I'm looking for a minimal iptables ruleset for a rather high-volume Nginx/Varnish reverse proxy. I'd like to close down the server so that only ports 80 and 22 are open at all for connections from the outside.
Furthermore, I'd like to exclude the traffic on port 80 from connection tracking, since the connection list tends to grow. On the other hand, I'd like to keep the freedom to use connection tracking for other things.
How is it possible to implement a minimal ruleset that excludes the HTTP and HTTPS traffic on ports 80 and 443 from connection tracking?
This is my basic ruleset:
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -j ACCEPT
The server runs Nginx on the public IP (10.0.0.1 for the sake of this example) on ports 80 and 443. Nginx talks to Varnish on 10.0.0.1:8080. Varnish talks to a web server on another machine (10.0.0.2:80). This backend web server needs to talk back to Varnish in order to purge URLs.
I tried things like
iptables -t raw -F PREROUTING
iptables -t raw -F OUTPUT
iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK
iptables -t raw -A OUTPUT -p tcp --sport 80 -j NOTRACK
iptables -t raw -A PREROUTING -p tcp --dport 8080 -j NOTRACK
iptables -t raw -A OUTPUT -p tcp --sport 8080 -j NOTRACK
and variations explicitly mentioning source or destination IPs, but it either broke the server (by blocking some traffic) or it didn't succeed in removing all HTTP traffic from the connection tracking.
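The two things that usually go wrong with the approach above are (a) only one half of each flow is marked NOTRACK, so the other half still creates conntrack entries (the Varnish to backend connections, for example, leave on --dport 80 and return on --sport 80, which neither of the rules above matches), and (b) once a packet is untracked it never matches --state ESTABLISHED, so every untracked flow needs its own explicit ACCEPT in INPUT (the backend's purge requests to 8080 are untracked by the raw rule but have no INPUT rule, so the DROP policy eats them). The following script is an added example written for this answer, not code from the original post; it assumes the eth0 interface and the 10.0.0.1/10.0.0.2 addresses from the question, puts the commands behind an `IPT` variable so it can be dry-run with `IPT=echo`, and only touches the live ruleset when invoked with the argument `apply`:

```sh
#!/bin/sh
# Added example: minimal ruleset that keeps HTTP traffic (80/443 public,
# 8080 Varnish, 80 on the backend) out of conntrack while leaving state
# matching available for everything else. Dry run: IPT=echo ./fw.sh apply
IPT="${IPT:-iptables}"            # set IPT=echo to print instead of apply
WAN_IF="${WAN_IF:-eth0}"          # assumed public interface
BACKEND="${BACKEND:-10.0.0.2}"    # backend web server from the question
HTTP_PORTS="80,443"               # public ports served by Nginx
VARNISH_PORT="8080"               # Varnish listener that the backend purges

untrack_http() {
    # The raw table is evaluated before conntrack, so NOTRACK here means the
    # packet never creates or refreshes a conntrack entry. Both directions of
    # every flow must be listed or the reply half is still tracked.
    $IPT -t raw -F PREROUTING
    $IPT -t raw -F OUTPUT
    # clients -> Nginx, and Nginx's replies
    $IPT -t raw -A PREROUTING -i "$WAN_IF" -p tcp -m multiport --dports "$HTTP_PORTS" -j NOTRACK
    $IPT -t raw -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --sports "$HTTP_PORTS" -j NOTRACK
    # Varnish -> backend web server, and the backend's replies
    $IPT -t raw -A OUTPUT -o "$WAN_IF" -p tcp -d "$BACKEND" --dport 80 -j NOTRACK
    $IPT -t raw -A PREROUTING -i "$WAN_IF" -p tcp -s "$BACKEND" --sport 80 -j NOTRACK
    # backend -> Varnish purge requests, and Varnish's replies
    $IPT -t raw -A PREROUTING -i "$WAN_IF" -p tcp -s "$BACKEND" --dport "$VARNISH_PORT" -j NOTRACK
    $IPT -t raw -A OUTPUT -o "$WAN_IF" -p tcp -d "$BACKEND" --sport "$VARNISH_PORT" -j NOTRACK
}

filter_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # Tracked flows (SSH, DNS, anything else) still get the stateful shortcut.
    $IPT -A INPUT -i "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Untracked packets never match ESTABLISHED, so each untracked flow needs
    # an explicit rule. Without conntrack the firewall cannot tell a reply
    # from a new connection, so replies from the backend are limited to
    # non-SYN segments, the classic stateless-firewall check.
    $IPT -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports "$HTTP_PORTS" -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp -s "$BACKEND" --sport 80 ! --syn -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp -s "$BACKEND" --dport "$VARNISH_PORT" -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT
}

count_tracked_http() {
    # Post-apply check: the count should stay at 0 under load once the raw
    # rules are in place. Needs the conntrack procfs interface; the
    # conntrack(8) tool is the alternative where /proc/net/nf_conntrack is absent.
    [ -r /proc/net/nf_conntrack ] || { echo "conntrack procfs unavailable" >&2; return 1; }
    grep -cE 'dport=(80|443|8080) ' /proc/net/nf_conntrack
    return 0
}

case "${1:-}" in
    apply) untrack_http; filter_rules ;;
esac
```

The OUTPUT chain is left at its default ACCEPT policy; if you also lock down OUTPUT, the untracked replies from ports 80, 443 and 8080 need their own rules there for the same reason they need them in INPUT.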