Stealth port 80 to the internet


alphaomega


This should work to accomplish what I want, right? Am I missing anything?

I have a hardware router between my LAN webserver and the internet. If I want to, say, allow a specific IP address from the internet access to the webserver on the LAN, I could:

1. temporarily configure the router to forward port 80 to the LAN webserver.
2. on the LAN webserver, use iptables to accept TCP traffic with a destination port of 80 from the source IP address.
3. on the LAN webserver, use iptables to drop all the other TCP traffic with a destination port of 80.

Using a shell script, something like this:

#!/bin/sh
# flush all rules and delete user-defined chains
iptables -F
iptables -X
# allow from a machine on the lan
iptables -A INPUT -s 192.168.nnn.nnn -p tcp --dport 80 -j ACCEPT
# allow from a machine on the internet
iptables -A INPUT -s nnn.nnn.nnn.nnn -p tcp --dport 80 -j ACCEPT
# drop the rest
iptables -A INPUT -p tcp --dport 80 -j DROP

Would I need to worry about someone spoofing their source IP and pretending to be from the IP address I want to allow into the webserver?

Trying out this configuration, I can access the webserver using its LAN address in the 192.168 range. Probing my box using grc shows port 80 as stealth. Now I just need to get this tested from the outside in?

Thanks in advance for any information. Cheers

P.S. And could I not also use something similar to allow me to access the ssh and proftp daemon from a remote machine on the internet (as long as I have the remote machine's IP address so I can configure iptables)?

Edited by alphaomega

You could also use grc to check connectivity by allowing their IP temporarily, if you can't just ping from the specified address. Yes, you can allow/deny any service this way.

I always use Shorewall to config iptables. It's basically a script with text config files. To allow, say, SSH, all you need is "ssh/ACCEPT" in your rules file. However, it is powerful and versatile too. The Shorewall site has excellent documentation. :thumbsup: :thumbsdown:

Edited by sunrat

alphaomega
You could also use grc to check connectivity by allowing their IP temporarily, if you can't just ping from the specified address.
:thumbsup: duh... slap me with a stupid stick... LOL. Cheers

alphaomega

I think I've got it, by temporarily forwarding the ports at the router and using the following rules with iptables:

#!/bin/sh
# flush all rules and delete user-defined chains
iptables -F
iptables -X
# allow lan machine
iptables -A INPUT -s 192.168.nnn.nnn -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s 192.168.nnn.nnn -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.nnn.nnn -p tcp --dport 80 -j ACCEPT
# allow specific internet ip
iptables -A INPUT -s nnn.nnn.nnn.nnn -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s nnn.nnn.nnn.nnn -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s nnn.nnn.nnn.nnn -p tcp --dport 80 -j ACCEPT
# allow grc
iptables -A INPUT -s 4.79.142.192/28 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s 4.79.142.192/28 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 4.79.142.192/28 -p tcp --dport 80 -j ACCEPT
# drop the rest
# note: only ports 21, 22 and 80 are filtered; every other port keeps the
# INPUT chain's default policy (ACCEPT unless changed), including the
# passive-mode data ports proftpd opens for FTP transfers
iptables -A INPUT -p tcp --dport 21 -j DROP
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 80 -j DROP

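The scripts in the posts above open with iptables -F and iptables -X, which wipe every existing rule and user-defined chain each time they run, and they repeat one ACCEPT line per source and per port. The following is an added example from the editor, not code from the thread: it builds the same source-restricted allow-list in a dedicated chain, so the rules can be rebuilt without touching the rest of INPUT, and ends the chain with a single DROP so the filtered ports are closed to anyone not listed. On the spoofing question: a spoofed TCP source never receives the SYN-ACK and cannot complete the handshake, so this filter holds for TCP services; the remaining exposure is the allow-listed host itself being compromised. The addresses, ports and chain name are constructed sample values, and by default the script only prints the commands (dry run); run it as root with --apply to load them.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): a source-restricted
# allow-list for a few TCP services, built in its own chain so re-running it
# does not require flushing all of INPUT with -F/-X.
# All addresses, ports and the chain name below are constructed sample values.
set -eu

PORTS=${PORTS:-"21 22 80"}                                   # services to restrict
ALLOW=${ALLOW:-"192.168.1.10 203.0.113.7 4.79.142.192/28"}  # LAN host, one remote host, GRC range
CHAIN=${CHAIN:-SVC_ALLOW}

# gen_rules prints one iptables command per line, in the order they must run.
# It never touches the kernel; apply_rules pipes its output into sh as root.
gen_rules() {
    # create the chain if it does not exist yet, then empty it
    printf 'iptables -N %s 2>/dev/null || true\n' "$CHAIN"
    printf 'iptables -F %s\n' "$CHAIN"
    # send traffic for each filtered port into the chain;
    # -C (check) first so re-runs do not add duplicate jumps
    for p in $PORTS; do
        printf 'iptables -C INPUT -p tcp --dport %s -j %s 2>/dev/null || iptables -I INPUT -p tcp --dport %s -j %s\n' \
            "$p" "$CHAIN" "$p" "$CHAIN"
    done
    # inside the chain: accept the listed sources, drop everyone else
    for src in $ALLOW; do
        printf 'iptables -A %s -s %s -j ACCEPT\n' "$CHAIN" "$src"
    done
    printf 'iptables -A %s -j DROP\n' "$CHAIN"
}

# apply_rules runs the generated commands; requires root and iptables.
apply_rules() {
    gen_rules | sh -e
}

# rule_count TARGET prints how many generated lines end in "-j TARGET"
# (e.g. ACCEPT or DROP), handy for checking the allow-list before applying it.
rule_count() {
    gen_rules | grep -c -- "-j $1\$" || true
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       gen_rules ;;    # default: dry run, just print the commands
esac
```

After applying, `iptables -L SVC_ALLOW -n -v` shows per-source packet counters, which is the quickest way to confirm from the inside that a probe from the allowed address hit the ACCEPT rule and anything else hit the DROP.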
