IPtables for VPS vnets

Discussion in 'Server Operation' started by slu2, Jan 2, 2010.

  1. slu2

    slu2 New Member

    I want to have different rules for different IPs on my VPS.

    I have 5 IPs, and all are assigned a different VNet0:x address.


    IP one is: x.x.x.x and it is on vnet0:0
    IP two is: x.x.x.x and it is on vnet0:1
    ---------------------------- vnet0:2

    etc...


    I want to allow normal ports from all IPs on vnet0:0

    I also want to block all IP addresses except for a few on vnet0:1


    Is there a way to do that in iptables?

    Thanks!
     
  2. topdog

    topdog HowtoForge Supporter

    Of course, just set the policy of the chain to DROP, then add the rules you want to allow through.
     
  3. slu2

    slu2 New Member

    This is my first time designing any iptables rules, so I am still trying to figure it out.
    I was sure it was possible; I'm still not sure how.

    I haven't seen many examples of this type of firewall.

    I've seen a lot of examples of people disallowing an IP address in general.
    But I haven't seen an example of how to designate ALLOW for a certain IP, for a certain vnet, and drop all others. It's just a coding problem for me really.

    Thx
     
  4. topdog

    topdog HowtoForge Supporter

    This is where you use the policy of the chain, to deny anything that is not explicitly allowed.

    I suggest you read up on iptables first before trying to implement. http://www.frozentux.net/documents/iptables-tutorial/
     
  5. slu2

    slu2 New Member

    Thanks. I've been reading tutorial after tutorial. I've come up with a few ideas.

    But since this is a co-located, stand alone type server, I am trying not to screw everything up.

    I have the tables below defined, but I am still not seeing how to allow a certain IP to access a certain vnet.


    # Allowed Inbound TCP Ports (ssh, smtp, dns, http, https, smtps, imaps, pop3s, rdp, webmin)
    iptables -t filter -A INPUT -p tcp -m tcp -m multiport -i venet0 -j ACCEPT --dports 22,25,53,80,443,465,993,995,3389,10000

    # Allowed Inbound UDP Ports (dns, openvpn)
    iptables -t filter -A INPUT -p udp -m udp -m multiport -i venet0 -j ACCEPT --dports 53,1194

    # Allowed Inbound ICMP (echo-request)
    iptables -t filter -A INPUT -p icmp -m icmp -i venet0 --icmp-type echo-request -j ACCEPT

    # Drop Inbound if No Existing Connection (invalid, new)
    iptables -t filter -A INPUT -m state -i venet0:2 --state NEW,INVALID -j DROP

    # Allowed Outbound TCP Ports (ftp, ssh, smtp, dns, http, https)
    iptables -t filter -A OUTPUT -p tcp -m tcp -m multiport -o venet0 -j ACCEPT --dports 20,21,22,25,53,80,443

    # Allowed Outbound UDP Ports (WoL, dns)
    iptables -t filter -A OUTPUT -p udp -m udp -m multiport -o venet0 -j ACCEPT --dports 9,53

    # Allowed Outbound ICMP (echo-request)
    iptables -t filter -A OUTPUT -p icmp -m icmp -o venet0 --icmp-type echo-request -j ACCEPT

    # Drop Outbound if No Existing Connection (invalid, new)
    iptables -t filter -A OUTPUT -m state -o venet0 --state NEW,INVALID -j DROP

    # Catch-all: drop any other inbound traffic
    iptables -A INPUT -j DROP -p all
     
  6. slu2

    slu2 New Member

    I want the main IP address to accept all of the main ports, as defined in the table that I just posted.

    But I just need an example of a command that will allow a few certain IP addresses to access one particular vnet on my system.
     
  7. slu2

    slu2 New Member

    What I really would like is for someone with experience with this function to post an example.

    Such as:

    iptables -t filter -A INPUT -p tcp -m tcp -m multiport -i venet0 -j ACCEPT --ip 192.168.1.1 192.168.1.2 192.168.1.3

    Or whatever the proper command would be.

    Thanks!
     
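An added example of the approach topdog describes, written for this thread and not taken from any post in it. Under OpenVZ, venet0:0 and venet0:1 are address labels on the single venet0 interface, so iptables cannot pick them out with -i; the destination address (-d) is what distinguishes one "vnet" from another. All addresses below are constructed placeholders, and the script prints the commands instead of applying them until the echo is removed from IPT.

```shell
#!/bin/sh
# Prints the iptables commands by default; set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

MAIN_IP="203.0.113.10"         # constructed: the address on venet0:0
RESTRICTED_IP="203.0.113.11"   # constructed: the address on venet0:1
ALLOWED_SOURCES="198.51.100.5 198.51.100.6 198.51.100.7"   # constructed
MAIN_TCP_PORTS="22,25,53,80,443,465,993,995,3389,10000"

build_input_rules() {
    # Chain policy DROP: anything not explicitly accepted below is dropped.
    $IPT -P INPUT DROP
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    # Packets belonging to connections we already track, plus obvious junk.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Main address (venet0:0): the usual service ports, from anywhere.
    $IPT -A INPUT -d "$MAIN_IP" -p tcp -m multiport --dports "$MAIN_TCP_PORTS" -j ACCEPT
    $IPT -A INPUT -d "$MAIN_IP" -p udp -m multiport --dports 53,1194 -j ACCEPT
    $IPT -A INPUT -d "$MAIN_IP" -p icmp --icmp-type echo-request -j ACCEPT

    # Restricted address (venet0:1): only the listed sources, one rule each.
    for src in $ALLOWED_SOURCES; do
        $IPT -A INPUT -s "$src" -d "$RESTRICTED_IP" -j ACCEPT
    done
    # Everything else aimed at the restricted address hits the DROP policy;
    # log a rate-limited sample so blocked attempts are visible in syslog.
    $IPT -A INPUT -d "$RESTRICTED_IP" -m limit --limit 5/min -j LOG --log-prefix "vnet1-drop: "
}

build_input_rules
```

Review the printed rules, then rerun with IPT=iptables; the per-source ACCEPT rules sit above the policy, so every other source is dropped without a catch-all rule.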