1clue Advocate

Joined: 05 Feb 2006 Posts: 2569
Posted: Sun Nov 15, 2015 3:05 pm Post subject: Need iptables help, 3 ip addresses one nic
Hi,
I have an existing server. It's a hosted machine with one internal-only management nic and another outward-facing nic. The outward facing nic has 3 IP addresses, and is what I'm concerned with here.
My setup:
- 1 nic
- 3 public IP addresses on the same subnet. For this discussion we'll say addresses 11,12,13.
- Each IP address has a domain name, sharing a wildcard SSL certificate.
- I have an apache2 front-end handling requests.
- Each site has an app server which apache2 acts as a proxy for.
- There is a hardware firewall which has been good up to now.
- Firewall allows 443 and 80 to each host, but the hosting company says I can only restrict by NIC, not by IP address.
I want:
- 2 sites to accept https and http (443 and 80) from anywhere.
- 1 site to accept 443 only, and from exactly one remote IP address.
My iptables voodoo is very rusty, and frankly I've never tried something like 3 IPs on a single nic and different rules for each site.
Can someone help me out? I currently have the default setup, which is all-open.
Thanks.
szatox Advocate

Joined: 27 Aug 2013 Posts: 3563
Posted: Sun Nov 15, 2015 4:24 pm Post subject:
You can filter by IP. Here's an example for accepting incoming traffic from a small pool of IPs to one of your addresses:
-A INPUT -s 10.0.0.0/24 -d 10.0.0.13 -p tcp -dport 443 -j ACCEPT # accept TCP traffic from 10.0.0.* incoming to port 443 at 10.0.0.13
-A INPUT -d 10.0.0.13 -j REJECT # drop everything else incoming to 10.0.0.13
Hu Administrator

Joined: 06 Mar 2007 Posts: 23227
Posted: Sun Nov 15, 2015 5:53 pm Post subject:
szatox has a minor syntax error (-dport instead of --dport) and also suggests REJECT instead of DROP. I would use:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Accept internal communications. Always present unless you can explain
# why you want otherwise.
-A INPUT -i lo -j ACCEPT
# Address .13 only allows https, and then only from one source.
-A INPUT -s 192.168.10.100 -d 10.0.0.13 -p tcp --dport 443 -j ACCEPT
# Address .11 allows both http and https, and from anywhere.
-A INPUT -d 10.0.0.11 -p tcp --dport 80 -j ACCEPT
-A INPUT -d 10.0.0.11 -p tcp --dport 443 -j ACCEPT
# Address .12 allows both http and https, and from anywhere.
-A INPUT -d 10.0.0.12 -p tcp --dport 80 -j ACCEPT
-A INPUT -d 10.0.0.12 -p tcp --dport 443 -j ACCEPT
# Allow traffic from any existing connection. This is required to let
# the server process responses to any outbound traffic it initiates.
# This is last so that the stateless matches can be checked first.
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Everything else hits the policy target
You could combine the .11/.12 rules if their real addresses are such that a /31 netmask can cover both. You could use a multiport rule instead of separate rules for 80,443. Enumerating each possibility is more verbose, but also lets you keep traffic counters on a per-type basis.
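An added example, not part of the thread: a small first-match evaluator for the INPUT chain above, so the intended per-address policy (.11/.12 open on 80 and 443, .13 on 443 only and only from the single permitted client, default policy DROP, ESTABLISHED checked last) can be checked against constructed sample packets before anything is loaded with iptables-restore. The addresses and the client 192.168.10.100 are the thread's placeholders; 203.0.113.5 and the packets are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# One tuple per rule, in chain order: (src_net, dst_net, proto, dport,
# ctstate, target). None means the rule does not match on that field.
# These mirror the ruleset posted above (placeholders, not real addresses).
RULES = [
    ("192.168.10.100/32", "10.0.0.13/32", "tcp", 443, None, "ACCEPT"),
    (None, "10.0.0.11/32", "tcp", 80, None, "ACCEPT"),
    (None, "10.0.0.11/32", "tcp", 443, None, "ACCEPT"),
    (None, "10.0.0.12/32", "tcp", 80, None, "ACCEPT"),
    (None, "10.0.0.12/32", "tcp", 443, None, "ACCEPT"),
    (None, None, None, None, "ESTABLISHED", "ACCEPT"),  # last, as posted
]
POLICY = "DROP"  # :INPUT DROP [0:0]


def _match(value, want, is_net=False):
    """A None criterion is a wildcard; networks use CIDR containment."""
    if want is None:
        return True
    if is_net:
        return ip_address(value) in ip_network(want)
    return value == want


def verdict(src, dst, proto, dport, ctstate="NEW", iface="eth0"):
    """Return the target a packet hits in the INPUT chain (first match wins)."""
    if iface == "lo":  # -A INPUT -i lo -j ACCEPT
        return "ACCEPT"
    for s, d, p, port, state, target in RULES:
        if (_match(src, s, True) and _match(dst, d, True)
                and _match(proto, p) and _match(dport, port)
                and _match(ctstate, state)):
            return target
    return POLICY  # nothing matched: the chain policy applies


if __name__ == "__main__":
    # Constructed sample packets: (src, dst, proto, dport, ctstate)
    samples = [
        ("192.168.10.100", "10.0.0.13", "tcp", 443, "NEW"),   # allowed client
        ("203.0.113.5", "10.0.0.13", "tcp", 443, "NEW"),      # wrong source
        ("192.168.10.100", "10.0.0.13", "tcp", 80, "NEW"),    # http on .13
        ("203.0.113.5", "10.0.0.11", "tcp", 80, "NEW"),       # open site
        ("203.0.113.5", "10.0.0.12", "tcp", 22, "NEW"),       # ssh not listed
        ("203.0.113.5", "10.0.0.12", "tcp", 22, "ESTABLISHED"),  # reply traffic
    ]
    for pkt in samples:
        print(pkt, "->", verdict(*pkt))
```

Packets that are replies to connections the server opened itself reach the trailing ESTABLISHED rule, which is why that rule is needed even with a DROP policy.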
1clue Advocate

Joined: 05 Feb 2006 Posts: 2569
Posted: Mon Nov 16, 2015 2:49 am Post subject:
This is good stuff.
The real addresses are not contiguous but are inside a class c.
You gave me what I need to figure this out.
Thanks.