Hi everyone,
Received this task yesterday; requirements state that you need to allow all traffic for an Nginx reverse proxy on port TCP/8093 and filter all traffic for the Apache running on port TCP/8084 that Nginx proxies back to.
Here’s the contents of /etc/sysconfig/iptables
that I’ve saved to disk and then followed with a systemctl reload iptables
to apply the config file. You will notice that I added this to allow traffic for TCP/8084 towards Nginx: -A INPUT -p tcp -m state --state NEW -m tcp --dport 8093 -j ACCEPT
. Also, this last line that was already present specifically REJECTs all other traffic, thus eliminating the need for a specific REJECT rule for Apache: -A INPUT -j REJECT --reject-with icmp-host-prohibited
. One last thing to notice is that Nginx CAN proxy back to Apache over the loopback interface as there’s a specific rule for that: -A INPUT -i lo -j ACCEPT
.
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8093 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
The task is up for review here and I am not happy with the suggestion I got thus far, nor do I consider that my approach is incorrect. Even more, the current status is ‘User Error’ and I believe that this evaluation is incorrect, we are dealing with a ‘Validation Error’.
Would any of you be kind enough to take a look and advise? Once again, the task is up for review at the link below:
https://kodekloud-engineer.com/#!/task_review?task_id=5f69cb3b8bc68fd9830768af