Add ports for apache continuum and its wrapper to iptables

[Aurumh4x]

This fixes the apache continuum setup so that the JVM can connect to the wrapper which runs on port 32000 at localhost
Also adds the actual jetty webserver port 8080 to the iptables so it can be reached from other hosts in the network

This allows usage of the Apache Continuum exploit module as well - https://www.rapid7.com/db/modules/exploit/linux/http/apache_continuum_cmd_exec

Attached images below for new iptables setup, module execution as well as wrapper logs for apache continuum

``

[deargle]

I'm making this work for the new chef iptables_rule approach. I don't find that it's necessary to open the firewall for 32000 to run the apache_continuum_cmd_exec exploit -- only 8080 needs to be opened. Am I missing something?

[Aurumh4x]

Port 32000 needs to be open internally at least to allow the Apache Continuum JVM to talk to the Tanuki Java Service Wrapper that operates on port 32000. If this isn't opened, Apache Continuum fails to start with an error stating that it can't connect to the wrapper.

[deargle]

Hmm seems to be running internally already on 32000, and the exploit worked for me without that needing to be accessible from outside the firewall, but then again I'm not seeing all of the docker firewall rules that you see when I run iptables -S when I build from this vagrant file.

So maybe your use of docker is messing with your routing in ways that I'm not seeing. What is your build setup that might lead to all of that?

Edit: my iptables

[Aurumh4x]

I was using Vagrant with Virtual Box provider with NAT network configuration for networking, not sure why I might have run into the issue.

You can see the error in the third screenshot in the original comment saying "Failed to connect to wrapper at port 32000".
I resolved this using the iptables rule.

Port 32000 definitely doesn't need to be accessible from outside of the machine, only for local connections.

[deargle]

That's the thing -- unless I have a fundamental misunderstanding of iptables, it's just a firewall, so it wouldn't impact local connections. I don't understand why adding a rule for 32000 to the firewall would have fixed any local-only connection between the jvm and the wrapper.

edit: give me a minute to do some more reading

edit 2: D'oh, yeah, iptables impacts loopback interface too, thanks to that -A INPUT -j DROP role at the end. @jmartin-r7 any objections to allowing all traffic on 127.0.0.1? e.g.,

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT