About nixCraft

Topics

Linux: Iptables # 11 How to Block or open http/web service

Posted by Vivek Gite [Last updated: November 2, 2006]

By default Apache webserver listen on port 80 (http) and port 443 (https i.e. secure http). Apache webserver uses the TCP protocol to transfer information/data between server and browser.

A) Allow incoming http/web traffic at port 80
SERVER_IP=”202.54.10.20”
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 80 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

B) Allow incoming https/secure web traffic at port 443
SERVER_IP=”202.54.10.20”
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 443 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

C) Allow outgoing http/web service traffic to port 80
SERVER_IP=”202.54.10.20”
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 1024:65535 -d 0/0 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 80 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

D) Allow outgoing https/secure web service traffic to port 443
SERVER_IP=”202.54.10.20”
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 1024:65535 -d 0/0 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 443 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

E-mail this to a friend      Printable version

You may also be interested in other helpful articles:

Discussion on This Article:

  1. Sunil Shrestha Says: December 29th, 2006 at 7:46 am

    grate site

  2. Uttam Shrestha Rana Says: March 1st, 2007 at 9:33 am

    How to configure Squid server with bandwidth limitation for particular network ips?
    If you response with the configuration, then it will be great help me if not also, from this site i have got lots of information. Thanks. Its a greate knowledge protal.

  3. Vasanth kumar Says: August 2nd, 2007 at 9:51 pm

    In windows how to block https site like Gmail

  4. kunal Says: February 25th, 2008 at 11:48 am

    Script to block incoming HTTP request from an IP say after 20 continue requests.

    Thanks in advance
    –kunal

  5. kunal Says: February 25th, 2008 at 11:49 am

    Just to add one more thing IP blocking should be done for certain period of time say 5 hrs and after unblock that IP.

  6. Liju Says: July 4th, 2008 at 3:39 pm

    This would be much simple and better. There is no necessary to permit the oubound traffic to be opend and can be avoided.

    # Allow incoming port 80 and 443 (http/s) traffic
    /sbin/iptables -A INPUT -p tcp –dport 80 -m state –state NEW -j ACCEPT
    /sbin/iptables -A INPUT -p tcp –dport 443 -m state –state NEW -j ACCEPT

Leave a Reply

We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

*
To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Click to hear an audio file of the anti-spam word

Copyright © 2004-2008 nixCraft. All rights reserved - TOS/Disclaimer - Privacy policy - Sitemap - Powered by Open source software.