Score:1

How to whitelist an IP destination for a specific IP block or interface in iptables?

cn flag

I have a jumpbox that I use to access my two databases, let's say database A and database B, each of them at a separate IP address. I have another person who is dedicated to working on database B, so I want to restrict their access to only that DB. We use WireGuard to connect to the jumpbox, and we have separate WireGuard profiles to connect, so each of us has a different interface and a different source IP.

I have tried this, but it still allows connections to both DBs:

*filter
-A FORWARD -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i my-wg -j ACCEPT
-A FORWARD -i other-person-wg ! -d XXX.XXX.XXX.XXX -j ACCEPT  # database B ip
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:88]
:POSTROUTING ACCEPT [1:88]
-A POSTROUTING -s XXX.XXX.XXX.XXX -j MASQUERADE  #this is the wireguard ip block that i and the other person use
COMMIT

Here is the output of iptables -L -v:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
60374 7581K DOCKER-USER  all  --  any    any     anywhere             anywhere            
60374 7581K DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere            
22156 1788K ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
   93  5580 DOCKER     all  --  any    docker0  anywhere             anywhere            
22083 1169K ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere            
 7799 3947K ACCEPT     all  --  eth0   any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
 8238  672K ACCEPT     all  --  my-wg    any     anywhere             anywhere            
    0     0 ACCEPT     all  --  other-person-wg    any     anywhere            !XXX.XXX.XXX.XXX          # ip of database B

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  !docker0 docker0  anywhere             172.17.0.2           tcp dpt:9181
    0     0 ACCEPT     tcp  --  !docker0 docker0  anywhere             172.17.0.4           tcp dpt:5000
   92  5520 ACCEPT     tcp  --  !docker0 docker0  anywhere             172.17.0.3           tcp dpt:9180

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
22083 1169K DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere            
60374 7581K RETURN     all  --  any    any     anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    docker0  anywhere             anywhere            
22083 1169K RETURN     all  --  any    any     anywhere             anywhere            

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
60374 7581K RETURN     all  --  any    any     anywhere             anywhere

How do I restrict access from a specific IP block or interface so that it can only reach a specific IP, in iptables on the jumpbox?

Nikita Kipriyanov avatar
za flag
I guess he was accepted by the default `filter FORWARD` policy, which is `ACCEPT`, but we don't see it in your question. Set either `iptables -P FORWARD DROP` or `iptables -A FORWARD -j DROP`; it will help in that case. If you don't want us to guess, please show the complete `iptables-save`, which will show which policy you currently have.
dennbagas avatar
cn flag
That is the complete `iptables-save` I currently have.
setenforce 1 avatar
us flag
Can you show `iptables -L -a -v`?
dennbagas avatar
cn flag
There is no `-a` option, but I've updated the question and added the output of `iptables -L -v`.
Score:1
fr flag

This command says "if network traffic is incoming from X IP address, but is not on Y interface, then DROP it." Note that it is in the raw table, which is the first and fastest table hit when network traffic comes into IPtables.

iptables -t raw -A PREROUTING -s ${X} ! -i ${Y} -j DROP

You should have another permutation of this rule in the opposite direction:

iptables -t raw -A PREROUTING ! -s ${X} -i ${Y} -j DROP

You can log violations of these rules by having these four commands:

iptables -t raw -A PREROUTING -s ${X} ! -i ${Y} -j LOG --log-prefix "Wrong IP: "
iptables -t raw -A PREROUTING -s ${X} ! -i ${Y} -j DROP
iptables -t raw -A PREROUTING ! -s ${X} -i ${Y} -j LOG --log-prefix "Wrong Interface: "
iptables -t raw -A PREROUTING ! -s ${X} -i ${Y} -j DROP

EDIT: Edited after I received more clarification in the comments.

This rule says "if traffic is incoming from IP address X and is not destined for IP address Z, then drop the traffic."

iptables -t raw -A PREROUTING -s ${X} ! -d ${Z} -j DROP

This rule says "if traffic is incoming on interface Y and is not destined for IP address Z, then drop the traffic."

iptables -t raw -A PREROUTING -i ${Y} ! -d ${Z} -j DROP

Here is a combination of those two rules; it says "if traffic is incoming from IP address X and is incoming on interface Y and is not destined for IP address Z, then drop the traffic."

iptables -t raw -A PREROUTING -s ${X} -i ${Y} ! -d ${Z} -j DROP

Just a note: I like to use the raw table if the rules do not require connection tracking. The raw table does not track any connections. In this case, no connection tracking is necessary for these rules. Connection tracking is necessary for the nat table and for the conntrack module (`-m conntrack`). The raw table is much more performant than other tables because connection tracking takes up significantly more resources on your server. The filter table is fine to use, however, and if it's simpler and makes more sense for you, then use the filter table. The rules would be exactly the same, but `-t raw` would become `-t filter`.

When packets enter IPtables, they traverse the tables like this:

raw --> mangle (where connection tracking begins) --> nat --> filter
dennbagas avatar
cn flag
Well, I can do that limitation by using PREROUTING on the nat table; what I'm asking is "if network traffic is incoming from X IP address AND not going to Z IP address, then DROP" OR "if network traffic is incoming from Y interface AND not going to Z IP address, then DROP".
fr flag
Oh okay, I understand. `iptables -t raw -A PREROUTING -s ${X} ! -d ${Z} -j DROP` and `iptables -t raw -A PREROUTING -i ${Y} ! -d ${Z} -j DROP` should do the trick. Not sure if this would help, but here is a combination of the two rules: `iptables -t raw -A PREROUTING -s ${X} -i ${Y} ! -d ${Z} -j DROP`.
dennbagas avatar
cn flag
All your solutions work! Can you update your post so I can mark it as the correct answer? Also, can these rules be placed in the filter table? If so, what is the equivalent of the rules if I want to write them in the filter table? An explanation of that would be much appreciated!
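The verdict logic discussed in this thread can be checked offline with a small first-match simulation. This is an added teaching example, not iptables itself and not code from the question or the answer: it models only the `-i`, `-s` and `-d` matches (with `!` negation), the ACCEPT and DROP targets and the chain policy, and leaves out conntrack, the nat table and Docker's chains. The addresses (a 10.8.0.0/24 WireGuard block, 10.8.0.3 for the other person, 192.0.2.10 and 192.0.2.20 for the two databases) are constructed stand-ins for the masked XXX.XXX.XXX.XXX values. It evaluates the question's FORWARD chain as posted, under both an ACCEPT and a DROP policy, and the answer's `! -d Z -j DROP` rules written as filter-table FORWARD rules, for a packet from the other person's interface toward each database.

```python
"""
Minimal first-match simulation of an iptables chain (constructed example).

Only the matches used in the thread are modelled: -i, -s, -d, each with an
optional '!' negation, plus ACCEPT/DROP targets and the chain policy.
Connection tracking, the nat table and Docker's chains are left out.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addresses standing in for the thread's XXX.XXX.XXX.XXX.
WG_BLOCK = "10.8.0.0/24"       # WireGuard block both users sit in (assumed)
OTHER_PERSON_IP = "10.8.0.3"   # the other person's WireGuard address (assumed)
DB_A = "192.0.2.10"            # database A (assumed, documentation range)
DB_B = "192.0.2.20"            # database B (assumed, documentation range)


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str


@dataclass
class Rule:
    target: str                         # "ACCEPT" or "DROP"
    in_iface: Optional[str] = None      # -i <iface>
    src: Optional[str] = None           # -s <addr or CIDR>
    dst: Optional[str] = None           # -d <addr or CIDR>
    negate: frozenset = frozenset()     # which of in_iface/src/dst carry '!'

    def matches(self, pkt: Packet) -> bool:
        checks = {
            "in_iface": lambda: pkt.in_iface == self.in_iface,
            "src": lambda: ip_address(pkt.src) in ip_network(self.src, strict=False),
            "dst": lambda: ip_address(pkt.dst) in ip_network(self.dst, strict=False),
        }
        for name, check in checks.items():
            if getattr(self, name) is None:
                continue                # match not given: anything passes
            result = check()
            if name in self.negate:     # '!' inverts that single match
                result = not result
            if not result:
                return False
        return True


@dataclass
class Chain:
    policy: str                         # verdict when no rule matches
    rules: list = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target      # first matching terminating rule wins
        return self.policy


def op_chain(policy: str) -> Chain:
    """The question's FORWARD chain (conntrack rule omitted), with a chosen policy."""
    return Chain(policy, [
        Rule("ACCEPT", in_iface="my-wg"),
        Rule("ACCEPT", in_iface="other-person-wg", dst=DB_B, negate=frozenset({"dst"})),
    ])


def answer_chain() -> Chain:
    """The answer's two DROP rules, expressed as filter-table FORWARD rules."""
    return Chain("ACCEPT", [
        Rule("DROP", src=OTHER_PERSON_IP, dst=DB_B, negate=frozenset({"dst"})),
        Rule("DROP", in_iface="other-person-wg", dst=DB_B, negate=frozenset({"dst"})),
    ])


def evaluate(chain: Chain) -> dict:
    """Verdicts for the other person's traffic toward each database."""
    to_a = Packet("other-person-wg", OTHER_PERSON_IP, DB_A)
    to_b = Packet("other-person-wg", OTHER_PERSON_IP, DB_B)
    return {"to_db_a": chain.verdict(to_a), "to_db_b": chain.verdict(to_b)}


if __name__ == "__main__":
    for label, chain in (("question's chain, policy ACCEPT", op_chain("ACCEPT")),
                         ("question's chain, policy DROP", op_chain("DROP")),
                         ("answer's DROP rules in FORWARD", answer_chain())):
        print(f"{label}: {evaluate(chain)}")
```

Run as a script it prints the three verdict tables. With the question's chain and its ACCEPT policy both databases come back ACCEPT, because a packet to database B matches no rule and falls through to the policy, which is the point raised in the first comment. With a DROP policy the same chain accepts database A and drops database B, since the rule's `! -d` accepts everything except B. The answer's two DROP rules give A dropped and B accepted while the policy stays ACCEPT for the owner's own traffic.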