Access control using Nginx and Iptables (IP and Mac)

Source: Internet
Author: User

The servers configured previously were effectively open to the entire intranet.

Besides reaching the services indirectly through Nginx on port 80, anyone could bypass Nginx and reach a service directly by IP address plus port.

That is not right, so some restrictions are needed.

Since the services are only provided to specific people, and LAN IP and MAC addresses are fixed, a whitelist can be used directly: everyone else is refused.

/************************************** using Nginx to control the access rights *********************************/

Set it up in Nginx first.

Create a new ip.conf under /etc/nginx/conf.d

The .conf files in this directory are included by nginx.conf

Suppose only 192.168.1.2 and 192.168.1.3 are allowed access

The content is

allow 192.168.1.2;
allow 192.168.1.3;
deny all;

That's it.

Of course, Nginx can do better: per-location control

ip.conf is the first, global whitelist; a whitelist can likewise be added in the conf file of the corresponding reverse proxy

For example, the forum on port 4567 should only be accessible to 192.168.1.2

Then the original configuration file (see the other post on installing Nginx, MediaWiki, NodeBB, Everything and GitLab under Ubuntu 14.04)

server {
    listen 80;
    server_name www.forum.zqb.local forum.zqb.local;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:4567/;
        proxy_redirect off;
        # Socket.io support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}

Change it to

server {
    listen 80;
    server_name www.forum.zqb.local forum.zqb.local;
    location / {
        allow 192.168.1.2;   # allow access
        deny all;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:4567/;
        proxy_redirect off;
        # Socket.io support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}

This lets you control access for each service individually rather than cutting everything off globally.

Note: after modifying the configuration file, restart the service

service nginx restart

Of course, you can also allow a whole network segment or configure a blacklist; search Google or Baidu for the exact syntax

Oh, and the iptables rules need to be loaded automatically at boot.

iptables-save > /etc/iptables.up.rules

Modify /etc/network/interfaces

Add a line at the end

pre-up iptables-restore < /etc/iptables.up.rules

/************************************** access control using Iptables *********************************/

But limiting by IP is not enough; we want to do better, for example also limit by MAC address.

This time it is not Nginx but iptables.

The configuration can be written one command at a time, or edited in a file and written back in bulk.

First write the current configuration to the file /etc/iptables.test.rules

iptables-save > /etc/iptables.test.rules

Then modify the file /etc/iptables.test.rules

After revising, write it back

iptables-restore < /etc/iptables.test.rules

It takes effect immediately.

Assume the server's own IP is 192.168.1.2 and its MAC address is aa:bb:cc:dd:ee:ff

We want the following effect

The server can freely access all of its own ports

Other machines are not allowed to access port 4567 (i.e. no direct access to the forum open on port 4567; it must be reached indirectly through Nginx on port 80)

This can be configured as follows

# Generated by iptables-save v1.4.21 on Mon May 2
*filter
:INPUT ACCEPT [80:9703]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1531:1424833]
-A INPUT -s 192.168.1.2/32 -m mac --mac-source AA:BB:CC:DD:EE:FF -p tcp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4567 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.3/32 -m mac --mac-source AB:CD:EF:AB:CD:EF -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon May 2

The first four lines (*filter and the three chain policies) are generated automatically

Line five says that a packet from IP address 192.168.1.2 with MAC address aa:bb:cc:dd:ee:ff is accepted directly

Line six allows loopback traffic

Line seven forbids access to port 4567

Line eight allows IP address 192.168.1.3 with MAC address ab:cd:ef:ab:cd:ef to access port 80

Line nine forbids access to port 80

Rules are matched in order: the first rule that matches decides the verdict and matching stops; otherwise evaluation continues with the next rule

So for the server itself line five matches, and the following rules no longer matter: no restrictions

For other machines line five does not match, and line seven prohibits direct access to port 4567

For 192.168.1.3 line eight matches, so it can access port 80

Other machines match nothing until line nine, which prohibits access to port 80

With this configuration only a few ports are blocked; others such as ssh are not restricted

It feels a bit like a port blacklist; to be stricter you can also build a port whitelist, opening only ports such as 23 and 80 and blocking everything else
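To make the first-match walk through the INPUT chain concrete, here is an added example (not code from the original post): a small simulator that encodes the nine-line ruleset above as data and returns the verdict for a given source IP, source MAC and destination port. Only TCP is modelled; the interface name eth0 and the addresses of the "unknown" and "wrong MAC" clients are constructed test values, and the last case also shows that a correct IP with the wrong MAC is rejected.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One INPUT rule; a field left as None is not part of the match."""
    target: str                     # -j ACCEPT / -j REJECT
    src_ip: Optional[str] = None    # -s a.b.c.d/32
    src_mac: Optional[str] = None   # -m mac --mac-source
    in_iface: Optional[str] = None  # -i lo
    dport: Optional[int] = None     # -p tcp -m tcp --dport

# The INPUT chain from the iptables-save listing above, in the same order.
# Only TCP is modelled, so the "-p tcp" matches are implicit.
INPUT_CHAIN = [
    Rule("ACCEPT", src_ip="192.168.1.2", src_mac="aa:bb:cc:dd:ee:ff"),
    Rule("ACCEPT", in_iface="lo"),
    Rule("REJECT", dport=4567),
    Rule("ACCEPT", src_ip="192.168.1.3", src_mac="ab:cd:ef:ab:cd:ef", dport=80),
    Rule("REJECT", dport=80),
]
INPUT_POLICY = "ACCEPT"  # ":INPUT ACCEPT": anything unmatched is accepted

def rule_matches(rule: Rule, src_ip: str, src_mac: str, iface: str, dport: int) -> bool:
    """All specified fields must match; MAC comparison is case-insensitive."""
    return ((rule.src_ip is None or rule.src_ip == src_ip)
            and (rule.src_mac is None or rule.src_mac == src_mac.lower())
            and (rule.in_iface is None or rule.in_iface == iface)
            and (rule.dport is None or rule.dport == dport))

def verdict(src_ip: str, src_mac: str, dport: int, iface: str = "eth0") -> str:
    """First matching rule wins; otherwise fall through to the chain policy."""
    for rule in INPUT_CHAIN:
        if rule_matches(rule, src_ip, src_mac, iface, dport):
            return rule.target
    return INPUT_POLICY

if __name__ == "__main__":
    # Constructed test clients; "eth0" and the non-whitelisted addresses are assumptions.
    for who, ip, mac, port in [
        ("server itself -> 4567", "192.168.1.2", "aa:bb:cc:dd:ee:ff", 4567),
        ("1.3 whitelisted -> 80", "192.168.1.3", "ab:cd:ef:ab:cd:ef", 80),
        ("1.3 whitelisted -> 4567", "192.168.1.3", "ab:cd:ef:ab:cd:ef", 4567),
        ("unknown host -> 80", "192.168.1.9", "11:22:33:44:55:66", 80),
        ("unknown host -> 22 (ssh)", "192.168.1.9", "11:22:33:44:55:66", 22),
        ("1.3 IP but wrong MAC -> 80", "192.168.1.3", "11:22:33:44:55:66", 80),
    ]:
        print(f"{who:30} {verdict(ip, mac, port)}")
```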

/***********************************************************************/

In summary: first, through iptables, whitelisted machines (IP and MAC must both match) can only access port 80, i.e. they must go through Nginx and cannot reach a service directly

Then Nginx further restricts access per service

Of course, each service itself still requires an account and password, and for example the forum backend can also restrict registration, but that is provided by the service itself

In addition, this has some side effects; for example, the clone URL GitLab gives is

http://192.168.1.2:8081/zhuangqiubin/books_ceshi.git

But 8081 cannot be accessed directly, so change it to

http://www.gitlab.zqb.local/zhuangqiubin/Books_ceshi.git

/***********************************************************************/

However, both IP and MAC addresses can be modified = =

Modify the IP

sudo ifconfig eth0 192.168.2.1 netmask 255.255.255.0
sudo /etc/init.d/networking restart

Modify the MAC

ifconfig eth0 down
ifconfig eth0 hw ether xx:xx:xx:xx:xx:xx
ifconfig eth0 up
