LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 07-07-2009, 01:59 PM   #1
pranaysharmadelhi
LQ Newbie
 
Registered: Jul 2009
Posts: 5

Rep: Reputation: 0
ipTables rule to block a port for all internal IP Addresses except one


I have a Virtual Dedicated Server with 6 IP Addresses. 1 for the server and 5 for other websites.
I want to block the access to port 9999(control panel) and 22(SSH) for all IP Addresses except 1.
They are internal IP Addresses not external.

So http://w1.x1.y1.z1:9999 is accessible but
http://w2.x2.y2.z2:9999
http://w3.x3.y3.z3:9999
http://w4.x4.y4.z4:9999
http://w5.x5.y5.z5:9999
http://w6.x6.y6.z6:9999 do not work. Please help

I plan to use ipTables to do so since I am using it currently to block ports 993 and 995

Also, I plan to add more IP Addresses later to the same server.
So I would prefer a rule which would allow access to w1.x1.y1.z1:9999
instead of writing 5 rules to deny access to other IP Addresses, so that I don't have to write new rules when I add another IP Address.

Although this is just preference. Any rule works fine for the time being.

Please help.
 
Old 07-07-2009, 05:12 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by pranaysharmadelhi
I have a Virtual Dedicated Server with 6 IP Addresses. 1 for the server and 5 for other websites.
I want to block the access to port 9999(control panel) and 22(SSH) for all IP Addresses except 1.
They are internal IP Addresses not external.

So http://w1.x1.y1.z1:9999 is accessible but
http://w2.x2.y2.z2:9999
http://w3.x3.y3.z3:9999
http://w4.x4.y4.z4:9999
http://w5.x5.y5.z5:9999
http://w6.x6.y6.z6:9999 do not work. Please help

I plan to use ipTables to do so since I am using it currently to block ports 993 and 995

Also, I plan to add more IP Addresses later to the same server.
So I would prefer a rule which would allow access to w1.x1.y1.z1:9999
instead of writing 5 rules to deny access to other IP Addresses, so that I don't have to write new rules when I add another IP Address.

Although this is just preference. Any rule works fine for the time being.

Please help.
If I'm understanding you correctly, then something like this should work:
Code:
iptables -I INPUT -p TCP -m multiport --dports 9999,22 -d ! w1.x1.y1.z1 -j DROP
 
Old 07-07-2009, 08:49 PM   #3
pranaysharmadelhi
LQ Newbie
 
Registered: Jul 2009
Posts: 5

Original Poster
Rep: Reputation: 0
Error in query

Thanks for the quick response,
however there seems to be some error in the statement (I am a noob) so I have no idea if it is a space or spelling.
It's just that as soon as I execute the statement everything disappears from the SSH screen and I have to disconnect and re-connect.
Even after reconnecting if I type iptables -L or iptables -v -L to see if the rule was put in place, same thing happens until I execute iptables -F
Can you please check it?
I am on Fedora Core 7 if it helps

Last edited by pranaysharmadelhi; 07-07-2009 at 08:57 PM.
 
Old 07-07-2009, 08:52 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by pranaysharmadelhi
Thanks for the quick response,
however there seems to be some error in the statement (I am a noob) so I have no idea if it is a space or spelling.
It's just that as soon as I execute the statement everything disappears from the SSH screen and I have to disconnect and re-connect.
Can you please check it?
I am on Fedora Core 7 if it helps
Try making it more specific, like:
Code:
iptables -I INPUT -p TCP -i eth0 -d ! w1.x1.y1.z1 -m multiport --dports 9999,22 -m state --state NEW -j DROP
Replace eth0 with whatever your actual interface's name is (in case it isn't eth0).

If you still get an error message, please post it so we can better understand what is happening.
 
Old 07-07-2009, 09:26 PM   #5
pranaysharmadelhi
LQ Newbie
 
Registered: Jul 2009
Posts: 5

Original Poster
Rep: Reputation: 0
Same error - no error, just screen wipes everything off it and I have to disconnect

Same error - no error, just screen wipes everything off it and I have to disconnect and reconnect and when I try and do iptables -L it does the same thing again until I run iptables -F


Is there no other way?
I have 2 rules already

iptables -A INPUT -p all -s localhost -d localhost -j ACCEPT

iptables -A INPUT -p tcp --destination-port 3306 -j REJECT

I tried washing them and starting fresh, but still same error.
 
Old 07-07-2009, 09:42 PM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by pranaysharmadelhi
Same error - no error, just screen wipes everything off it and I have to disconnect and reconnect and when I try and do iptables -L it does the same thing again until I run iptables -F


Is there no other way?
I have 2 rules already

iptables -A INPUT -p all -s localhost -d localhost -j ACCEPT

iptables -A INPUT -p tcp --destination-port 3306 -j REJECT

I tried washing them and starting fresh, but still same error.
That's strange. I can't really think of why this would cause that kind of effect. First I was thinking the rule was filtering the packets which were a part of your existing SSH connection, but after having added the match for state NEW that wouldn't be an issue. Could you post the output of this please:
Code:
iptables -nvL

Last edited by win32sux; 07-07-2009 at 09:44 PM.
 
Old 07-07-2009, 09:53 PM   #7
pranaysharmadelhi
LQ Newbie
 
Registered: Jul 2009
Posts: 5

Original Poster
Rep: Reputation: 0
Here is the response

Code:
Chain INPUT (policy ACCEPT 996 packets, 85292 bytes)
 pkts bytes target     prot opt in     out     source               destination 
   20  3336 ACCEPT     all  --  *      *       127.0.0.1            127.0.0.1   
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 966 packets, 463K bytes)
 pkts bytes target     prot opt in     out     source               destination
Also here is the exact error
I tried same command with Putty and it threw an error

Code:
WARNING: /etc/modprobe.d line 1: ignoring bad line starting with 'á-@'
WARNING: /etc/modprobe.d line 2: ignoring bad line starting with ''
FATAL: Could not load /lib/modules/2.6.18-028stab059.6/modules.dep: No such file or directory
WARNING: /etc/modprobe.d line 1: ignoring bad line starting with 'á-@'
WARNING: /etc/modprobe.d line 2: ignoring bad line starting with ''
FATAL: Could not load /lib/modules/2.6.18-028stab059.6/modules.dep: No such file or directory
Can you give me a rule for maybe just a single port (one at a time).
And anything in the format of the previous statements which executed perfectly before
Code:
iptables -A INPUT -p tcp --destination-port 3306 -j REJECT

Last edited by pranaysharmadelhi; 07-07-2009 at 10:04 PM.
 
Old 07-08-2009, 12:10 AM   #8
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by pranaysharmadelhi
Code:
Chain INPUT (policy ACCEPT 996 packets, 85292 bytes)
 pkts bytes target     prot opt in     out     source               destination 
   20  3336 ACCEPT     all  --  *      *       127.0.0.1            127.0.0.1   
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 966 packets, 463K bytes)
 pkts bytes target     prot opt in     out     source               destination
Also here is the exact error
I tried same command with Putty and it threw an error

Code:
WARNING: /etc/modprobe.d line 1: ignoring bad line starting with 'á-@'
WARNING: /etc/modprobe.d line 2: ignoring bad line starting with ''
FATAL: Could not load /lib/modules/2.6.18-028stab059.6/modules.dep: No such file or directory
WARNING: /etc/modprobe.d line 1: ignoring bad line starting with 'á-@'
WARNING: /etc/modprobe.d line 2: ignoring bad line starting with ''
FATAL: Could not load /lib/modules/2.6.18-028stab059.6/modules.dep: No such file or directory
Can you give me a rule for maybe just a single port (one at a time).
And anything in the format of the previous statements which executed perfectly before
Code:
iptables -A INPUT -p tcp --destination-port 3306 -j REJECT
Those errors seem to be caused by a deeper problem. Looks like your module loader is choking either on the multiport or state module. In that case, the simplest way to achieve your goal (considering what already works for you) is:
Code:
iptables -A INPUT -p TCP -d ! w1.x1.y1.z1 --dport 22 -j REJECT
iptables -A INPUT -p TCP -d ! w1.x1.y1.z1 --dport 9999 -j REJECT
BTW, maybe your virtual environment restricts you from loading modules? Just a thought.

Last edited by win32sux; 07-08-2009 at 12:19 AM.
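The one-rule-per-port approach that finally worked, as an added helper script that is not part of the thread: it generates the REJECT rules for any number of ports so that adding a port later does not mean retyping a rule, previews them before applying, and uses the `! -d` negation form that current iptables accepts (the thread's `-d ! addr` spelling is the older syntax). The address 10.0.0.1 and the ports are assumed sample values.

```shell
# Added example, not code from the thread: emits the per-port REJECT rules
# win32sux settled on in post #8 for any number of ports.
# 10.0.0.1 and the port list are assumed sample values.

# Stand-in for iptables used by preview_rules: prints the command instead
# of running it, so the rules can be reviewed before touching the firewall.
dry_run_iptables() { printf 'iptables %s\n' "$*"; }

# Reject TCP to each given port on every local address except $1.
# "! -d" is the extrapositioned negation current iptables accepts; the
# thread's "-d ! addr" is the older form that later versions dropped.
# Deliberately no "-m multiport" / "-m state": those are the modules the
# poster's kernel could not load, so it is one plain rule per port.
restrict_ports_to_ip() {
    allowed="${1:-}"
    [ $# -ge 2 ] && [ -n "$allowed" ] || {
        echo "usage: restrict_ports_to_ip ALLOWED_IP PORT..." >&2; return 2; }
    shift
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
            echo "port out of range: $port" >&2; return 2; }
        "${IPTABLES:-iptables}" -A INPUT -p tcp ! -d "$allowed" \
            --dport "$port" -j REJECT || return 1
    done
}

# Dry run: same arguments, but only prints what would be appended.
preview_rules() {
    ( IPTABLES=dry_run_iptables; restrict_ports_to_ip "$@" )
}

# Preview first; then, as root, apply with: restrict_ports_to_ip 10.0.0.1 22 9999
preview_rules 10.0.0.1 22 9999
```

Because the rules are appended with -A, they land after the existing localhost ACCEPT rule, so traffic from 127.0.0.1 is unaffected and only the other local addresses lose access to the two ports.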
 
Old 07-08-2009, 07:57 AM   #9
pranaysharmadelhi
LQ Newbie
 
Registered: Jul 2009
Posts: 5

Original Poster
Rep: Reputation: 0
YES!! Perfect.

Worked like a charm..
Thank you....