IPtables for VPS vnets

[slu2]

I want to have different rules for different IPs on my VPS.

I have 5 IPs, and all are assigned a different VNet0:x address.


IP one is: x.x.x.x and it is on vnet0:0
IP two is: x.x.x.x and it is on vnet0:1
---------------------------- vnet0:2

etc...


I want to allow normal ports from all IPs on vnet0:0

I also want to block all IP addresses except for a few on vnet0:1


Is there a way to do that in iptables?

Thanks!

[topdog]

of course, just set the policy of the chain to DROP then add the rules you want to allow thru.

[slu2]

This is my first time designing any IPTables, so I am still trying to figure it out.
I was sure it was possible, Im still not sure how.

I haven't saw many examples of this type of firewall.

I've saw a lot of examples of people disallowing an IP address in general.
But I haven't saw an example of how to designate ALLOW for a certain IP, for a certain vnet, and drop all others.. It's just a coding problem for me really.

Thx

[topdog]

Quote:

Originally Posted by slu2

I've saw a lot of examples of people disallowing an IP address in general.
But I haven't saw an example of how to designate ALLOW for a certain IP, for a certain vnet, and drop all others.. It's just a coding problem for me really.
Thx

This is where you use the policy of the chain, to deny anything that is not explicitly allowed.

I suggest you read up on iptables first before trying to implement. http://www.frozentux.net/documents/iptables-tutorial/

[slu2]

Thanks. I've been reading tutorial after tutorial. I've came up with a few ideas.

But since this is a co-located, stand alone type server, I am trying not to screw everything up.

I have the tables below defined, but I am still not seeing how to allow a certain IP to access a certain vnet.


# Allowed Inbound TCP Ports (ssh, smtp, dns, http, https, smtps, imaps, pop3s, rdp, webmin)

iptables -t filter -A INPUT -p tcp -m tcp -m multiport -i venet0 -j ACCEPT --dports 22,25,53,80,443,465,993,995,3389,10000



# Allowed Inbound UDP Ports (dns, openvpn)

iptables -t filter -A INPUT -p udp -m udp -m multiport -i venet0 -j ACCEPT --dports 53,1194



# Allowed Inbound ICMP (echo-request)

iptables -t filter -A INPUT -p icmp -m icmp -i venet0 --icmp-type echo-request -j ACCEPT



# Drop Inbound if No Existing Connection (invalid, new)

iptables -t filter -A INPUT -m state -i venet0:2 --state NEW,INVALID -j DROP



# Allowed Outbound TCP Ports (smtp, dns, http, https)

iptables -t filter -A OUTPUT -p tcp -m tcp -m multiport -o venet0 -j ACCEPT --dports 20,21,22,25,53,80,443



# Allowed Outbound UDP Ports (WoL, dns)

iptables -t filter -A OUTPUT -p udp -m udp -m multiport -o venet0 -j ACCEPT --dports 9,53



# Allowed Outbound ICMP (echo-request)

iptables -t filter -A OUTPUT -p icmp -m icmp -o venet0 --icmp-type echo-request -j ACCEPT



# Drop Outbound if No Existing Connection (invalid, new)

iptables -t filter -A OUTPUT -m state -o venet0 --state NEW,INVALID -j DROP


iptables -A INPUT -j DROP -p all

[slu2]

I want the main IP address to accept all of the main ports, as defined in the table that I just posted.

But I just need an example of a command that will allow a few certain IP addresses to access one particular vnet on my system.

[slu2]

What I really would like is for someone with experience with this function to post an example.

Such as:

iptables -t filter -A INPUT -p tcp -m tcp -m multiport -i venet0 -j ACCEPT --ip 192.168.1.1 192.168.1.2 192.168.1.3

Or whatever the proper command would be.

Thanks!