How does rule matching in iptables work? - iptables

Hi, I have two rules in my iptables:
Rule 1
destination IP 10.0.0.0/16 block all
Rule 2
destination IP 10.0.0.0/24 allow tcp
So the subnet masks overlap in a certain range.
So if a packet comes in with destination IP 10.0.0.1, is it allowed or denied?

This simply depends on the order of your rules. They are tested from top to bottom. If a rule matches and accepts or declines, then the process is stopped.
So you need to code exceptions first, then more general rules.
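The first-match behaviour described in the answer, as an added example that is not part of the original thread: a small Python evaluator walks a chain top to bottom, the way iptables does, and shows that the two overlapping rules from the question give opposite verdicts for 10.0.0.1 depending only on their order. The rule tuples and chain names are constructed for this illustration.

```python
import ipaddress

# Added example: a first-match chain evaluator in the spirit of iptables.
# Each rule is (destination network, protocol or None for "any", verdict).


def first_match(chain, dst_ip, proto):
    """Walk the chain top to bottom; the first rule whose destination network
    and protocol both match decides the verdict. Returns None when no rule
    matches (iptables would then apply the chain's default policy)."""
    addr = ipaddress.ip_address(dst_ip)
    for net, rule_proto, verdict in chain:
        if addr in ipaddress.ip_network(net) and rule_proto in (None, proto):
            return verdict
    return None


# The two rules from the question, in the order they were written:
#   iptables -A FORWARD -d 10.0.0.0/16 -j DROP
#   iptables -A FORWARD -d 10.0.0.0/24 -p tcp -j ACCEPT   (never reached)
GENERAL_FIRST = [
    ("10.0.0.0/16", None, "DROP"),
    ("10.0.0.0/24", "tcp", "ACCEPT"),
]

# The same rules with the exception placed before the general rule:
#   iptables -A FORWARD -d 10.0.0.0/24 -p tcp -j ACCEPT
#   iptables -A FORWARD -d 10.0.0.0/16 -j DROP
EXCEPTION_FIRST = [
    ("10.0.0.0/24", "tcp", "ACCEPT"),
    ("10.0.0.0/16", None, "DROP"),
]

if __name__ == "__main__":
    for name, chain in (("general first", GENERAL_FIRST),
                        ("exception first", EXCEPTION_FIRST)):
        print(name, "tcp -> 10.0.0.1:", first_match(chain, "10.0.0.1", "tcp"))
        print(name, "udp -> 10.0.0.1:", first_match(chain, "10.0.0.1", "udp"))
        print(name, "tcp -> 10.0.1.1:", first_match(chain, "10.0.1.1", "tcp"))
```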

Related

HAProxy ACL whitelist IPs CIDR notation

I have an HAProxy load balancer and I would like to allow access only to certain IPs. I know how to do this using the regular notation:
acl is_ip_allowed src 173.245.48.1
http-request deny if !is_ip_allowed
But when I use CIDR notation it is not working:
acl is_ip_allowed src 173.245.48.0/20
http-request deny if !is_ip_allowed
This should be possible if I understood the HAProxy documentation correctly:
IPv4 addresses values can be specified either as plain addresses or
with a netmask appended, in which case the IPv4 address matches
whenever it is within the network. Plain addresses may also be
replaced with a resolvable host name, but this practice is generally
discouraged as it makes it more difficult to read and debug
configurations. If hostnames are used, you should at least ensure that
they are present in /etc/hosts so that the configuration does not
depend on any random DNS match at the moment the configuration is
parsed.
But unfortunately, it's not working. Am I missing something?
After consulting with a colleague I found an answer.
http-request deny if !{ src 173.245.48.0/20 }
So, removing the ACL and adding the CIDR range in an IF condition works.

Iptables : How to block (handle) X-Forwarded-For addresses?

(I'm in fact on CentOS behind an AWS ELB, but I don't want this question to be specific to AWS ELB only; it's about the general case.)
I'm working on a CentOS 6.5 box, which is behind a load balancer that only passes the X-Forwarded-For IPs to me. As the web server, I know the bad IPs coming in, and I need to block them from my server itself. (Assuming there is no IPS/IDS/firewall in front to rely on.)
So far, I can't block those bad IPs with my iptables because there's no real IP, only the X-Forwarded-For IPs passed to me. (So what I do is use .htaccess to block, and it works.)
How can I achieve this at the proper firewall level, please?
I'd like to do the same thing. I've got a very long list of IP addresses to block in CIDR format, and converting it to regular expressions to use in a .htaccess file just doesn't seem like the right thing to do. And you know that in terms of processor load, regular expressions in .htaccess aren't even in the same galaxy as the integer bit-fiddling that iptables can do. But I don't believe that it's possible to use iptables for this. Iptables runs in the kernel, and it blocks the incoming IP addresses at a low level, before any header is read.
In my case, I'm only using the load balancer as a convenient way to handle https requests, I don't really need to balance a heavy load across multiple webserver instances. So what I've been considering is running a separate instance with nginx reverse proxy to handle https for my apache webserver, adding the X_FORWARDED headers exactly like the AWS load balancer does. That way I can use iptables on the instance running nginx, and I don't have to touch my apache configuration or webapps that have been running behind the load balancer.
You lose the redundancy of multiple IP addresses for the load balancer itself, as well as integration with AWS CloudFront to balance backend load, but you gain the ability to use iptables and you can offload processing of static content from apache, perhaps improving your response time. Since nginx is said to be much lighter-weight than apache for simple request processing, you shouldn't need much muscle on that instance. I wonder if AWS load balancers are actually just instances running nginx. If you look at the pricing, the hourly cost of a load balancer is roughly the same as a t2.small linux instance.
I haven't tried this yet myself, as nginx configuration is brand new to me, and it would require buying and installing an SSL certificate instead of using the wonderfully simple and convenient certificate manager.
I wonder if AWS would consider user feature-requests to be able to configure load balancers with iptables...
UPDATE: I just posted this in the AWS EC2 forum.
UPDATE 2: My feature request to AWS asking for a feature to configure iptables for the load balancer got answered with an explanation of how to use a network ACL to block requests originating from any CIDR in a list from reaching the load balancer. To me, that's just as good a solution. The OP was looking for a solution not specific to AWS, and this doesn't meet that criterion. If you have this problem with some server that is behind a reverse proxy, it simply isn't possible to use that server's iptables-style firewall to block incoming requests based on the original IP address - the firewall needs to decide whether to block a request long before it reads the headers, which is the only place that the original requesting address can be found. If you're on AWS, you can use a network ACL. Otherwise you'd need to have full control over the server performing the reverse proxy, and put the firewall rules on that server.
Looks like you can do pattern matching with iptables: http://wiztelsys.com/Article_iptables_bob2.html
So you'd have to do something like this, for example:
iptables -I INPUT 1 -p tcp --dport <port> -m string --string "X-Forwarded-For: <ip>" --algo bm -j DROP
"-m": matching type = string
"--string": what string
"--algo bm": Boyer-Moore algorithm for pattern matching
Since you mention .htaccess it sounds like you're using the Apache webserver, so I'd recommend adding these rules there instead of in iptables. The basic way of blocking based on X-Forwarded-For in Apache is this:
RewriteCond %{HTTP:X-FORWARDED-FOR} ^171\.42\.6\.123$
RewriteRule .* - [F,L]
Since the IP address is just a string being matched against then you can specify all sorts of regular expressions in your condition. See this question for an example of doing that.
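The answers above block by X-Forwarded-For either with a byte-string match in iptables or a regular expression in Apache. As an added example (not code from any of the posters), this Python check does the same decision with proper CIDR matching, which is what the first answerer wanted for a long CIDR blocklist. It assumes one trusted proxy (the load balancer) in front of the server, so the rightmost X-Forwarded-For entry is the address the proxy actually saw; earlier entries were supplied by the client and are ignored. The blocklist ranges and headers are constructed samples.

```python
import ipaddress

# Added example: CIDR blocklist applied to the X-Forwarded-For header.
# Constructed sample blocklist using documentation (TEST-NET) ranges.
BLOCKLIST = [ipaddress.ip_network(c)
             for c in ("203.0.113.0/24", "198.51.100.0/25")]


def client_ip_from_xff(xff_header, trusted_proxy_count=1):
    """Return the client address as seen by the nearest trusted proxy.

    Each trusted proxy appends the address of the peer that connected to it,
    so with N trusted proxies the client is the N-th entry from the right.
    Anything left of that was written by untrusted parties. Returns None
    for a missing, short or malformed header."""
    if not xff_header:
        return None
    parts = [p.strip() for p in xff_header.split(",") if p.strip()]
    if len(parts) < trusted_proxy_count:
        return None
    try:
        return ipaddress.ip_address(parts[-trusted_proxy_count])
    except ValueError:
        return None


def is_blocked(xff_header, blocklist=BLOCKLIST, trusted_proxy_count=1):
    """True if the proxy-reported client falls inside any blocked CIDR.
    A missing or malformed header is treated as not blocked here; a stricter
    deployment can refuse such requests instead."""
    ip = client_ip_from_xff(xff_header, trusted_proxy_count)
    if ip is None:
        return False
    return any(ip in net for net in blocklist)


if __name__ == "__main__":
    # Constructed sample headers as the load balancer would forward them.
    for hdr in ("203.0.113.9", "10.0.0.5, 203.0.113.9",
                "203.0.113.9, 10.0.0.5", "198.51.100.200", "", "not-an-ip"):
        print(repr(hdr), "->", "blocked" if is_blocked(hdr) else "allowed")
```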

Blocking access to Joomla, Wordpress, PhpMyAdmin Administrator Pages through iptables

I am trying to write an iptables rule which blocks a specific IP address from accessing the administrative console of Joomla, Wordpress and PhpMyAdmin.
For instance, in the following rule, I block all TCP access to port 8080 (Apache Tomcat):
sudo iptables -A INPUT -p tcp -s 172.24.21.133 --dport 8080 -j DROP
This will block access to the service running on port 8080.
But now, if Joomla, Wordpress and PhpMyAdmin are all running on port 80, is there any additional parameter I can specify to block access to only one service among Joomla, Wordpress or PhpMyAdmin? Or should I assume that if I block access to one service, I will have to compromise on the other two?
iptables does not (to my knowledge) have any module for matching based on the URL inside an HTTP packet. Your better bet would be to use IP-based access control in your webserver configuration. If you are using Apache, you would use rules something like this in an .htaccess file in your Joomla/WordPress/PHPMyAdmin directory:
Order allow,deny
Deny from 172.24.21.133
Allow from all
This will prohibit HTTP access to anything in those directories from that specified IP address. You can also have multiple Deny lines to block multiple IP addresses.

Mac | ipfw adding firewall rule [duplicate]

In my application, I need to configure the firewall such that it blocks all URLs and allows certain URLs.
This is the rule I am writing,
assuming I don't want to block www.google.com and www.facebook.com:
ipfw add 12164 deny tcp from any to any
ipfw add 12156 allow tcp from any to www.google.com
ipfw add 12157 allow tcp from any to www.facebook.com
But it's blocking all connections. What should the firewall rules be for such a scenario?
Using ipfw to filter the traffic isn't a good idea. ipfw only works with IP addresses: when you add a rule with a hostname, the hostname is resolved and the current IP address is used.
Some hostnames can have multiple IP addresses (test the command host www.google.com), or the IP address may change, or the server may return links to resources stored on other addresses.
If you want to filter the website the user can access, you can use parental controls or Managed Client (MCX).
But if you still want to use ipfw, you should accept incoming TCP traffic. Your rules only accept outgoing TCP traffic to www.google.com and www.facebook.com and block any response.
You should write the first rule like this:
ipfw add 12164 deny tcp from any to any out

htaccess - How to restrict access to my home

I have a website on the internet that I only want to be accessible from my house.
Could I have htaccess be restricted to the MAC address of my router? If not, are there any other options?
I don't think I could use IP address because my ISP changes it all the time.
You can't use the MAC because it won't get past the next router. Usually, even if you have a dynamic IP, your ISP gives you a hostname that is fixed, something like customer1337.newyork.bestisp.com. See what it is here, and use that in the htaccess.
Since you cannot use your MAC address or your IP Address, your best solution is to use DNS to maintain a host record. You can use dyndns or freedns to set up a dynamic dns record. Many routers these days actually allow you to configure your router to ping these sites to update your host record.
Suppose on freedns.afraid.org you set it up so that gregmyhome.mooo.com points to your router. Then you can update the htaccess file to allow access from that hostname. Apache will perform a reverse dns lookup upon your visiting the site, and let you in.
I will say, however, that there may be a delay which may cause you to be restricted for some time. This problem may force you to look to other authentication mechanisms, such as digest auth, client certificate, or even ssh tunnelling.
In addition to Bart, you could just use a .htpasswd file and set a username and password for the site, so that only you can login.
You probably could, but that's not what htaccess is for, in my opinion, unless you set up authentication using htaccess. But then your website will be accessible from everywhere that has the password.
iptables can do MAC address filtering though. Why don't you set that up?
So if your router's MAC is xyz,
first set the default policy:
iptables -P INPUT DROP
then specifically allow yours:
iptables -A INPUT -p tcp --destination-port 80 -m mac --mac-source xyz -j ACCEPT