Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Iptables Rules

[Ashley Merrick]

Hello,

One of my low knowledge area's is Iptables Rule's I just normally use APF/CSF.

However on a VPS Host node, I basically want to block all access to a certain port let's say 1234 apart from a certain IP address.

However I don't want to block this port on any of the VPS's on the Node, so what Iptable Rule(s) would I need to put into a bash script on startup.

Thanks,
Ashley

[zacharooni]

If you're only blocking 1 IP address it will not block the port completely, just from that IP. You could use a rule like this:

/sbin/iptables -I INPUT -s IP.IP.IP.IP -d VPS.NODE.IP -m tcp -p tcp --dport 1234 -j DROP

[eeg3]

I think (I could be wrong about his intentions) that he wants to block all access except from one IP address, in which case he would need to do:

Quote:

/sbin/iptables -I INPUT -d VPS.NODE.IP -m tcp -p tcp --dport 1234 -j DROP
/sbin/iptables -I INPUT -s IP.IP.IP.IP -d VPS.NODE.IP -m tcp -p tcp --dport 1234 -j ACCEPT

The above will put the ACCEPT for the IP.IP.IP.IP above the blanket DROP for everywhere else.

[zacharooni]

My apologies, I read that wrong the first time. You would want to do this:

Quote:

iptables -I INPUT -s IP.IP.IP.IP -d VPS.NODE.IP -m tcp -p tcp --dport 1234 -j ACCEPT
iptables -P INPUT DROP

[eeg3]

Quote:

Originally Posted by zacharooni

My apologies, I read that wrong the first time. You would want to do this:

That's going to block all input, and probably lock him out of the server.

[mugo]

More than likely, if you are picking on a certain IP address, you will want to block them completely, not just a certain port

iptables -A INPUT -s 10.10.10.0/24 -j DROP

will blocks the whole /24, just drop the /24 and add last real octet to pick on the single IP.

Make it persistent
/sbin/service iptables save

I distribute a script to put offenders in, and it also optionally blocks certain foreign IPs (don't you get tired of all the APNIC brute forces and dDOSs?) for Linux and Win.
Helped cut down my spam too.

[Rekhatitus]

If you want to block a particular port on Hardware Node run the the following commands on HN. For eg: here we can consider port 9999 to be blocked

Quote:

iptables -I FORWARD -p tcp --dport 9999 -j DROP
iptables -I FORWARD -p udp --dport 9999 -j DROP
iptables -I FORWARD -p tcp --sport 9999 -j DROP
iptables -I FORWARD -p udp --sport 9999 -j DROP

and If you want to block a range of port say from 1234 to 2345

iptables -I FORWARD -p tcp --dport 1234:2345 -j DROP

[khunj]

Quote:

Originally Posted by Ashley Merrick

I basically want to block all access to a certain port let's say 1234 apart from a certain IP address.

Use iptables negation [ ! ] :

Code:

# iptables -I INPUT -s ! xxx.xxx.xxx.xxx -p tcp --dport 1234 -j DROP

Reject any IP on port 1234 except xxx.xxx.xxx.xxx