IPTABLES how to allow/block private/public IPs

zaji_nms
Posts: 616
Joined: Tue Oct 16, 2012 12:28 am

IPTABLES how to allow/block private/public IPs

Post by zaji_nms »

Dear Expert

Having Nagios XI 5.x.x
CentOS 6.x
Assume localhost = 192.168.50.50

How to allow/block private/public IPs via IPTABLES:

Allow from all private IPs: full access to this localhost (192.168.50.50)
Allow from some public IPs x.x.x.x/32: full access to this localhost (192.168.50.50)
Allow from some public IPs x.x.x.x/16: just ping (ICMP Echo) to this server (localhost = 192.168.50.50)
Allow telnet/ping/ssh from this localhost (192.168.50.50) to anyone; you can say that if it is initiated from this server, it is allowed

Below is the current config, just for your reference, to guide on the above:

more /etc/sysconfig/iptables.save
# Generated by iptables-save v1.4.7 on
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:END - [0:0]
:RULES - [0:0]
-A INPUT -j RULES
-A FORWARD -j RULES
-A OUTPUT -j RULES
-A END -j REJECT --reject-with icmp-port-unreachable
-A END -j REJECT --reject-with icmp-port-unreachable
-A RULES -s 198.144.0.0/16 -p tcp -m tcp --dport 3334 -j REJECT --reject-with icmp-port-unreachable
-A RULES -s 198.144.0.0/16 -p udp -m udp --dport 3334 -j REJECT --reject-with icmp-port-unreachable
-A RULES -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 3334 -j REJECT --reject-with icmp-port-unreachable
-A RULES -s 192.168.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A RULES -s 172.16.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A RULES -s 100.100.100.100/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A RULES -s 127.0.0.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A RULES -s 172.16.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A RULES -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A RULES -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RULES -p icmp -j ACCEPT
-A RULES -s 127.0.0.1/32 -j ACCEPT
-A RULES -s 200.200.200.200/32 -j ACCEPT
-A RULES -s 10.0.0.0/8 -j ACCEPT
-A RULES -s 192.168.0.0/16 -j ACCEPT
-A RULES -s 172.16.0.0/12 -j ACCEPT
-A RULES -p tcp -m multiport --dports 25,53,161,5667,5666 -j ACCEPT
-A RULES -p udp -m multiport --dports 53,123,161 -j ACCEPT
-A RULES -j END
COMMIT
# Completed on Thu Feb 14
# Generated by iptables-save v1.4.7 on Feb 14
*nat
:PREROUTING ACCEPT [1116:61961]
:POSTROUTING ACCEPT [18301:146671]
:OUTPUT ACCEPT [18301:146671]
COMMIT
# Completed on Feb 14

Regards
Last edited by zaji_nms on Sat Dec 19, 2020 1:36 am, edited 1 time in total.
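
The four requirements listed in the post above, written out as an iptables-restore ruleset. This is an added example, not part of the original thread and not Nagios guidance; the two public ranges are constructed RFC 5737 documentation addresses (the /24 stands in for the poster's /16), and `gen_rules` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for the
# four requirements in the question. Addresses below are constructed RFC 5737
# documentation ranges; replace them with your own.
FULL_PUBLIC="203.0.113.10/32"   # public hosts given full access (assumed value)
PING_PUBLIC="198.51.100.0/24"   # public range allowed ICMP echo only (assumed value)

gen_rules() {
    # Inbound is default-deny and forwarding is off; anything the server itself
    # initiates (telnet/ping/ssh out) is allowed by the OUTPUT policy, and the
    # replies come back in through the RELATED,ESTABLISHED rule.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
EOF
    # Full access for the listed public hosts.
    for net in $FULL_PUBLIC; do
        printf '%s\n' "-A INPUT -s $net -j ACCEPT"
    done
    # ICMP echo-request (type 8) only for the listed public ranges.
    for net in $PING_PUBLIC; do
        printf '%s\n' "-A INPUT -s $net -p icmp -m icmp --icmp-type 8 -j ACCEPT"
    done
    # Everything else inbound is rejected, as the END chain in the post does.
    printf '%s\n' "-A INPUT -j REJECT --reject-with icmp-port-unreachable" "COMMIT"
}

# Print the ruleset when run as:  sh rules.sh print
# Parse it without loading it:    sh rules.sh print | iptables-restore --test
if [ "${1:-}" = "print" ]; then
    gen_rules
fi
```

Unlike the posted config, this ruleset no longer accepts ports 25, 53, 161, 5666 and 5667 from arbitrary sources, so any public host that must reach those services has to be listed explicitly.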
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: IPTABLES how to allow/block private/public IPs

Post by benjaminsmith »

Hi @zaji_nms,

I would recommend reaching out to your internal teams on this question and the best approach for your company and network. Much of this would be best set up at the firewall/router level.

We help customers with configurations related to the default setup in Nagios XI, however, setting up company security rules in Apache and iptables is not something we typically set up for customers.

Best Regards,
Benjamin
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
zaji_nms
Posts: 616
Joined: Tue Oct 16, 2012 12:28 am

IPTABLES how to allow/block private/public IPs

Post by zaji_nms »

Yes benjaminsmith and Nagios Support, agreed, but take your time; reply on a very low priority basis.

Yes, the same way we are concerned with our customer's WAN link, not LAN, although we monitor their LAN too: a little extra mile.
Customer happy, we happy too.

We need your tips/advice/guidance... your little extra mile will surely help your thousands of users.
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: IPTABLES how to allow/block private/public IPs

Post by benjaminsmith »

Hi,

I reached out to a team member on this, and one approach would be to use Access Control in Apache to set this up, see:

Apache Access Control

The implementation is fairly simple but would require adjusting all the Require All lines on the config files located in /etc/httpd/conf.d.

For example (in the Directory directive):

Require ip <ip.address>
Require not ip <address>

Hope that helps you out.

--Benjamin
zaji_nms
Posts: 616
Joined: Tue Oct 16, 2012 12:28 am

Re: IPTABLES how to allow/block private/public IPs

Post by zaji_nms »

Dear tgriep

Can you please read my very first thread of this post and can you please suggest some tips/hints/URL?

I hope you will spare some time to reply and then close this post; I will not bother you again.

regards
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: IPTABLES how to allow/block private/public IPs

Post by benjaminsmith »

Hi @zaji_nms,

A happy new year and I hope you are doing well. As mentioned in my first reply, I would recommend working with your internal admins to set this up. We help customers with configurations related to the default setup in Nagios XI; however, this type of firewall configuration is out of scope for product support.

If you're looking for tips or hints online for setting up iptables, take a look at the following guides.

Iptables Tutorial: Ultimate Guide To Linux Firewall
An In-Depth Guide to iptables, the Linux Firewall

One thing to keep in mind is that your license allows for 3 product activations: production, test, and backup. So you can safely experiment with the firewall settings on a test server before copying those over to the production instance. This will minimize the chance of any possible disruptions to your company's monitoring.

https://support.nagios.com/kb/article.php?id=145
zaji_nms
Posts: 616
Joined: Tue Oct 16, 2012 12:28 am

Re: IPTABLES how to allow/block private/public IPs

Post by zaji_nms »

Thanks benjaminsmith

Thanks for the tips/hints...you can close the case.

Happy New Year to you and all Nagios Team/Users too.

Regards
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: IPTABLES how to allow/block private/public IPs

Post by benjaminsmith »

Hi @zaji_nms,

Sounds good.

Thank you for using Nagios.