Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Need iptables help, 3 ip addresses one nic
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2562

PostPosted: Sun Nov 15, 2015 3:05 pm    Post subject: Need iptables help, 3 ip addresses one nic Reply with quote

Hi,

I have an existing server. It's a hosted machine with one internal-only management nic and another outward-facing nic. The outward facing nic has 3 IP addresses, and is what I'm concerned with here.

My setup:

  1. 1 nic
  2. 3 public IP addresses on the same subnet. For this discussion we'll say addresses 11,12,13.
  3. Each IP address has a domain name, sharing a wildcard SSL certificate.
  4. I have an apache2 front-end handling requests.
  5. Each site has an app server which apache2 acts as a proxy for.
  6. There is a hardware firewall which has been good up to now.
  7. Firewall allows 443 and 80 to each host, but the hosting company says I can only restrict by NIC, not by IP address.


I want:

  1. 2 sites to accept https and http (443 and 80) from anywhere.
  2. 1 site to accept 443 only, and from exactly one remote IP address.


My iptables voodoo is very rusty, and frankly I've never tried something like 3 IPs on a single nic and different rules for each site.

Can someone help me out? I currently have the default setup, which is all-open.

Thanks.
Back to top
View user's profile Send private message
szatox
Veteran
Veteran


Joined: 27 Aug 2013
Posts: 1762

PostPosted: Sun Nov 15, 2015 4:24 pm    Post subject: Reply with quote

You can filer by IP. Here's an example for accepting incoming traffic from a small pool of IPs to one of your addresses:

-A INPUT -s 10.0.0.0/24 -d 10.0.0.13 -p tcp -dport 443 -j ACCEPT # accept TCP traffic from 10.0.0.* incoming to port 443 at 10.0.0.13
-A INPUT -d 10.0.0.13 -j REJECT # drop everything else incoming to 10.0.0.13
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 14159

PostPosted: Sun Nov 15, 2015 5:53 pm    Post subject: Reply with quote

szatox has a minor syntax error (-dport instead of --dport) and also suggests REJECT instead of DROP. I would use:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Accept internal communications.  Always present unless you can explain
# why you want otherwise.
-A INPUT -i lo -j ACCEPT
# Address .13 only allows https, and then only from one source.
-A INPUT -s 192.168.10.100 -d 10.0.0.13 -p tcp --dport 443 -j ACCEPT
# Address .11 allows both http and https, and from anywhere.
-A INPUT -d 10.0.0.11 -p tcp --dport 80 -j ACCEPT
-A INPUT -d 10.0.0.11 -p tcp --dport 443 -j ACCEPT
# Address .12 allows both http and https, and from anywhere.
-A INPUT -d 10.0.0.12 -p tcp --dport 80 -j ACCEPT
-A INPUT -d 10.0.0.12 -p tcp --dport 443 -j ACCEPT
# Allow traffic from any existing connection.  This is required to let
# the server process responses to any outbound traffic it initiates.
# This is last so that the stateless matches can be checked first.
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Everything else hits the policy target
You could combine the .11/.12 rules if their real addresses are such that a /31 netmask can cover both. You could use a multiport rule instead of separate rules for 80,443. Enumerating each possibility is more verbose, but also lets you keep traffic counters on a per-type basis.
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2562

PostPosted: Mon Nov 16, 2015 2:49 am    Post subject: Reply with quote

This is good stuff.

The real addresses are not contiguous but are inside a class c.

You gave me what I need to figure this out.

Thanks.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum