reverse proxy to local webapplication , which port must be open by iptables?

Solution 1:

A TCP connection is always between two (not more) participants. Each one is identified with an IP address and a port. So in reality, when you are using a reverse proxy, you have:

  • A connection between the client <client_IP>:<random_port> and nginx <server_public_IP>:80 through your physical interface.
  • A connection between nginx 127.0.0.1:80 and Tomcat 127.0.0.1:8080 through the loopback interface.

There is no reason for a firewall to block communication on the loopback interface. So you probably want to allow incoming traffic with destination port 80 and 443 and outbound traffic with source port 80 and 443.

However, since outbound traffic is usually not blocked (policy ACCEPT), you just need the following iptables rules:

iptables -A INPUT -i lo -j ACCEPT # loopback interface
# don't block existing traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the comment match needs --comment "<text>", a bare word after -m comment is a syntax error
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m comment --comment "nginx" -j ACCEPT
# Probably you want to allow ssh
iptables -A INPUT -p tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

PS: You can also run Tomcat directly on ports 80 and 443 with the same firewall rules.
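To see what this INPUT chain does to each of the flows described above without touching a real firewall, here is an added Python model (not part of the original answer; the packet samples and the interface name eth0 are constructed) that walks the rules in order, first match wins, and falls through to the DROP policy otherwise:

```python
from dataclasses import dataclass


# Constructed model of the answer's INPUT chain: rules are evaluated in
# order, the first matching rule decides, and no match means the policy.
@dataclass
class Packet:
    iface: str   # "lo" or the physical interface (constructed name "eth0")
    proto: str   # "tcp" or "udp"
    dport: int   # destination port
    state: str   # conntrack view: "NEW", "ESTABLISHED" or "RELATED"


def rule_loopback(p):    # iptables -A INPUT -i lo -j ACCEPT
    return p.iface == "lo"


def rule_conntrack(p):   # -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    return p.state in ("ESTABLISHED", "RELATED")


def rule_nginx(p):       # -p tcp -m multiport --dports 80,443 -j ACCEPT
    return p.proto == "tcp" and p.dport in (80, 443)


def rule_ssh(p):         # -p tcp --dport 22 -j ACCEPT
    return p.proto == "tcp" and p.dport == 22


INPUT_CHAIN = [rule_loopback, rule_conntrack, rule_nginx, rule_ssh]
INPUT_POLICY = "DROP"    # iptables -P INPUT DROP


def verdict(p: Packet) -> str:
    for rule in INPUT_CHAIN:
        if rule(p):
            return "ACCEPT"
    return INPUT_POLICY


# Constructed sample packets for the flows the answer describes.
SAMPLES = {
    "client -> nginx :80 (new)":       Packet("eth0", "tcp", 80, "NEW"),
    "client -> nginx :443 (new)":      Packet("eth0", "tcp", 443, "NEW"),
    "nginx -> tomcat 127.0.0.1:8080":  Packet("lo", "tcp", 8080, "NEW"),
    "outsider -> tomcat :8080 (new)":  Packet("eth0", "tcp", 8080, "NEW"),
    "reply to server's own outbound":  Packet("eth0", "tcp", 51234, "ESTABLISHED"),
    "outsider -> udp :53 (new)":       Packet("eth0", "udp", 53, "NEW"),
}


def all_verdicts() -> dict:
    return {name: verdict(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in all_verdicts().items():
        print(f"{v:6} {name}")
```

The run shows why port 8080 never needs opening: the nginx-to-Tomcat hop is accepted by the loopback rule, while a direct attempt at 8080 from the physical interface matches nothing and hits the DROP policy.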