How do I allow only certain IPSet set's to access a certain port with iptables?


Reverse the presumption: allow through those that you want, then deny the rest:

iptables -A INPUT -m set --match-set uk.zone src -p tcp --dport 15765 -j ACCEPT
iptables -A INPUT -m set --match-set th.zone src -p tcp --dport 15765 -j ACCEPT
iptables -A INPUT                                -p tcp --dport 15765 -j DROP

(and similarly for port 16247, or try getting clever with -m multiport). Note that the order is important: the exceptions (ACCEPTs) need to come before the rule (DROP).


Author: James Morrison

Updated on September 18, 2022

Comments

  • James Morrison over 1 year

    I'm using IPSet to build IP ranges for different countries as follows:

    # Canada
    # create the set only if it does not exist yet (-exist), so re-runs do not fail;
    # "nethash" is the old name for the hash:net set type
    ipset -exist create ca.zone hash:net
    # empty the set before refilling it with the current list
    ipset flush ca.zone
    for IP in $(wget -q -O - http://www.ipdeny.com/ipblocks/data/countries/ca.zone)
            do ipset -exist add ca.zone "$IP"
            echo "$IP"
    done
    

    I'm then blocking those countries from certain ports on my server with the following iptables rules:

    iptables -A INPUT -m set --match-set fr.zone src -p tcp --dport 15765 -j DROP
    iptables -A INPUT -m set --match-set cn.zone src -p tcp --dport 15765 -j DROP
    iptables -A INPUT -m set --match-set ca.zone src -p tcp --dport 16247 -j DROP
    iptables -A INPUT -m set --match-set de.zone src -p tcp --dport 16247 -j DROP
    

    This all works well but I want to achieve the opposite of this for some of the ports by only allowing certain IPSet country IP ranges. For example, block all IPs apart from those inside my uk.zone and th.zone sets.

    What iptables rules would I need to achieve this?
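The two pieces above, the per-country set built in the question and the allow-then-drop rule block from the answer, can be generated as `ipset restore` and `iptables-restore` input instead of one `ipset -A` call per prefix. The script below is an added example and is not code from the original question or answer. The set names (uk.zone, th.zone), the ports 15765 and 16247, the `GEO_ALLOW` chain name and the inline sample zone data are assumptions for illustration. It loads the zone list into a temporary set and swaps it in atomically, because with an allowlist an empty set means every client is dropped while the set is being rebuilt, and it puts the ACCEPT exceptions before the catch-all DROP, as the answer requires.

```shell
#!/bin/sh
# Added example (not from the original post). Generates input for
# `ipset restore` and `iptables-restore -n`; set names, ports and the
# GEO_ALLOW chain name are illustrative assumptions.

# zone_to_restore SET FILE
# Emit an `ipset restore` transaction that loads FILE (one CIDR per line)
# into SET.tmp and atomically swaps it in, so the live set is never empty
# while it is rebuilt. Blank and comment lines in the download are skipped.
zone_to_restore() {
    set_name=$1
    zone_file=$2
    tmp_set="${set_name}.tmp"
    printf 'create %s hash:net\n' "$set_name"
    printf 'create %s hash:net\n' "$tmp_set"
    printf 'flush %s\n' "$tmp_set"
    # accept only dotted-quad/prefix lines
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' "$zone_file" |
        while IFS= read -r cidr; do
            printf 'add %s %s\n' "$tmp_set" "$cidr"
        done
    printf 'swap %s %s\n' "$tmp_set" "$set_name"
    printf 'destroy %s\n' "$tmp_set"
}

# gen_allowlist PORTS SET...
# Emit an iptables-restore fragment: TCP traffic to PORTS (comma-separated,
# multiport syntax) is diverted to GEO_ALLOW, which ACCEPTs sources found in
# any listed set and DROPs everything else. Order matters: every ACCEPT
# exception is emitted before the final catch-all DROP.
gen_allowlist() {
    ports=$1
    shift
    printf '*filter\n'
    printf ':GEO_ALLOW - [0:0]\n'
    printf -- '-A INPUT -p tcp -m multiport --dports %s -j GEO_ALLOW\n' "$ports"
    for set_name in "$@"; do
        printf -- '-A GEO_ALLOW -m set --match-set %s src -j ACCEPT\n' "$set_name"
    done
    printf -- '-A GEO_ALLOW -j DROP\n'
    printf 'COMMIT\n'
}

# Constructed sample zone file standing in for a download from ipdeny.com.
sample_zone=$(mktemp)
printf '%s\n' '# constructed sample, not real data' '2.24.0.0/13' '5.64.0.0/13' '' > "$sample_zone"

# Usage on the firewall host (as root), re-run safe thanks to -exist:
#   zone_to_restore uk.zone uk.zone.txt | ipset -exist restore
#   gen_allowlist 15765,16247 uk.zone th.zone | iptables-restore -n
zone_to_restore uk.zone "$sample_zone"
gen_allowlist 15765,16247 uk.zone th.zone
```

`iptables-restore -n` (noflush) keeps the rules already in the filter table, so the fragment can be layered onto an existing ruleset; running `ipset -exist restore` makes the `create` lines succeed when the sets already exist. If the same ports must be protected for both IPv4 and IPv6, the IPv6 zone lists need `family inet6` sets and `ip6tables-restore`, which this example does not cover.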