APF and iptables on router - disallow SSH on specific subnet host - linux

I have a CentOS router with APF installed.
1 terminal with 3 NICs (3 IPs) is using that router as a gateway to access the internet.
What I want is for APF to block SSH access on 2 of the 3 NICs (IPs),
so SSH is only accessible from one specific IP and not all three.
How can I achieve that directly on the router with APF or iptables?

Edit iptables to allow SSH connections from IP 111.222.222.222 and deny from all others.
vi /etc/sysconfig/iptables
Add
-A INPUT -p tcp -m tcp -s 111.222.222.222 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport 22 -j DROP

Related

How to restrict access to my subversion server (i.e. svnserve) by IP address, so only my IP can checkout, commit, etc.?

I'm using Ubuntu and I have my subversion server running as you can see below:
root 31422 1 0 06:45 ? 00:00:00 /usr/bin/svnserve -d -r /var/svn/repos --log-file=/var/log/svnserve.log
I want to whitelist my subversion server, in other words, I want to allow only my IP address to checkout, commit, log, etc. Does svnserve support that?
NOTE: I'm not using Apache to access my subversion.
svnserve listens on TCP port 3690 by default, so you can use any firewalling solution to restrict access to this port. For example with iptables:
# Let the internal network access it
iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 3690 -j ACCEPT
# Let a specific external IP access it
iptables -A INPUT -s 1.1.1.1 -p tcp --dport 3690 -j ACCEPT
# Drop all the rest
iptables -A INPUT -p tcp --dport 3690 -j DROP
It would, however, be better security-wise to switch to Apache + dav_svn, as you get SSL encryption and user authentication, and it's not too complicated to set up: http://svnbook.red-bean.com/en/1.7/svn.serverconfig.httpd.html
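The SSH answer above and this svnserve answer use the same allow-one-source-then-drop pattern, and both silently fail if the chain already holds a broader ACCEPT for the port before the appended rules. The script below is an added example (mine, not code from either answer): it generates the rule pair for any port and source list, and checks `iptables -S INPUT` output by simulating first-match evaluation for a NEW TCP packet. Function names are assumptions of mine, and 203.0.113.99 is a constructed "anyone else" source.

```shell
#!/bin/sh
# Added example, not code from either answer: generate the rules that admit a
# TCP port only from listed sources (SSH on 22, svnserve on 3690) and verify,
# from `iptables -S INPUT` output, that they take effect. Appending with -A to
# a chain that already ACCEPTs the port leaves it open, which is why we check.
# Function names are mine; 203.0.113.99 is a constructed "anyone else" source.

# restrict_port PORT SRC [SRC...] -> rules on stdout, ACCEPTs before the DROP.
restrict_port() {
    port="$1"; shift
    for src in "$@"; do
        echo "-A INPUT -p tcp -m tcp -s $src --dport $port -j ACCEPT"
    done
    echo "-A INPUT -p tcp -m tcp --dport $port -j DROP"
}

# first_match PORT SRC < rules -> target of the first INPUT rule matching a
# NEW TCP packet from SRC to PORT (ACCEPT/DROP/REJECT), or NONE. Limitation:
# a -s value matches only if identical to SRC, SRC/32 or 0.0.0.0/0; CIDR
# containment and '!' negation are not evaluated.
first_match() {
    awk -v port="$1" -v src="$2" '
    $1 == "-A" && $2 == "INPUT" {
        s = ""; dport = ""; target = ""; proto = ""; state = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") s = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
        }
        if (proto != "" && proto != "tcp" && proto != "all") next
        if (dport != "" && dport != port) next
        if (state != "" && state !~ /NEW/) next
        if (s != "" && s != src && s != (src "/32") && s != "0.0.0.0/0") next
        if (target == "ACCEPT" || target == "DROP" || target == "REJECT") {
            print target; found = 1; exit
        }
    }
    END { if (!found) print "NONE" }'
}

# port_is_restricted PORT SRC < rules: true only if SRC is accepted and an
# unrelated source is dropped, i.e. the allow/deny pair is not shadowed.
port_is_restricted() {
    rules=$(cat)
    [ "$(printf '%s\n' "$rules" | first_match "$1" "$2")" = ACCEPT ] &&
    [ "$(printf '%s\n' "$rules" | first_match "$1" 203.0.113.99)" = DROP ]
}
```

Run `iptables -S INPUT | port_is_restricted 22 111.222.222.222` after loading the rules; a non-zero exit means some earlier rule still lets other sources through.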

How can I restrict ports 80 and 443 on xenservers to a single source?

I would like to restrict port 80 and 443 of ovh servers to a single ip. I have tried adding iptables rules and tried messing about with hosts.allow and hosts.deny, but nothing seems to work.
They should work, but you are probably doing something wrong. It would be better to show us how you tried it so we can see whether it's wrong or not. Your question is kind of generic ("ovh servers"); I suppose you are referring to one OVH server and not all of them.
iptables -A INPUT -p all -s your_ip -j ACCEPT
iptables -A INPUT -s ip_address -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s ip_address -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
your_ip is the IP address you are connecting to the server from via SSH
ip_address is the IP address you want to allow on ports 80 and 443
Give it a try! Sorry for any wrong typos, I'm writing from my phone

iptables port forwarding - nothing returned

I'm stumped.
This is how my iptables are configured on Debian 7.
sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8090 -j ACCEPT
-A FORWARD -d 127.0.0.1/32 -i eth0 -p tcp -m state --state NEW -m tcp --dport 8090 -j ACCEPT
-A FORWARD -d 10.1.130.5/32 -i eth0 -p tcp -m state --state NEW -m tcp --dport 8090 -j ACCEPT
Basically forwarding port 80 to port 8090.
I also have an instance of Apache Tomcat running and listening on port 8090. e.g.
sudo lsof -i :8090
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 15081 user1 36u IPv6 164737 0t0 TCP *:8090 (LISTEN)
However, whenever I try to connect via a browser nothing gets returned. It's the same using wget, e.g.
wget www.test.com/confluence
--2016-04-22 16:59:22-- http://www.test.com/confluence
Resolving www.test.com... 10.1.130.5
Connecting to www.test.com|10.1.130.5|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /bootstrap/selectsetupstep.action [following]
--2016-04-22 16:59:22-- http://se- www.test.com/bootstrap/selectsetupstep.action
Reusing existing connection to www.test.com:80.
HTTP request sent, awaiting response...
There is nothing in your ruleset that actually forwards ports. You have INPUT rules, which will accept or reject packets destined for the local host, and you have FORWARD rules, which will accept or reject packets transiting the machine to another address, but you don't have anything that actually changes the target port of a connection.
If you actually want to change some aspect of a connection, this falls into the broad category of "network address translation" (NAT), which is carried out in the nat table, rather than the default filter table.
Possibly you need a REDIRECT rule in your nat table:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 \
-j REDIRECT --to-ports 8090
Note that a REDIRECT rule will only operate on traffic that does not originate on the local host. You will need to test this from another host on the network (or from inside a container or a vm).
Alternatively, you could accomplish something similar using proxy software such as haproxy.
Some additional reading:
http://www.cyberciti.biz/faq/linux-port-redirection-with-iptables/
https://serverfault.com/questions/179200/difference-beetween-dnat-and-redirect-in-iptables
https://wiki.debian.org/Firewalls-local-port-redirection
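As an added example (mine, not the answerer's code) of the two points above: REDIRECT lives in the nat table, and a PREROUTING rule never sees connections made on the box itself. The script emits the rules for an eth0 80-to-8090 redirect, including the nat OUTPUT rule for local testing and the INPUT rule on the post-redirect port, and checks an `iptables-save` dump for a nat-table redirect. The interface, port numbers and function names are assumptions of mine.

```shell
#!/bin/sh
# Added example (mine, not from the answer): emit the nat-table rules that send
# port 80 to 8090 and check an `iptables-save` dump for the missing piece. The
# poster's dump has only filter rules, so a browser hits an unredirected :80.
# Assumed names: IFACE eth0, ports 80 -> 8090.

# redirect_rules IFACE FROM TO -> the commands to run, one per line.
# PREROUTING handles traffic from other hosts; the nat OUTPUT rule covers
# connections made on the box itself (wget on localhost), which REDIRECT in
# PREROUTING never sees. After redirection INPUT sees dport TO, not FROM.
redirect_rules() {
    iface="$1"; from="$2"; to="$3"
    echo "iptables -t nat -A PREROUTING -i $iface -p tcp --dport $from -j REDIRECT --to-ports $to"
    echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $from -j REDIRECT --to-ports $to"
    echo "iptables -A INPUT -i $iface -p tcp --dport $to -j ACCEPT"
}

# nat_redirect_for PORT < iptables-save-dump -> prints the PREROUTING rule(s)
# in the *nat table that REDIRECT or DNAT tcp/PORT; exit 1 if none exist.
# Rules outside the *nat ... COMMIT section are ignored, since REDIRECT only
# works there (filter-table rules never rewrite ports).
nat_redirect_for() {
    awk -v port="$1" '
    /^\*/          { table = substr($1, 2); next }
    /^COMMIT/      { table = ""; next }
    table == "nat" && $1 == "-A" && $2 == "PREROUTING" {
        hit = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "--dport" && $(i + 1) == port) hit++
            if ($i == "-j" && ($(i + 1) == "REDIRECT" || $(i + 1) == "DNAT")) hit++
        }
        if (hit == 2) { print; found = 1 }
    }
    END { exit !found }'
}
```

`iptables-save | nat_redirect_for 80` exits 1 on the poster's ruleset, which is exactly the "nothing returned" symptom; after `redirect_rules eth0 80 8090 | sh` it prints the matching PREROUTING rule.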

linux PPTP server relay

I want to create a VPS that has both a PPTP server and client, and this VPS is used as a relay.
There are two servers: VPS1 and VPS2, both with PPTPD installed, and VPS1 also has the pptp client installed.
I want to have this:
user ---- PPTP ----> VPS1 ----- PPTP ----> VPS2
The user connects to VPS1, and all the network traffic is routed to VPS2.
I'm doing this because it is hard for the user to connect to VPS2 directly; a middle server is needed to work as a relay.
How can I configure iptables to make it work? Thanks.
Strange usage of PPTP. Your ISP must be Shanghai, China Telecom.
If you route all the network traffic on VPS1 to VPS2, you have to know the IP address of the user and set up an exception, or the user will never receive the reply packets.
Maybe you can use iptables to enable DNAT: make VPS1 a router and VPS2 the internal PPTP server.
First of all, you should check whether the kernel modules ip_nat_pptp and ip_conntrack_pptp are loaded. PPTP uses TCP port 1723 to transmit control commands and GRE to transfer data. Because GRE has no ports, the server has to use the Call ID to track the endpoints and implement NAT. This is called PPTP passthrough.
# lsmod | grep pptp
If they are not loaded, load them:
# modprobe ip_nat_pptp
# modprobe ip_conntrack_pptp
Then you need to enable IPv4 forwarding:
# sysctl -w net.ipv4.ip_forward=1
Now you can create iptables rules to accept the incoming and forwarded requests:
# iptables -A INPUT -d $VPS1_IP_ADDR -p tcp --dport 1723 -j ACCEPT
# iptables -A INPUT -d $VPS1_IP_ADDR -p gre -j ACCEPT
# iptables -A FORWARD -d $VPS2_IP_ADDR -p tcp --dport 1723 -j ACCEPT
# iptables -A FORWARD -d $VPS2_IP_ADDR -p gre -j ACCEPT
Finally, set up the DNAT rules:
# iptables -t nat -A PREROUTING -d $VPS1_IP_ADDR -p tcp --dport 1723 -j DNAT --to-destination $VPS2_IP_ADDR
# iptables -t nat -A POSTROUTING -d $VPS2_IP_ADDR -p tcp --dport 1723 -j MASQUERADE
You can now connect to VPS1 with the username/password of the pptpd on VPS2.
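The steps above are a procedure with two preconditions (helper modules loaded, forwarding on) before the rules are worth applying. As an added example, not the answerer's code, this script checks both against lsmod-style output and a sysctl value, then prints the relay rules in the nat table they require; it also adds the explicit helper assignment that kernels since 4.7 need, because automatic conntrack helper assignment is off by default there. The function names, the module names nf_conntrack_pptp/nf_nat_pptp (current names for the ip_* modules in the answer) and the VPS addresses are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the answer: a preflight check for the PPTP relay.
# It reads `lsmod`-style output and the ip_forward value passed in as text so
# it can be run against a captured dump, then prints the DNAT/MASQUERADE
# rules with the -t nat table they require. Newer kernels name the modules
# nf_conntrack_pptp and nf_nat_pptp; the ip_* names are the legacy ones.
# Assumed: VPS1_IP and VPS2_IP are supplied by the caller.

# pptp_modules_loaded < lsmod-output -> 0 if both a conntrack and a nat PPTP
# helper module is listed, else prints what is missing and returns 1.
pptp_modules_loaded() {
    awk '
    $1 == "nf_conntrack_pptp" || $1 == "ip_conntrack_pptp" { ct = 1 }
    $1 == "nf_nat_pptp"       || $1 == "ip_nat_pptp"       { nat = 1 }
    END {
        if (!ct)  print "missing: nf_conntrack_pptp (or ip_conntrack_pptp)"
        if (!nat) print "missing: nf_nat_pptp (or ip_nat_pptp)"
        exit !(ct && nat)
    }'
}

# pptp_relay_rules VPS1_IP VPS2_IP -> the commands to run on VPS1.
# The control channel (tcp/1723) is DNATed; the conntrack helper then NATs
# the GRE call that belongs to it, which is why no explicit GRE DNAT appears.
# Kernels >= 4.7 no longer attach helpers automatically, hence the CT rule.
pptp_relay_rules() {
    vps1="$1"; vps2="$2"
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -A INPUT -d $vps1 -p tcp --dport 1723 -j ACCEPT"
    echo "iptables -A INPUT -d $vps1 -p gre -j ACCEPT"
    echo "iptables -A FORWARD -d $vps2 -p tcp --dport 1723 -j ACCEPT"
    echo "iptables -A FORWARD -d $vps2 -p gre -j ACCEPT"
    echo "iptables -t raw -A PREROUTING -p tcp --dport 1723 -j CT --helper pptp"
    echo "iptables -t nat -A PREROUTING -d $vps1 -p tcp --dport 1723 -j DNAT --to-destination $vps2"
    echo "iptables -t nat -A POSTROUTING -d $vps2 -p tcp --dport 1723 -j MASQUERADE"
}

# relay_preflight VPS1_IP VPS2_IP IP_FORWARD_VALUE < lsmod-output
relay_preflight() {
    pptp_modules_loaded || return 1
    [ "$3" = "1" ] || { echo "net.ipv4.ip_forward is $3, need 1"; return 1; }
    pptp_relay_rules "$1" "$2"
}
```

On the relay itself: `lsmod | relay_preflight "$VPS1_IP_ADDR" "$VPS2_IP_ADDR" "$(sysctl -n net.ipv4.ip_forward)"` prints the rules only when both preconditions hold.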

Is it necessary to open all used ports when using one Node.JS application to route from port 80 to apps on different ones?

I'm working with an Ubuntu 12.04 LTS, 64-bit server where I have used the following commands to send all HTTP requests on port 80 to port 8080.
Commands:
cat /proc/sys/net/ipv4/ip_forward #returns 1
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
From there I wanted to proxy the requests based on (sub)domain to some other ports (i.e. 9000, 3000, 9615) using http-master. I'm having some problems getting this done and had it right once on a VPS on Amazon AWS where those ports were opened.
So what I'm asking is whether it's necessary to open every port, and how I can do that on the command line?
After some further research and experimentation I concluded that it's only necessary to open the ports that we use as entry points. If we then route them with a proxy or even with a NAT configuration to another port, the latter is used only to "listen".
