
How to allow access to only particular url by ip tables


In my app I have to restrict the external access to port 8383. It should receive connections only from localhost. I achieved this successfully by:

Ensure port 8383 is accessible from localhost

iptables -A INPUT -p tcp --dport 8383 -s 127.0.0.0/8 -j ACCEPT

Ensure port 8383 is disabled for external access

iptables -A INPUT -p tcp --dport 8383 -j REJECT

However the app running under port 8383 has to be clustered. It clusters itself by sending a POST request to :8383/default/cluster.

Is there any way to disable external access to 8383, but allow it only for requests which contain "/default/cluster" in the request URI?


Solution

  • iptables can't do it out of the box. The reason is that iptables works on L3-4 (network and transport layers) and doesn't look inside the packet payload. But there are several extensions that can perform "deep packet inspection".

    To make it work you will need at least:

    • Correctly configured kernel (Netfilter connection tracking support)
    • Deep packet inspection tool (ndpi for example)
    • Module for iptables that connects Linux filtering and deep packet inspection functionality.
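As an added example (it is not code from the question or the answer above), the following script shows what can be done with the "string" match that ships with stock iptables (kernel module xt_string), without a separate DPI tool. It accepts a segment on port 8383 only when the clustering request line "POST /default/cluster " sits at the start of the TCP payload, and answers any other segment that carries an HTTP request line with a TCP reset. Assumptions: IPv4, a kernel built with CONFIG_NETFILTER_XT_MATCH_STRING, an iptables that supports the string match, and that the app's clustering call really starts with that request line; the byte window 40..120 is an assumed approximation of where the payload begins (20-byte IP header plus a 20..60-byte TCP header). The blanket REJECT rule from the question must not stay in front of these rules, because the SYN of the clustering connection carries no payload and would be rejected before the request line is ever sent.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Gates TCP/8383 on the HTTP request line using iptables' xt_string match.
# Assumptions: IPv4, iptables with the "string" match and a kernel built with
# CONFIG_NETFILTER_XT_MATCH_STRING (modprobe xt_string), and an app whose
# clustering call starts with the request line "POST /default/cluster ".
# Set IPT=echo to print the rules instead of installing them.
IPT=${IPT:-iptables}
PORT=${PORT:-8383}
ALLOWED_PATH=${ALLOWED_PATH:-/default/cluster}

# rules A  -> append the three rules; rules D -> delete the same rules again.
rules() {
    action=${1:-A}
    # 1. Local clients come in over the loopback interface: always accept.
    $IPT -"$action" INPUT -i lo -p tcp --dport "$PORT" -j ACCEPT
    # 2. The first data segment of a request carries the request line. Accept
    #    it only when the clustering request line sits at the start of the TCP
    #    payload. --from/--to are byte offsets from the IPv4 header: 20 bytes
    #    of IP header plus 20..60 bytes of TCP header put the payload at
    #    offset 40..80, so the window 40..120 (an assumed approximation) covers
    #    the 22-byte pattern there and ignores the same bytes deeper in a body.
    $IPT -"$action" INPUT -p tcp --dport "$PORT" -m string --algo bm \
        --from 40 --to 120 --string "POST $ALLOWED_PATH " -j ACCEPT
    # 3. Any other segment that carries an HTTP request line is refused with a
    #    TCP RST so the remote client sees a closed port instead of a hang.
    $IPT -"$action" INPUT -p tcp --dport "$PORT" -m string --algo bm \
        --string " HTTP/1." -j REJECT --reject-with tcp-reset
    # Segments without a request line (SYN, bare ACKs, body continuation) fall
    # through to the rest of the INPUT chain: the handshake has to complete
    # before the client can send the request line that rules 2 and 3 inspect,
    # so do not keep a blanket REJECT for the port in front of these rules.
}

case "${1:-}" in
    apply)  rules A ;;
    remove) rules D ;;
esac
```

Run it as `sh gate8383.sh apply` (and `remove` to take the rules out again); `IPT=echo sh gate8383.sh apply` prints the rules for review. The check is per packet, not per HTTP stream: a client that splits the request line across two segments, or puts a second request line behind a harmless one inside the same segment, is not caught, so treat this as a hardening step against accidental exposure rather than a trust boundary. Anything stronger needs a component that actually parses HTTP in front of the app, which is the "deep packet inspection" the answer refers to.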