Page 1 of 3, results 1 to 10 of 27

Thread: iptables allow ports to a specific ip or domain name

  1. #1
    Join Date
    May 2010
    Beans
    153

    iptables allow ports to a specific ip or domain name

    How do I configure iptables to allow only ports 22, 80 and 3306, and only from a dynamic public IP / DynDNS domain name, on an Ubuntu server?


    Thank you all!

  2. #2
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: iptables allow ports to a specific ip or domain name

    iptables only filters by IP address. If it had to resolve hostnames every time it processed a packet, that would be horribly inefficient. I think the only way to accomplish this would be to update your iptables rules every time the dynamic IP changes. Also, I'm not sure how safe it is to connect to a MySQL database over the internet.

  3. #3
    Join Date
    May 2010
    Beans
    153

    iptables allow ports to a specific ip or domain name

    Thanks a lot denley!

    I want to drop all incoming traffic and allow only SSH from a specific IP. Others should not be able to connect via SSH.

    I need a step-by-step guide, please...

  4. #4
    Join Date
    Feb 2010
    Location
    California
    Beans
    244
    Distro
    Ubuntu 8.10 Intrepid Ibex

    Re: iptables allow ports to a specific ip or domain name

    You're talking about source IP addresses, and iptables can totally do that.
    Webmin makes it very easy. See the step-by-step guide at http://woodel.com

    You will probably be most interested in page 5 (if you already have Webmin).

    When you make a rule, just fill out the first box that says "source address".
    Works awesome, I use it every day.
    -Kev

  5. #5
    Join Date
    Oct 2009
    Beans
    2,199
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: iptables allow ports to a specific ip or domain name

    Starting with a blank iptables (no rules yet):

    sudo iptables -A INPUT -i lo -j ACCEPT
    sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    sudo iptables -A INPUT -s a.b.c.d -p tcp -m tcp --dport 22 -j ACCEPT
    sudo iptables -A INPUT -j DROP

    where a.b.c.d is the IP address of your SSH client.

  6. #6
    Join Date
    May 2010
    Beans
    153

    iptables allow ports to a specific ip or domain name

    Thanks a lot to kevinthecomputerguy, YesWeCan and denley.

    Actually my office has a dynamic public IP address; DHCP is configured on the internet modem, and all computers are assigned addresses in the 192.168.2.0 network.

    They purchased some Ubuntu cloud servers, each with a static public IP address. I'm asked to configure iptables to allow only my office network (dynamic public IP) to SSH to the clouds.

    If I use the iptables rule "iptables -A INPUT -s <public-ip> -p tcp -m tcp --dport 22 -j ACCEPT", I cannot access my clouds via SSH once my dynamic public IP changes, and I have to ask for the clouds to be restarted to reset iptables.

    So I registered with DynDNS and now I have a domain name "mycompany.dyndns.org" for my public IP. It resolves fine (I checked with 'nslookup mycompany.dyndns.org', but if I type 'nslookup <public-ip>' it resolves to my Airtel broadband domain).

    I used the following iptables rules on my clouds:

    1 :INPUT DROP [598:41912]
    2 :FORWARD ACCEPT [0:0]
    3 :OUTPUT ACCEPT [456:35354]
    4 -A INPUT -i lo -j ACCEPT
    5 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    6 -A INPUT -s mycompany.dyndns.org -p tcp -m tcp --dport 22 -j ACCEPT
    7 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    If I remove line no. 5 I cannot SSH to my clouds and have to ask for the clouds to be restarted to reset iptables.
    I don't know why I can't connect with my DynDNS domain name.

    I have not been able to meet this requirement since I joined as sysadmin. And I'm even asked to grant MySQL permissions to the DynDNS domain name instead of the dynamically changing public IP. Lots of pressure on me.

    I need help from you all, please... and thank you all for spending your time on me.
    Last edited by Thyagaraj; July 25th, 2010 at 08:47 AM.
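
    The reason rule 6 above stops working is that iptables resolves a hostname given to -s once, when the rule is loaded, and stores the resulting address; the kernel only ever matches on addresses, so the rule keeps the old office IP until the ruleset is reloaded (and a reload fails outright if the name does not resolve at that moment). What denley suggested in #2, updating the rules whenever the dynamic IP changes, can be done without touching the ruleset at all by pointing one static rule at an ipset and letting a cron job re-resolve the name. The script below is an added example, not code from the thread; the script name, the set name "office", the state file path and the cron interval are assumptions, and it relies on glibc's getent and the ipset tool being installed.

```shell
#!/bin/sh
# update-dyndns-allow.sh (hypothetical name): keep an ipset in sync with the
# current address of a DynDNS name so a single, static iptables rule keeps
# working after the office IP changes. Run it from cron, e.g. every 5 minutes.
#
# One-time setup (as root), assumed to be in place already:
#   ipset create office hash:ip
#   iptables -A INPUT -p tcp --dport 22 -m set --match-set office src -j ACCEPT

NAME="${1:-mycompany.dyndns.org}"        # DynDNS name from the thread
SET="${2:-office}"                       # ipset name (assumption)
STATE="/var/lib/dyndns-allow/${SET}.ip"  # last address installed (assumption)

# Accept only a dotted-quad IPv4 address. Anything else (empty answer, a CNAME
# target, garbage from a broken resolver) must not end up in the allow-list.
valid_ipv4() {
    addr=$1
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Resolve NAME to its first IPv4 address via the system resolver (glibc getent).
# Prints nothing if the name does not resolve.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Emit the ipset commands that move the allow-list from OLD to NEW.
# Kept separate from execution so the logic can be dry-run without root.
sync_commands() {
    set_name=$1; old=$2; new=$3
    [ "$old" = "$new" ] && return 0        # nothing changed: touch nothing
    printf 'ipset add %s %s -exist\n' "$set_name" "$new"
    [ -n "$old" ] && printf 'ipset del %s %s -exist\n' "$set_name" "$old"
    return 0
}

main() {
    new=$(resolve_ipv4 "$NAME")
    if ! valid_ipv4 "$new"; then
        # Fail safe on the update: keep the previous, known-good address rather
        # than emptying the set (locks you out) or adding junk to it.
        echo "$NAME did not resolve to an IPv4 address; leaving set $SET unchanged" >&2
        exit 1
    fi
    old=""
    [ -r "$STATE" ] && old=$(cat "$STATE")
    sync_commands "$SET" "$old" "$new" | sh -e
    mkdir -p "$(dirname "$STATE")"
    printf '%s\n' "$new" > "$STATE"
}

# Run only when invoked with arguments, so the functions can be sourced/tested.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

    Because the set is updated in place, the INPUT rule never has to be reloaded and there is no window where the rule references a stale or unresolvable name; the new address is added before the old one is removed, so a session in progress is not cut. Check what is currently allowed with `ipset list office`, and keep a static address (another cloud node, per Roy's advice below) in the set as well so a DNS failure at the office does not lock everyone out.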

  7. #7
    Join Date
    Nov 2006
    Location
    Belgium
    Beans
    3,008
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: iptables allow ports to a specific ip or domain name

    If you want rules with hostnames to work, you also have to allow DNS, so the names can be resolved to addresses.

  8. #8
    Join Date
    Apr 2005
    Location
    Singapore
    Beans
    51
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: iptables allow ports to a specific ip or domain name

    A better solution would be to:
    1. add to /etc/hosts.allow
    Code:
    sshd: mycompany.dyndns.org
    2. add to /etc/hosts.deny
    Code:
    sshd: ALL
    It would be slow because of the lookups, but should work fine.
    I would also suggest adding entries to /etc/hosts.allow that allow SSH from all the other static-IP hosts.
    This gives you a "backdoor" to access one cloud node from another node in case one of them has a bad DNS cache for your DynDNS name.
    Roy Lee
    ConceptLane Pte Ltd
    Hosting, VPS, Colo, Dedi, Web Apps

  9. #9
    Join Date
    Nov 2007
    Location
    Newry, Northern Ireland
    Beans
    1,258

    Re: iptables allow ports to a specific ip or domain name

    You could also look at placing the cloud instances on a VPN, and using their VPN address for SSH access and denying all ssh on the eth0 interface. You can even filter SSH to only be allowed from the VPN IP address you will be working from, which you can set as static also. No messing about with DNS or DynDNS URLs then.
    Can't think of anything profound or witty.
    My Blog: http://gonzothegeek.blogspot.co.uk/

  10. #10
    Join Date
    Feb 2010
    Location
    California
    Beans
    244
    Distro
    Ubuntu 8.10 Intrepid Ibex

    Re: iptables allow ports to a specific ip or domain name

    Thyagaraj-

    Try at least these settings. Some of the other replies are good as well.

    The bottom two are what you are interested in.


    The first one allows a hostname, the second one allows a network, like the public IP range
    of your office or small business (assuming you have a need for "that many" public IPs).

    #-------------------------------------------------------------------
    # iptables-restore format; the *filter and COMMIT lines make it loadable as-is
    *filter
    :FORWARD DROP [0:0]
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    # Loopback (all protocols, not just TCP: local UDP and ICMP need this too)
    -A INPUT -i lo -j ACCEPT

    # in and out if established eth0
    -A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT

    # 22 incoming eth0 allowed hostname
    # The name is resolved once, when this file is loaded; the rule keeps that
    # address until the ruleset is reloaded, and loading fails if the name does
    # not resolve at that moment
    -A INPUT -p tcp -m tcp -m multiport -s example.dyndns.com -i eth0 --dports 22 -j ACCEPT


    # 22 incoming eth0 allowed network 7.7.7.xxx
    # --dports, not --ports: --ports also matches packets whose *source* port
    # is 22, which would let anyone in simply by connecting from port 22
    -A INPUT -p tcp -m tcp -m multiport -s 7.7.7.0/24 -i eth0 --dports 22 -j ACCEPT
    COMMIT
    Last edited by kevinthecomputerguy; July 27th, 2010 at 09:37 PM.
