Best way to only allow access to a server to a handful of IPs? - Resolved.
Dear all,
I have a server here that I would like to appear completely dead (well, excluding ping perhaps) to the whole world for all services running on it, except for a handful of given (VPN) IPs that should be able to access it just normally.
What would be the best way to achieve this? There is no hardware firewall in front of it. IPTables? Or some easier solution, maybe via ConfigServer Firewall (CSF)?
Thanks a lot in advance & kind regards
Amitz
Comments
iptables default policy drop?
The thing is - myself and iptables. I never managed to get warm with it (even though I always wanted to) and I am a complete malfunction when it comes to iptables. Would you have a working example for me that I could use with the IPs in question? That would be just wonderful!
^ and if you use firewalld then it's easier
Amitz... time you really learn firewalld
Fastest and easiest:
iptables -A INPUT -s sourceip -j ACCEPT
iptables -A INPUT -j DROP
Or better: what OS do you have installed on the server?
Indeed, I never fiddled with firewalld. Will take a look at it now, thanks!
Concerning iptables - Would this here work?
You can still use iptables if you know it better.
For CentOS 7:
yum install iptables-services -y
systemctl stop firewalld && systemctl disable firewalld
systemctl enable iptables
systemctl start iptables
and you will be able to use iptables as always
I am not an expert in iptables, but I recall a drop should be before an accept. As in: block all, then fine-grain the accepts.
If you don't want to write iptables rules, then ufw on Debian or Ubuntu makes it slightly more straightforward.
https://wiki.debian.org/Uncomplicated%20Firewall%20(ufw)
No, DROP needs to be the last line, because when a packet matches a rule it will not go ahead (for performance purposes). If you put DROP on top you will drop all traffic.
I am on Debian, sorry - forgot to add that. (Hihi - Debian. Thx.)
This bash/bourne script is what I run on my servers while I'm setting them up.
These would be iptables rules for a Debian-based system and would block all incoming traffic except specified IPs on SSH port 22.
I actually run a version of this script automatically on boot as an init file.
Modify the script to your own needs.
On Debian ufw is the best.
aptitude install ufw -y
Now:
ufw allow from VPN-IP
ufw default deny incoming
Thank you all!
ufw does the trick for me! Great, I was not aware of that program. :-)
Indeed, you are powerful, as @jarland has foreseen.
+1 - far prefer firewalld
In case you're not really familiar with iptables or don't know how to set up the firewall rules, I would say go with CSF and use something like Webmin in front of it to manage CSF through a GUI.
CSF is based on iptables, but doesn't require any manual work like setting up drop/accept firewall rules.
Great solution for those who like to set up a firewall using a GUI.
I really like CSF. Great all in one solution, and it's getting better/advanced with almost every release :-)
Have you run CSF on non-cPanel boxes? I've used it with cPanel but I've never tried it standalone.
I agree - CSF is good stuff.
Repeat the first line for all the IPs you want to have access from.
That's it, all other traffic will be dropped.
Make sure that you don't leave your own server inaccessible from remote.
I think all of us have had that experience at least once!
Take a look here for a few examples of iptables; it can help you a bit.
Yes I used CSF several times on standalone servers. Made a lot of people happy with CSF + Webmin for easy management.
Works the same in standalone mode. And using the Webmin module gives the user the same look/feeling as the CSF module for CPanel/DirectAdmin :-).
A lot of features within CSF are overkill for the average Linux user, but still... it's a great all-in-one solution with plenty of (custom) features. And it's even free!
A nice trick is to use at or cron to put a "turn off iptables" run 5 minutes in the future, then try your changes. Just make sure to disable the "turn off" script once you're happy with your rules.
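Putting the pieces of this thread together (the "block everything except a few IPs" iptables ruleset that was described but not posted above, the warning about locking yourself out, and the at(1) rollback trick from the last comment), here is an added example written for this page; it is not a script from any of the posters. The function names (gen_rules, admin_ip_allowed, apply_with_rollback) and the sample addresses 203.0.113.10 and 198.51.100.7 are my own. It assumes a Debian-style box with iptables-restore and at installed, and it keeps ICMP echo answerable as the original poster asked.

```bash
#!/bin/bash
# Added example, not from the thread: build an iptables ruleset that drops
# every inbound packet except from a short list of trusted (VPN) IPv4
# addresses, refuse to apply it if your own SSH client address is not on
# that list, and schedule an automatic flush as a safety net before applying.
set -u

# Print an iptables-restore ruleset for the given IPs. Policy DROP on INPUT
# replaces the trailing "-A INPUT -j DROP" from the thread; loopback and
# replies to connections the server itself opened keep working, and ping
# is still answered.
gen_rules() {
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n'
    printf ':FORWARD DROP [0:0]\n'
    printf ':OUTPUT ACCEPT [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A INPUT -m conntrack --ctstate INVALID -j DROP\n'
    printf -- '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT\n'
    local ip
    for ip in "$@"; do
        printf -- '-A INPUT -s %s -j ACCEPT\n' "$ip"
    done
    printf 'COMMIT\n'
}

# Return 0 if the client address (first argument) is one of the allowed
# IPs that follow, else 1. This is the lock-out check the thread warns about.
admin_ip_allowed() {
    local client="$1"; shift
    local ip
    for ip in "$@"; do
        [ "$ip" = "$client" ] && return 0
    done
    return 1
}

# Apply the rules as root. First schedule a flush with at(1) five minutes
# out (the trick from the last comment); cancel it with atrm once you have
# confirmed a fresh SSH login still works.
apply_with_rollback() {
    local client="${SSH_CLIENT:-}"
    client="${client%% *}"          # SSH_CLIENT is "ip port port"
    if ! admin_ip_allowed "$client" "$@"; then
        echo "refusing: your address '$client' is not in the allow list" >&2
        return 1
    fi
    echo 'iptables -P INPUT ACCEPT && iptables -F INPUT' | at now + 5 minutes
    gen_rules "$@" | iptables-restore
}

# Usage (as root, over SSH from one of the listed IPs):
#   apply_with_rollback 203.0.113.10 198.51.100.7
```

Rules applied with iptables-restore are not persistent across a reboot on their own; on Debian the iptables-persistent package (or a boot script like the one mentioned above) takes care of that. Drop the ICMP line if you want the box to look dead to ping as well.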