Thread: Iptables Rules

  1. #1 | Join Date: Mar 2007 | Location: UK | Posts: 852

    Iptables Rules

    Hello,

    One of my low-knowledge areas is iptables rules; I just normally use APF/CSF.

    However, on a VPS host node I basically want to block all access to a certain port, let's say 1234, apart from a certain IP address.

    However, I don't want to block this port on any of the VPSs on the node, so what iptables rule(s) would I need to put into a bash script on startup?

    Thanks,
    Ashley

  2. #2 | Join Date: Apr 2005 | Posts: 1,711
    If you're only blocking one IP address, it will not block the port completely, just from that IP. You could use a rule like this:

    /sbin/iptables -I INPUT -s IP.IP.IP.IP -d VPS.NODE.IP -m tcp -p tcp --dport 1234 -j DROP
    Zach E. - Kualo (www.kualo.com)

  3. #3 | Join Date: Jul 2009 | Location: Charlotte, NC | Posts: 42
    I think (I could be wrong about his intentions) that he wants to block all access except from one IP address, in which case he would need to do:

    /sbin/iptables -I INPUT -d VPS.NODE.IP -m tcp -p tcp --dport 1234 -j DROP
    /sbin/iptables -I INPUT -s IP.IP.IP.IP -d VPS.NODE.IP -m tcp -p tcp --dport 1234 -j ACCEPT
    The above will put the ACCEPT for the IP.IP.IP.IP above the blanket DROP for everywhere else.

  4. #4 | Join Date: Apr 2005 | Posts: 1,711
    My apologies, I read that wrong the first time. You would want to do this:

    iptables -I INPUT -s IP.IP.IP.IP -d VPS.NODE.IP -m tcp -p tcp --dport 1234 -j ACCEPT
    iptables -P INPUT DROP
    Zach E. - Kualo (www.kualo.com)

  5. #5 | Join Date: Jul 2009 | Location: Charlotte, NC | Posts: 42
    Quote Originally Posted by zacharooni View Post
    My apologies, I read that wrong the first time. You would want to do this:
    That's going to block all input, and probably lock him out of the server.

  6. #6 | Join Date: Mar 2009 | Location: Austin Tx | Posts: 2,001
    More than likely, if you are picking on a certain IP address, you will want to block them completely, not just a certain port.

    iptables -A INPUT -s 10.10.10.0/24 -j DROP

    will block the whole /24; just drop the /24 and add the last real octet to pick on the single IP.

    Make it persistent
    /sbin/service iptables save

    I distribute a script to put offenders in, and it also optionally blocks certain foreign IPs (don't you get tired of all the APNIC brute forces and DDoSes?) for Linux and Win.
    Helped cut down my spam too.

  7. #7 | Join Date: Jun 2009 | Location: Kochi, India | Posts: 177
    If you want to block a particular port on the Hardware Node, run the following commands on the HN. For example, here we consider port 9999 to be blocked:
    iptables -I FORWARD -p tcp --dport 9999 -j DROP
    iptables -I FORWARD -p udp --dport 9999 -j DROP
    iptables -I FORWARD -p tcp --sport 9999 -j DROP
    iptables -I FORWARD -p udp --sport 9999 -j DROP
    And if you want to block a range of ports, say from 1234 to 2345:

    iptables -I FORWARD -p tcp --dport 1234:2345 -j DROP

  8. #8 | Join Date: Mar 2009 | Location: /home/khunj | Posts: 432
    Quote Originally Posted by Ashley Merrick View Post
    I basically want to block all access to a certain port let's say 1234 apart from a certain IP address.
    Use iptables negation [ ! ] :
    Code:
    # iptables -I INPUT ! -s xxx.xxx.xxx.xxx -p tcp --dport 1234 -j DROP
    Reject any IP on port 1234 except xxx.xxx.xxx.xxx
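Pulling the thread's answers into the startup script the opening post asked for, as an added example that is not code from any of the posters: it keeps post #3's ACCEPT-above-DROP ordering for the node's own address in INPUT (held in a dedicated chain so a re-run on every boot never stacks duplicate rules), carries post #7's FORWARD rules as a separate function for guest-bound traffic, and prints the iptables commands for review unless APPLY=1 is set. The node address 203.0.113.10, the trusted address 198.51.100.7, the chain name NODE_PORT_1234, the script name and the APPLY switch are assumptions made for the example (RFC 5737 documentation addresses).

```shell
#!/bin/bash
# Added example for this thread, not code from any of the posters. A boot-time
# firewall script for a VPS host node with two functions:
#   install_node_rules  one trusted IP may reach TCP PORT on the node's own
#                       address, everyone else is dropped (post #3's ordering,
#                       kept in a dedicated chain so re-runs never stack rules)
#   block_guest_port    drop a port for traffic passing through the node to the
#                       guests (post #7's FORWARD rules), for when that is wanted
# INPUT only sees packets delivered to the node itself; packets for the guests'
# addresses are forwarded, so the INPUT rules leave the VPSs alone.
# Addresses, chain name and the APPLY switch are hypothetical choices for the
# example (RFC 5737 documentation ranges).
set -eu

IPT="${IPT:-/sbin/iptables}"
NODE_IP="${NODE_IP:-203.0.113.10}"        # the node's own address (hypothetical)
TRUSTED_IP="${TRUSTED_IP:-198.51.100.7}"  # the only address allowed in (hypothetical)
PORT="${PORT:-1234}"
CHAIN="${CHAIN:-NODE_PORT_${PORT}}"
APPLY="${APPLY:-}"   # empty: print the commands for review; APPLY=1: run them

# run: print the command, or execute it when APPLY is set, so the whole rule
# set can be reviewed before it touches a live firewall.
run() {
    if [ -n "$APPLY" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# rule_present: true if an identical rule is already installed (iptables -C).
# In review mode nothing has been installed, so report absent.
rule_present() {
    [ -n "$APPLY" ] || return 1
    "$IPT" -C "$@" 2>/dev/null
}

# Allow TRUSTED_IP to TCP PORT on NODE_IP and drop everyone else. The chain is
# flushed and rebuilt on every run, so the single ACCEPT always sits above the
# catch-all DROP and a reboot or a second run never duplicates anything.
# The INPUT policy is left alone on purpose: "-P INPUT DROP" (post #4) would
# drop SSH and everything else that has no explicit ACCEPT.
install_node_rules() {
    run "$IPT" -N "$CHAIN" 2>/dev/null || true   # -N fails harmlessly if it exists
    run "$IPT" -F "$CHAIN"
    run "$IPT" -A "$CHAIN" -s "$TRUSTED_IP" -j ACCEPT
    run "$IPT" -A "$CHAIN" -j DROP
    # Hook the chain at the top of INPUT, matched on the node's own address only.
    if ! rule_present INPUT -d "$NODE_IP" -p tcp --dport "$PORT" -j "$CHAIN"; then
        run "$IPT" -I INPUT -d "$NODE_IP" -p tcp --dport "$PORT" -j "$CHAIN"
    fi
}

# Drop one port for traffic routed through the node to the guests, both
# directions and both protocols, as post #7 does, but without duplicates.
block_guest_port() {
    port="$1"
    for proto in tcp udp; do
        for dir in --dport --sport; do
            if ! rule_present FORWARD -p "$proto" "$dir" "$port" -j DROP; then
                run "$IPT" -I FORWARD -p "$proto" "$dir" "$port" -j DROP
            fi
        done
    done
}

# Review:  bash node-fw.sh            (prints the iptables commands)
# Apply:   APPLY=1 bash node-fw.sh    (run as root, e.g. from rc.local)
# Add "block_guest_port 9999" below if the guests' port 9999 should be blocked too.
install_node_rules
```

Because only INPUT is touched and the node's own address is matched explicitly, the rules never see traffic for the VPSs, which the node forwards rather than delivers to itself. The `! -s` form from post #8 would collapse the chain into a single rule, but the ACCEPT-then-DROP pair makes adding a second trusted address a one-line change. On a RHEL-style node, `/sbin/service iptables save` after an APPLY=1 run (post #6) also persists the result, but then the saved rule set, not the script, is what comes back at boot.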
