#1
2nd January 2010, 05:22
slu2 (Junior Member; Join Date: Jan 2010; Posts: 9)
IPtables for VPS vnets

I want to have different rules for different IPs on my VPS.

I have 5 IPs, and each is assigned a different venet0:x address.

IP one is x.x.x.x and it is on venet0:0
IP two is x.x.x.x and it is on venet0:1
---------------------------- venet0:2
etc...

I want to allow normal ports from all IPs on venet0:0.

I also want to block all IP addresses except for a few on venet0:1.

Is there a way to do that in iptables?

Thanks!
#2
4th January 2010, 09:57
topdog (Senior Member; Join Date: Jan 2008; Location: South Africa; Posts: 1,352)

Of course. Just set the policy of the chain to DROP, then add the rules for what you want to allow through.
__________________
----
http://www.topdog.za.net - Got Linux problems ? - I can help.
http://www.baruwa.org - Try it.
#3
4th January 2010, 10:15
slu2 (Junior Member; Join Date: Jan 2010; Posts: 9)

This is my first time designing any iptables rules, so I am still trying to figure it out.
I was sure it was possible; I'm still not sure how.

I haven't seen many examples of this type of firewall.

I've seen a lot of examples of people disallowing an IP address in general.
But I haven't seen an example of how to designate ALLOW for a certain IP, for a certain vnet, and drop all others. It's just a coding problem for me really.

Thx
#4
4th January 2010, 10:19
topdog (Senior Member; Join Date: Jan 2008; Location: South Africa; Posts: 1,352)

Quote (originally posted by slu2):
> I've seen a lot of examples of people disallowing an IP address in general.
> But I haven't seen an example of how to designate ALLOW for a certain IP, for a certain vnet, and drop all others. It's just a coding problem for me really.
> Thx

This is where you use the policy of the chain, to deny anything that is not explicitly allowed.

I suggest you read up on iptables first before trying to implement it: http://www.frozentux.net/documents/iptables-tutorial/
#5
4th January 2010, 10:27
slu2 (Junior Member; Join Date: Jan 2010; Posts: 9)

Thanks. I've been reading tutorial after tutorial. I've come up with a few ideas.

But since this is a co-located, stand-alone server, I am trying not to screw everything up.

I have the tables below defined, but I am still not seeing how to allow a certain IP to access a certain vnet.


# Accept replies to connections this host opened itself. Without this, the
# final DROP below also discards DNS answers, package downloads, and the
# return half of any outbound connection.
iptables -t filter -A INPUT -i venet0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allowed Inbound TCP Ports (ssh, smtp, dns, http, https, smtps, imaps, pop3s, rdp, webmin)
iptables -t filter -A INPUT -i venet0 -p tcp -m multiport --dports 22,25,53,80,443,465,993,995,3389,10000 -j ACCEPT

# Allowed Inbound UDP Ports (dns, openvpn)
iptables -t filter -A INPUT -i venet0 -p udp -m multiport --dports 53,1194 -j ACCEPT

# Allowed Inbound ICMP (echo-request)
iptables -t filter -A INPUT -i venet0 -p icmp --icmp-type echo-request -j ACCEPT

# Drop Inbound if No Existing Connection (invalid, new)
# Note: "venet0:2" is a label on an address, not an interface. Packets for
# that address arrive on venet0, so "-i venet0:2" never matches anything.
# To target one alias, match its address with "-d x.x.x.x" instead.
iptables -t filter -A INPUT -i venet0 -m state --state NEW,INVALID -j DROP

# Allowed Outbound TCP Ports (ftp, ssh, smtp, dns, http, https)
iptables -t filter -A OUTPUT -o venet0 -p tcp -m multiport --dports 20,21,22,25,53,80,443 -j ACCEPT

# Allowed Outbound UDP Ports (WoL, dns)
iptables -t filter -A OUTPUT -o venet0 -p udp -m multiport --dports 9,53 -j ACCEPT

# Allowed Outbound ICMP (echo-request)
iptables -t filter -A OUTPUT -o venet0 -p icmp --icmp-type echo-request -j ACCEPT

# Drop Outbound if No Existing Connection (invalid, new)
iptables -t filter -A OUTPUT -o venet0 -m state --state NEW,INVALID -j DROP

# Drop everything else that reaches INPUT
iptables -t filter -A INPUT -j DROP
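The ruleset in post #5 switches a remote, co-located box to a deny-by-default policy, which is exactly the change that locks people out when one rule is wrong. The script below is an added example, not code from this thread: it runs a pre-flight check on an iptables-restore(8) file (filter table present, COMMIT present, INPUT policy DROP, and an ESTABLISHED,RELATED accept so the SSH session you are typing in survives), saves the current rules, arms a timer that restores them, loads the new file, and expects you to run confirm_rules before the timer fires. The backup path, PID file path, grace period and the embedded sample ruleset are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): load a new ruleset on a remote host
# with a pre-flight check and an automatic rollback, so a typo in a
# default-DROP firewall cannot lock you out.
# Assumptions: rules are in iptables-restore(8) format; the paths and the
# grace period below are placeholders.

GRACE_SECONDS="${GRACE_SECONDS:-120}"
BACKUP="${BACKUP:-/root/iptables.before-change}"
PIDFILE="${PIDFILE:-/run/iptables-rollback.pid}"

# A minimal constructed ruleset in the whitelist style the thread describes,
# embedded only so the script is self-contained.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Pre-flight checks for the mistakes most likely to lock you out: a DROP
# policy with nothing accepting replies to existing connections (your own
# SSH session included), or a file that is not a complete filter table.
validate_ruleset() {
    f="$1"
    grep -q '^\*filter' "$f"    || { echo "no *filter table" >&2; return 1; }
    grep -q '^COMMIT' "$f"      || { echo "missing COMMIT" >&2; return 1; }
    grep -q '^:INPUT DROP' "$f" || { echo "INPUT policy is not DROP" >&2; return 1; }
    grep -q 'ESTABLISHED,RELATED.*-j ACCEPT' "$f" \
        || { echo "no ESTABLISHED,RELATED accept rule" >&2; return 1; }
    return 0
}

apply_with_rollback() {
    new="$1"
    validate_ruleset "$new" || return 1
    iptables-save > "$BACKUP" || return 1
    # nohup: the timer must survive the SSH session dying, which is the very
    # case it exists for. confirm_rules kills it once you know you are still in.
    nohup sh -c "sleep $GRACE_SECONDS && iptables-restore < '$BACKUP'" >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
    if ! iptables-restore < "$new"; then
        confirm_rules
        iptables-restore < "$BACKUP"
        return 1
    fi
    echo "loaded; run confirm_rules within ${GRACE_SECONDS}s or the old rules return" >&2
}

confirm_rules() {
    [ -f "$PIDFILE" ] || return 0
    kill "$(cat "$PIDFILE")" 2>/dev/null
    rm -f "$PIDFILE"
}

# Run directly with APPLY=yes and a file to load it; otherwise dry-run the
# sample through the checks.
if [ "${APPLY:-no}" = "yes" ]; then
    apply_with_rollback "${1:?ruleset file}"
else
    tmp="${TMPDIR:-/tmp}/ruleset.$$"
    sample_ruleset > "$tmp"
    validate_ruleset "$tmp" && echo "sample ruleset passes pre-flight checks"
    rm -f "$tmp"
fi
```

The timer is deliberately started with nohup and before the new rules are loaded: if the load cuts your session, the interactive shell's SIGHUP must not take the rollback with it. On the second SSH session you open to confirm, `iptables -L INPUT -v -n --line-numbers` shows packet counters per rule, which is the quickest way to see which rule is actually matching your traffic.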
#6
4th January 2010, 10:30
slu2 (Junior Member; Join Date: Jan 2010; Posts: 9)

I want the main IP address to accept all of the main ports, as defined in the table that I just posted.

But I just need an example of a command that will allow a few certain IP addresses to access one particular vnet on my system.
#7
4th January 2010, 14:18
slu2 (Junior Member; Join Date: Jan 2010; Posts: 9)

What I really would like is for someone with experience with this function to post an example.

Such as:

# There is no "--ip" option. iptables takes one source per rule (-s), or a
# contiguous range with the iprange match, as here.
iptables -t filter -A INPUT -i venet0 -m iprange --src-range 192.168.1.1-192.168.1.3 -j ACCEPT

Or whatever the proper command would be.

Thanks!
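Posts #2 and #4 give the model (policy DROP, then explicit accepts) and post #7 asks for the concrete command. The script below is an added example written for this page, not code from any poster: it generates a complete filter table in iptables-restore(8) syntax that opens the normal service ports on the main address and admits only a short allowlist of sources to the second address. The key point it demonstrates is that venet0:0, venet0:1 and so on are labels on addresses, not interfaces; every packet arrives on venet0, so `-i venet0:1` matches nothing and the alias has to be selected by its address with `-d`. All addresses used are RFC 5737 documentation placeholders and the allowlist is assumed; the port lists are the ones from post #5.

```shell
#!/bin/sh
# Added example (not from the thread): per-address rules for a VPS whose
# extra IPs are venet0:N aliases. Alias names are labels on addresses, not
# interfaces: every packet arrives on venet0, so "-i venet0:1" matches
# nothing and the address must be selected with -d.
# Assumptions: the addresses below are RFC 5737 documentation placeholders.

MAIN_IP="${MAIN_IP:-192.0.2.10}"               # assumed address on venet0:0
RESTRICTED_IP="${RESTRICTED_IP:-192.0.2.11}"   # assumed address on venet0:1
ALLOWED_SRC="${ALLOWED_SRC:-198.51.100.5 198.51.100.6 203.0.113.20}"  # assumed clients
MAIN_TCP_PORTS="22,25,53,80,443,465,993,995,3389,10000"   # from post #5
MAIN_UDP_PORTS="53,1194"

# Emit a complete filter table in iptables-restore(8) syntax. INPUT policy
# is DROP, so only what is listed gets in: the "policy of the chain"
# approach from the thread. OUTPUT is left at ACCEPT here.
build_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback, replies to our own connections, then junk, in that order.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # Main address: the normal service ports, from anyone.
    printf '%s\n' "-A INPUT -d $MAIN_IP -p tcp -m multiport --dports $MAIN_TCP_PORTS -j ACCEPT"
    printf '%s\n' "-A INPUT -d $MAIN_IP -p udp -m multiport --dports $MAIN_UDP_PORTS -j ACCEPT"
    printf '%s\n' "-A INPUT -d $MAIN_IP -p icmp --icmp-type echo-request -j ACCEPT"
    # Restricted address: only the listed sources, one rule each.
    for src in $ALLOWED_SRC; do
        printf '%s\n' "-A INPUT -s $src -d $RESTRICTED_IP -j ACCEPT"
    done
    # Anything else, to any address, falls through to the DROP policy; no
    # explicit final DROP rule is needed.
    printf '%s\n' 'COMMIT'
}

# Number of per-source accept rules on the restricted address: a sanity
# check that the allowlist was expanded.
count_allowlist_rules() {
    build_rules | grep -c -- "-d $RESTRICTED_IP -j ACCEPT"
}

# Does the generated text admit a given source to the restricted address?
# A check of the ruleset text, not a kernel test.
allowlisted() {
    build_rules | grep -q -- "^-A INPUT -s $1 -d $RESTRICTED_IP -j ACCEPT\$"
}

apply_rules() {
    # iptables-restore swaps the whole table atomically, so there is no
    # moment where the DROP policy is in force without the accept rules.
    build_rules | iptables-restore
    iptables -L INPUT -v -n --line-numbers
}

# APPLY=yes loads the rules; the default just prints them for review.
if [ "${APPLY:-no}" = "yes" ]; then apply_rules; else build_rules; fi
```

Two caveats a practitioner would check before loading this. The allowlist rules carry no `-p`/`--dport`, so the listed sources reach every port on the restricted address; add a port match if the service is known. And the `-m state` rules depend on connection tracking, which on an OpenVZ container the host must make available; if `iptables-restore` rejects those lines, that is a host configuration issue rather than a syntax error in the file.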