0

I'm running a server with nginx and fastcgi. I'm using TCP sockets for fastcgi rather than Unix sockets as I've read that this scales better. The fastcgi server is running on fastcgi://127.0.0.1:9000. I'm trying to figure out what rules I need to add to iptables to allow the traffic through. I've figured out this much:

-A INPUT -p tcp -m tcp -d 127.0.0.1 --dport 8999 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 127.0.0.1 --sport 8999 -m state --state NEW,ESTABLISHED -j ACCEPT

But I'm guessing that I should also specify a source port and source IP for the INPUT rule and a destination port and destination IP for the OUTPUT rule (for security purposes). What would the correct values for that be?

I hope that my question makes sense.

xtpu
  • 1
  • 1
  • Most firewalls already include a rule that permits access to the loopback (127.0.0.1). If you don't have one, why not just a basic rule `-A INPUT -i lo -j ACCEPT` and `-A OUTPUT -o lo -j ACCEPT`. You really won't get much value out of trying to heavily lock down the rules related to the loopback interface. – Zoredache May 16 '14 at 17:14
  • I'm very new to iptables, so I didn't even know that what you're suggesting was possible! Sounds like the best solution to the problem. If you want to repost that as the answer, I will choose it as the best response. – xtpu May 16 '14 at 17:54
  • PS, I flushed all my rules when I set up this firewall so that I could set everything up from scratch. That way, I know exactly what does what – xtpu May 16 '14 at 17:55

1 Answers1

2

These are what called the loopback iptable rules as shown below.

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

The fast_cgi port is an internal port between the php-fpm and the web server. if you want to make sure it is a part of the server or not, block all ip traffic and test your fast_cgi connection to your server by running any php file test.

you can block your traffic this way:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Digital site
  • 190
  • 1
  • 10