DEV Community

Cover image for 24.Application Security
Thu Kha Kyawe
Thu Kha Kyawe

Posted on

24.Application Security

#aws #linuxlevel2

Lab Information

We have a backup management application UI hosted on Nautilus's backup server in Stratos DC. That backup management application code is deployed under Apache on the backup server itself, and Nginx is running as a reverse proxy on the same server. Apache and Nginx ports are 8082 and 8092, respectively. We have to install the iptables firewall on the server. Make the appropriate changes to fulfill the requirements mentioned below:

We want to open all incoming connections to Nginx's port and block all incoming connections to Apache's port. Also make sure rules are permanent.

Lab Solutions

🧭 Part 1: Lab Step-by-Step Guidelines

1️⃣ Login to Backup Server

ssh clint@stbkp01
# Password: H@wk3y3
sudo -i
Enter fullscreen mode Exit fullscreen mode

2️⃣ Install iptables

yum install -y iptables
yum install -y iptables-services
Enter fullscreen mode Exit fullscreen mode

3️⃣ Check and Fix iptables

systemctl start iptables
systemctl enable iptables
Enter fullscreen mode Exit fullscreen mode

4️⃣ Flush existing rules (clean start)

iptables -F
Enter fullscreen mode Exit fullscreen mode

5️⃣ Allow Nginx port (8092)

iptables -A INPUT -p tcp --dport 8092 -j ACCEPT
Enter fullscreen mode Exit fullscreen mode

6️⃣ Block Apache port (8082)

iptables -A INPUT -p tcp --dport 8082 -j DROP
Enter fullscreen mode Exit fullscreen mode

7️⃣ Allow essential traffic (IMPORTANT)

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
Enter fullscreen mode Exit fullscreen mode

8️⃣ Save rules (make permanent)

iptables-save > /etc/sysconfig/iptables
systemctl restart iptables
Enter fullscreen mode Exit fullscreen mode

9️⃣ Verify rules

iptables -L -n
Enter fullscreen mode Exit fullscreen mode

Output

[root@stbkp01 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8092
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8082
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Enter fullscreen mode Exit fullscreen mode

🧠 Part 2: Simple Step-by-Step Explanation (Beginner Friendly)
What this lab is about

You are controlling:

Who can access which service
Current setup
Service Port Purpose
Apache 8082 backend
Nginx 8092 public access
What you need to do
Allow users β†’ Nginx (8092)
Block users β†’ Apache (8082)
Why block Apache?
Nginx acts as reverse proxy
Users should NOT access Apache directly
What iptables does
iptables = firewall tool
Controls network traffic
Rule explanation
1️⃣ Allow Nginx
iptables -A INPUT -p tcp --dport 8092 -j ACCEPT

πŸ‘‰ Means:

Allow incoming traffic on port 8092
2️⃣ Block Apache
iptables -A INPUT -p tcp --dport 8082 -j DROP

πŸ‘‰ Means:

Reject connections to Apache
3️⃣ Allow existing connections
ESTABLISHED,RELATED

πŸ‘‰ Prevents breaking active sessions

4️⃣ Allow loopback
lo (localhost)

πŸ‘‰ Required for internal communication

Final flow
User β†’ Nginx (allowed) β†’ Apache (internal only)
User β†’ Apache (blocked ❌)
⚑ Key Concept
Firewall = control entry points to your system
🎯 Key Takeaway
Expose only what is needed, block everything else

Resources & Next Steps
πŸ“¦ Full Code Repository: KodeKloud Learning Labs
πŸ“– More Deep Dives: Whispering Cloud Insights - Read other technical articles
πŸ’¬ Join Discussion: DEV Community - Share your thoughts and questions
πŸ’Ό Let's Connect: LinkedIn - I'd love to connect with you
Credits
β€’ All labs are from: KodeKloud
β€’ I sincerely appreciate your provision of these valuable resources.

Top comments (0)