Application security (iptables)

Hi everyone,

Received this task yesterday; requirements state that you need to allow all traffic for an Nginx reverse proxy on port TCP/8093 and filter all traffic for the Apache running on port TCP/8084 that Nginx proxies back to.

Here’s the contents of /etc/sysconfig/iptables that I’ve saved to disk and then followed with a systemctl reload iptables to apply the config file. You will notice that I added this to allow traffic for TCP/8084 towards Nginx: -A INPUT -p tcp -m state --state NEW -m tcp --dport 8093 -j ACCEPT. Also, this last line that was already present specifically REJECTs all other traffic, thus eliminating the need for a specific REJECT rule for Apache: -A INPUT -j REJECT --reject-with icmp-host-prohibited. One last thing to notice is that Nginx CAN proxy back to Apache over the loopback interface as there’s a specific rule for that: -A INPUT -i lo -j ACCEPT.

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8093 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

The task is up for review here and I am not happy with the suggestion I got thus far, nor do I consider that my approach is incorrect. Even more, the current status is ‘User Error’ and I believe that this evaluation is incorrect; we are dealing with a ‘Validation Error’.

Would any of you be kind enough to take a look and advise? Once again, the task is up for review at the link below:!/task_review?task_id=5f69cb3b8bc68fd9830768af
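To see what the posted ruleset actually does to a given packet, here is a small first-match simulator for the INPUT chain. It is an added example, not part of the post or of the iptables project: it parses the iptables-save lines quoted above (copied verbatim into RULESET), supports only the matches that ruleset uses (-i, -p, --dport, -m state --state) and the ACCEPT/REJECT targets, and assumes the simplified conntrack model that a packet carries a single state label. The Packet and Rule types and the verdict() helper are names chosen here for illustration.

```python
"""First-match walk over the INPUT chain of the ruleset quoted in the post.

Added example (not from the post). Model assumptions: a packet is described by
its arrival interface, protocol, destination port and conntrack state; rules
are evaluated top to bottom and the first match decides, otherwise the chain
policy applies. Only the matches used by the posted ruleset are understood.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Copied from the /etc/sysconfig/iptables contents in the post above.
RULESET = """\
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8093 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""


@dataclass
class Packet:
    iface: str            # interface the packet arrived on, e.g. "eth0" or "lo"
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for icmp
    state: str            # conntrack state: "NEW", "ESTABLISHED" or "RELATED"


@dataclass
class Rule:
    chain: str
    target: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[Set[str]] = None


def parse_rules(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Parse iptables-save style lines into chain policies and a rule list."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):              # ":CHAIN POLICY [pkts:bytes]"
            chain, policy, _counters = line[1:].split()
            policies[chain] = policy
            continue
        toks = shlex.split(line)
        chain = target = None
        opts: Dict[str, object] = {}
        i = 0
        while i < len(toks):
            t, arg = toks[i], toks[i + 1]
            if t == "-A":
                chain = arg
            elif t == "-j":
                target = arg
            elif t == "-i":
                opts["iface"] = arg
            elif t == "-p":
                opts["proto"] = arg
            elif t == "--dport":
                opts["dport"] = int(arg)
            elif t == "--state":
                opts["states"] = set(arg.split(","))
            elif t in ("-m", "--reject-with"):
                pass                          # module name / reject type: no match effect here
            else:
                raise ValueError(f"unsupported option {t!r} in: {line}")
            i += 2
        rules.append(Rule(chain=chain, target=target, **opts))
    return policies, rules


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every specified match must hold; unspecified matches are wildcards."""
    return ((rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.states is None or pkt.state in rule.states))


def verdict(chain: str, pkt: Packet, text: str = RULESET) -> str:
    """Return the target of the first matching rule, else the chain policy."""
    policies, rules = parse_rules(text)
    for rule in rules:
        if rule.chain == chain and matches(rule, pkt):
            return rule.target
    return policies[chain]


if __name__ == "__main__":
    # Constructed sample packets covering the proxy path discussed in the post.
    samples = [
        ("client -> Nginx 8093", Packet("eth0", "tcp", 8093, "NEW")),
        ("client -> Apache 8084 directly", Packet("eth0", "tcp", 8084, "NEW")),
        ("Nginx -> Apache 8084 via loopback", Packet("lo", "tcp", 8084, "NEW")),
        ("reply packet of an accepted flow", Packet("eth0", "tcp", 8084, "ESTABLISHED")),
    ]
    for label, pkt in samples:
        print(f"{label:36s} INPUT -> {verdict('INPUT', pkt)}")
```

Run it as a script to get one verdict line per sample. With the posted rules, a new connection to 8093 from any interface is accepted, a new connection to 8084 arriving on a non-loopback interface falls through to the final REJECT, and the same connection arriving on lo is accepted by the `-i lo` rule, which is the hop the reverse proxy takes. On the real host the equivalent check after `systemctl reload iptables` is to list the live chain with `iptables -S INPUT` and confirm the loaded rules match the file.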

Hi Dear,
Did you save the rules either with service iptables save or iptables-save?

No, what I did was to edit /etc/sysconfig/iptables, saved the file and then issued a systemctl reload iptables to apply the change. Issuing an iptables-save would have overwritten my changes - I did not use the command.

@kiiNODA, I’m not sure the way you have done is correct, but the task has been assigned today and I have done it successfully.
Ask for review and learn how to fix your error.

I did ask for review, one of the reviewers said that my claim may be correct and I could retake the task for half the points and directed me here to raise the issue with the community if I don’t want that. Of course I could redo it, suck it up and win only 50% but I think that my solution is correct. Anyone else?

Are there senior members that could advise on the proper path to have someone from KKE take a look?

The task now appears as failed, though I still claim I was correct in my approach. Probably reached a timeout or something. As a final step I would ask someone from KKE to kindly take a look. At this point, the review functionality seems rather limited…

cc @KodeKloud, @kodekloud-support3, @Inderpreet - thanks in advance.