Solved

How do I allow traffic only from a certain IP range and only allow access to the site through that range?

Posted on 2008-10-03
14
665 Views
Last Modified: 2013-11-16
I have a Linux CentOS server where I only want to allow traffic through from a DDoS protection server, yet I still need to allow access to the site from all IP addresses, so I cannot use IP Block.
Is there a software firewall/NAT product I can install on the server to do this? And how would I go about setting it up to allow traffic from only the IP range that I need?
Question by:leevee1606
14 Comments
 
LVL 4

Expert Comment

by:jozef_mares
ID: 22639951
I am not sure if I understand the question correctly:
you have a DDoS protection server
you have a CentOS Linux server

You want connections only from the DDoS protection server. If so, check iptables, which is the Linux kernel software firewall/packet filter/NAT.
 

Author Comment

by:leevee1606
ID: 22639993
ok - where exactly do I find the iptables file, and how do I set up iptables? I have never set up iptables before. I have SSH access to the server.
 
LVL 4

Expert Comment

by:jozef_mares
ID: 22640006
iptables is a binary. SSH to the CentOS server, su to root and run iptables -L.
You will see the rules. Post back.
 
LVL 4

Accepted Solution

by:
jozef_mares earned 500 total points
ID: 22640009
Oh, and I forgot. Rule to allow access to the server:

iptables -P INPUT DROP # drop everything
iptables -A INPUT -s 192.168.1.10 -j ACCEPT # allow connection from 192.168.1.10

Think before you type, because you can block yourself out of the machine.

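The two commands in the accepted answer are correct but, typed in that order, the DROP policy lands before any ACCEPT rule and the operator's own SSH session is cut off, which is exactly the lock-out the expert warns about. The script below is an added example, not code from this thread: it builds the same kind of INPUT policy for the protection service's address ranges, but keeps loopback, already-established connections and one admin SSH source open and sets the default DROP only after every ACCEPT is in place. The admin address 203.0.113.5 and the `build_rules` / `apply_rules` function names are my own constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): restrict INPUT to the DDoS-protection
# provider's source ranges without locking the administrator out.
# Usage: build_rules ADMIN_SRC RANGE [RANGE...]   (prints the commands)
#        apply_rules ADMIN_SRC RANGE [RANGE...]   (runs them as root)
# ADMIN_SRC 203.0.113.5 used in the examples is a constructed placeholder.

# Emit the rules in the order they must be applied: every ACCEPT first,
# the DROP policy last, so a run that stops half-way never cuts off the
# SSH session it is being typed into.
build_rules() {
    admin_src="$1"; shift          # address you administer the box from
    # remaining arguments: allowed source ranges of the protection service
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -s $admin_src -j ACCEPT"
    for range in "$@"; do
        # only the web ports are opened to the provider; nothing else
        echo "iptables -A INPUT -p tcp -m multiport --dports 80,443 -s $range -j ACCEPT"
    done
    echo "iptables -P INPUT DROP"
}

# Feed the generated commands to a shell; must run as root.
apply_rules() {
    build_rules "$@" | sh
}

# Dry run from the command line: print what would be applied, change nothing.
#   sh thisscript.sh --dry-run 203.0.113.5 209.200.128.0/27 41.247.214.238
if [ "${1:-}" = "--dry-run" ]; then
    shift
    build_rules "$@"
fi
```

Review the dry-run output before calling `apply_rules`, and remember that rules applied this way live only in the running kernel; on CentOS they survive a reboot only after `service iptables save`. The `-P INPUT DROP` line is deliberately last so that, if you are connected over SSH from `ADMIN_SRC`, the session stays up after the policy flips.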
 

Author Comment

by:leevee1606
ID: 22640057
Seems to work the same as IP Block in cPanel?
The minute I use iptables -P INPUT DROP # drop everything, there is no access to the site, even though I have enabled access using the correct IPs in iptables -A INPUT -s 192.168.1.10 -j ACCEPT # allow connection from 192.168.1.10
I need to allow only traffic from the external DDoS server, but still allow access to the site from all IP addresses, i.e. it mustn't work like an IP block.
Does that make sense?

 

Author Comment

by:leevee1606
ID: 22640064
iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination

ACCEPT     all  --  41.247.214.238       anywhere

ACCEPT     all  --  209.200.128.0/27     anywhere
 
LVL 4

Expert Comment

by:jozef_mares
ID: 22640076
Well, that does not make sense to me. You have to choose whether you want access from all hosts in the network or from a few. You can't have access disabled and enabled at the same time.
 

Author Comment

by:leevee1606
ID: 22640087
ok - sure - sorry, I was a bit confusing there! :)
Haven't had my cup of coffee this morning yet!
I need to allow access only from the external server, and then everyone else connects to the site only through that external server.
The problem is that when I allow access only from the external server, it blocks everyone, even when they connect through the external server, as if it is looking at their IP as the access IP.
 
LVL 4

Expert Comment

by:jozef_mares
ID: 22640124
Oh, then the problem looks like the packet filter is checking the source IP, which is different from the external server's.
The simplest solution is to forward addresses or ports from the external server to the CentOS site. This should be set up on the external server. On the CentOS server, then set up proper blocking, and every request will go through the external server.
 

Author Comment

by:leevee1606
ID: 22640151
ok - makes sense - the only problem I have there is that I cannot do anything on the external server, as it is owned by someone else, and they operate it as a service.
The only other thing I can do, I guess, is set up packet filtering? (which I don't know how to do)
Or stop the packet filter from checking the source IP???
 
LVL 4

Expert Comment

by:jozef_mares
ID: 22640165
Well, it depends on how the requests are processed from the external server to your internal network. If they just forward requests to your internal server, then you can enable the packet filter and allow connections only from that external server.
But the problem is that I do not know anything about the requests and the network.
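The question the expert cannot answer from here, whether end users actually reach the origin through the protection service or still hit it directly, can be settled from the web server's own access log: a packet filter and the log both see the peer address of the TCP connection, so proxied requests show up with the provider's addresses and direct ones with the visitors' own. The script below is an added example, not code from the thread, that counts how many logged requests came from inside a given set of allowed ranges. The log lines are constructed sample data in Apache combined format; the allowed ranges in the test are the two addresses shown in the asker's `iptables -L` output; 198.51.100.23 is a constructed "direct visitor" address.

```shell
#!/bin/sh
# Added example (not from the thread): classify access-log source addresses
# as inside or outside a set of CIDR ranges, to see whether traffic is really
# arriving via the protection service before restricting INPUT to it.
# Usage: classify_sources "cidr1 cidr2 ..." < access_log

classify_sources() {
    awk -v cidrs="$1" '
    # dotted quad -> 32-bit integer
    function ip2int(ip,  o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # true when ip lies in cidr; a bare address counts as /32
    function in_cidr(ip, cidr,  p, bits, div) {
        split(cidr, p, "/")
        bits = (p[2] == "" ? 32 : p[2] + 0)
        div = 2 ^ (32 - bits)
        return int(ip2int(ip) / div) == int(ip2int(p[1]) / div)
    }
    BEGIN { n = split(cidrs, list, " ") }
    {
        # field 1 of a combined-format line is the peer address, i.e. the
        # same address iptables matches with -s
        hit = 0
        for (i = 1; i <= n; i++) if (in_cidr($1, list[i])) { hit = 1; break }
        if (hit) inside++; else outside++
    }
    END { printf "inside %d outside %d\n", inside + 0, outside + 0 }'
}

# Constructed sample log: two proxied requests, one direct visitor, one more
# proxied request from the provider's single-address entry.
sample_log() {
cat <<'EOF'
209.200.128.7 - - [03/Oct/2008:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
209.200.128.9 - - [03/Oct/2008:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Oct/2008:10:00:03 +0000] "GET /admin HTTP/1.1" 403 120 "-" "curl/7.18"
41.247.214.238 - - [03/Oct/2008:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
}

# Run against a real server with:  classify_sources "RANGES" < /var/log/httpd/access_log
sample_log | classify_sources "209.200.128.0/27 41.247.214.238"
```

If the "outside" count is large, visitors are still connecting to the origin directly (for instance because DNS still points at it), and an allow-list of the provider's ranges will cut them off, which is the symptom described earlier in the thread. Once everything is proxied, the firewall can only ever see the provider's addresses; the visitor's own address then exists solely in a header the proxy adds, which is an application-layer matter and not something iptables can match on.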
 

Author Comment

by:leevee1606
ID: 22640166
I have mod_security installed on the server - is there anything I can set up there?
 
LVL 4

Expert Comment

by:jozef_mares
ID: 22640193
mod_security is an Apache module which allows you to protect a web application from common security problems like SQL injection and XSS.
You can configure it, but this strongly depends on the web application. This module checks and modifies web requests. A wrong configuration of mod_security can make applications stop working correctly.

Let's start from the beginning: what do you want to protect, and from what? Then we can hopefully find a better solution.
 

Author Comment

by:leevee1606
ID: 22640205
ok - sounds like I'd better leave mod_security alone - I'll just leave the default settings on that.
I think your first solution with iptables will work best - I will use that, then just ask the owners of the external server to set it up so that they pass through the external requests as coming from their IP.
Thank you for your help.