfix/whitelist.pcre

Inside whitelist.pcre, I have the following syntax:

user@example.com FILTER  SMTP:[127.0.0.1]:10025

where SMTP:[127.0.0.1]:10025 is the transport in master.cf that filtered mail is reinjected into the postfix system. My reasoning to do that is if certain messages are not to be checked for anything, I don't want amavisd to touch it.

Best Answer

Related Solutions

Linux – How to run a server on port 80 as a normal user on Linux

Amavis-new whitelist

Related Topic