Firewall source address filtering
Source address filtering
You can restrict access to a particular service to a limited set of source networks or IP addresses.
Single port filter
# $IPTABLES holds the path to the iptables binary, e.g. IPTABLES=/sbin/iptables
# Only allow the company's offices to access our Tomcat.
# Rules are appended (-A), so every ACCEPT must come before the final DROP.
$IPTABLES -A INPUT -p tcp --dport 8088 -s 192.168.1.0/24 -j ACCEPT # Sweden LAN
$IPTABLES -A INPUT -p tcp --dport 8088 -s 90.83.80.64/27 -j ACCEPT # FR remote
$IPTABLES -A INPUT -p tcp --dport 8088 -s 90.83.80.123/27 -j ACCEPT # FR remote (host bits are masked: iptables matches 90.83.80.96/27)
$IPTABLES -A INPUT -p tcp --dport 8088 -s 77.68.140.115/24 -j ACCEPT # DK remote (host bits are masked: iptables matches 77.68.140.0/24)
$IPTABLES -A INPUT -p tcp --dport 8088 -s 0.0.0.0/0 -j DROP # DROP all the rest!
Don't forget to drop all the rest at the end!
Multiple ports filter: using for loop
This is a more advanced version. A for loop generates the set of rules for each allowed source IP, so the same ports are opened for every entry in the list.
ALLOWED_REMOTE_IPS=(
    195.101.122.64/27 # French office
    193.12.118.194 # Sweden codriver.vehco.com
    193.12.118.196 # Sweden code.vehco.com
    91.121.17.114 # French RTD preprod [VPN]
)
# enable access to services (HTTP, HTTPS, Tomcat) for each allowed source
for src in "${ALLOWED_REMOTE_IPS[@]}"
do
    $IPTABLES -A INPUT -p tcp --dport 80 -s "$src" -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 443 -s "$src" -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 8080 -s "$src" -j ACCEPT
done
# disable for everyone else (these DROP rules must stay after the ACCEPT rules)
$IPTABLES -A INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport 80 -j DROP
$IPTABLES -A INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport 443 -j DROP
$IPTABLES -A INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport 8080 -j DROP
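The loop above generalised into a small script, as an added example that is not code from the original page: it takes one list of sources and one list of ports, emits every ACCEPT before the trailing DROP, and warns about list entries whose host bits are set, since iptables masks those silently. It assumes a POSIX sh and defaults IPTABLES to "echo iptables" so that the rules are printed rather than applied; the source and port lists are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): generate the per-source ACCEPT
# rules and the trailing DROP from one list of sources and one list of ports,
# and warn about entries whose host bits are set, because iptables silently
# masks them (77.68.140.115/24 is applied as 77.68.140.0/24).
# IPTABLES defaults to "echo iptables" so the rules are printed, not applied;
# set IPTABLES=/sbin/iptables and run as root to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

# Print "a.b.c.d/len" with the host bits cleared; a bare address gets /32.
cidr_network() {
    ip=${1%/*}
    len=${1#*/}
    if [ "$len" = "$1" ]; then len=32; fi
    a=${ip%%.*}; rest=${ip#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    n=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    net=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( net >> 24 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$len"
}

# Usage: build_rules "<space-separated sources>" "<space-separated ports>"
# Emits one ACCEPT per (source, port) pair, then one DROP per port, so the
# final deny always lands after every allow no matter how long the lists are.
build_rules() {
    for src in $1; do
        net=$(cidr_network "$src")
        if [ "$net" != "$src" ] && [ "$net" != "$src/32" ]; then
            echo "warning: $src has host bits set; iptables will match $net" >&2
        fi
        for port in $2; do
            $IPTABLES -A INPUT -p tcp --dport "$port" -s "$src" -j ACCEPT
        done
    done
    for port in $2; do
        $IPTABLES -A INPUT -p tcp --dport "$port" -j DROP
    done
}

# Constructed sample lists, not real office addresses.
ALLOWED_SOURCES="192.168.1.0/24 90.83.80.123/27 10.9.8.7"
SERVICE_PORTS="80 443 8080"
build_rules "$ALLOWED_SOURCES" "$SERVICE_PORTS"
```

Run it once with the default IPTABLES to review the generated rule order and any host-bit warnings before pointing IPTABLES at the real binary.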
Block an IP address or network
Block IP
To block a specific IP address:
$IPTABLES -A INPUT -s 192.168.6.66/32 -j DROP
Block network
To block a whole network:
$IPTABLES -A INPUT -s 10.66.6.0/24 -j DROP