
I'd like to block specific ports based on the IP used to connect to my (Linux) dedicated server.

For example, I have the following IPs assigned to my dedicated server:

192.168.0.1
192.168.0.2
192.168.0.3

The first IP (192.168.0.1) would be used specifically for administrative purposes, such as SSH, FTP, WHM, and cPanel. This means that I would want things such as port 80 and port 443 blocked.

Then for the other two IP addresses (192.168.0.2 and 192.168.0.3), I'd want to block the following ports: 21, 22, 2083, 2087, etc. This is because those IP addresses would only be used to serve websites, and should not be allowing access to "administrative ports".

I'd assume I'd have to use some sort of iptables rule, but I'm not exactly sure what.

Also, if it matters, I'm using CentOS 5.

Josh Foskett
  • If you're going to downvote my question, could you please take the time to state why I deserved the downvote? Thanks. – Josh Foskett Aug 05 '13 at 20:06
  • `man iptables` or use Google. I don't find this stuff (e.g. 'chains' in iptables) very easy but I do find the answers that way. BTW I think it's better and easier to just block all incoming traffic (rule 1) and then open port 80 (rule 2). – reinierpost Aug 05 '13 at 20:12
  • My guess is that the downvote is because you didn't explain where exactly you got stuck. It's as if you didn't even try. – reinierpost Aug 05 '13 at 20:13

1 Answer


I'd go the other way round: block everything and only allow specific services. In this example, your eth0 is configured with the 192.168.0.1, and the other two interfaces are used for the public services.

# iptables-restore format; on CentOS 5 this goes in /etc/sysconfig/iptables
*filter
# default policy: drop anything not explicitly accepted below
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
# replies to connections the server already knows about
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# admin services (FTP, SSH, cPanel, WHM) only on the admin interface
-A INPUT -i eth0 -p tcp -m multiport --dports 21,22,2083,2087 -m state --state NEW -j ACCEPT
# web services only on the other interfaces; "-i ! eth0" is the negation syntax
# of the iptables shipped with CentOS 5, newer releases write it "! -i eth0"
-A INPUT -i ! eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
COMMIT
dawud
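The answer keys its rules on the interface. When the three addresses are aliases on a single NIC, as is common on a dedicated server, the same allow-list approach works by matching the destination address with `-d` instead. The script below is an added example, not part of the answer; it generates an iptables-restore ruleset from the question's addresses and ports and keeps the same default-drop structure (the `gen_rules` and `count_accepts` function names are my own):

```shell
#!/bin/sh
# Constructed example: emit an iptables-restore ruleset that allows each
# service only on the address it should be reachable on. Addresses and
# ports are the ones from the question; nothing here touches the kernel.
ADMIN_IP=192.168.0.1
ADMIN_PORTS=21,22,2083,2087
WEB_IPS="192.168.0.2 192.168.0.3"
WEB_PORTS=80,443

# Print the ruleset on stdout. Default policy is DROP, so a daemon bound to
# 0.0.0.0:22 is still only reachable through the admin address.
gen_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p icmp -j ACCEPT'
    # admin services (FTP, SSH, cPanel, WHM) only on the admin address
    printf '%s\n' "-A INPUT -d $ADMIN_IP -p tcp -m multiport --dports $ADMIN_PORTS -m state --state NEW -j ACCEPT"
    # web services only on the web-serving addresses
    for ip in $WEB_IPS; do
        printf '%s\n' "-A INPUT -d $ip -p tcp -m multiport --dports $WEB_PORTS -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

# Sanity check before loading: number of ACCEPT rules in the generated set
# (lo, RELATED/ESTABLISHED, icmp, admin, one per web address).
count_accepts() {
    gen_rules | grep -c -- '-j ACCEPT'
}

# To apply on CentOS 5 (as root):
#   gen_rules > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
```

Review the output with `gen_rules` first; loading it over an SSH session that does not come in via 192.168.0.1 will cut that session off, since the ruleset only permits new SSH connections to the admin address.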