Best way to only allow access to a server to a handful IPs? - Resolved.

Amitz Member
edited July 2016 in Help

Dear all,

I have a server here that I would like to appear completely dead (well, excluding ping perhaps) to the whole world for all services running on it, except for a handful of given (VPN) IPs that should be able to access it just normally.

What would be the best way to achieve this? There is no hardware firewall in front of it. IPTables? Or some easier solution, maybe via ConfigServer Firewall (CSF)?

Thanks a lot in advance & kind regards
Amitz

Comments

  • iptables default policy drop?

  • Amitz Member

    The thing is - myself and iptables. I never managed to get warm with it (even though I always wanted to) and I am a complete malfunction when it comes to iptables. Would you have a working example for me that I could use with the IPs in question? That would be just wonderful!

  • ehab Member

    ^ and if you use firewalld then it's easier

  • ehab Member

    Amitz .. time you really learn firewalld

  • matteob Barred
    edited July 2016

    Fastest and easiest:

    iptables -A INPUT -s sourceip -j ACCEPT

    iptables -A INPUT -j DROP

    or better: what OS do you have installed on the server?

  • Amitz Member
    edited July 2016

    Indeed, I never fiddled with firewalld. Will take a look at it now, thanks!

    Concerning iptables - Would this here work?

    iptables -P FORWARD DROP
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -s VPN-IP-HERE -j ACCEPT
    iptables -P INPUT DROP
    
  • matteob Barred
    edited July 2016

    you can still use iptables if you know better.

    For CentOS 7:

    yum install iptables-services -y

    systemctl stop firewalld && systemctl disable firewalld

    systemctl enable iptables

    systemctl start iptables

    and you will be able to use iptables as always

  • ehab Member

    @matteob said:
    iptables -A INPUT -s sourceip -j ACCEPT

    iptables -A INPUT -j DROP

    I am not an expert in iptables, but I recall a drop should be before an accept. As in: block all, then fine-grain the accept.

  • perennate Member, Host Rep
    edited July 2016

    If you don't want to write iptables rules, then ufw on Debian or Ubuntu makes it slightly more straightforward.

    https://wiki.debian.org/Uncomplicated%20Firewall%20(ufw)

  • @ehab said:

    @matteob said:
    iptables -A INPUT -s sourceip -j ACCEPT

    iptables -A INPUT -j DROP

    I am not an expert in iptables, but I recall a drop should be before an accept. As in: block all, then fine-grain the accept.

    No, drop needs to be the last line, because when a packet matches a rule it will not go ahead (for performance purposes). If you put DROP on top you will drop all traffic.

  • Amitz Member

    I am on Debian, sorry - forgot to add that. (Hihi - Debian. Thx.)

  • edited July 2016

    This bash/bourne script is what I run on my servers while I'm setting them up.

    These would be iptables rules for a Debian based system and would block all incoming traffic except specified IPs on ssh port 22.

    I actually run a version of this script automatically on boot as an init file.

    Mod script to your own needs.

    #!/bin/sh
    # Temporary allowlist firewall: drop everything inbound except SSH from the
    # listed IPs. Run as root; needs iptables with the conntrack/state matches.
    
    IPT="/sbin/iptables"
    
    remotesshIP1="1.2.3.4"
    remotesshIP2="1.2.6.6"
    
    exitVAR=0
    
    mainFnc () {
    printf "\n\n\nIPv4: Loading temporary secure firewall rules..."
    # Flush and delete every chain in filter, nat and mangle before starting over
    $IPT -F; $IPT -X; $IPT -t nat -F; $IPT -t nat -X; $IPT -t mangle -F; $IPT -t mangle -X
    # Default policies: nothing in, nothing forwarded, everything out
    $IPT -P INPUT DROP; $IPT -P OUTPUT ACCEPT; $IPT -P FORWARD DROP
    
    ## Allow only stated IP on ssh port 22
    $IPT -A INPUT -i lo -m comment --comment "Loopback Inbound" -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p udp --dport 520 -j ACCEPT
    # A comma-separated -s list is expanded by iptables into one rule per address
    $IPT -A INPUT -p tcp --dport 22 -s ${remotesshIP1},${remotesshIP2} --syn -m state --state NEW -j ACCEPT
    # Log (rate-limited) whatever falls through to the DROP policy
    $IPT -A INPUT -j LOG -m limit --limit 1/minute --limit-burst 1 --log-level 7 --log-prefix "TCP_BAN: "
    # Only the exit status of the last iptables call above is checked here
    if [ $? = 0 ]; then printf "successful.\n\n"; exitVAR=0; else printf "error.\n\n"; exitVAR=1; fi
    
    $IPT -nvL
    }
    
    case "$1" in
        start|restart) mainFnc;;
                    *) echo "Usage: fw {start|restart}"; exit 1;;
    esac
    exit $exitVAR
    
  • @Amitz said:
    I am on Debian, sorry - forgot to add that. (Hihi - Debian. Thx.)

    On Debian ufw is the best

    aptitude install ufw -y

    Now:

    ufw allow from VPN-IP

    ufw default deny incoming

  • Amitz Member

    Thank you all!

    ufw does the trick for me! Great, I was not aware of that program. :-)

  • raindog308 Administrator, Veteran


    Indeed, you are powerful, as @jarland has foreseen.

  • @ehab said:
    ^ and if you use firewalld then its easier

    +1 - far prefer firewalld

  • LiteServer Member, Patron Provider

    In case you're not really familiar with iptables or don't know how to set up the firewall rules, I would say go with CSF and use something like Webmin in front of it to manage CSF through a GUI.
    CSF is based on iptables, but doesn't require any manual work like setting up drop/accept firewall rules.
    Great solution for the ones that like to set up a firewall using a GUI.

    I really like CSF. Great all in one solution, and it's getting better/advanced with almost every release :-)

  • raindog308 Administrator, Veteran

    LiteServer said: I really like CSF. Great all in one solution, and it's getting better/advanced with almost every release :-)

    Have you run CSF on non-cPanel boxes? I've used it with cPanel but I've never tried it standalone.

    I agree - CSF is good stuff.

  • I have a server here that I would like to appear completely dead (well, excluding ping perhaps) to the whole world for all services running on it, except for a handful of given (VPN) IPs that should be able to access it just normally.

    What would be the best way to achieve this? There is no hardware firewall in front of it. IPTables? Or some easier solution, maybe via ConfigServer Firewall (CSF)?

    iptables -A INPUT -s sourceip -j ACCEPT
    iptables -A INPUT -j DROP
    

    Repeat the first line for all the IPs you want to have access from.
    That's it, all other traffic will be dropped.

    Make sure that you don't leave your own server inaccessible from remote :)
    I think all of us have had such an experience at least once!

    Take a look here for a few examples of iptables; it can help you a bit.

  • LiteServer Member, Patron Provider

    @raindog308 said:
    Have you run CSF on non-cPanel boxes? I've used it with cPanel but I've never tried it standalone.

    I agree - CSF is good stuff.

    Yes I used CSF several times on standalone servers. Made a lot of people happy with CSF + Webmin for easy management.
    Works the same in standalone mode. And using the Webmin module gives the user the same look/feeling as the CSF module for CPanel/DirectAdmin :-).
    A lot of features within CSF are overkill for an average Linux user, but still... it's a great all-in-one solution with plenty of (custom) features. And it's even free!

  • raindog308 Administrator, Veteran

    gexacor said: Make sure that you'll not leave your own server unaccessible from remote :) I think all of us have such the experience at least once!

    A nice trick is to use at or cron to put a "turn off iptables" run 5 minutes in the future, then try your changes. Just make sure to disable the "turn off" script once you're happy with your rules.
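The following script is an added example, not code from any poster in this thread. It ties together matteob's allowlist rules, the drop-order question (with a DROP policy the ACCEPT rules need no particular order, only no catch-all DROP ahead of them) and raindog308's timed-rollback trick: it emits the ruleset in iptables-restore format, so it is loaded atomically instead of rule by rule. The IPs and the rules file path are assumed sample values (RFC 5737 documentation ranges, Debian's netfilter-persistent default path).

```shell
#!/bin/sh
# Added example (not from the thread). Generate an allowlist-only iptables
# ruleset and apply it with a scheduled rollback so a typo cannot lock you out.

ALLOWED="203.0.113.10 198.51.100.0/24"   # constructed sample; put your VPN IPs here
RULES=/etc/iptables/rules.v4            # assumed path (netfilter-persistent default)

gen_ruleset() {
  # $1: space-separated allowlist of IPv4 addresses/CIDRs, written to stdout
  # in iptables-restore format. Policy DROP does the blocking, so the order of
  # the ACCEPT lines is irrelevant; ping is kept, as the OP wanted.
  printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
  printf -- '-A INPUT -i lo -j ACCEPT\n'
  printf -- '-A INPUT -m conntrack --ctstate INVALID -j DROP\n'
  printf -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
  printf -- '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT\n'
  for ip in $1; do
    printf -- '-A INPUT -s %s -j ACCEPT\n' "$ip"
  done
  # Rate-limited log of what falls through to the DROP policy (useful for audits)
  printf -- '-A INPUT -m limit --limit 1/min -j LOG --log-prefix "INPUT_DROP: "\n'
  printf 'COMMIT\n'
}

count_allow_rules() {
  # Number of per-IP ACCEPT rules in a ruleset read from stdin
  grep -c -- '^-A INPUT -s .* -j ACCEPT$'
}

apply_with_rollback() {
  # Save the live rules, schedule their restore in 5 minutes with at(1), then
  # load the new set atomically. If you can still log in, cancel the at job.
  iptables-save > /tmp/iptables.rollback
  echo "iptables-restore < /tmp/iptables.rollback" | at now + 5 minutes
  gen_ruleset "$ALLOWED" | iptables-restore
  gen_ruleset "$ALLOWED" > "$RULES"     # persist for the next boot
  echo "Rules loaded. Still connected? Cancel the rollback: atrm \$(atq | cut -f1)"
}

# Only touch the live firewall when asked explicitly:  sh fw.sh apply
if [ "${1:-}" = apply ]; then apply_with_rollback; fi
```

Run `sh fw.sh apply` as root from your VPN IP; after the test window, persist or recreate the rules with your distribution's tooling (netfilter-persistent on Debian).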
