LinuxQuestions.org, Linux - Security forum
Thread: ipTables rule to block a port for all internal IP Addresses except one
https://www.linuxquestions.org/questions/linux-security-4/iptables-rule-to-block-a-port-for-all-internal-ip-addresses-except-one-738391/

pranaysharmadelhi 07-07-2009 01:59 PM

ipTables rule to block a port for all internal IP Addresses except one

I have a Virtual Dedicated Server with 6 IP Addresses: 1 for the server and 5 for other websites.
I want to block access to port 9999 (control panel) and 22 (SSH) for all IP Addresses except 1.
They are internal IP Addresses, not external.

So http://w1.x1.y1.z1:9999 is accessible but
http://w2.x2.y2.z2:9999
http://w3.x3.y3.z3:9999
http://w4.x4.y4.z4:9999
http://w5.x5.y5.z5:9999
http://w6.x6.y6.z6:9999 do not work. Please help

I plan to use ipTables to do so since I am using it currently to block ports 993 and 995

Also, I plan to add more IP Addresses later to the same server.
So I would prefer a rule which would allow access to w1.x1.y1.z1:9999
instead of writing 5 rules to deny access to the other IP Addresses, so that I don't have to write new rules when I add another IP Address.

Although this is just a preference. Any rule works fine for the time being.

Please help.

win32sux 07-07-2009 05:12 PM

Quote:

Originally Posted by pranaysharmadelhi (Post 3599988)
I have a Virtual Dedicated Server with 6 IP Addresses: 1 for the server and 5 for other websites.
I want to block access to port 9999 (control panel) and 22 (SSH) for all IP Addresses except 1.
They are internal IP Addresses, not external.

So http://w1.x1.y1.z1:9999 is accessible but
http://w2.x2.y2.z2:9999
http://w3.x3.y3.z3:9999
http://w4.x4.y4.z4:9999
http://w5.x5.y5.z5:9999
http://w6.x6.y6.z6:9999 do not work. Please help

I plan to use ipTables to do so since I am using it currently to block ports 993 and 995

Also, I plan to add more IP Addresses later to the same server.
So I would prefer a rule which would allow access to w1.x1.y1.z1:9999
instead of writing 5 rules to deny access to the other IP Addresses, so that I don't have to write new rules when I add another IP Address.

Although this is just a preference. Any rule works fine for the time being.

Please help.

If I'm understanding you correctly, then something like this should work:
Code:

iptables -I INPUT -p TCP -m multiport --dports 9999,22 -d ! w1.x1.y1.z1 -j DROP

pranaysharmadelhi 07-07-2009 08:49 PM

Error in query

Thanks for the quick response.
However, there seems to be some error in the statement (I am a noob), so I have no idea if it is a space or spelling.
It's just that as soon as I execute the statement everything disappears from the SSH screen and I have to disconnect and re-connect.
Even after reconnecting, if I type iptables -L or iptables -v -L to see if the rule was put in place, the same thing happens until I execute iptables -F.
Can you please check it?
I am on Fedora Core 7 if it helps.

win32sux 07-07-2009 08:52 PM

Quote:

Originally Posted by pranaysharmadelhi (Post 3600305)
Thanks for the quick response.
However, there seems to be some error in the statement (I am a noob), so I have no idea if it is a space or spelling.
It's just that as soon as I execute the statement everything disappears from the SSH screen and I have to disconnect and re-connect.
Can you please check it?
I am on Fedora Core 7 if it helps.

Try making it more specific, like:
Code:

iptables -I INPUT -p TCP -i eth0 -d ! w1.x1.y1.z1 -m multiport --dports 9999,22 -m state --state NEW -j DROP

Replace eth0 with whatever your actual interface's name is (in case it isn't eth0).

If you still get an error message, please post it so we can better understand what is happening.

pranaysharmadelhi 07-07-2009 09:26 PM

Same error - no error, just the screen wipes everything off it and I have to disconnect

Same error - no error, just the screen wipes everything off it and I have to disconnect and reconnect, and when I try to do iptables -L it does the same thing again until I run iptables -F.

:(
Is there no other way? :(
I have 2 rules already

iptables -A INPUT -p all -s localhost -d localhost -j ACCEPT

iptables -A INPUT -p tcp --destination-port 3306 -j REJECT

I tried washing them and starting fresh, but still same error.

win32sux 07-07-2009 09:42 PM

Quote:

Originally Posted by pranaysharmadelhi (Post 3600337)
Same error - no error, just the screen wipes everything off it and I have to disconnect and reconnect, and when I try to do iptables -L it does the same thing again until I run iptables -F.

:(
Is there no other way? :(
I have 2 rules already

iptables -A INPUT -p all -s localhost -d localhost -j ACCEPT

iptables -A INPUT -p tcp --destination-port 3306 -j REJECT

I tried washing them and starting fresh, but still same error.

That's strange. I can't really think of why this would cause that kind of effect. First I was thinking the rule was filtering the packets which were part of your existing SSH connection, but after having added the match for state NEW that wouldn't be an issue. Could you post the output of this please:
Code:

iptables -nvL

pranaysharmadelhi 07-07-2009 09:53 PM

Here is the response
 
Code:

Chain INPUT (policy ACCEPT 996 packets, 85292 bytes)
 pkts bytes target    prot opt in    out    source              destination
  20  3336 ACCEPT    all  --  *      *      127.0.0.1            127.0.0.1 
    0    0 REJECT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:3306 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination

Chain OUTPUT (policy ACCEPT 966 packets, 463K bytes)
 pkts bytes target    prot opt in    out    source              destination

Also, here is the exact error.
I tried the same command with PuTTY and it threw an error:

Code:

WARNING: /etc/modprobe.d line 1: ignoring bad line starting with 'á-@'
WARNING: /etc/modprobe.d line 2: ignoring bad line starting with ''
FATAL: Could not load /lib/modules/2.6.18-028stab059.6/modules.dep: No such file or directory
WARNING: /etc/modprobe.d line 1: ignoring bad line starting with 'á-@'
WARNING: /etc/modprobe.d line 2: ignoring bad line starting with ''
FATAL: Could not load /lib/modules/2.6.18-028stab059.6/modules.dep: No such file or directory

Can you give me a rule for maybe just a single port (one at a time)?
And anything in the format of the previous statements, which executed perfectly before:
Code:

iptables -A INPUT -p tcp --destination-port 3306 -j REJECT

win32sux 07-08-2009 12:10 AM

Quote:

Originally Posted by pranaysharmadelhi (Post 3600356)
Code:

Chain INPUT (policy ACCEPT 996 packets, 85292 bytes)
 pkts bytes target    prot opt in    out    source              destination
  20  3336 ACCEPT    all  --  *      *      127.0.0.1            127.0.0.1 
    0    0 REJECT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:3306 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination

Chain OUTPUT (policy ACCEPT 966 packets, 463K bytes)
 pkts bytes target    prot opt in    out    source              destination

Also, here is the exact error.
I tried the same command with PuTTY and it threw an error:

Code:

WARNING: /etc/modprobe.d line 1: ignoring bad line starting with 'á-@'
WARNING: /etc/modprobe.d line 2: ignoring bad line starting with ''
FATAL: Could not load /lib/modules/2.6.18-028stab059.6/modules.dep: No such file or directory
WARNING: /etc/modprobe.d line 1: ignoring bad line starting with 'á-@'
WARNING: /etc/modprobe.d line 2: ignoring bad line starting with ''
FATAL: Could not load /lib/modules/2.6.18-028stab059.6/modules.dep: No such file or directory

Can you give me a rule for maybe just a single port (one at a time)?
And anything in the format of the previous statements, which executed perfectly before:
Code:

iptables -A INPUT -p tcp --destination-port 3306 -j REJECT

Those errors seem to be caused by a deeper problem. Looks like your module loader is choking either on the multiport or state module. In that case, the simplest way to achieve your goal (considering what already works for you) is:
Code:

iptables -A INPUT -p TCP -d ! w1.x1.y1.z1 --dport 22 -j REJECT
iptables -A INPUT -p TCP -d ! w1.x1.y1.z1 --dport 9999 -j REJECT

BTW, maybe your virtual environment restricts you from loading modules? Just a thought.
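The "every local address except one" policy above can be generated for any number of ports instead of written out by hand. The following POSIX sh script is an added example, not code from the thread or from any of its posters: it emits a complete filter-table ruleset in iptables-restore format, so the whole set is loaded atomically rather than one iptables command at a time. The address 192.0.2.10 is a documentation placeholder, and the ESTABLISHED,RELATED rule is an assumption that the conntrack module can be loaded; on a container like the poster's, where it cannot, that one line is simply left out and the REJECT rules still work.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset that
# rejects TCP connections to a set of ports on every local address except one.
# ALLOWED_IP is the single address that may serve the control panel and SSH;
# the remaining arguments are the ports to protect.

# build_ruleset ALLOWED_IP PORT [PORT...]
# Prints the ruleset on stdout. iptables-restore replaces the whole filter
# table in one step, so the admin's own SSH session is never exposed to a
# half-applied set; any rule you still want (the 3306 REJECT from the thread,
# for instance) must therefore be included here as well.
build_ruleset() {
    allowed="$1"; shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic is always accepted (same intent as the poster's first rule).
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Packets of sessions that already exist are accepted before any REJECT is
    # considered. Assumes the conntrack module loads; remove this line on a
    # kernel where it does not (the thread's OpenVZ-style container).
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # One REJECT per port. "! -d" is the current spelling of the "-d !" negation
    # used in the thread; it also covers any address added to the server later.
    for port in "$@"; do
        printf '%s\n' "-A INPUT ! -d $allowed -p tcp --dport $port -j REJECT"
    done
    printf '%s\n' 'COMMIT'
}

# count_rejects ALLOWED_IP PORT... -> number of REJECT rules generated
count_rejects() {
    build_ruleset "$@" | grep -c -- '-j REJECT'
}

# apply_ruleset ALLOWED_IP PORT...: parse-check the ruleset, then load it.
# Needs root and iptables-restore; the test below never calls it.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    build_ruleset "$@" > "$tmp"
    if iptables-restore --test < "$tmp"; then
        iptables-restore < "$tmp"
        rc=$?
    else
        echo "ruleset rejected by iptables-restore --test; nothing was changed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage: sh thisfile.sh 192.0.2.10 22 9999          (print the ruleset)
#        RULES_APPLY=yes sh thisfile.sh 192.0.2.10 22 9999   (load it as root)
if [ "$#" -ge 2 ] && [ "${RULES_APPLY:-no}" = yes ]; then
    apply_ruleset "$@"
elif [ "$#" -ge 2 ]; then
    build_ruleset "$@"
fi
```

Running it without RULES_APPLY only prints the ruleset, which is the safe way to review it before loading; iptables-restore --test then parses the file without committing, so a typo such as a mis-encoded dash is caught before the table is touched rather than after the session drops.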

pranaysharmadelhi 07-08-2009 07:57 AM

YES!! Perfect.

Worked like a charm..
Thank you....

