Whitelist IP or IP range in/out using iptables

# Flush existing rules
iptables -F

# Set the default policy of the INPUT chain to DROP (a chain policy applies to every interface, not only eth0)
iptables -P INPUT DROP

# Allow existing connections to continue
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept everything from the 192.168.0.x network
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT

# Allow connections from this host to 192.168.1.10
iptables -A OUTPUT -o eth0 -d 192.168.1.10 -j ACCEPT
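As an added example (not part of the original post), the following POSIX sh script builds the same kind of INPUT whitelist from a list of networks. It goes a little beyond the rules above: every entry is validated before it is handed to iptables, loopback traffic is accepted (the rules above do not do this, so local services talking to 127.0.0.1 would be cut off), and the DROP policy is set only after the ACCEPT rules are in place. IPTABLES defaults to "echo iptables", so running the script prints the rules it would apply; set IPTABLES=iptables and run it as root to apply them. The interface name eth0 and the network list at the bottom are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build an INPUT whitelist from a list of
# networks. IPTABLES defaults to "echo iptables" (dry run, prints the rules); set
# IPTABLES=iptables and run as root to apply them. IFACE=eth0 is an assumption.
IPTABLES="${IPTABLES:-echo iptables}"
IFACE="${IFACE:-eth0}"

# valid_cidr ENTRY: succeed only for a dotted-quad IPv4 address with an optional /0-/32
# prefix, so a typo or a shell metacharacter in the list never reaches iptables.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr="${1%%/*}"
    # pull the four octets apart with parameter expansion (no IFS juggling needed)
    o1="${addr%%.*}"; rest="${addr#*.}"
    o2="${rest%%.*}"; rest="${rest#*.}"
    o3="${rest%%.*}"; o4="${rest#*.}"
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# whitelist_rules IFACE NET...: emit the rules. Loopback and established traffic are
# accepted first, then each valid network; the DROP policy is set last so that an
# error midway does not leave the chain closed with no ACCEPT rules in it.
whitelist_rules() {
    iface="$1"
    shift
    $IPTABLES -F INPUT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for net in "$@"; do
        if valid_cidr "$net"; then
            $IPTABLES -A INPUT -i "$iface" -s "$net" -j ACCEPT
        else
            echo "skipping invalid whitelist entry: $net" >&2
        fi
    done
    # -P applies to the whole INPUT chain, on every interface, not just $iface
    $IPTABLES -P INPUT DROP
}

# Constructed network list for the dry run; replace it with your own.
whitelist_rules "$IFACE" 192.168.0.0/24 192.168.1.10
```

Run it once with the default dry-run setting and read the printed rules before applying them; an entry that fails validation is reported on stderr and skipped rather than silently producing a rule that matches nothing (or, worse, more than intended).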

How to block IP address in Linux – Using IPTables Rule

Using iptables rules we can block a single IP address or a block of IP addresses.

The following command (run via ssh) will drop any packet coming from the IP address 1.2.3.4:

# iptables -I INPUT -s 1.2.3.4 -j DROP

or you can append the rule to the end of the chain instead of inserting it at the top:

# iptables -A INPUT -s 1.2.3.4 -j DROP

How To Block Subnet (ip.Add.re.ss/subnet):

If your machine's public interface is named eth1 and you'd like to block the subnet 10.0.0.0/8, use the following syntax:

# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

How to View Blocked IP Address(es):

Simply use the following command:

# iptables -L -v

How to Save Blocked IP Address(es) in IPTables:

# service iptables save
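As an added example (not part of the original post), here is a small POSIX sh helper for the "view blocked addresses" step that reads the rule-spec form printed by "iptables -S INPUT" (one rule per line, which is easier to parse reliably than the table layout of "iptables -L -v") and lists every source the INPUT chain drops. The rule dump embedded in the script is a constructed sample so it runs offline; on a live system pipe the real output into the function as shown in the last comment.

```shell
#!/bin/sh
# Added example, not from the original post: list which sources the INPUT chain drops,
# parsed from the rule-spec form that "iptables -S INPUT" prints (one rule per line).
# The rules below are a constructed sample, not captured from a real host.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 1.2.3.4/32 -j DROP
-A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 22 -j DROP'

# dropped_sources: read rule-specs on stdin and print the -s value of every -A rule
# whose target (-j) is DROP, wherever those options appear on the line.
dropped_sources() {
    awk '
        $1 == "-A" {
            src = ""; target = ""
            for (i = 2; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (target == "DROP" && src != "") print src
        }'
}

# is_dropped ADDR: succeed if ADDR (a host, or a network in CIDR form) appears literally
# as a dropped source on stdin. iptables stores a bare host as /32, so normalize first.
is_dropped() {
    case "$1" in
        */*) want="$1" ;;
        *)   want="$1/32" ;;
    esac
    dropped_sources | grep -qxF -- "$want"
}

# On a live system replace the sample with:  iptables -S INPUT | dropped_sources
printf '%s\n' "$SAMPLE_RULES" | dropped_sources
```

Note that is_dropped only matches the rule's source exactly as written: a host that lies inside a dropped network (say 10.9.8.7 under 10.0.0.0/8) is dropped by the kernel but is not reported by this literal check, so use dropped_sources to read the full list when in doubt.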

ConfigServer installation IPtables problem in OpenVZ or Virtuozzo (solved!)

ConfigServer Firewall (also known as csf) is an essential security tool for Linux-based servers and VPSs.

The installation of csf is straightforward and is described here: http://configserver.com/free/csf/install.txt

However, some of the iptables modules that csf requires might not be present on the server. When the perl test command ( # perl /usr/local/csf/bin/csftest.pl ) is run inside the VPS container while installing csf, the following fatal errors may be encountered:

[root@vps-xyz ~]# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…FAILED [ 4294967295] – Required for csf to function
Testing ipt_multiport/xt_multiport…FAILED [FATAL Error: iptables: Unknown error 4294967295] – Required for csf to function
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…FAILED [FATAL Error: iptables: Unknown error 4294967295] – Required for csf to function
Testing ipt_limit/xt_limit…FAILED [FATAL Error: iptables: Unknown error 4294967295] – Required for csf to function
Testing ipt_recent…FAILED [Error: iptables: Unknown error 4294967295] – Required for PORTFLOOD and PORTKNOCKING features
Testing xt_connlimit…FAILED [Error: iptables: Unknown error 4294967295] – Required for CONNLIMIT feature
Testing ipt_owner/xt_owner…FAILED [Error: iptables: Unknown error 4294967295] – Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT…FAILED [Error: iptables v1.3.5: can’t initialize iptables table `nat’: Table does not exist (do you need to insmod?)] – Required for MESSENGER feature
Testing iptable_nat/ipt_DNAT…FAILED [Error: iptables v1.3.5: can’t initialize iptables table `nat’: Table does not exist (do you need to insmod?)] – Required for csf.redirect feature

SOLUTION:

To resolve the issue you need access to the hardware node (the main server, not the VPS container). If you do not have access to the main server, you can pass this guide on to your VPS provider. The steps are as follows:

1. First, make sure the required iptables modules are made available to the VPS.
Edit the /etc/sysconfig/iptables-config file on the hardware node (main server) and make sure it contains the following:

IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

Edit /etc/sysconfig/vz file:

IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

2. Restart Virtuozzo/OpenVZ:

# service vz restart

3. Execute the following command (assuming your VPS's CTID is 1001):

# vzctl set 1001 --netfilter full --save --setmode restart

4. Now run the perl test command once again inside the VPS container; every test should now pass:

root@vps-xyz [~]# perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

5. Finally restart CSF:

# service csf restart
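As an added example (not part of the original post), the following POSIX sh script checks, before you restart vz, that the IPTABLES= setting in an OpenVZ config file really lists every module from the line given in step 1. It handles a value that wraps over several lines, as in the listing above, and prints any module that is missing. The required module list is the one from step 1; the config file path is passed as an argument, and the file contents used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the IPTABLES= line in an
# OpenVZ config file (normally /etc/sysconfig/vz) lists every module from step 1.
# REQUIRED_MODULES is copied from the post's setting; the file path is passed as $1.
REQUIRED_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

# configured_modules FILE: print the module names from IPTABLES="...", joining a value
# that wraps across several lines (the closing quote may sit on a later line).
configured_modules() {
    awk '
        /^IPTABLES=/ { collecting = 1 }
        collecting {
            buf = buf " " $0
            quotes += gsub(/"/, "\"")      # count the quotes seen so far
            if (quotes >= 2) collecting = 0 # second quote closes the value
        }
        END {
            sub(/^ *IPTABLES=/, "", buf)
            gsub(/"/, "", buf)
            print buf
        }' "$1" | tr -s '[:space:]' ' '
}

# missing_modules FILE: print each required module that FILE does not list,
# matching whole names only (ipt_tos must not satisfy ipt_TOS or ipt_tcpmss).
missing_modules() {
    have=" $(configured_modules "$1") "
    for m in $REQUIRED_MODULES; do
        case "$have" in
            *" $m "*) ;;
            *) echo "$m" ;;
        esac
    done
}

# Usage on the hardware node (prints nothing when every module is present):
#   missing_modules /etc/sysconfig/vz
if [ -n "$1" ]; then
    missing_modules "$1"
fi
```

An empty result means the setting is complete and "service vz restart" can proceed; a non-empty result names exactly the modules to add to the IPTABLES= line, which is quicker than re-running csftest.pl inside the container after every restart.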


How to disable IPtables Firewall in Linux (Red hat/CentOS/Fedora Core)

Disable / Turn off Linux Firewall (Red hat/CentOS/Fedora Core)

Type the following two commands to save the iptables rules first and then stop the service (you must be logged in as root):

# /etc/init.d/iptables save
# /etc/init.d/iptables stop

Turn off firewall on boot

# chkconfig iptables off

Enable / Turn on Linux Firewall (Red hat/CentOS/Fedora Core)

Type the following command to turn on iptables firewall:

# /etc/init.d/iptables start


Turn on firewall on boot:

# chkconfig iptables on