
I have seen a couple of dead threads like this

IP Address Restriction in Bonsai ElasticSearch as a Heroku Addon

and this

https://stackoverflow.com/questions/16121531/tomcat-restrict-ip-access-ip-range-format

This is the first time I have hosted an ElasticSearch server on a Linux machine. Let's assume my ES server is located at http://161.241.117.47:9200 and I have an app server at 161.241.117.41.

My question is: what can I do with my iptables so that HTTP requests to 161.241.117.47:9200 are only catered for if they come from 161.241.117.41?

Also, is there a possibility of creating a rule in iptables based on Ethernet address, so I can connect from my laptop using HTTP?

I know I can use something like the following:

sudo iptables -A INPUT -p tcp --dport 9200 -j ACCEPT

But this will allow all incoming connections.

When I used the suggestions from the following answer it worked correctly with one IP but didn't for two! My iptables currently look like this and are not able to filter multiple IPs:

:INPUT ACCEPT [554:135189]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3207:497908]
-A INPUT -s 182.72.29.250/32 -p tcp -m tcp --dport 9200:9400 -j ACCEPT
-A INPUT -s 162.243.225.24/32 -p tcp -m tcp --dport 9200:9400 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9200:9400 -j REJECT --reject-with icmp-port-unreachable
COMMIT
– Sap

1 Answer

First, you need to set which IPs can reach the computer:

iptables -I INPUT 1 -p tcp --dport 9200:9400 -s IP_ADDRESS_1,IP_ADDRESS_2,IP_ADDRESS_3 -j ACCEPT

Then, you need to make sure that no IP except the specified ones can reach your ports:

iptables -I INPUT 4 -p tcp --dport 9200:9400 -j REJECT

Finally, save your settings to a file:

sudo sh -c "iptables-save > /etc/iptables.rules"

If you want these changes to persist across reboots, execute sudo vi /etc/network/interfaces and add the following: pre-up iptables-restore < /etc/iptables.rules

A few things to remember:

  1. You can add more IPs to the first command.
  2. If you add extra IPs you must change the value (4) in the second command. It is the rule position, so the REJECT must be the last rule: add 1 for each IP you add.

– shyos
  • Does that mean that if I have only two IPs then the second command will have 2? Also, is there any way we can restrict access via Ethernet address? – Sap Feb 11 '14 at 08:55
  • If you have two IPs the second command will have 3 (if you don't have any other iptables settings). For your second question, I don't have the answer :( – shyos Feb 11 '14 at 08:59
  • Hey, what is the meaning of 9400? – Sap Feb 11 '14 at 10:49
  • It worked for a single IP but when I did multiple IPs it is not working. Any idea? I have updated my question to show the latest iptables. – Sap Feb 11 '14 at 12:04
  • It disables from 9200 to 9400, since by default Elasticsearch uses these ports. – shyos Feb 11 '14 at 12:05
  • So, what is the current situation? With the above settings you should be able to reach the server on 9200-9400 from only those two IPs. – shyos Feb 11 '14 at 12:19
  • Well, I tried to access it from 182.72.29.250 but I could not. Neither telnet nor Elasticsearch. I finally ended up flushing the tables. – Sap Feb 11 '14 at 12:43
  • -I INPUT 4 <-- why 4? What does that stand for? – Henley Feb 15 '14 at 19:24
  • @HenleyChiu it is the order of the rule: rule 1 IP_1, rule 2 IP_2, rule 3 IP_3 and rule 4 is REJECT for what's left. – shyos Feb 16 '14 at 10:29
  • Don't forget to add 127.0.0.1 to the IP list. – Zero Zhang Mar 20 '15 at 18:14