Received this task yesterday; requirements state that you need to allow all traffic for an Nginx reverse proxy on port TCP/8093 and filter all traffic for the Apache running on port TCP/8084 that Nginx proxies back to.
Here’s the contents of
/etc/sysconfig/iptables that I’ve saved to disk and then followed with a
systemctl reload iptables to apply the config file. You will notice that I added this to allow traffic for TCP/8084 towards Nginx:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8093 -j ACCEPT. Also, this last line that was already present specifically REJECTs all other traffic, thus eliminating the need for a specific REJECT rule for Apache:
-A INPUT -j REJECT --reject-with icmp-host-prohibited. One last thing to notice is that Nginx CAN proxy back to Apache over the loopback interface as there’s a specific rule for that:
-A INPUT -i lo -j ACCEPT.
# sample configuration for iptables service # you can edit this manually or use system-config-firewall # please do not ask us to add additional ports/services to this default configuration *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 8093 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
The task is up for review here and I am not happy with the suggestion I got thus far, nor do I consider that my approach is incorrect. Even more, the current status is ‘User Error’ and I believe that this evaluation is incorrect, we are dealing with a ‘Validation Error’.
Would any of you be kind enough to take a look and advise? Once again, the task is up for review at the link below: