How do I allow only certain IPSet set's to access a certain port with iptables?
Reverse the presumption: allow through those that you want, then deny the rest:
iptables -A INPUT -m set --match-set uk.zone src -p tcp --dport 15765 -j ACCEPT
iptables -A INPUT -m set --match-set th.zone src -p tcp --dport 15765 -j ACCEPT
iptables -A INPUT -p tcp --dport 15765 -j DROP
(and similarly for port 16247, or try getting clever with -m multiport). Note that the order is important: the exceptions (ACCEPTs) need to come before the rule (DROP).
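The allow-then-drop pattern from this answer as a script, added here and not part of the original answer. It goes a little further than the answer: both ports are covered by one -m multiport jump into a dedicated chain (so the ACCEPTs can never end up behind the DROP), the sets are created with -exist before any rule references them, and a small check confirms the ordering. The chain name GEO_ALLOW and the set list are assumptions; the ports are the two from the question.

```shell
#!/bin/sh
# Added example, not part of the answer above. Builds a dedicated chain that
# allow-lists the country sets for both ports at once (-m multiport).
# The chain name GEO_ALLOW and the set list are assumptions.

PORTS="15765,16247"           # the two ports from the question
ALLOW_SETS="uk.zone th.zone"  # sets whose members may reach $PORTS
CHAIN="GEO_ALLOW"             # own chain: ACCEPTs always precede the final DROP

# Print the ipset/iptables commands in the order they must be applied.
geo_allow_rules() {
    for s in $ALLOW_SETS; do
        # A set must exist before a rule references it; -exist makes this a no-op on re-run.
        echo "ipset create -exist $s hash:net"
    done
    echo "iptables -N $CHAIN 2>/dev/null"     # create once, ignore 'already exists'
    echo "iptables -F $CHAIN"                 # rebuild the chain from scratch
    for s in $ALLOW_SETS; do
        echo "iptables -A $CHAIN -m set --match-set $s src -j ACCEPT"
    done
    echo "iptables -A $CHAIN -j DROP"         # everything not matched above
    # Single jump from INPUT; -C checks first so a re-run does not add a duplicate.
    echo "iptables -C INPUT -p tcp -m multiport --dports $PORTS -j $CHAIN 2>/dev/null" \
         "|| iptables -I INPUT -p tcp -m multiport --dports $PORTS -j $CHAIN"
}

# Return 0 only if every ACCEPT in the chain comes before its DROP
# (the ordering the answer insists on).
accepts_before_drop() {
    geo_allow_rules | awk -v c="$CHAIN" '
        $1=="iptables" && $3==c && /-j ACCEPT/ { if (dropped) bad=1 }
        $1=="iptables" && $3==c && /-j DROP/   { dropped=1 }
        END { exit (bad ? 1 : 0) }'
}

if [ "${APPLY:-0}" = 1 ]; then
    accepts_before_drop && geo_allow_rules | sh -e   # apply on the host (needs root)
else
    geo_allow_rules                                  # dry run: only print the commands
fi
```

Run it as-is to see the commands; run it with APPLY=1 as root to apply them.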
Author: James Morrison, updated on September 18, 2022
James Morrison over 1 year
I'm using IPSet to build IP ranges for different countries as follows:
# Canada
ipset -F ca.zone                     # flush any existing members
ipset -N ca.zone nethash             # create the set (nethash = hash:net)
for IP in $(wget -O - http://www.ipdeny.com/ipblocks/data/countries/ca.zone)
do
    ipset -A ca.zone $IP             # add each prefix from the downloaded list
    echo $IP
done
I'm then blocking those countries from certain ports on my server with the following iptables rules:
iptables -A INPUT -m set --match-set fr.zone src -p tcp --dport 15765 -j DROP
iptables -A INPUT -m set --match-set cn.zone src -p tcp --dport 15765 -j DROP
iptables -A INPUT -m set --match-set ca.zone src -p tcp --dport 16247 -j DROP
iptables -A INPUT -m set --match-set de.zone src -p tcp --dport 16247 -j DROP
This all works well but I want to achieve the opposite of this for some of the ports by only allowing certain IPSet country IP ranges. For example, block all IPs apart from those inside my uk.zone and th.zone sets.
What iptables rules would I need to achieve this?