With the servers configured so far, the whole intranet is effectively public.
Besides reaching the services indirectly through Nginx on port 80, anyone can bypass Nginx and hit each service directly by IP address and port.
That is not acceptable, so some restrictions are needed.
Since the services are only for a specific group of people, and their LAN IP and MAC addresses are fixed, a whitelist will do: allow those addresses and refuse everyone else.
/************************************** using Nginx to control the access rights *********************************/
Set it up in Nginx first.
Create a new file ip.conf under /etc/nginx/conf.d
Every .conf file in that directory is included by nginx.conf
Suppose only 192.168.1.2 and 192.168.1.3 are allowed in
Then the content is
allow 192.168.1.2;
allow 192.168.1.3;
deny all;
That is all it takes.
Of course, Nginx can do better than that and control access per location.
ip.conf is the first, global whitelist; the same allow/deny lines can also be added to the conf file of each reverse-proxied service.
For example, the forum is open on port 4567 and should only be reachable by 192.168.1.2.
The original configuration file (see the other post on installing Nginx, MediaWiki, NodeBB, Everything and GitLab on Ubuntu 14.04) is
server {
    listen 80;
    server_name www.forum.zqb.local forum.zqb.local;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:4567/;
        proxy_redirect off;
        # Socket.io support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
Change it to
server {
    listen 80;
    server_name www.forum.zqb.local forum.zqb.local;
    location / {
        allow 192.168.1.2;    # allow access
        deny all;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:4567/;
        proxy_redirect off;
        # Socket.io support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
This way access is controlled per service instead of with one blanket rule.
Note: after modifying a configuration file, restart the service:
service nginx restart
A whole network segment or a blacklist can be configured as well; the exact syntax is easy to find on Google or Baidu.
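The allow/deny directives above are checked top to bottom and the first one that matches the client address decides; if none matches, the request is allowed, which is why "deny all" has to come last. The following shell script is an added example, not part of the original post: it models that evaluation (IPv4 addresses, CIDR blocks and "all" only) so the effect of the global ip.conf plus a per-location override can be checked without reloading Nginx. The rule strings, the second "wiki" service and the client addresses are constructed for the example; the names ip_to_int, in_cidr, nginx_access, effective_rules and decide are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: a shell model of how nginx's
# access module evaluates allow/deny directives. Only IPv4 addresses, CIDR
# blocks and "all" are handled; rule strings and client IPs are constructed.

# ip_to_int 192.168.1.2 -> 3232235778
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDRESS RULE_ADDRESS: succeeds when ADDRESS is covered by
# RULE_ADDRESS, which may be a single IP, a block such as 192.168.1.0/24, or "all"
in_cidr() {
    case $2 in
        all) return 0 ;;
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# nginx_access CLIENT_IP "allow A; deny B; ..." -> prints allow or deny.
# Directives are checked in order and the first match decides; with no
# match the request is allowed (nginx's default), so "deny all" goes last.
nginx_access() {
    client=$1
    old_ifs=$IFS
    IFS=';'
    for rule in $2; do
        IFS=$old_ifs
        set -- $rule                 # $1 = allow|deny, $2 = address
        [ -n "$2" ] || continue
        if in_cidr "$client" "$2"; then
            echo "$1"
            return 0
        fi
    done
    IFS=$old_ifs
    echo allow
}

# /etc/nginx/conf.d/ip.conf is included at http level, so it applies to
# every location that does not define allow/deny itself
GLOBAL_RULES='allow 192.168.1.2; allow 192.168.1.3; deny all;'
# allow/deny inside the forum's location / replace the inherited set for
# that location; nginx does not merge the two levels
FORUM_RULES='allow 192.168.1.2; deny all;'

# effective_rules LOCATION_RULES GLOBAL_RULES -> the set nginx actually applies
effective_rules() {
    if [ -n "$1" ]; then echo "$1"; else echo "$2"; fi
}

# decide CLIENT_IP LOCATION_RULES -> verdict for a request to that location
decide() {
    nginx_access "$1" "$(effective_rules "$2" "$GLOBAL_RULES")"
}

for ip in 192.168.1.2 192.168.1.3 192.168.1.4; do
    printf '%-13s wiki (global rules only): %-6s forum (own rules): %s\n' \
        "$ip" "$(decide "$ip" '')" "$(decide "$ip" "$FORUM_RULES")"
done
```

The point worth noticing is the third host: 192.168.1.3 is on the global whitelist but is refused at the forum, because the location's own allow/deny list replaces the global one rather than adding to it. Swapping the order to "deny all; allow 192.168.1.2;" denies everyone, since the first matching directive wins.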
Oh, and the iptables rules should be loaded automatically at boot. Save them with
iptables-save > /etc/iptables.up.rules
Then edit /etc/network/interfaces
and add a line at the end:
pre-up iptables-restore < /etc/iptables.up.rules
/************************************** access control using Iptables *********************************/
Limiting by IP alone is not enough; we want to do better, for example restrict by MAC address as well.
Nginx can't do that, so this time it is iptables.
The configuration can be written one command at a time, or the rules file can be edited and written back in bulk.
First write the current configuration to the file /etc/iptables.test.rules
iptables-save > /etc/iptables.test.rules
Then edit /etc/iptables.test.rules
and write the revised file back with
iptables-restore < /etc/iptables.test.rules
It takes effect immediately.
Assume the server's own IP is 192.168.1.2 and its MAC address is aa:bb:cc:dd:ee:ff.
The desired effect is:
The server itself can freely access all of its own ports
Other machines may not access port 4567 (i.e. no direct access to the forum open on port 4567; it must go indirectly through Nginx on port 80)
This can be configured as follows
# Generated by iptables-save v1.4.21 on Mon May 2 ...
*filter
:INPUT ACCEPT [...:9703]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1531:1424833]
-A INPUT -s 192.168.1.2/32 -m mac --mac-source AA:BB:CC:DD:EE:FF -p tcp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4567 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.3/32 -m mac --mac-source AB:CD:EF:AB:CD:EF -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon May 2 ...
The header comment and the first four lines are generated automatically.
Line five: packets from IP 192.168.1.2 with MAC address aa:bb:cc:dd:ee:ff are accepted outright.
Line six allows loopback traffic.
Line seven rejects access to port 4567.
Line eight allows IP 192.168.1.3 with MAC address ab:cd:ef:ab:cd:ef to access port 80.
Line nine rejects access to port 80.
Rules are matched in order: the first rule that matches decides, otherwise matching continues with the next rule.
So the server itself matches line five and the rules after it no longer matter; it is unrestricted.
Other machines do not match line five, and line seven stops them from accessing port 4567 directly.
192.168.1.3 matches line eight and can therefore access port 80.
Other machines match nothing until line nine, which rejects access to port 80.
This configuration only blocks a few ports; SSH and everything else are not restricted.
It has a bit of a port-blacklist feel. A stricter version would be a port whitelist: open only ports 23, 80 and the like, and block everything else.
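To see the first-match walk described above packet by packet, here is an added example that is not part of the original post: a shell model of the INPUT chain that reads rules in iptables-save form and prints the verdict for a given source IP, MAC, interface, protocol and destination port. It covers only the matches the post uses (-s, --mac-source, -i, -p, --dport, -j) plus the chain policy. The post's chain is reproduced with counters and timestamps left out; the port-whitelist variant, the sample packets, the MAC 11:22:33:44:55:66 and the helper names lower and ipt_input are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a shell model of how the INPUT
# chain above is walked, so the first-match behaviour described in the text
# can be checked without touching a live firewall. Only the matches the post
# uses are modelled; rule sets and sample packets are constructed.

# The post's chain in iptables-save form (counters and timestamps omitted)
RULES_BLACKLIST='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.1.2/32 -m mac --mac-source AA:BB:CC:DD:EE:FF -p tcp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4567 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.3/32 -m mac --mac-source AB:CD:EF:AB:CD:EF -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# The stricter port-whitelist variant the text mentions (constructed):
# policy DROP, and only the listed IP+MAC pairs get through
RULES_WHITELIST='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.2/32 -m mac --mac-source AA:BB:CC:DD:EE:FF -p tcp -j ACCEPT
-A INPUT -s 192.168.1.3/32 -m mac --mac-source AB:CD:EF:AB:CD:EF -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# ipt_input RULES SRC_IP SRC_MAC IFACE PROTO DPORT -> prints the verdict
ipt_input() {
    rules=$1; src=$2; mac=$(lower "$3"); iface=$4; proto=$5; dport=$6
    printf '%s\n' "$rules" | {
        policy=ACCEPT
        while read -r line; do
            case $line in
                ':INPUT '*)   set -- $line; policy=$2; continue ;;
                '-A INPUT '*) ;;
                *) continue ;;          # other chains, *filter, COMMIT, blanks
            esac
            r_src=; r_mac=; r_if=; r_proto=; r_dport=; r_target=
            set -- $line
            while [ $# -gt 0 ]; do      # pull the match options out of the rule
                case $1 in
                    -s)           r_src=${2%/32}; shift 2 ;;
                    --mac-source) r_mac=$(lower "$2"); shift 2 ;;
                    -i)           r_if=$2; shift 2 ;;
                    -p)           r_proto=$2; shift 2 ;;
                    --dport)      r_dport=$2; shift 2 ;;
                    -j)           r_target=$2; shift 2 ;;
                    *)            shift ;;
                esac
            done
            # every option the rule specifies must match the packet
            [ -z "$r_src" ]   || [ "$r_src" = "$src" ]     || continue
            [ -z "$r_mac" ]   || [ "$r_mac" = "$mac" ]     || continue
            [ -z "$r_if" ]    || [ "$r_if" = "$iface" ]    || continue
            [ -z "$r_proto" ] || [ "$r_proto" = "$proto" ] || continue
            [ -z "$r_dport" ] || [ "$r_dport" = "$dport" ] || continue
            echo "$r_target"            # first matching rule decides
            exit 0
        done
        echo "$policy"                  # nothing matched: chain policy applies
    }
}

# Constructed sample packets: "src_ip src_mac iface proto dport"
for pkt in \
    '192.168.1.2 aa:bb:cc:dd:ee:ff eth0 tcp 4567' \
    '192.168.1.3 ab:cd:ef:ab:cd:ef eth0 tcp 4567' \
    '192.168.1.3 ab:cd:ef:ab:cd:ef eth0 tcp 80' \
    '192.168.1.3 11:22:33:44:55:66 eth0 tcp 80' \
    '192.168.1.9 11:22:33:44:55:66 eth0 tcp 22' \
    '192.168.1.9 11:22:33:44:55:66 eth0 udp 4567' \
    '127.0.0.1 - lo tcp 4567'
do
    set -- $pkt
    printf '%-12s %-18s %-4s %-3s %5s  blacklist=%-7s whitelist=%s\n' "$@" \
        "$(ipt_input "$RULES_BLACKLIST" "$@")" "$(ipt_input "$RULES_WHITELIST" "$@")"
done
```

Two rows show what the text calls the blacklist feel: TCP port 22 and UDP to port 4567 both get through the post's chain, because line seven only matches TCP and the chain policy is ACCEPT, while the whitelist variant drops them. The row with the right IP but the wrong MAC is rejected in both, which is the whole reason for the mac match. One caveat on the whitelist variant: with an INPUT policy of DROP and no rule for established connections, replies to connections the server itself opens (updates, DNS) are dropped too; a real deployment puts an "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" rule near the top.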
/***********************************************************************/
In summary: first, iptables makes sure that only whitelisted machines (IP and MAC must both match) can connect, and only to port 80, i.e. they must go through Nginx and cannot reach the services directly.
Then Nginx restricts access per service further.
Of course each service also requires an account and password, and registration can be restricted in the forum's admin panel for instance, but that is provided by the service itself.
This also has some side effects. For example, the clone URL GitLab gives out is
http://192.168.1.2:8081/zhuangqiubin/books_ceshi.git
but port 8081 can no longer be accessed directly, so it has to be changed to
http://www.gitlab.zqb.local/zhuangqiubin/Books_ceshi.git
/***********************************************************************/
However, both IP and MAC addresses can be changed = =
Changing the IP:
sudo ifconfig eth0 192.168.2.1 netmask 255.255.255.0
sudo /etc/init.d/networking restart
Changing the MAC:
ifconfig eth0 down
ifconfig eth0 hw ether xx:xx:xx:xx:xx:xx
ifconfig eth0 up
Access control using Nginx and Iptables (IP and Mac)