Network Topology & httpd: Prevent direct access to your IP without netfilter rules
by: ev1lut10n

Here is an example of a network topology that prevents direct access to your IP:

=======================
[your server]
      |
      |
      |
[cloud computing network]
(servers that use port forwarding on port 80 to your server)
(dns servers) ========== resolved to one of the servers inside the cloud computing network
(this server uses port forwarding on port 80 to your server)
      |
      |
      |
      |
[internet]
=====================

How is it possible for your server to process an HTTP request coming from the forwarder? Below is a sample HTTP request from a browser:

====
root@ev1lut10n-Vostro1310:/home/ev1lut10n# nc -l 80 -vvv
Connection from 127.0.0.1 port 80 [tcp/www] accepted
GET / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/31337
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
=================

In the request above, note this line:

============
Host: localhost
============

This header is what most httpd implementations use to select the correct virtual host configuration. A typical user whose browser requests your domain will always send:

==========
Host: yourdomain.com
==========

Your httpd reads this line to decide which virtual host configuration should handle the request. The topology above still has a weakness, though: suppose someone on the internet still obtains your real IP address.

You could play some netfilter tricks, but that is not the game here. For extra protection, for example when you run the nginx httpd, here is a sample nginx configuration that will trick the attacker:

===========
# matches requests whose Host header is the bare IP address of this server
server {
    listen 80;
    server_name your_server_ip_address_here;
    server_tokens off;
    # an absolute URL in the replacement makes nginx answer with a 302 redirect
    rewrite ^(.*) http://127.0.0.1;
}
===============

This redirects anyone who tries to access your server's IP directly to http://127.0.0.1.
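The block above only fires when the Host header is literally the IP address; a request with no Host header (HTTP/1.0) or with an unknown hostname falls through to whichever server block nginx treats as the default. The following added configuration (my example, not the author's) generalizes the idea with a default_server catch-all beside the real site; yourdomain.com and /var/www/yourdomain are placeholders.

```nginx
# Catch-all: handles every request nginx cannot match by server_name,
# i.e. the bare IP, a missing Host header, or a random hostname.
# default_server makes this block the fallback regardless of its order in the file.
server {
    listen 80 default_server;
    server_name _;
    server_tokens off;
    # same effect as the rewrite in the post, but without regex evaluation
    return 302 http://127.0.0.1;
}

# The real site, reachable only when the forwarder passes a proper Host header.
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;   # placeholder names
    server_tokens off;
    root /var/www/yourdomain;                         # placeholder path
    index index.html;
}
```

A client that already knows the hostname can still send Host: yourdomain.com to the raw IP, so this hides the site from casual direct-IP probing but does not replace the netfilter rules the post sets aside.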