Linode Community Forums
 Post subject: Very restrictive access?
PostPosted: Thu Jun 22, 2006 12:47 pm 
Newbie

Joined: Thu Jun 22, 2006 12:33 pm
Posts: 2
I am new to Linode and somewhat familiar w/ Linux (read: hack). I have a very specific need for a server to run as a no-cache web proxy from my location ONLY.
I am running CentOS 3.1 and I turned off and uninstalled most unneeded services, but spammers were relaying their "Products" through it.

Is there a simple iptables command that could block ALL from accessing my server except my subnet? I am asking this in case it is all figured out and I don't screw up and block my own SSH access to the server and have to start from scratch.

thanks,


PostPosted: Thu Jun 22, 2006 4:26 pm 
Senior Member

Joined: Sat Jun 05, 2004 12:49 am
Posts: 333
It'd probably be better to use the web proxy ACL to limit it to your IP instead of going through iptables for such an occasion; if you have to access your Linode from outside of your subnet you'd still be able to get access to it.


PostPosted: Thu Jun 22, 2006 4:36 pm 
Newbie

Joined: Thu Jun 22, 2006 12:33 pm
Posts: 2
Is that something provided through the Linode web interface to manage my server, or are you speaking of my account's web server ACL? Because I want a much broader block than just my web traffic.
thanks!


PostPosted: Fri Jun 23, 2006 11:26 am 
Junior Member

Joined: Wed Feb 01, 2006 1:24 am
Posts: 40
I might just be talking out my nose here; I can't try it. But it looks like it might work.

I guess you are using plain iptables rules? I use Firehol. I find I actually UNDERSTAND Firehol, even if it gives me fits every once in a while! (All badly written rules on my part, but from what I understand, a miswritten iptables rule is just as bad as (if not much worse than) a miswritten Firehol rule, as Firehol tries to failsafe badly written rules.)

If you use Firehol to make your firewall rules, you should be able to modify your interface statement thusly:

Code:
interface eth0 linode src "xxx.yyy.zzz.0/24 1.2.3.4"


What this rule SHOULD do (I haven't used it, the docs are here: http://firehol.sourceforge.net/commands.html#parameters) is that it will match the SOURCE of the incoming packet to the rules in quotes (Is the source in subnet xxx.yyy.zzz.0? Is the source 1.2.3.4?). If so, it moves on into your firewall rules. If not, the packet is dropped. And you can add addresses as you need to by just putting "{space} {ip address}" into the quotes in the rule.

Is that what you were looking for?


PostPosted: Fri Jun 23, 2006 2:48 pm 
Senior Member

Joined: Wed Aug 13, 2003 10:24 am
Posts: 55
Even if you overly restrict network access by messing up your iptables chains or misconfigure firewall software, you can always still log in over the console (log in to host machine to access). So you don't need to be afraid to experiment.

I don't think there is any single iptables command that will work for you with any existing configuration. A new iptables rule needs to work with the other rules that are already in place. It may be easiest for you to use firewall software and configure that to do what you want rather than deal with iptables directly.

If you dump and post your current iptables state, with 'iptables -n -L -v' it's possible that some iptables guru would be able to tell you a magic incantation to do what you want. Of course, it's also possible some lowlife will use it to discover a vulnerability.

Roy


PostPosted: Tue Jul 04, 2006 10:49 am 

Joined: Tue Jul 04, 2006 10:39 am
Posts: 1
I think you will find that if you do that kind of a firewall rule, your web proxy will stop working. It's called DNS.

If spammers are using your server to send email, then remove your smtp server. If it's your web proxy they are using, then use the ACLs it (hopefully) provides to restrict it to yourself only. Better yet, make it require authentication (a username/password) to use.

If you must, then use iptables to firewall out all incoming new connections except from your own subnet (which probably also includes a bunch of other people as well). However, you will probably find that some other things will end up not working, along with lots of inconveniences.
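The rule the last two replies converge on (accept established traffic and new connections from the trusted subnet only, drop the rest), combined with a timed rollback for the lockout worry the original poster raised. This is an added example, not code from anyone in the thread; the 192.0.2.0/24 network is a constructed placeholder and the function names are my own.

```shell
#!/bin/sh
# Added example: restrict NEW inbound connections to one trusted subnet with
# iptables, and load the ruleset behind a rollback timer so that a mistake
# does not cut off the administrator's SSH session.
set -eu

ALLOWED_NET="${ALLOWED_NET:-192.0.2.0/24}"   # constructed placeholder subnet

# Emit the ruleset in iptables-restore format. Order matters: loopback and
# ESTABLISHED/RELATED traffic are accepted before the source check, so replies
# to the proxy's own outbound DNS lookups and web fetches still get in (the
# DNS concern raised above), while only NEW inbound connections are limited
# to the trusted subnet. The INPUT policy is DROP, so nothing else matches.
build_rules() {
    net="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s ${net} -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Load the new ruleset, but restore the saved one after DELAY seconds unless
# the administrator kills the timer once a fresh SSH login is confirmed.
apply_with_rollback() {
    net="$1"
    delay="${2:-120}"
    backup=$(mktemp)
    iptables-save > "$backup"
    build_rules "$net" | iptables-restore
    ( sleep "$delay" && iptables-restore < "$backup" ) &
    echo "rollback timer pid $!: kill it once a new SSH login succeeds"
}

# Print the generated ruleset for review; apply_with_rollback is run by hand.
build_rules "$ALLOWED_NET"
```

Run `apply_with_rollback 192.0.2.0/24 120` as root, open a second SSH session, and only then kill the timer; if the second login fails, the old rules come back on their own.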