stackoom
  简体   繁体   中英

iptables block outgoing request from php

 原文  2015-12-10 09:07:03       php/ ubuntu/ iptables

Question

We have a Ubuntu server that host a php server and game server. recently, we get a lot of dos and flood attack. so i find some rule for iptables can protect http and game port from attack.

here is my rules: 

iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m limit --limit 5/sec -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3724 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 25 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT

but the problem appear when php want to open a request like Soap WebService to another server. and iptables block this connection.

I think that problem is in this line : 

iptables -P INPUT DROP

but without this line all request to all other port are allowed.

and this is php Soap error : 

object(SoapClient)#48 (2) { ["_soap_version"]=> int(1) ["sdl"]=> resource(97) of type (Unknown) }

I appreciate all your comment. Thanks.

1 answers

solution1
 0 ACCPTED  2015-12-10 10:59:34

The problem is that outgoing connections use a random local port to listen for replies. So if, for example, you are requesting a DNS entry on port 53, your computer will listen on port 42316 for data. If the latter port is blocked, as is the case in the above setup, the connection will fail.

This is easily solved generally allowing packets of state ESTABLISHED and RELATED connections. 

iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Also, change the other rules to use state NEW, as that's most likely what you want to restrict. Otherwise it will just cripple the server's connectivty.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question PHP, IPTables, and Request to Flask Port information for outgoing request php? PHP - block request from other domain Unexpected behaviour when running iptables from php Process outgoing mail from mail server with PHP Block direct access to PHP file except from AJAX request? Are there any PHP Hosts (shared) which do not block port 2195 and 2196 outgoing for iPhone Apple Push Notifications (APNS)? send email from PHP with outgoing mail server & userid and password authantication Using Gmails Outgoing SMTP from PHP using TLS How to log outgoing http requests from PHP + cURL?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM