<caveat>
I'm NOT a firewall or networking expert, so this is very much YMMV.
</caveat>
I wanted to see whether, and how, I could use the out-of-the-box iptables firewall to block most connectivity to a web server (IBM HTTP Server) whilst allowing SSH connectivity and, more importantly, allowing incoming requests from
Flush the existing rules
iptables -F
Allow new and established SSH connections (TCP 22) only on eth0 and only from a single host, 192.168.153.1, which is the VM's host machine
iptables -A INPUT -i eth0 -p tcp -s 192.168.153.1 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
Allow new and established connections to the IHS port (TCP 8443) only on eth1 and only from the 10.128.10.0/24 subnet, which is where the F5 LTM talks to the VM from (note that this is a subnet, not a single host)
iptables -A INPUT -i eth1 -p tcp -s 10.128.10.0/24 --dport 8443 -m state --state NEW,ESTABLISHED -j ACCEPT
Drop all other traffic from the 192.168.153 subnet
iptables -A INPUT -s 192.168.153.0/24 -j DROP
Drop all other traffic from the 10.128.10 subnet
iptables -A INPUT -s 10.128.10.0/24 -j DROP
Print the running configuration in iptables-save format. This only prints to stdout; it does not persist anything, so on a RHEL/CentOS 6 box (iptables 1.4.7) you would also run "service iptables save" to write the rules to /etc/sysconfig/iptables so that they survive a reboot
iptables-save
...
# Generated by iptables-save v1.4.7 on Fri Jul 29 19:13:26 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [945:348018]
-A INPUT -s 192.168.153.1/32 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 10.128.10.0/24 -i eth1 -p tcp -m tcp --dport 8443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.153.0/24 -j DROP
-A INPUT -s 10.128.10.0/24 -j DROP
COMMIT
# Completed on Fri Jul 29 19:13:26 2016
...
Two things are worth noticing in that output. First, the INPUT chain's default policy is still ACCEPT, so the two DROP rules only block the two subnets they name; a packet arriving from any other source address (a third interface, a routed network, IPv6 via ip6tables which is a separate table entirely) is accepted. Second, there is no general rule for ESTABLISHED traffic, so replies to any connection the VM itself opens towards 192.168.153.0/24 or 10.128.10.0/24 (DNS, yum, a scp back to the host) are dropped by the last two rules.
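As an added example that is not part of the original post, here is the same allow-list rebuilt the way I would actually deploy it: the INPUT policy defaults to DROP rather than relying on per-subnet DROP rules, loopback and return traffic for established connections are permitted, everything else is logged at a limited rate and then dropped, and the table is loaded with iptables-restore, which swaps the whole table atomically so the kernel never sees the half-built state that exists between "iptables -F" and the SSH rule (with policy ACCEPT that window exposes the box, with policy DROP it locks you out). The addresses, interfaces and port are the post's; the file path /etc/sysconfig/iptables (RHEL/CentOS 6 layout), the log prefix and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the post's allow-list
# as an iptables-restore file with a default-DROP INPUT policy, sanity-checks
# it, and applies it atomically. Interfaces/addresses/port are from the post;
# RULES_FILE and the log prefix are assumptions.

HOST_VM="192.168.153.1"        # admin host, reaches SSH via eth0
F5_SUBNET="10.128.10.0/24"     # F5 LTM side, reaches IHS via eth1
SSH_IF="eth0"
IHS_IF="eth1"
IHS_PORT="8443"

# Emit the ruleset in iptables-save syntax, i.e. the same format the post's
# iptables-save output is in, which is exactly what iptables-restore consumes.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $SSH_IF -p tcp -s $HOST_VM --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $IHS_IF -p tcp -s $F5_SUBNET --dport $IHS_PORT -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: " --log-level 4
-A INPUT -j DROP
COMMIT
EOF
}

# Refuse to apply anything that would either open the box (policy not DROP)
# or lock the administrator out (no SSH accept rule). Returns 0 if sane.
check_rules() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q -e '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q -e '--dport 22 .* -j ACCEPT' || return 1
    printf '%s\n' "$rules" | grep -q -e '^COMMIT$' || return 1
    return 0
}

# Number of ACCEPT rules in the table (lo, established, SSH, IHS = 4 here).
count_accept_rules() {
    printf '%s\n' "$1" | grep -c -e '-j ACCEPT'
}

# Write the file that RHEL/CentOS 6 loads at boot (assumption) and load it
# now in one atomic step instead of flush-then-append.
apply_rules() {
    RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"
    rules="$(build_rules)"
    check_rules "$rules" || { echo "refusing to apply: sanity check failed" >&2; return 1; }
    printf '%s\n' "$rules" > "$RULES_FILE"
    iptables-restore < "$RULES_FILE"
}

# Uncomment to apply (needs root):
# apply_rules
```

With this table the host VM can still only reach port 22 and the F5 subnet can still only reach 8443, but outbound connections from the VM now get their replies back, and any other inbound attempt shows up in the kernel log with the IPT-DROP prefix rather than silently vanishing. Remember that ip6tables is a separate table with its own (default ACCEPT) policy; if the VM has IPv6 addresses the same allow-list has to go there too, or IHS stays reachable over v6.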
I then tested this by: -
(a) ensuring that I could still connect to IHS via the F5 load balancer: -
openssl s_client -connect 10.128.10.240:443 </dev/null
…
SSL handshake has read 1065 bytes and written 440 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
…
Note the negotiated cipher, RC4-MD5: the firewall test passes, but that suite (RC4 with MD5) has been prohibited for TLS since RFC 7465 and is an IHS TLS configuration matter to fix separately.
(b) ensuring that I could NOT connect to IHS directly: -
openssl s_client -connect 192.168.153.200:8443 </dev/null
…
connect: Operation timed out
connect:errno=60
…
The time-out is the signature of a DROP target (errno 60 is ETIMEDOUT on macOS and the BSDs, which is what the client here appears to be); a REJECT target, or simply nothing listening on the port, would have failed immediately with "connection refused" instead. Note also that this test was run from 192.168.153.1, the one host the SSH rule trusts; it is dropped here because that rule is restricted to port 22, and the final DROP for 192.168.153.0/24 catches everything else from that subnet.
Here's my not-so-secret sources: -