LinuxQuestions.org
Forum: Linux - Security
Post #1: yelluc (LQ Newbie; CentOS, Ubuntu), 03-26-2012, 09:07 AM

Block ALL IP addresses, only allow 3 IP addresses on port 80/443

Hi,

Basically I am trying to configure, using iptables on CentOS 5.8, a rule to block all IP addresses trying to access port 80/443 but only allow 3 IP addresses to access.

Can I use 0.0.0.0 in the below rule?

Code:
iptables -A INPUT -s 0.0.0.0 -p tcp --destination-port 80 -j DROP

If the above rule would work, is there a specific order in which I would need to put the rule to allow access? I only ask because when using something like Squid Proxy you would need to enter rules in a certain order.

Code:
iptables -A INPUT -s 202.101.50.1 -p tcp --destination-port 80 -j ACCEPT
Much Regards
 
Post #2: Ser Olmy (Senior Member, Slackware), 03-26-2012, 09:16 AM
Iptables rules are parsed from the top down, which means that the ACCEPT rules have to come before the "drop all" rule.

Also, to specify "all IP addresses", use -s 0.0.0.0/0.
 
Post #3: Noway2 (Senior Member), 03-26-2012, 03:34 PM
Generally speaking, with iptables it is better to whitelist the desired traffic and drop all other traffic, as opposed to writing a rule specifically to handle unwanted traffic. Your rule:
Code:
iptables -A INPUT -s 0.0.0.0 -p tcp --destination-port 80 -j DROP

is an example of a blacklist rule. I would recommend that you set the policy to accept and write four rules like the following:
Code:
-A INPUT -s 202.101.50.1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 202.101.50.2 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 202.101.50.3 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
 
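Putting the two replies above together, here is an added example (not posted by anyone in the thread) that generates an iptables-restore ruleset: a few allowed sources for 80/443, SSH left reachable, every ACCEPT before the single catch-all DROP, plus a check that no ACCEPT was accidentally placed after the DROP. The chain name RH-Firewall-1-INPUT is the one used later in the thread; the addresses are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore fragment that
# allowlists a few sources for 80/443, leaves SSH reachable, and drops the rest,
# in the order the replies require: every ACCEPT before the final DROP.
# Chain name RH-Firewall-1-INPUT is the one the thread uses; the addresses below
# are constructed sample values, not anyone's real hosts.

WEB_ALLOW="202.101.50.1 202.101.50.2 192.168.0.0/24"   # constructed sample
SSH_ALLOW="0.0.0.0/0"                                   # "any source" (post #2)

# gen_rules WEB_SOURCES SSH_SOURCES -> iptables-restore text on stdout
gen_rules() {
    web_allow=$1; ssh_allow=$2
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':RH-Firewall-1-INPUT - [0:0]'
    printf '%s\n' '-A INPUT -j RH-Firewall-1-INPUT'
    # Loopback and replies to our own connections first, so they never hit DROP.
    printf '%s\n' '-A RH-Firewall-1-INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for src in $ssh_allow; do
        printf '%s\n' "-A RH-Firewall-1-INPUT -s $src -p tcp -m tcp --dport 22 -j ACCEPT"
    done
    for src in $web_allow; do
        for port in 80 443; do
            printf '%s\n' "-A RH-Firewall-1-INPUT -s $src -p tcp -m tcp --dport $port -j ACCEPT"
        done
    done
    # Catch-all last: anything not matched above (3306 included) is dropped.
    printf '%s\n' '-A RH-Firewall-1-INPUT -j DROP' 'COMMIT'
}

# check_order: reads rules on stdin, exits non-zero if an ACCEPT follows a DROP
# (a rule placed after the catch-all can never match, since first match wins).
check_order() {
    awk '/-j DROP/ { seen_drop = 1 } /-j ACCEPT/ && seen_drop { bad = 1 } END { exit bad }'
}

gen_rules "$WEB_ALLOW" "$SSH_ALLOW"
# To load: gen_rules "$WEB_ALLOW" "$SSH_ALLOW" | iptables-restore   (as root; review the output first)
```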
Post #4: yelluc (Original Poster), 03-27-2012, 02:25 AM
Thanks for the reply,

If I was to add the 4 rules you suggested, wouldn't that mean that all traffic would be blocked to other ports, i.e. ssh, mysql etc.? So would that mean I would have to add rules afterwards to allow access to these ports/services for all IPs/specific IPs?

Code:
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 3306 -j ACCEPT

I have added this and it seems to work fine.

Code:
-A RH-Firewall-1-INPUT -s 202.101.50.1 -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 80 -j DROP
BTW the IPs I have used are just random, not the actual IPs I use.
 
Post #5: Noway2, 03-27-2012, 08:37 AM
Quote:
Originally Posted by yelluc
Thanks for the reply
You're quite welcome. I am happy to help!

Quote:
If I was to add the 4 rules you suggested wouldn't that mean that all traffic would be blocked to other ports, i.e ssh, mysql etc. So would that mean I would have to add rules afterwards to allow access to these ports/services for all IPs/Specific IP's (snip for brevity)...
This is correct. You want to add a rule to allow each service that you want to make available. I noticed that you used port 3306, MySQL, as an example and wanted to comment on this one. I would recommend that, if you can at all avoid it, you don't make MySQL accessible to the public, and this goes for phpMyAdmin as well. Instead, you will want to restrict it via binding of the interface, such as localhost, and use a firewall wrapper to prevent access from the outside.
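A quick way to verify the "bind it to localhost" advice above is to audit which TCP listeners are bound to a non-loopback address without being on the list of ports you intend to expose. This is an added example, not from the thread; the `ss -ltn` output it parses is a constructed sample, and PUBLIC_PORTS is an assumed allowlist.

```shell
#!/bin/sh
# Added example (not from the thread): report TCP listeners reachable from
# outside the host that are not on the intended public-port list, so a MySQL
# bound to 0.0.0.0:3306 shows up even if the firewall currently hides it.
# Reads `ss -ltn` or `netstat -tln` output (local address is column 4 in both).

PUBLIC_PORTS="22 80 443"   # assumed: ports meant to be public; all else loopback-only

# Constructed sample in `ss -ltn` format; the 0.0.0.0:3306 line is the finding.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      50     0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      128    [::]:443            [::]:*'

# exposed_listeners: stdin = ss/netstat output; stdout = "addr port" per finding
exposed_listeners() {
    awk -v pub="$PUBLIC_PORTS" '
        BEGIN { split(pub, a, " "); for (i in a) public[a[i]] = 1 }
        $1 == "LISTEN" || $NF == "LISTEN" {
            # $4 is "addr:port"; the port is the text after the last colon
            n = split($4, f, ":"); port = f[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: fine
            if (!(port in public)) print addr, port
        }'
}

printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_listeners
# On a live host: ss -ltn | exposed_listeners
```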
 
Post #6: yelluc (Original Poster), 03-27-2012, 09:01 AM
Would this be suitable to prevent access to MySQL unless you were on the internal network which the server is a part of?

BTW I have Apache and MySQL running on one box which is serving a DB-driven website, which is being accessed by 2 external locations and 1 internal location (where the server is located, hence the idea of locking down port 80 to 3 IPs) (OK, 2 IPs and 1 IP range).


Code:
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -s 200.150.0.2 -p tcp -m tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -s 200.151.0.1 -p tcp -m tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 3306 -j DROP
When you said "Use a firewall wrapper to prevent access from the outside", did you mean using iptables or a hardware device, i.e. a router, or both?

Thanks again.

EDIT: I know it looks bad that I have 3306 open but I have strong passwords and only 3 db users. I also have denyhosts and ossec running and users get blocked after a certain amount of failed attempts. My hosts.deny file is HUGE lol.
 
Post #7: Noway2, 03-27-2012, 09:28 AM
If they aren't using direct access to MySQL and are only accessing it indirectly via the web page, there is no need to permit access to port 3306 at all. Based upon your description of "Apache and MySQL running on one box which is serving a DB-driven website" I don't think you need to open port 3306 at all. On the other hand, if for example they are using your centralized SQL server and connecting to it, these rules would work to restrict it. The last one is not necessary if you have a generalized drop-all-other-traffic rule.

With respect to, "Use a firewall wrapper to prevent access from the outside", I meant it as outside of the desired range which could be anything from outside of that particular server to your LAN subnets. IPtables can be used for this function as it can filter based upon source and destination, but if you have a hardware firewall or router, I would also keep port 3306 closed there too. The more layers the better.

Quote:
I know it looks bad that I have 3306 open but I have strong passwords and only 3 db users. I also have denyhosts and ossec running and users get blocked after a certain amount of failed attempts. My hosts.deny file is HUGE lol.
A very wise precaution, and good thinking which definitely puts you ahead of many!
 
Post #8: yelluc (Original Poster), 03-28-2012, 01:33 AM
Thanks a bunch, from your advice I have achieved everything I set out to do.

I have disabled access to MySQL port 3306; I will re-enable it only when needed, which is hardly at all. A small inconvenience for more security and peace of mind is the better solution for me.

I have added rules to allow the IP addresses that we use to access port 80/443; packets from any other IP address get dropped.

It's working great.

Much Regards
 
Post #9: Noway2, 03-28-2012, 04:20 AM
I'm glad that it's working for you!

One thing that occurred to me, that I thought I would mention because it wasn't obvious to me at first, is that if you have users connecting to MySQL, the format for the user is user@domain. Normally, when you create a user it defaults to localhost and the domain part goes unnoticed. In situations where you have connections to the database from another machine you can make use of this by specifying the host name for domain (or rather however that machine identifies itself on the network). This is as opposed to using a syntax like 'user'@'%', which would be a wildcard. This would add another layer to the authentication requirements, helping to keep out those who shouldn't be there.
 
  

