[SOLVED] ipTables rule to block a port for all internal IP Addresses except one
I have a Virtual Dedicated Server with 6 IP Addresses: 1 for the server and 5 for other websites.
I want to block access to port 9999 (control panel) and 22 (SSH) for all IP Addresses except 1.
They are internal IP Addresses, not external.
I plan to use ipTables to do so, since I am using it currently to block ports 993 and 995.
Also, I plan to add more IP Addresses later to the same server.
So I would prefer a rule which would allow access to w1.x1.y1.z1:9999
instead of writing 5 rules to deny access to other IP Addresses, so that I don't have to write new rules when I add another IP Address.
Although this is just a preference. Any rule works fine for the time being.
Please help.
If I'm understanding you correctly, then something like this should work:
Thanks for the quick response,
however there seems to be some error in the statement (I am a noob), so I have no idea if it is a space or spelling.
It's just that as soon as I execute the statement everything disappears from the SSH screen and I have to disconnect and re-connect.
Even after reconnecting, if I type iptables -L or iptables -v -L to see if the rule was put in place, the same thing happens until I execute iptables -F.
Can you please check it?
I am on Fedora Core 7, if it helps.
Last edited by pranaysharmadelhi; 07-07-2009 at 08:57 PM.
Try making it more specific, like:
Code:
iptables -I INPUT -p TCP -i eth0 -d ! w1.x1.y1.z1 -m multiport --dports 9999,22 -m state --state NEW -j DROP
Replace eth0 with whatever your actual interface's name is (in case it isn't eth0).
If you still get an error message, please post it so we can better understand what is happening.
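One way to express the same "allow only one address, reject everyone else" intent without the multiport and state modules, as an added example that is not part of the reply above. The address, interface and port list are placeholders for the poster's real values, and the SSH_CONNECTION check is included so that applying the rules cannot cut off the very session they are typed from.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds iptables rules that reject TCP
# ports 22 and 9999 for every destination address on the box except one permitted
# address, so addresses added later are covered without writing new rules. The
# address, interface and ports below are placeholders for the poster's real values.
ALLOWED_IP="${ALLOWED_IP:-w1.x1.y1.z1}"
IFACE="${IFACE:-eth0}"
PORTS="${PORTS:-22 9999}"

# Print one iptables command per port. "! -d ADDR" (negation before the option)
# is the form current iptables accepts; the older "-d ! ADDR" is rejected by
# newer releases. Plain --dport needs neither the multiport nor the state module.
build_rules() {
  allowed="$1"; iface="$2"; ports="$3"
  for port in $ports; do
    echo "iptables -A INPUT -i $iface -p tcp ! -d $allowed --dport $port -j REJECT"
  done
}

# Return 0 only if the SSH session we are typing into terminates on the permitted
# address. $SSH_CONNECTION is "client_ip client_port server_ip server_port"; if
# the server side is any other address, the REJECT on port 22 would kill our own
# session as soon as it is applied, which is the lock-out symptom in this thread.
session_is_safe() {
  conn="$1"; allowed="$2"
  # shellcheck disable=SC2086  (word-splitting the four fields is intended)
  set -- $conn
  [ "$#" -eq 4 ] && [ "$3" = "$allowed" ]
}

# Dry run by default: just print the rules. APPLY=1 executes them (needs root).
if [ "${APPLY:-0}" = 1 ]; then
  if ! session_is_safe "${SSH_CONNECTION:-}" "$ALLOWED_IP"; then
    echo "refusing to apply: this SSH session does not terminate on $ALLOWED_IP" >&2
    exit 1
  fi
  build_rules "$ALLOWED_IP" "$IFACE" "$PORTS" | while IFS= read -r rule; do
    echo "+ $rule"
    eval "$rule"
  done
else
  build_rules "$ALLOWED_IP" "$IFACE" "$PORTS"
fi
```

Run it once without APPLY to review the generated rules, then again as root with APPLY=1 from a session to the permitted address.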
Same error - no error, just the screen wipes everything off it and I have to disconnect and reconnect, and when I try to do iptables -L it does the same thing again until I run iptables -F.
Is there no other way?
I have 2 rules already:
iptables -A INPUT -p all -s localhost -d localhost -j ACCEPT
iptables -A INPUT -p tcp --destination-port 3306 -j REJECT
I tried washing them and starting fresh, but still the same error.
That's strange. I can't really think of why this would cause that kind of effect. First I was thinking the rule was filtering the packets that were part of your existing SSH connection, but after having added the match for state NEW that wouldn't be an issue. Could you post the output of this please:
Also, here is the exact error.
I tried the same command with PuTTY and it threw an error:
Code:
WARNING: /etc/modprobe.d line 1: ignoring bad line starting with 'á-@'
WARNING: /etc/modprobe.d line 2: ignoring bad line starting with ''
FATAL: Could not load /lib/modules/2.6.18-028stab059.6/modules.dep: No such file or directory
WARNING: /etc/modprobe.d line 1: ignoring bad line starting with 'á-@'
WARNING: /etc/modprobe.d line 2: ignoring bad line starting with ''
FATAL: Could not load /lib/modules/2.6.18-028stab059.6/modules.dep: No such file or directory
Can you give me a rule for maybe just a single port (one at a time)?
And anything in the format of the previous statements, which executed perfectly before:
Code:
iptables -A INPUT -p tcp --destination-port 3306 -j REJECT
Last edited by pranaysharmadelhi; 07-07-2009 at 10:04 PM.
Those errors seem to be caused by a deeper problem. Looks like your module loader is choking either on the multiport or state module. In that case, the simplest way to achieve your goal (considering what already works for you) is: