Block ALL IP addresses only allow 3 IP addresses on port 80/443
Hi,
Basically I am trying to configure, using iptables on CentOS 5.8, a rule to block all IP addresses trying to access port 80/443 but only allow 3 IP addresses to access. Can I use 0.0.0.0 in the below rule?
Code:
iptables -A INPUT -s 0.0.0.0 -p tcp --destination-port 80 -j DROP
Code:
iptables -A INPUT -s 202.101.50.1 -p tcp --destination-port 80 -j ACCEPT
iptables rules are parsed from the top down, which means that the ACCEPT rules have to come before the "drop all" rule.
Also, to specify "all IP addresses", use -s 0.0.0.0/0.
Generally speaking, with iptables it is better to whitelist the desired traffic and drop all other traffic, as opposed to writing a rule specifically to handle unwanted traffic. Your rule:
Code:
iptables -A INPUT -s 0.0.0.0 -p tcp --destination-port 80 -j DROP
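To make the two points in the replies above concrete (rules are evaluated top-down so an early DROP shadows every ACCEPT below it, and `-s 0.0.0.0` is a single-host match while `-s 0.0.0.0/0` means any source), here is a small Python model of INPUT-chain evaluation that also renders each rule as the iptables command line that would add it. This is an added example and not code posted in the thread or the rules the reply refers to: 202.101.50.1 and 192.168.0.0/24 come from the posts, while 198.51.100.7 and 203.0.113.9 are made-up test addresses, and the model covers only the `-s`, `-p` and `--dport` matches used in the discussion.

```python
"""Toy model of how iptables walks the INPUT chain: rules are checked top
down, the first match decides, and the chain policy applies if nothing matches.
Added example for the thread, not code posted by anyone in it; it only models
the matches the thread uses (-s, -p, --dport)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    target: str                   # -j ACCEPT / DROP
    src: Optional[str] = None     # -s, written exactly as on the iptables command line
    proto: Optional[str] = None   # -p
    dport: Optional[int] = None   # --dport

    def matches(self, src_ip: str, proto: str, dport: int) -> bool:
        if self.src is not None:
            # A bare address is a /32 host match: "-s 0.0.0.0" is the single
            # host 0.0.0.0, while "-s 0.0.0.0/0" covers every source address.
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(src_ip) not in net:
                return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

    def as_iptables(self, chain: str = "INPUT") -> str:
        """Render the rule as the command line that would append it."""
        parts = ["iptables", "-A", chain]
        if self.src is not None:
            parts += ["-s", self.src]
        if self.proto is not None:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        return " ".join(parts)


def verdict(chain: List[Rule], src_ip: str, proto: str, dport: int,
            policy: str = "ACCEPT") -> str:
    """First matching rule wins; otherwise the chain policy (-P) applies."""
    for rule in chain:
        if rule.matches(src_ip, proto, dport):
            return rule.target
    return policy


# 1. The rule as written in the question: "-s 0.0.0.0" matches only packets
#    whose source really is 0.0.0.0, so it drops nothing useful.
AS_WRITTEN = [
    Rule("DROP", src="0.0.0.0", proto="tcp", dport=80),
    Rule("ACCEPT", src="202.101.50.1", proto="tcp", dport=80),
]

# 2. Same rules with the address fixed to 0.0.0.0/0 but the DROP still first:
#    it now matches everything on port 80, so the ACCEPT below is never reached.
MISORDERED = [
    Rule("DROP", src="0.0.0.0/0", proto="tcp", dport=80),
    Rule("ACCEPT", src="202.101.50.1", proto="tcp", dport=80),
]

# 3. Whitelist ordering: permit what is wanted, then drop the rest.
#    202.101.50.1 and 192.168.0.0/24 come from the thread; 198.51.100.7 is a
#    made-up second external client standing in for the third allowed source.
TRUSTED_WEB_CLIENTS = ["202.101.50.1", "198.51.100.7", "192.168.0.0/24"]

WHITELIST: List[Rule] = (
    [Rule("ACCEPT", proto="tcp", dport=22)]                              # ssh
    + [Rule("ACCEPT", src=s, proto="tcp", dport=p)
       for s in TRUSTED_WEB_CLIENTS for p in (80, 443)]                  # web, 3 sources
    + [Rule("ACCEPT", src="192.168.0.0/24", proto="tcp", dport=3306)]    # mysql, LAN only
    + [Rule("DROP", src="0.0.0.0/0")]                                    # everything else
)


if __name__ == "__main__":
    for r in WHITELIST:
        print(r.as_iptables())
    for name, chain in (("as written", AS_WRITTEN),
                        ("misordered", MISORDERED),
                        ("whitelist", WHITELIST)):
        print(name, "| 202.101.50.1:80 ->", verdict(chain, "202.101.50.1", "tcp", 80),
              "| 203.0.113.9:80 ->", verdict(chain, "203.0.113.9", "tcp", 80))
```

Running it prints the whitelist as nine iptables commands and then the verdicts for a trusted and an untrusted client against each chain: the "as written" chain lets the stranger through because its DROP never matches, the "misordered" chain drops even the trusted client, and only the whitelist ordering does what the question asked for. The model assumes the chain policy is ACCEPT, as in `iptables -P INPUT ACCEPT`; on a stock CentOS 5 box the RH-Firewall-1-INPUT chain ends in a REJECT rule instead, which is why the final catch-all rule is what actually matters.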
Thanks for the reply,
If I was to add the 4 rules you suggested, wouldn't that mean that all traffic would be blocked to other ports, i.e. ssh, mysql etc.? So would that mean I would have to add rules afterwards to allow access to these ports/services for all IPs/specific IPs?
Code:
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
Code:
-A RH-Firewall-1-INPUT -s 202.101.50.1 -p tcp -m tcp --dport 80 -j ACCEPT
Would this be suitable to prevent access to MySQL unless you were on the internal network which the server is a part of?
BTW I have Apache and MySQL running on one box which is serving a DB-driven website, which is being accessed by 2 external locations and 1 internal location (where the server is located, hence the idea of locking down port 80 to 3 IPs) (OK, 2 IPs and 1 IP range :D )
Code:
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
Thanks again.
EDIT: I know it looks bad that I have 3306 open but I have strong passwords and only 3 DB users. I also have denyhosts and OSSEC running and users get blocked after a certain amount of failed attempts. My hosts.deny file is HUGE lol.
If they aren't using direct access to MySQL and only accessing indirectly via the web page, there is no need to permit access to port 3306 at all. Based upon your description of "Apache and MySQL running on one box which is serving a DB-driven website" I don't think you need to open port 3306 at all. On the other hand, if for example they are using your centralized SQL server and connecting to it, these rules would work to restrict it. The last one not being necessary if you have a generalized drop all other traffic.
With respect to "Use a firewall wrapper to prevent access from the outside", I meant it as outside of the desired range, which could be anything from outside of that particular server to your LAN subnets. iptables can be used for this function as it can filter based upon source and destination, but if you have a hardware firewall or router, I would also keep port 3306 closed there too. The more layers the better.
Thanks a bunch, from your advice I have achieved everything I set out to do.
I have disabled access to MySQL port 3306; I will re-enable it only when needed, which is hardly at all. A small inconvenience for more security and peace of mind is the better solution for me. I have added rules to allow the IP addresses that we use to access ports 80 and 443, then any other IP address's packets get dropped. It's working great. Much regards
I'm glad that it's working for you!
One thing that occurred to me, that I thought I would mention because it wasn't obvious to me at first, is that if you have users connecting to MySQL, the format for the user is user@domain. Normally, when you create a user it defaults to localhost and the domain part goes unnoticed. In situations where you have connections to the database from another machine you can make use of this by specifying the host name for domain (or rather however that machine identifies itself on the network). This is as opposed to using a syntax like 'user'@'%', which would be a wildcard. This would add another layer to the authentication requirements, helping to keep out those who shouldn't be there.