Iptables

How to Whitelist or Block IPs in your Firewall on Linux – iptables, firewalld, ufw

Knowing how to Whitelist and Blacklist IPs in your firewall can be very important when you want to allow or deny connection to your server, based on an IP address. Below we will cover how to allow and deny connections from IPs in IP Tables, Firewalld, and UFW.

IPTables:
Allowing or Denying connections from IPs in IP Tables is quite simple. To accept the connection, or whitelist the IP, you would use the following command (where 1.1.1.1 is the IP you want to allow through the Firewall):

# sudo iptables -A INPUT -s 1.1.1.1 -j ACCEPT

Denying the IP is very similar, just changing ACCEPT to DROP:

# sudo iptables -A INPUT -s 1.1.1.1 -j DROP

You can also change DROP or REJECT if you want your server to respond back to the request with a Rejection instead of just dropping the traffic all together.

Firewalld:
To whitelist IPs on Firewall-CMD, we’ll want to use the –add-source flag. We can whitelist an IP or an IP Subnets via the following commands:

# firewall-cmd --permanent --zone=public --add-source=1.1.1.1

Range:

# firewall-cmd --permanent --zone=public --add-source=1.1.0.0/16

Blocking an IP is a bit difficult, as it requires a more complex command. The command that you would want to use to block traffic from an IP would be:

# firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=1.1.1.1 reject"

Range:

# firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=1.1.0.0/16 reject"

We can also view all of the whitelisted IPs in our zone via:

# firewall-cmd --permanent --zone=public --list-sources

UFW:
Allowing and blocking IPs in UFW is very simple and straight forward. We can allow connections from a specific IP via the following command:

# sudo ufw allow from 22.33.44.55

Blocking and IP is just as simple, with the following command:

# sudo ufw deny from 22.33.44.55

Cloud Server Iptables rejects port 80 CentOS 6.5

I have just intalled apache on a fresh CentOS 6.5 installation. I entered the ip address in the browser address bar, and it failed to connect. I then turned off iptables, and refeshed, and this time I could connect.

So clearly iptables is blocking the http (port 80) traffic. So I looked at the iptables rules:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

It seems confusing as there is a “accept all” rule. I typed this – it explains the devices as well where acept all is on the lo interface. So all eth connections are dropped.:

# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   11   764 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh 
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT 6 packets, 824 bytes)
 pkts bytes target     prot opt in     out     source               destination

Edit iptables to add the rule:


# nano /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Copy the ssh port 22 line and add it right under it, then change the port to 80. This is what it should look like:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Restart iptables

# service iptables save
service iptables restart

Block IP with iptables

Block Incoming Request From IP 1.2.3.4

The following command will drop any packet coming from the IP address 1.2.3.4:


# /sbin/iptables -I INPUT -s {IP-HERE} -j DROP
# /sbin/iptables -I INPUT -s 1.2.3.4 -j DROP

Finally, the last thing we need to do is save our rules so that next time we reboot our computer our rules are automatically reloaded:


# /sbin/service iptables save

Check to see if it is added:

# iptables --list -n | grep 37.233.38.46
DROP       all  --  37.233.38.46         0.0.0.0/0

Other good info to check out:

http://wiki.centos.org/HowTos/Network/IPTables

Stop Spam and http access with IPtables

To stop Spam:

drop SMTP on port 25, 465 and 587 to prevent further spam from being sent out by running the following commands:


# /sbin/iptables -A INPUT -p tcp --dport 25 -j DROP
# /sbin/iptables -A OUTPUT -p tcp --dport 25 -j DROP
# /sbin/iptables -A INPUT -p tcp --dport 465 -j DROP
# /sbin/iptables -A OUTPUT -p tcp --dport 465 -j DROP
# /sbin/iptables -A INPUT -p tcp --dport 587 -j DROP
# /sbin/iptables -A OUTPUT -p tcp --dport 587 -j DROP

Restart:

# service iptables restart

Block an IP accessing the site:

# iptables -A INPUT -s 80.35.xx.xxx -j DROP

Restart:

# service iptables restart

After that – check the cpnael access logs for the domain and see that there is a 403 Error:

# tail -f /usr/local/apache/domlogs/gamedayboston.com

80.82.xx.xx - - [07/Oct/2014:17:13:46 -0400] "POST /xmlrpc.php HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.xx.xx - - [07/Oct/2014:17:13:46 -0400] "POST /xmlrpc.php HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.xx.xx - - [07/Oct/2014:17:13:46 -0400] "POST /xmlrpc.php HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"