2

There is a web-hosting server with several sites on it. I need to block some subnets (IP ranges) for some website(s). Is it possible at all? I've tried something like this:

iptables -A OUTPUT -m owner --uid-owner 99 -d 123.123.0.0/13 -j REJECT

but it works only for user 'nobody' and it blocks all sites. With other user IDs it doesn't work. Any suggestions? Please help, thanks in advance.

Evolver

1 Answer

2

I'm not sure if I fully understand the question, but if you want to block incoming connections from an IP range, that's all you need:

iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j REJECT

You need to replace 192.168.1.0/24 with the IP range that should not connect to your web server.

On the other hand, if you want to prevent users on the server from connecting to a certain IP range, you can use the following rule:

iptables -A OUTPUT -d 192.168.1.0/24 -p tcp --dport 80 -j REJECT

Above you need to replace 192.168.1.0/24 with the IP range that shouldn't be connected from your web server.

Vladimir Blaskov
  • Thanks for the quick reply. I need rules not for the entire server, but for specific websites hosted on my server. – Evolver Jul 03 '11 at 07:17
  • Are they hosted on different IP addresses? Or are you using name-based virtual hosting and all the sites share 1 IP address? – Vladimir Blaskov Jul 03 '11 at 07:47
  • Yes, there is just one IP and name-based virtual hosting under cPanel. – Evolver Jul 03 '11 at 08:33
  • Unfortunately there's no easy way to accomplish that with iptables, because it works at a lower OSI model level and doesn't know anything about name-based vhosts. It could be possible to hack something up with -m string --string "...", but it'll be slow and not suitable for use in a production environment. – Vladimir Blaskov Jul 03 '11 at 12:26
  • I noticed that the flag `-i !lo` causes this rule to NOT work. Why? – Dor Mar 05 '18 at 17:02
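The comment thread above ends on the key point: a packet filter sees the source address and port but never the HTTP Host header, so a block that applies to one name-based vhost and not another has to be decided wherever the Host header is visible (the web server itself or a small filtering layer in front of it). The following is an added example, not code from the question or the answer, that models that per-vhost decision with Python's standard `ipaddress` module so it can be tested offline; the hostnames, the blocklist and the `decide`/`is_blocked` functions are constructed for illustration. It also shows a caveat about the range in the question: `123.123.0.0/13` is not on a /13 boundary (the network address is `123.120.0.0`), which `strict=False` normalises the same way the kernel masks it.

```python
"""Per-virtual-host IP-range blocking decided at the HTTP layer (added example)."""
from ipaddress import ip_address, ip_network

# Constructed sample policy: vhost name -> CIDR ranges that may not reach it.
# Hostnames and ranges are made up; 123.123.0.0/13 is the range from the question.
SITE_BLOCKLISTS = {
    "shop.example.test": ["123.123.0.0/13", "203.0.113.0/24"],
    "blog.example.test": ["198.51.100.0/24"],
}


def compile_policy(raw):
    """Parse every CIDR once at load time, so a typo fails loudly (ValueError)
    instead of silently never matching. strict=False masks host bits, so
    123.123.0.0/13 becomes 123.120.0.0/13, as iptables would treat it."""
    return {
        host.lower(): [ip_network(cidr, strict=False) for cidr in cidrs]
        for host, cidrs in raw.items()
    }


POLICY = compile_policy(SITE_BLOCKLISTS)


def host_from_header(header_value):
    """Normalise a Host header value: lower-case it and drop any :port suffix.
    Bracketed IPv6 literals ([2001:db8::1]:443) keep their brackets."""
    host = header_value.strip().lower()
    if host.startswith("["):
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def is_blocked(client_ip, host_header, policy=POLICY):
    """True if client_ip falls inside any blocked range for the requested vhost.
    A vhost with no policy entry is never blocked here; server-wide blocking
    stays where the answer puts it, in the INPUT chain."""
    addr = ip_address(client_ip)
    host = host_from_header(host_header)
    return any(addr in net for net in policy.get(host, ()))


def decide(client_ip, host_header, policy=POLICY):
    """HTTP status the front end should return: 403 for a blocked pair, else 200."""
    return 403 if is_blocked(client_ip, host_header, policy) else 200


if __name__ == "__main__":
    # Constructed sample requests: (client IP, Host header)
    for ip, host in [("123.125.4.4", "shop.example.test"),
                     ("123.125.4.4", "blog.example.test"),
                     ("198.51.100.7", "Blog.Example.test:8080")]:
        print(ip, host, decide(ip, host))
```

The same client address gets a different answer depending on the Host header, which is exactly what a single `iptables -s` rule cannot express on a shared IP; in practice the check lives in the web server's per-vhost access control rather than a custom front end, but the decision it has to make is the one modelled here.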