Friday, 29 July 2016

Messing about with IPTables

I'm NOT a firewall or networking expert, so this is very much YMMV.

I wanted to see if/how I could use the out-of-the-box IPTables firewall to block most connectivity to a web server (IBM HTTP Server) whilst allowing SSH connectivity and, more importantly, allowing incoming requests from 

Flush the existing rules

iptables -F

Add a rule to allow SSH connectivity only from a specific interface and host - actually the host VM

iptables -A INPUT -i eth0 -p tcp -s --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

Add a rule to allow connectivity from a specific interface and host and port - the F5 LTM

iptables -A INPUT -i eth1 -p tcp -s --dport 8443 -m state --state NEW,ESTABLISHED -j ACCEPT

Drop all other traffic from the 192.168.153 subnet

iptables -A INPUT -s -j DROP

Drop all other traffic from the 10.128.10 subnet

iptables -A INPUT -s -j DROP

Save and print the configuration


# Generated by iptables-save v1.4.7 on Fri Jul 29 19:13:26 2016
:OUTPUT ACCEPT [945:348018]
-A INPUT -s -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A INPUT -s -i eth1 -p tcp -m tcp --dport 8443 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A INPUT -s -j DROP 
-A INPUT -s -j DROP 
# Completed on Fri Jul 29 19:13:26 2016
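To see what the four rules above really decide, here's a small first-match simulator of that INPUT chain. It's an added example of mine, not from the original post or the iptables project; the host VM and F5 addresses and the INPUT chain policy are assumed placeholders, since none of them appear above.

```shell
#!/bin/sh
# Added example, not from the original post: a tiny first-match simulator for
# the INPUT chain built above, to reason about which packets it lets through.
# The post's real addresses did not survive; these are constructed placeholders.
HOST_VM="192.168.153.1"      # assumed address of the host VM (SSH source on eth0)
F5_LTM="10.128.10.1"         # assumed address of the F5 LTM (HTTPS source on eth1)
INPUT_POLICY="${INPUT_POLICY:-ACCEPT}"  # assumed: the saved config above never shows it

# Rule table in chain order: iface source proto dport target ('-' = any).
# Conntrack state is ignored here; every packet is treated as NEW.
RULES="eth0 $HOST_VM tcp 22 ACCEPT
eth1 $F5_LTM tcp 8443 ACCEPT
- 192.168.153.0/24 - - DROP
- 10.128.10.0/24 - - DROP"

# src_matches RULE_SRC PKT_SRC: exact address, a /24 prefix, or '-' for any
src_matches() {
  case "$1" in
    -)    return 0 ;;
    */24) [ "${1%.*/24}" = "${2%.*}" ] ;;
    *)    [ "$1" = "$2" ] ;;
  esac
}

# verdict IFACE SRC PROTO DPORT: prints the target of the first matching rule,
# or the chain policy when nothing matches, which is how iptables walks a chain.
verdict() {
  hit=$(printf '%s\n' "$RULES" | while read -r r_if r_src r_proto r_port r_tgt; do
    [ "$r_if" = "-" ]    || [ "$r_if" = "$1" ]    || continue
    src_matches "$r_src" "$2"                      || continue
    [ "$r_proto" = "-" ] || [ "$r_proto" = "$3" ] || continue
    [ "$r_port" = "-" ]  || [ "$r_port" = "$4" ]  || continue
    echo "$r_tgt"; break                           # first match wins
  done)
  echo "${hit:-$INPUT_POLICY}"
}

# The two cases the post tested by hand, plus three it did not.
for pkt in "eth1 $F5_LTM tcp 8443"  "eth1 10.128.10.55 tcp 8443" \
           "eth0 $HOST_VM tcp 22"   "eth1 $HOST_VM tcp 22" \
           "eth0 172.16.0.9 tcp 8443"; do
  set -- $pkt
  printf '%-28s -> %s\n' "$pkt" "$(verdict "$1" "$2" "$3" "$4")"
done
```

Run it with INPUT_POLICY=DROP in the environment to watch the unlisted source (172.16.0.9) flip from ACCEPT to DROP: the four rules only ever drop the two named subnets, so anything else is decided by the chain policy alone.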


I then tested this by: -

(a) ensuring that I could still connect to IHS via the F5 load balancer: -

openssl s_client -connect </dev/null

SSL handshake has read 1065 bytes and written 440 bytes
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit

(b) ensuring that I could NOT connect to IHS directly: -

openssl s_client -connect </dev/null

connect: Operation timed out

Here are my not-so-secret sources: -

