Allow connections to only a specific URL via HTTPS with iptables, -m recent (potentially) and -m string (definitely)

Posted by The Consumer on Server Fault See other posts from Server Fault or by The Consumer
Published on 2011-01-07T19:13:22Z Indexed on 2011/01/07 19:55 UTC
Read the original article Hit count: 197

Filed under:
|
|
|
|

Hello,

Let's say that, for example, I want to allow connections only to subdomain.mydomain.com; I have it partially working, but it sometimes gets in a freaky loop with the client key exchange once the Client Hello is allowed. Ah, to make it even more annoying, it's a self-signed certificate, and the page requires authentication, and HTTPS is listening on a non-standard port... So the TCP/SSL Handshake experience will differ greatly for many users.

Is -m recent the right route? Is there a more graceful method to allow the complete TCP stream once the string is seen?

Here's what I have so far:

#iptables -N SSL
#iptables -A INPUT -i eth0 -p tcp -j SSL
#iptables -A SSL -m recent --set -p tcp --syn --dport 400
#iptables -A SSL -m recent --update -p tcp --tcp-flags PSH,SYN,ACK SYN,ACK --sport 400
#iptables -A SSL -m recent --update -p tcp --tcp-flags PSH,SYN,ACK ACK --dport 400
#iptables -A SSL -m recent --remove -p tcp --tcp-flags PSH,ACK PSH,ACK --dport 400 -m string --algo kmp --string "subdomain.mydomain.com" -j ACCEPT

Yes, I have tried to get around this with nginx tweaks, but I can't get nginx to return a 444 or abrupt disconnect before the client hello, if you can think of a way to achieve this instead, I'm all ears, err, eyes.

(As suggested by a user, bringing this inquiry over from http://stackoverflow.com/questions/4628157/allow-connections-to-only-a-specific-url-via-https-with-iptables-m-recent-pote)

© Server Fault or respective owner

Related posts about nginx

Related posts about iptables