I want to have different rules for different IPs on my VPS. I have 5 IPs, and all are assigned a different vnet0:x address.
IP one is: x.x.x.x and it is on vnet0:0
IP two is: x.x.x.x and it is on vnet0:1
---------------------------- vnet0:2 etc...
I want to allow normal ports from all IPs on vnet0:0. I also want to block all IP addresses except for a few on vnet0:1. Is there a way to do that in iptables? Thanks!
This is my first time designing any iptables rules, so I am still trying to figure it out. I was sure it was possible, I'm still not sure how. I haven't seen many examples of this type of firewall. I've seen a lot of examples of people disallowing an IP address in general. But I haven't seen an example of how to designate ALLOW for a certain IP, for a certain vnet, and drop all others. It's just a coding problem for me really. Thx
This is where you use the policy of the chain, to deny anything that is not explicitly allowed. I suggest you read up on iptables first before trying to implement. http://www.frozentux.net/documents/iptables-tutorial/
Thanks. I've been reading tutorial after tutorial. I've come up with a few ideas. But since this is a co-located, stand-alone type server, I am trying not to screw everything up. I have the tables below defined, but I am still not seeing how to allow a certain IP to access a certain vnet.

# Allowed Inbound TCP Ports (ssh, smtp, dns, http, https, smtps, imaps, pop3s, rdp, webmin)
iptables -t filter -A INPUT -p tcp -m tcp -m multiport -i venet0 -j ACCEPT --dports 22,25,53,80,443,465,993,995,3389,10000
# Allowed Inbound UDP Ports (dns, openvpn)
iptables -t filter -A INPUT -p udp -m udp -m multiport -i venet0 -j ACCEPT --dports 53,1194
# Allowed Inbound ICMP (echo-request)
iptables -t filter -A INPUT -p icmp -m icmp -i venet0 --icmp-type echo-request -j ACCEPT
# Drop Inbound if No Existing Connection (invalid, new)
iptables -t filter -A INPUT -m state -i venet0:2 --state NEW,INVALID -j DROP
# Allowed Outbound TCP Ports (smtp, dns, http, https)
iptables -t filter -A OUTPUT -p tcp -m tcp -m multiport -o venet0 -j ACCEPT --dports 20,21,22,25,53,80,443
# Allowed Outbound UDP Ports (WoL, dns)
iptables -t filter -A OUTPUT -p udp -m udp -m multiport -o venet0 -j ACCEPT --dports 9,53
# Allowed Outbound ICMP (echo-request)
iptables -t filter -A OUTPUT -p icmp -m icmp -o venet0 --icmp-type echo-request -j ACCEPT
# Drop Outbound if No Existing Connection (invalid, new)
iptables -t filter -A OUTPUT -m state -o venet0 --state NEW,INVALID -j DROP
iptables -A INPUT -j DROP -p all
I want the main IP address to accept all of the main ports, as defined in the table that I just posted. But I just need an example of a command that will allow a few certain IP addresses to access one particular vnet on my system.
What I really would like is for someone with experience with this function to post an example. Such as:
iptables -t filter -A INPUT -p tcp -m tcp -m multiport -i venet0 -j ACCEPT --ip 192.168.1.1 192.168.1.2 192.168.1.3
Or whatever the proper command would be. Thanks!
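An added example of the INPUT rules the thread is asking for; it is not from any poster in this thread. The point it demonstrates: venet0:1, venet0:2 and so on are address aliases of one interface, not interfaces, so an `-i venet0:2` match never fires; the way to say "which of my IPs" in iptables is the destination address match `-d`, while "which client" is the source match `-s`, and the chain policy (as the earlier reply said) drops whatever no rule accepted. Addresses are placeholders from the RFC 5737 documentation ranges, the interface is assumed to be venet0, and only the INPUT chain is built; the script prints the commands by default and only applies them when run as root with `IPT=iptables` in the environment.

```shell
#!/bin/sh
# Constructed example: per-address INPUT policy for a VPS whose extra IPs are
# aliases (venet0:1, venet0:2, ...) of the single interface venet0.
# Placeholder addresses (RFC 5737 documentation ranges), not real hosts.
MAIN_IP="203.0.113.10"         # address on venet0:0: normal ports open to all
RESTRICTED_IP="203.0.113.11"   # address on venet0:1: only listed clients
ALLOWED_CLIENTS="198.51.100.5 198.51.100.6 198.51.100.7"
PUBLIC_TCP_PORTS="22,25,53,80,443,465,993,995,3389,10000"
PUBLIC_UDP_PORTS="53,1194"

# Dry run by default: print the commands. Apply with: IPT=iptables sh firewall.sh
IPT="${IPT:-echo iptables}"

build_input_rules() {
    # Start from an empty INPUT chain.
    $IPT -F INPUT
    # Loopback and already-established traffic first, so the policy change
    # at the end cannot cut the session this script is run from.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Main address: the normal service ports, reachable from anywhere.
    # The "which IP" selector is -d, because iptables cannot match on an alias name.
    $IPT -A INPUT -i venet0 -d "$MAIN_IP" -p tcp -m multiport --dports "$PUBLIC_TCP_PORTS" -j ACCEPT
    $IPT -A INPUT -i venet0 -d "$MAIN_IP" -p udp -m multiport --dports "$PUBLIC_UDP_PORTS" -j ACCEPT
    $IPT -A INPUT -i venet0 -d "$MAIN_IP" -p icmp --icmp-type echo-request -j ACCEPT

    # Restricted address: one ACCEPT per permitted client (-s), nothing else.
    for client in $ALLOWED_CLIENTS; do
        $IPT -A INPUT -i venet0 -d "$RESTRICTED_IP" -s "$client" -j ACCEPT
    done
    # Rate-limited log of what gets refused on the restricted address, then drop.
    $IPT -A INPUT -i venet0 -d "$RESTRICTED_IP" -m limit --limit 5/min -j LOG --log-prefix "restricted-ip drop: "
    $IPT -A INPUT -i venet0 -d "$RESTRICTED_IP" -j DROP

    # Policy last: anything not explicitly accepted above is dropped.
    $IPT -P INPUT DROP
}

# Sanity check on the generated rule set: number of per-client ACCEPTs
# for the restricted address (should equal the number of allowed clients).
restricted_accept_count() {
    build_input_rules | grep -c -- "-d $RESTRICTED_IP -s .* -j ACCEPT"
}

build_input_rules
```

Running it without `IPT` set prints the rule list so it can be read before anything is applied; after applying as root, `iptables -S INPUT` shows the rules as loaded and `iptables -L INPUT -n -v` shows per-rule packet counters, which is the quickest way to confirm that traffic to the restricted address is hitting the per-client ACCEPT lines and not the final DROP. The OUTPUT rules from the earlier post are untouched by this script; if they are kept, the `-o venet0` matches there are correct because venet0 is the real device.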