0

I'm using software which is accessible at http://server_ip:certain_port. I want it to be accessible internally only, at http://localhost:port.

How can I block those ports from the outside?

Viacheslav
  • 187
  • 3
  • 8
  • 1
    Found the solution here: http://serverfault.com/questions/248851/iptables-block-port-8080-but-not-for-localhost (iptables -A INPUT ! -s 127.0.0.1 -p tcp -m tcp --dport YOUR_PORT -j DROP) – Viacheslav Jun 29 '14 at 10:40

3 Answers

2

You should tell Apache to listen on the lo interface only.

Listen 127.0.0.1:80

Reference

bcj
  • 71
  • 1
  • 1
    You're assuming that the software that needs to be blocked uses Apache, and that there are no other websites on the server that should be visible from the outside. Both assumptions are not the case in my case. I answered my question with the comment at the top. – Viacheslav Jun 29 '14 at 16:41
  • 1
    True, you didn't supply enough information on what was running and I made the assumption. Although, the logic still applies. Unless your software is poorly written and binds to all interfaces without the option to configure, you should only bind what you need. Why run two processes to accomplish what should be done with one? – bcj Jun 29 '14 at 16:49
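
To check which listeners are bound beyond loopback, here is an added example (not part of any post on this page) that filters `ss -H -ltn` output from iproute2. The function names and the sample listing are constructed for illustration; a port reported here is only protected if a firewall rule covers it.

```shell
#!/bin/sh
# exposed_listeners: read `ss -H -ltn` output on stdin and print every TCP
# listener whose local address is NOT loopback, one "address port" per line.
exposed_listeners() {
    awk '
    {
        la = $4                          # Local Address:Port column
        port = la
        sub(/.*:/, "", port)             # keep the text after the last colon
        addr = substr(la, 1, length(la) - length(port) - 1)
        gsub(/^\[|\]$/, "", addr)        # [::1] becomes ::1
        sub(/%.*/, "", addr)             # 127.0.0.53%lo becomes 127.0.0.53
        sub(/^::ffff:/, "", addr)        # IPv4-mapped IPv6 becomes plain IPv4
        if (addr ~ /^127\./ || addr == "::1") next   # loopback only: fine
        print addr, port
    }'
}

# port_exposed PORT: exit 0 if PORT has at least one non-loopback listener.
port_exposed() {
    exposed_listeners | awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# Constructed sample in `ss -H -ltn` column layout (not from a real host).
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 *:9000 *:*
LISTEN 0 128 [::1]:8080 [::]:*
LISTEN 0 128 [::]:3000 [::]:*
LISTEN 0 128 [::ffff:127.0.0.1]:8443 *:*'

printf '%s\n' "$SAMPLE" | exposed_listeners
for p in 8080 9000; do
    if printf '%s\n' "$SAMPLE" | port_exposed "$p"; then
        echo "port $p: bound beyond loopback"
    else
        echo "port $p: loopback only"
    fi
done
```

On a live host, feed it real data with `ss -H -ltn | exposed_listeners`.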
0

Firewall. If you are on Ubuntu or Debian, ufw is a good choice. Set the firewall to allow ports by default but deny the particular port as a rule.

CameronNemo
  • 399
  • 1
  • 6
0

In my own experience with web servers, the cleanest solution is to use Apache directives to restrict access, either in an .htaccess file or in the site configuration.

Advantages:

  1. No need to fight with iptables or any other kernel-level firewall rules
  2. Apache is still listening on all interfaces of your server, so you can have other web sites in the same Apache instance without this localhost-only access limitation

The directives you need to use are:

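<Location />
  # Deny rules are evaluated first, then Allow rules, so a matching Allow wins
  # The two keywords are separated by a comma only (no space is permitted)
  Order Deny,Allow
  Deny from all
  Allow from localhost
  Allow from 127.0.0.1
</Location>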

These directives will deny access to the whole web site; only connections coming from localhost (127.0.0.1) will be allowed. You can use the name or the IP address in the URI; they will be recognized as such by both Allow rules.

Where to put these directives:

  1. In an .htaccess file in the top directory containing the files for the web site you want to protect
  2. If you have more than one virtual host configured in your Apache configuration file, put these directives inside the section for this web site

Remark:

For the .htaccess file to be loaded by the web server, you must have defined this web site with AllowOverride Limit or AllowOverride All in the definition of the web site. Also, .htaccess is the default name used for this and can be overridden by the Apache directive AccessFileName <filename>

Benoit
  • 396
  • 2
  • 10
  • Appreciate the effort but this doesn't answer the question because the software that needs to be blocked in my case has nothing to do with Apache. – Viacheslav Jun 29 '14 at 16:46
  • @Bombero: indeed, this cannot apply if you don't speak of a standard web site, so please give more details in your question next time as most of the readers will assume, like me and some others do, that HTTP = Web Server and the most used web server is Apache. – Benoit Jun 29 '14 at 19:45
  • Sure you can assume whatever you like, no problem. – Viacheslav Jun 29 '14 at 21:01