Block ALL IP addresses only allow 3 IP addresses on port 80/443
 

Hi,

Basically I am trying to configure using IP Tables on CentOS 5.8, a rule to block all IP addresses trying to access port 80/443 but only allow 3 IP address to access.

Can I use 0.0.0.0 in the below rule?

If the above rule would work, is there a specific order I would need to put the rule to allow access. I only ask because when using something like Squid Proxy you would need to enter rules in a certain order.

Much Regards

Iptables rules are parsed from the top down, which means that the ACCEPT rules have to come before the "drop all" rule.

Also, to specify "all IP addresses", use -s 0.0.0.0/0.

Generally speaking, with IPtables it is better to white list the desired traffic and drop all other traffic as opposed to writing a rule specifically to handle unwanted traffic. Your rule: being an example of a blacklist rule. I would recommend that you set the policy to accept, write four rules like the following:

Thanks for the reply,

If I was to add the 4 rules you suggested wouldn't that mean that all traffic would be blocked to other ports, i.e ssh, mysql etc. So would that mean I would have to add rules afterwards to allow access to these ports/services for all IPs/Specific IP's

I have added this and it seems to works fine.

btw the ip's i have used are just random, not actually using the IP's I use. :D

Your quite welcome. I am happy to help!

This is correct. You want to add a rule to allow each service that you want to make available. I noticed that you used port 3306, MySQL, as an example and wanted to comment on this one. I would recommend that if you can at all avoid it, that you don't make MySQL accessible to the public and this goes for PHPMyAdmin as well. Instead, you will want to restrict it via binding of the interface, such as localhost, and use a firewall wrapper to prevent access from the outside.

Would this be suitable to to prevent access to MySQL unless you were on the internal network which the server is apart of.

BTW I have Apache and MySQL running on one box which is serving a DB-driven website, which is being accessed by 2 external locations and 1 internal location(where the server is located hence the idea of locking down port 80 to 3 ip's)(Ok 2 ip's one 1 ip range :D )


When you said "Use a firewall wrapper to prevent access from the outside" did you mean using iptables or a hardware device i.e router, or both :D

Thanks again.

EDIT: I know it looks bad that I have 3306 open but I have strong passwords and only 3 db users. I also have denyhosts and ossec running and users get blocked after certain ammount of failed attempt. My hosts.deny file is HUGE lol.

If they aren't using direct access to MySQL and only accessing indirectly via the web page, there is no need to permit access to port 3306 at all. Based upon your description of "Apache and MySQL running on one box which is serving a DB-driven website" I don't think you need to open port 3306 at all. On the other hand, if for example they are using your centralized SQL server and connecting to it, these rules would work to restrict it. The last one not being necessary if you have a generalized drop all other traffic.

With respect to, "Use a firewall wrapper to prevent access from the outside", I meant it as outside of the desired range which could be anything from outside of that particular server to your LAN subnets. IPtables can be used for this function as it can filter based upon source and destination, but if you have a hardware firewall or router, I would also keep port 3306 closed there too. The more layers the better.

A very wise precaution, and good thinking which definitely puts you ahead of many!

Thanks a bunch, from your advice I have achieved everything I set out to do.

I have disabled access to MySQL port 3306, I will re-enable only when needed which is hardly at all. A small inconvenience for more security and piece of mind, is the better solution for me.

I have added rules rules to allow the IP addresses that we use to access port 80,443 then any other IP address packets get dropped.

Its working great.

Much Regards

I'm glad that it's working for you!

One thing that occurred to me, that I thought I would mention because it wasn't obvious to me at first is that if you have users connecting to MySQL that the format for the user is user@domain. Normally, when you create a user it defaults to localhost and the domain part goes unnoticed. In a situations where you have connections to the database from another machine you can make use of this by specifying the host name for domain (or rather however that machine identifies itself on the network). This is opposed to using a syntax like 'user'@'%', which would be a wildcard. This would add another layer to the authentication requirements, helping to keep out those who shouldn't be there.