
I'd like to limit (via iptables or otherwise) inbound traffic on 80/443 to traffic coming from my load balancer. I have the public IP (which doesn't change, of course), but the only private IP info I get is a range (I'm using Rackspace's "Cloud Load Balancer"), and I don't want any traffic coming in from anywhere but my own load balancer (otherwise, somebody who knows my server's IP can just create a cloud load balancer and point it to my server). If I use the public IP, won't the TCP handshake cause a lot of latency (vs being able to directly connect from within my data center)? I want to be able to take my servers entirely offline when I have problems or for updates, but without having to mess with low-level networking junk during these problems/updates.

orokusaki

1 Answer

How about filtering on something that does NOT change, like mac address?

http://tecadmin.net/mac-address-filtering-using-iptables

Allow Full Access to specific MAC
# iptables -I INPUT -m mac --mac-source 3E:D7:88:A6:66:8E -j ACCEPT

Allow port 80
# iptables -I INPUT -p tcp --dport 80 -m mac --mac-source 3E:D7:88:A6:66:8E -j ACCEPT
Greg Askew
  • Excellent, +1 - Do you happen to know how I would get the mac address of a cloud load balancer? Also, does it not seem feasible that the mac address would change, since it's a virtual appliance, vs a dedicated piece of hardware? – orokusaki Jun 06 '13 at 20:13
  • 'arp -a' may reveal the mac address – Greg Askew Jun 06 '13 at 20:19
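As an added example (not from the question or the answer above), the following POSIX shell script generates an iptables-restore ruleset that combines the two ideas in the thread: it accepts 80/443 only from the load balancer's private range and, optionally, only from a given source MAC, and it logs and drops every other packet aimed at those ports so direct hits that bypass the balancer show up in syslog. The CIDR 10.176.0.0/12, the management network 192.0.2.0/24 and the MAC used in the usage call are placeholders, not values from the page; substitute the ranges your provider publishes. One caveat on the MAC approach: the iptables mac match looks at the source MAC of the Ethernet frame, which is the load balancer's MAC only if the balancer sits on the same layer-2 segment; once traffic crosses a router, the frame carries the router's MAC instead, and the rule silently stops matching.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset that admits web traffic
# only from the load balancer. LB_CIDR and the MAC are caller-supplied
# placeholders; the management range 192.0.2.0/24 is a placeholder too.

# Shape-check a dotted-quad CIDR such as 10.176.0.0/12 (no hostnames, prefix 0-32).
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Shape-check a colon-separated MAC such as 3E:D7:88:A6:66:8E.
valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# lb_ruleset LB_CIDR [LB_MAC] -> prints an iptables-restore file on stdout,
# returns 1 (and prints nothing) when either argument is malformed.
lb_ruleset() {
    lb_cidr="$1"
    lb_mac="${2:-}"
    valid_cidr "$lb_cidr" || { echo "bad CIDR: $lb_cidr" >&2; return 1; }
    if [ -n "$lb_mac" ]; then
        valid_mac "$lb_mac" || { echo "bad MAC: $lb_mac" >&2; return 1; }
        mac_match=" -m mac --mac-source $lb_mac"
    else
        mac_match=""
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host opened stay allowed.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Admin SSH only from the management network (placeholder range).
-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT
# Web traffic only from the load balancer's private range (and MAC, if given).
-A INPUT -s $lb_cidr$mac_match -p tcp --dport 80 -j ACCEPT
-A INPUT -s $lb_cidr$mac_match -p tcp --dport 443 -j ACCEPT
# Anything else aimed at 80/443 is logged, then dropped, so bypass attempts are visible.
-A INPUT -p tcp -m multiport --dports 80,443 -j LOG --log-prefix "direct-web-hit: "
-A INPUT -p tcp -m multiport --dports 80,443 -j DROP
COMMIT
EOF
}

# Usage (review the output before loading it, and keep a console open in case
# the management range is wrong):
#   lb_ruleset 10.176.0.0/12 3E:D7:88:A6:66:8E > /tmp/lb.rules
#   sudo iptables-restore < /tmp/lb.rules
```

Because the INPUT policy is DROP, the only thing that changes when you want a server "offline" is the single ACCEPT line for the balancer range: regenerate the file without it (or with a range that matches nothing) and reload, rather than touching interface or routing configuration under pressure.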