Use Nginx and iptables for access control (IP and MAC)

Source: Internet
Author: User

The server configured earlier is reachable from the entire intranet. Besides reaching the various services indirectly through nginx on port 80, anyone can also bypass nginx and reach a service directly by its IP address and port, which is not what we want. So we need to add some restrictions: the services are meant only for specific people, and their LAN IP addresses and MAC addresses are fixed, so we can simply use a whitelist and reject everyone else.

/************************************ Use nginx to implement access control *********************************/

Configure nginx first

Create ip.conf under /etc/nginx/conf.d.

All .conf files in this directory are included by nginx.conf.

Suppose we only allow access from 192.168.1.2 and 192.168.1.3.

The content is:

allow 192.168.1.2;
allow 192.168.1.3;
deny all;

This is done.

Of course, nginx can do better and control access per directory (per location).

ip.conf is effectively the first, global whitelist. You can add a further whitelist in the conf file of each reverse-proxied service.

For example, for the forum running on port 4567, only 192.168.1.2 is allowed.

The original configuration file (see the other article on installing Nginx, MediaWiki, NodeBB, Everything and GitLab on Ubuntu 14.04):

server {
    listen 80;
    server_name www.forum.zqb.local forum.zqb.local;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:4567/;
        proxy_redirect off;
        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Change it to:

server {
    listen 80;
    server_name www.forum.zqb.local forum.zqb.local;

    location / {
        allow 192.168.1.2;   # only this address may reach the forum
        deny all;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:4567/;
        proxy_redirect off;
        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

In this way, the access permissions of each service can be controlled separately instead of one-size-fits-all.

After modifying the configuration file, restart the service:

service nginx restart

Of course, you can also allow an entire CIDR block, or use a blacklist instead; look up the syntax on Google or Baidu yourself.
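As an added example (not code from the original article), here is a small Python model of how nginx's access module evaluates the allow/deny lists above: rules are checked in order, the first match wins, and a client that no rule matches is allowed. It also models two mistakes worth checking for: putting deny all first, and a comment that swallows the deny all (exactly what happens when the two directives end up on one line with a # between them). The directive strings and addresses are constructed for the demo; only the allow/deny/all subset of the syntax is parsed.

```python
import ipaddress

# Constructed sample directives, mirroring the article's ip.conf and forum location.
GLOBAL_CONF = """
allow 192.168.1.2;
allow 192.168.1.3;
deny all;
"""
FORUM_LOCATION = """
allow 192.168.1.2;   # forum: only this host
deny all;
"""
# Wrong order: the first rule already decides, so nobody gets in.
WRONG_ORDER = "deny all; allow 192.168.1.2;"
# A comment that swallows "deny all;": only one allow rule survives, and every
# client the allow does not match falls through to the default, which is "allowed".
SWALLOWED_DENY = "allow 192.168.1.2; # allow access to deny all;"


def parse_access_rules(conf_text):
    """Parse allow/deny directives into (action, network-or-None) tuples.

    Handles the subset of ngx_http_access_module syntax used in the article:
    'allow <ip>;', 'allow <cidr>;', 'deny all;', 'allow all;'.
    Other directives (proxy_pass, listen, ...) are ignored.
    """
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]          # strip nginx comments
        for stmt in line.split(";"):
            parts = stmt.split()
            if len(parts) != 2 or parts[0] not in ("allow", "deny"):
                continue
            action, target = parts
            net = None if target == "all" else ipaddress.ip_network(target, strict=False)
            rules.append((action, net))
    return rules


def is_allowed(rules, client_ip):
    """nginx semantics: rules are checked in order and the first match wins.

    If no rule matches, access is allowed, so a list without a final
    'deny all;' is not a whitelist at all.
    """
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or ip in net:
            return action == "allow"
    return True


def effective_rules(http_rules, location_rules):
    """A location that declares its own allow/deny list replaces the http-level
    list entirely (nginx inherits directives only when the level declares none)."""
    return location_rules if location_rules else http_rules


def check(http_conf, location_conf, client_ip):
    """Decision for one client against the global list plus a location's list."""
    rules = effective_rules(parse_access_rules(http_conf), parse_access_rules(location_conf))
    return is_allowed(rules, client_ip)


if __name__ == "__main__":
    for ip in ("192.168.1.2", "192.168.1.3", "192.168.1.4"):
        print(ip, "global:", check(GLOBAL_CONF, "", ip),
              "forum:", check(GLOBAL_CONF, FORUM_LOCATION, ip))
    print("wrong order, 192.168.1.2:", check("", WRONG_ORDER, "192.168.1.2"))
    print("swallowed deny, 192.168.1.3:", check("", SWALLOWED_DENY, "192.168.1.3"))
```

Two points the model makes visible: the location-level list does not merge with ip.conf but replaces it, so deny all has to be repeated inside the location (the forum block above does that); and since nginx matches on the connection's source address, the backend on 127.0.0.1:4567 only ever sees nginx, so this check has to live in nginx, not in the service.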

/************************************ Use iptables to control access permissions *********************************/

However, restricting IP addresses alone is not enough. We want to do better, for example also restrict MAC addresses.

nginx cannot do that; iptables is required.

You can enter the commands one by one, or edit a file and load them in a batch.

First, write the current configuration to the file /etc/iptables.test.rules:

iptables-save > /etc/iptables.test.rules

Then modify the /etc/iptables.test.rules file.

After modifying it, write it back:

iptables-restore < /etc/iptables.test.rules

and it takes effect.

Assume that the server's IP address is 192.168.1.2 and its MAC address is aa:bb:cc:dd:ee:ff.

We want the following result:

The server itself can access all of its ports freely.

Other machines are not allowed to access port 4567 (that is, they cannot reach the forum on port 4567 directly and must go through nginx on port 80).

This can be configured as follows:

# Generated by iptables-save v1.4.21 on Mon May  2 15:53:51 2016
*filter
:INPUT ACCEPT [96:9703]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1531:1424833]
-A INPUT -s 192.168.1.2/32 -m mac --mac-source aa:bb:cc:dd:ee:ff -p tcp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4567 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.3/32 -m mac --mac-source ab:cd:ef:ab:cd:ef -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon May  2 15:53:51 2016

The first four lines (counting from *filter, after the comment that iptables-save writes) are generated automatically.

The fifth line says that if the source IP address is 192.168.1.2 and the source MAC address is aa:bb:cc:dd:ee:ff, the packet is accepted directly.

Line 6 allows loopback traffic.

Line 7 rejects access to port 4567.

The eighth line says that for IP address 192.168.1.3 with MAC address ab:cd:ef:ab:cd:ef, access to port 80 is allowed.

The ninth line rejects all other access to port 80.


The rules are matched in order: as soon as one rule matches, its target decides and matching stops; otherwise matching continues with the next rule, and if nothing matches, the chain's default policy (ACCEPT here) applies.

Therefore, for the server itself, the fifth line matches and the subsequent rules do not matter: there are no restrictions.

For other machines, the fifth line does not match, so the seventh line prohibits direct access to port 4567.

192.168.1.3 matches the eighth line, so it can access port 80.

Other machines match nothing until the ninth line, which rejects access to port 80.


The configuration above only blocks a few ports; ssh and all other ports remain unrestricted.

This is more of a port blacklist. To be stricter, you can turn it into a port whitelist: open only the ports you need and forbid everything else.
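As an added example (not code from the original article), the following Python script models the INPUT chain above the way the explanation walks through it: first matching rule decides, otherwise the chain policy applies. It runs the article's four cases plus the "unlisted port" case, and compares them against a hypothetical port-whitelist variant with a DROP policy, so the difference the previous paragraph describes is visible. The rule text is a constructed copy of the article's dump, the packets are constructed, and only the matches the article uses (-s, -i, -p, --mac-source, --dport, -j) are parsed.

```python
import ipaddress

# The article's INPUT chain (constructed copy of its iptables-save dump).
PAGE_RULES = """
*filter
:INPUT ACCEPT [96:9703]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1531:1424833]
-A INPUT -s 192.168.1.2/32 -m mac --mac-source aa:bb:cc:dd:ee:ff -p tcp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4567 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.3/32 -m mac --mac-source ab:cd:ef:ab:cd:ef -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Hypothetical port-whitelist variant: policy DROP, so anything not explicitly
# opened is refused. A real ruleset would also need an ACCEPT for established
# connections (conntrack) and an explicit rule for ssh, otherwise remote
# administration is cut off; this model ignores connection state entirely.
WHITELIST_RULES = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.2/32 -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT
-A INPUT -s 192.168.1.3/32 -m mac --mac-source ab:cd:ef:ab:cd:ef -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""


def parse_input_chain(text):
    """Return (policy, rules) for the INPUT chain of an iptables-save dump."""
    policy, rules = "ACCEPT", []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":INPUT"):
            policy = line.split()[1]
        elif line.startswith("-A INPUT"):
            rules.append(_parse_rule(line.split()[2:]))
    return policy, rules


def _parse_rule(tokens):
    """Every option used here takes exactly one argument, so we step by two."""
    rule, i = {}, 0
    while i < len(tokens):
        tok, arg = tokens[i], (tokens[i + 1] if i + 1 < len(tokens) else None)
        if tok == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif tok == "-i":
            rule["iface"] = arg
        elif tok == "-p":
            rule["proto"] = arg
        elif tok == "--mac-source":
            rule["mac"] = arg.lower()
        elif tok == "--dport":
            rule["dport"] = int(arg)
        elif tok == "-j":
            rule["target"] = arg
        # "-m mac", "-m tcp" and "--reject-with X" add no condition of their own
        i += 2
    return rule


def verdict(policy, rules, pkt):
    """First rule whose every condition matches decides; otherwise the policy."""
    src = ipaddress.ip_address(pkt["src"])
    for r in rules:
        if "src" in r and src not in r["src"]:
            continue
        if "iface" in r and pkt.get("iface") != r["iface"]:
            continue
        if "proto" in r and pkt.get("proto") != r["proto"]:
            continue
        if "mac" in r and pkt.get("mac", "").lower() != r["mac"]:
            continue
        if "dport" in r and pkt.get("dport") != r["dport"]:
            continue
        return r["target"]
    return policy


def decide(ruleset_text, pkt):
    policy, rules = parse_input_chain(ruleset_text)
    return verdict(policy, rules, pkt)


# Constructed packets: the article's cases plus nginx's own proxy hop and an unlisted port.
SERVER_ITSELF = {"src": "192.168.1.2", "mac": "aa:bb:cc:dd:ee:ff", "iface": "eth0", "proto": "tcp", "dport": 4567}
NGINX_TO_FORUM = {"src": "127.0.0.1", "iface": "lo", "proto": "tcp", "dport": 4567}
STRANGER_FORUM = {"src": "192.168.1.50", "mac": "11:22:33:44:55:66", "iface": "eth0", "proto": "tcp", "dport": 4567}
CLIENT3_WEB = {"src": "192.168.1.3", "mac": "ab:cd:ef:ab:cd:ef", "iface": "eth0", "proto": "tcp", "dport": 80}
CLIENT3_WRONG_MAC = {"src": "192.168.1.3", "mac": "11:22:33:44:55:66", "iface": "eth0", "proto": "tcp", "dport": 80}
CLIENT3_SSH = {"src": "192.168.1.3", "mac": "ab:cd:ef:ab:cd:ef", "iface": "eth0", "proto": "tcp", "dport": 22}

if __name__ == "__main__":
    cases = [("server itself", SERVER_ITSELF), ("nginx -> 4567", NGINX_TO_FORUM),
             ("stranger -> 4567", STRANGER_FORUM), (".3 -> 80", CLIENT3_WEB),
             (".3 wrong MAC -> 80", CLIENT3_WRONG_MAC), (".3 -> 22", CLIENT3_SSH)]
    for name, pkt in cases:
        print(f"{name:20} blacklist={decide(PAGE_RULES, pkt):7} whitelist={decide(WHITELIST_RULES, pkt)}")
```

Two things worth noticing when you run it. The -i lo ACCEPT has to sit before the port 4567 REJECT: nginx connects to 127.0.0.1:4567 itself, and if the order were reversed those proxied connections would be refused too. And the verdict depends only on the source addresses a packet carries, which is the limitation the article points out at the end: the rules cannot tell a whitelisted host from another machine presenting the same addresses.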


Oh, by the way, you also have to make the rules load automatically at boot:

iptables-save > /etc/iptables.up.rules

Modify /etc/network/interfaces

and add a line at the end:

pre-up iptables-restore < /etc/iptables.up.rules

/*************************************** ********************************/

In summary, we first use iptables so that only machines on the whitelist (IP and MAC must both match) can reach port 80, that is, they reach the services through nginx instead of directly.

Then nginx further restricts access per service.

Of course, each service itself also requires an account and password. For example, you can restrict registration in the forum's admin backend, but that is something the service itself provides.

In addition, doing this has some side effects. For example, the clone address GitLab shows is:

http://192.168.1.2:8081/zhuangqiubin/Books_ceshi.git

But port 8081 cannot be accessed directly; the address that goes through nginx is:

http://www.gitlab.zqb.local/zhuangqiubin/Books_ceshi.git

/*************************************** ********************************/

However, both the IP address and the MAC address can be changed on the client.

Modify IP address:

sudo ifconfig eth0 192.168.2.1 netmask 255.255.255.0
sudo /etc/init.d/networking restart

Modify MAC address:

ifconfig eth0 down
ifconfig eth0 hw ether xx:xx:xx:xx:xx:xx
ifconfig eth0 up

For more iptables tutorials, see the following:

Disable the default firewall in CentOS 7.0 and enable the iptables firewall.

Iptables examples

Linux Firewall iptables

Basic use of iptables backup, recovery, and firewall scripts

Detailed description of firewall iptables usage rules in Linux

Iptables firewall settings in Linux
