TIPS Setting Apache to listen to specific IP

turalo

Member
Joined
Oct 10, 2013
Messages
75
Reaction score
1
Hi guys.

I'm almost done with my new VM setup.

Basically, to secure my PIAF VMs I have created a set of rules.

All ports but 5060 and 10000-20000 are closed via iptables.

I have created a VPN server (default pptpd) and it is giving 192 addresses to users that log in via VPN.

So I want only the users on 192 IPs to be able to reach httpd and ssh etc.

I have tried to change the listening IP of httpd but it's not accepting it; I get this error:

Starting httpd: (99)Cannot assign requested address: make_sock: could not bind to address 192.168.1.1:9080
no listening sockets available, shutting down
Unable to open logs
[FAILED]

I have also tried to add an iptables rule that only accepts port 9080 connections based on source IP 192.x.x.x,
but that does not reject other IPs; all public IPs also get access to httpd.

Can anybody help advise how to set this right?

I need to find a way to make the www and ssh only accessible by the local 192.168.1.0 network.
This way only users that log in through the VPN will get access to the www GUI and ssh.

Please help.
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,540
Reaction score
729
Is 192.168.1.1 assigned to a network interface? Use ip addr show to find out.

Is something else already bound to that IP and port? Use netstat -pan | grep LISTENING to see whether any processes already own it.
 

turalo

Member
Joined
Oct 10, 2013
Messages
75
Reaction score
1
Is 192.168.1.1 assigned to a network interface? Use ip addr show to find out.

Is something else already bound to that IP and port? Use netstat -pan | grep LISTENING to see whether any processes already own it.


No, the local IP is not bound to any interface. I have 2 interfaces: 1 is lo (loopback), 2 is eth0 with a public IP.
This is a default PIAF image, latest (CentOS).

And also there is no service/process that listens on that port; if I start httpd then it listens on 9080.
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,540
Reaction score
729
Apache won't bind to an IP address that doesn't exist on a network interface.

Just have Apache listen on all interfaces as is default. Your firewall rules control the access.
 

turalo

Member
Joined
Oct 10, 2013
Messages
75
Reaction score
1
Apache won't bind to an IP address that doesn't exist on a network interface.

Just have Apache listen on all interfaces as is default. Your firewall rules control the access.


I have tried it with iptables, and the funny thing is that as soon as I activate the rule in iptables, I'm not able to reach it from outside on the public IP, which is right as I want, but then the local 192 access to the web GUI is also blocked.
It's very strange. While if I'm not using iptables then I can access it from 192, and also the public IP.

In iptables I have done: allow from IP to 9080 and then deny anything else to 9080.
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,540
Reaction score
729
Sorry turalo I haven't been on this forum in a while. Without seeing your exact setup I can't give any further advice. I just know Apache won't start to listen on any IP address that it does not see on the local interfaces.
 

turalo

Member
Joined
Oct 10, 2013
Messages
75
Reaction score
1
Sorry turalo I haven't been on this forum in a while. Without seeing your exact setup I can't give any further advice. I just know Apache won't start to listen on any IP address that it does not see on the local interfaces.


Well, basically it's the original CentOS PIAF install (latest) with all defaults.
I just installed the pptpd VPN server on it, and wanted to block all ports but 5060 and 10000-20000 from outside.
And I wanted to use the VPN to connect to the server and log in to ssh or the web GUI etc.

So after installing the VPN server I can connect to the server and access ssh and the web GUI, but as soon as I close the ports as described above in iptables, I'm also unable to access ssh etc. from the VPN.
So I have created a new rule in iptables for ssh and the web GUI with a source IP, but that does not help.
I tried to make the web server listen on a local IP; that is not possible, it's not starting if I set that.
Posts before suggest that the network address must exist on the server so that the web server can listen on it, but I wouldn't know how to enable it. Should I just set the IPs on the second network card, which is not connected to anywhere?
Or must I create a virtual network card? I don't know how to accomplish this.
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,540
Reaction score
729
Sounds like you're blocking the tunnel entirely since you are closing all ports except 5060 and 10k-20k.

Leave the tunnel port open and let apache listen on *. If you're stuck on this, you should probably get a networking consultant to log in and help sort things out.
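A worked INPUT chain for the setup discussed in this thread, added here as an example (it is not turalo's or billsimon's configuration). It assumes eth0 is the public interface, pptpd hands out 192.168.1.0/24 on ppp+ interfaces, and the management ports are 22 and 9080; the two points it shows are that the tunnel itself (1723/tcp and GRE) must stay open from the outside, and that the management rule matches on the tunnel interface as well as the source address.

```shell
#!/bin/sh
# Constructed example, not from this thread: an INPUT chain for the setup described
# above. Assumptions: public interface eth0, PPTP tunnel interfaces ppp+, VPN client
# pool 192.168.1.0/24, web GUI on 9080, ssh on 22, SIP on 5060, RTP on 10000-20000.
IPT="${IPT:-iptables}"          # set IPT=echo to print the rules instead of applying them
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-ppp+}"
VPN_NET="${VPN_NET:-192.168.1.0/24}"

apply_rules() {
    $IPT -F INPUT
    # Loopback and reply traffic for connections that are already established
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The tunnel must stay reachable from the Internet: PPTP control on 1723/tcp
    # plus GRE (IP protocol 47). Closing these is what also kills access via the VPN.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 1723 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p gre -j ACCEPT
    # VoIP stays open to the world, as in the original setup
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 5060 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 5060 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 10000:20000 -j ACCEPT
    # Management only from VPN clients: require BOTH the tunnel interface and the
    # pool address, so a packet with a forged 192.168.1.x source arriving on eth0
    # matches nothing here and is dropped by the policy below.
    $IPT -A INPUT -i "$VPN_IF" -s "$VPN_NET" -p tcp -m multiport --dports 22,9080 -j ACCEPT
    # Default-deny is set last so an existing admin session is not cut off mid-change
    $IPT -P INPUT DROP
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  IPT=echo; apply_rules ;;
esac
```

Saved as firewall.sh (an assumed name), `sh firewall.sh show` prints the rules and `sh firewall.sh apply` installs them as root. On Apache 2.2 as shipped with CentOS 6, the same restriction can be added as a second layer with `Order deny,allow`, `Deny from all` and `Allow from 192.168.1.0/24` in the GUI's Directory or Location block.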
 
