How to block http /https access to specified hosts /network only

It has been quite a long time since I visited my blog. There were two reasons: I got a new office and was struggling to keep up the rhythm with the new environment. Also, certain personal matters at my native place had to be fixed, which needed my physical presence. So I was quite busy with the usual weekend travel and the hurly-burly of office work during the week. Now I want to build a global presence, so I am updating the blog again.

One of my projects had a requirement to open a public web server for internal use for a few weeks, so we had to block public access to this host. This was one of the quick platform requirements.

Here we are using two IP blocks for our internal LAN, 192.20.10.0/24 and 172.10.0.0/24. Note that neither of these is an RFC 1918 private range (those are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), so double-check that the blocks you allow really are your own addresses, and note that the rules below match the second block as 172.10.0.0/16; use whichever mask matches your actual LAN. Here are the rules required to accomplish the requirement.

# Flush the filter table first. This also removes every other rule (for example
# anything protecting SSH), so compare `iptables -S` before and after.
iptables -F
# Allow both LAN blocks to open new connections and to keep existing ones.
# These ACCEPT rules must come before the REJECT rules: the first match wins,
# so inserting the rejects at the top with -I would shadow the LAN accepts.
# (Adjust the /16 to the real size of the 172.10.0.0 LAN.)
iptables -A INPUT -p tcp --dport 80  -s 192.20.10.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 192.20.10.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80  -s 172.10.0.0/16  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 172.10.0.0/16  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Reject every other source on both ports. Omitting -s means "any source";
# "-s 0.0.0.0" without a mask is the single address 0.0.0.0/32 and matches nothing.
iptables -A INPUT -p tcp --dport 80  -j REJECT
iptables -A INPUT -p tcp --dport 443 -j REJECT

How do I test it?

Using a browser to test HTTP/HTTPS availability was not much help, based on my testing. So I added '-m state --state NEW', which will drop all NEW connections and still allow any existing opened connections. So use another network to confirm, or re-open the browser.
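Before testing from another network, it is worth checking the loaded ruleset itself, because the two mistakes that make a ruleset like this silently ineffective (a "-s 0.0.0.0" source that matches nothing, and ACCEPT rules placed after or without NEW so that LAN connections fall through to the reject) are visible in `iptables -S INPUT` output. The following check is an added example written for this page, not code from the original post. It reads `iptables -S INPUT` style lines on stdin and returns 0 only when ports 80 and 443 have a LAN ACCEPT that permits NEW connections and a catch-all REJECT/DROP placed after it. The two rule listings embedded below are constructed samples (the corrected ruleset and the shadowed/0.0.0.0 variant), not output captured from a live host.

```shell
#!/bin/sh
# check_web_rules: verify that ports 80/443 are restricted to listed source
# networks. Reads `iptables -S INPUT` output on stdin; exit 0 = OK, 1 = problem.
check_web_rules() {
  awk '
    /--dport (80|443)( |$)/ {
      match($0, /--dport [0-9]+/)
      port = substr($0, RSTART + 8, RLENGTH - 8)
      # "-s 0.0.0.0" without a mask is stored as 0.0.0.0/32 and never matches
      if ($0 ~ /-s 0\.0\.0\.0\/32( |$)/) {
        print "FAIL line " NR ": -s 0.0.0.0/32 is the single host 0.0.0.0, not any source"
        bad = 1
      }
      if ($0 ~ /-j ACCEPT/) {
        if ($0 !~ /-s /) {
          print "FAIL line " NR ": port " port " is accepted from any source"; bad = 1
        } else if ($0 ~ /--state / && $0 !~ /NEW/) {
          # ESTABLISHED,RELATED alone never lets a LAN client open a connection
          print "FAIL line " NR ": LAN accept for port " port " lacks NEW"; bad = 1
        } else {
          last_accept[port] = NR
        }
      }
      # a REJECT/DROP with no -s is the catch-all for everyone else
      if ($0 ~ /-j (REJECT|DROP)/ && $0 !~ /-s /) {
        if (!(port in catchall)) catchall[port] = NR
      }
    }
    END {
      n = split("80 443", ports, " ")
      for (i = 1; i <= n; i++) {
        p = ports[i]
        if (!(p in last_accept)) { print "FAIL: no usable LAN ACCEPT for port " p; bad = 1 }
        if (!(p in catchall)) {
          print "FAIL: no catch-all REJECT/DROP for port " p; bad = 1
        } else if ((p in last_accept) && last_accept[p] > catchall[p]) {
          # first match wins, so an accept below the catch-all is dead
          print "FAIL: LAN ACCEPT for port " p " (line " last_accept[p] ") is shadowed by line " catchall[p]
          bad = 1
        }
      }
      if (!bad) print "OK: ports 80/443 are restricted to the listed source networks"
      exit (bad ? 1 : 0)
    }
  '
}

# Constructed sample: the corrected ruleset as `iptables -S INPUT` would list it.
GOOD_RULES='-P INPUT ACCEPT
-A INPUT -s 192.20.10.0/24 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.20.10.0/24 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 172.10.0.0/16 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 172.10.0.0/16 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample: rejects inserted with -I and "-s 0.0.0.0", accepts without NEW.
BAD_RULES='-P INPUT ACCEPT
-A INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 443 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 80 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.20.10.0/24 -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.20.10.0/24 -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 172.10.0.0/16 -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 172.10.0.0/16 -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Demo on the samples. On a live host: iptables -S INPUT | check_web_rules
printf '%s\n' "$GOOD_RULES" | check_web_rules && echo "good ruleset passes"
printf '%s\n' "$BAD_RULES"  | check_web_rules || echo "bad ruleset rejected as expected"
```

For the end-to-end check, run `curl -sS --max-time 5 http://<host>/` from a machine outside the listed networks and expect "Connection refused" (the default REJECT answers with an ICMP port-unreachable), then the same from inside the LAN and expect the page. A browser is a poor test tool here because it keeps idle connections open and reuses them for the next page load; those packets are ESTABLISHED, not NEW, so a reload can still succeed for a while after the rules are loaded.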
