Centos 6 (64) IPTABLES 3 network cards, odd issue, new to linuxish
Hello Linux People
I am new,
I have a VPS; it has 3 IP addresses assigned to it: eth0 / eth0:0 / eth0:1.
I am trying to create firewall rules to stop any communication with 0:0 and 0:1 while only allowing 2 IP addresses for SSH access and other stuff attached to eth0. This will change, but I want to configure access on each IP/NIC separately and test as I open up each port, to check it is working correctly.
My iptables conf is below (2 now; the top is current, the bottom is older). What I believe should be happening: INPUT is DROP by default unless rules are matched; 3 chains, one for each card; drop EVERYTHING on 0:0 and 0:1 and allow SSH and 8080 from 2 IPs via eth0. (The config below was a test; the original is right at the bottom without the chain bit, and it had the same problem.)
My issue: I am sure the iptables rules are working; I can change the way it responds to ping and notice it. However, when port scanning eth0:0 and eth0:1 I am still seeing port 8080 open if I am running the application. With the rules below I would expect nothing back from eth0:0 and eth0:1 after a port scan, since they are meant to drop everything.
Now that I am really thinking about it, maybe I should not do it on interface but on IP?
Also, what do the [0:0] bits mean on the filters?
There is a good chance I am just missing something simple. To anyone that helps, thank you; if I make any progress I will update.
*filter
# Built-in chains: INPUT and FORWARD drop by default, OUTPUT is allowed.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# One user-defined chain per address (70 = eth0, 66 = eth0:0, 67 = eth0:1).
:nic-eth0-70 - [0:0]
:nic-eth00-66 - [0:0]
:nic-eth01-67 - [0:0]
# Replies to connections the box already has open are allowed in.
# Note: there is no "-i lo" ACCEPT here, so with the DROP policy
# local services cannot reach each other over 127.0.0.1.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Dispatch by interface name. eth0:0 and eth0:1 are IP aliases of eth0,
# not separate devices, so every packet for all three addresses arrives
# on eth0 and takes the first jump; the last two jumps never match.
-A INPUT -i eth0 -j nic-eth0-70
-A INPUT -i eth0:0 -j nic-eth00-66
-A INPUT -i eth0:1 -j nic-eth01-67
# eth0 chain: 8080 and SSH from the two admin hosts (addresses redacted).
-A nic-eth0-70 -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A nic-eth0-70 -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A nic-eth0-70 -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A nic-eth0-70 -s xx.x.x.xx/32 -p tcp -m tcp --dport 22 -j ACCEPT
# Alias chains: drop everything that is sent to them.
-A nic-eth00-66 -j DROP
-A nic-eth01-67 -j DROP
COMMIT
-------------- Original
*filter
# Built-in chains: INPUT and FORWARD drop by default, OUTPUT is allowed.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-established connections are allowed in.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 8080 and SSH from the two admin hosts on eth0. Because traffic for the
# eth0:0 and eth0:1 aliases also arrives on eth0, these rules match it too.
-A INPUT -s xx.x.x.xx/32 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s xx.x.x.xx/32 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s xx.x.x.xx/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s xx.x.x.xx/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
# Explicitly drop ICMP (the DROP policy would catch it anyway).
-A INPUT -p icmp -j DROP
COMMIT
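The setup the post describes, written the way iptables can actually enforce it. This is an added example, not the poster's config. The addresses are placeholders from the RFC 5737 documentation ranges (203.0.113.70, .66 and .67 for the VPS, 198.51.100.10 and 198.51.100.20 for the two admin hosts); the real ones are redacted above. Two points drive it. First, eth0:0 and eth0:1 are IP aliases, not network devices: every packet for all three addresses arrives on eth0, so "-i eth0:0" never matches and the "-i eth0" jump catches traffic for .66 and .67 as well, which is why a scan from an allowed admin host still sees 8080 on the aliases. Match on the destination address with "-d" instead. Second, the "[0:0]" after each chain name is the chain's [packets:bytes] counter in iptables-save format; it is zero in a hand-written file and ignored by iptables-restore unless you pass -c, so it is informational only.

```text
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# One chain per address (assumed placeholder addresses, see lead-in).
:ip-70 - [0:0]
:ip-66 - [0:0]
:ip-67 - [0:0]
# Loopback and replies to existing connections are always allowed.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Dispatch on destination address, not interface: all three addresses
# live on eth0, so "-i eth0:0" can never match.
-A INPUT -d 203.0.113.70/32 -j ip-70
-A INPUT -d 203.0.113.66/32 -j ip-66
-A INPUT -d 203.0.113.67/32 -j ip-67
# Primary address: SSH and 8080 from the two admin hosts only.
-A ip-70 -s 198.51.100.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A ip-70 -s 198.51.100.20/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A ip-70 -s 198.51.100.10/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A ip-70 -s 198.51.100.20/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A ip-70 -j DROP
# Alias addresses: drop everything until each port is opened deliberately.
-A ip-66 -j DROP
-A ip-67 -j DROP
# Anything not addressed to one of our three IPs falls through to the
# INPUT DROP policy.
COMMIT
```

Save it as /etc/sysconfig/iptables and load it with "service iptables restart"; "iptables -L -v -n" then shows live packet and byte counts per rule, which is the quickest way to confirm that a scan against .66 is landing in the ip-66 chain rather than ip-70. Also note that an application bound to 0.0.0.0:8080 listens on all three addresses; the -d rules stop it being reachable on the aliases, but binding it to 203.0.113.70 only is the belt-and-braces fix.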