iptables is blocking nginx from being a reverse proxy for node.js
There's no point to using extremely restrictive rules on the loopback interface. All this will do is to prevent your local services from talking to each other in strange ways that you will have trouble diagnosing (which is why you're here). Just give up on it:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Related videos on Youtube
Comments
-
Eric over 1 year
Having some trouble with my very restrictive iptables setup. I have nginx (port 80) setup to be a reverse proxy in front of node.js (port 8080). When the iptables service is stopped, everything works great. When it's turned back on, I get proxy timeout errors from nginx.
The part that isn't working is the "HTTP (node.js)" block in the "INCOMING" section; see below for the actual configuration file contents. This is pretty confusing since I'm covering the only two ethernet "adapters" in my system: eth0 and lo. Does this problem have to do with the fact that nginx talks to node.js on neither eth0 nor lo?
Here is my iptables config:
# Remove all existing rules iptables -F # Set default chain policies iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP ##### BEGIN: INCOMING ##### # HTTP (nginx) iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT # HTTP (node.js) iptables -A INPUT -i eth0 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i lo -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o lo -p tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT # Samba iptables -A INPUT -i eth0 -p tcp --source 10.1.1.0/24 --dport 445 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --destination 10.1.1.0/24 --sport 445 -m state --state ESTABLISHED -j ACCEPT # SSH iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT ##### END: INCOMING ##### ##### BEGIN: OUTGOING ##### # DNS iptables -A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT # E-Mail to Gmail iptables -A OUTPUT -o eth0 -p tcp --dport 587 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -p tcp --sport 587 -m state --state ESTABLISHED -j ACCEPT # HTTP iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT # HTTPS iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT # Ping iptables -A OUTPUT -o eth0 -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -m state --state ESTABLISHED -j ACCEPT ##### END: OUTGOING ##### # Make these rules permanent service iptables save service iptables restart
-
Eric about 11 yearsThanks. This seems like good advice. I'd like to know exactly why doing this is necessary when it's not on eth0, but your point about local service communication is one I hadn't considered. tips hat