I'm using Apache to redirect a subdomain to a port (mod_proxy, mod_proxy_http, mod_proxy_ajp) and IP Tables to restrict direct port access except to me and the local server.

My IP Tables looks like so:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  -- !c-24-7-110-109.hsd1.ca.comcast.net  anywhere             tcp dpt:tproxy
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:tproxy
DROP       tcp  -- !c-24-7-110-109.hsd1.ca.comcast.net  anywhere             tcp dpt:http-alt
DROP       tcp  -- !c-24-7-110-109.hsd1.ca.comcast.net  anywhere             tcp dpt:webmin
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:webmin

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The context I'm going to use in this post is:

Sonatype Nexus: nexus.example.com => example.com:8081

Jenkins CI: jenkins.example.com => example.com:8080

Webmin: webmin.example.com => example.com:10000

What I have working right now is no direct port access except to me. I also want the local system to be able to access ports which is what, I believe, I have now. I'm using mod_proxy_ajp for Jenkins CI and Webmin and mod_proxy_http for Sonatype Nexus.

When I visit direct ports, each of these services loads just fine. When I have asked someone else to load each, they can't, so that's working.

Now, however, when trying to access one of the subdomains, I get a never-ending load (infinite loop?)

When I run a tracert on the subdomain, though, it ends fine so I can cross out infinite loop.

Here is my Sonatype Nexus apache virtual host configuration:

<VirtualHost *:80>
        ServerName nexus.majornoob.com
        ServerAlias www.nexus.majornoob.com
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass / http://localhost:8081/
        ProxyPassReverse / http://localhost:8081/
        ProxyPassReverseCookiePath / /
        ErrorLog /var/www/majornoob/error-nexus.log
        LogLevel warn
        CustomLog /var/www/majornoob/access-nexus.log combined
</VirtualHost>

and here is my Jenkins:

<VirtualHost *:80>
        ServerName jenkins.majornoob.com
        ServerAlias www.jenkins.majornoob.com
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass / ajp://127.0.0.1:8080/
        ProxyPassReverse / ajp://127.0.0.1:8080/
        ProxyPassReverseCookiePath / /

        ErrorLog /var/www/majornoob/error-jenkins.log

        LogLevel warn

        CustomLog /var/www/majornoob/access-jenkins.log combined
</VirtualHost>

These two examples of virtual hosts are using mod_proxy_ajp and mod_proxy_http respectively.

Can anyone help me to figure out why I am getting an infinite load?

Thanks.

edit: Never mind on the infinite loop. After some time, I received a 503 Service Unavailable error.

The iptables rules are evaluated in order, top to bottom as printed. The problem you have is that the proxied connection is from localhost, which matches this rule:

DROP       tcp  -- !c-24-7-110-109.hsd1.ca.comcast.net  anywhere             tcp dpt:tproxy

localhost is not c-24-7-..., so the connection is dropped. The proxy module eventually times out; if the rule was REJECT instead of DROP, you'd get an error much quicker (because you'd get denied explicitly rather than the connection attempt just disappearing).

The solution is quite simple: reorder the rules to have the "accept from localhost" before the "deny from anywhere else". (IP routing matches by most-specific, but because iptables are multi-factor, that's not necessarily defined).

I'd generally recommend having a first rule that allows all localhost communication (via the loopback interface, just in case someone tries something weird over the ethernet); try adding

iptables -I INPUT -i lo -s localhost -d localhost -j ACCEPT

to insert (-I) that at the top of the list.
