Hello,
I'm using csf with cPanel and so as we offer free webhosting and paid we've setup 2 network nics eth0 and eth1
eth0 - Which is default and primary, is used for free clients and has been limited to 80-100MB/s internet speed,
eth1 - Isn't limited it is just for paid clients.
Due to abuses i was forced to do this so now while setting this up i had some problems with port configurations,
i won't apply csf rules for my eth1 i just want them for eth0, is there anyway to make csf to ignore eth1 ?!
I know that i can open ports as i can for eth0, but csf has some other rules which limit usage of service ofcourse for protection reasons but they shouldn't be applied in my case for paid clients!
Is this possible?
Thank you for support..
Ignore eth1 from iptables rules!
Re: Ignore eth1 from iptables rules!
You are playing with fire. You can but this would be ill-advised as bots scan across IPs and attack anything.
ETH_DEVICE_SKIP = "eth1"
ETH_DEVICE_SKIP = "eth1"
Re: Ignore eth1 from iptables rules!
I wanted to block all the incoming route to eth1 but only allow port 21. Just so that external IP can't access to our web server, ftp server, etc. Only allow port 21 for SSH access. Ping should work too.
The cleanest way would be to configure the web/ftp-servers to listen only on the internal interface. This way, you wouldn't have to worry about any networking related techniques at all.
If you can't do that for any reason, apply these rules:
(SSH's default port is 22 by the way, but I think you know best where your SSH listens.)
On the local network (eth0), anyone should be able to access anything but just block local ip's 192.168.1.20 and 192.168.1.30 from accessing to 192.168.1.50 server.
Simple:
That drops all packets from these hosts. If you want ping allowed here as well, use a similar rule for icmp like on eth1.
The cleanest way would be to configure the web/ftp-servers to listen only on the internal interface. This way, you wouldn't have to worry about any networking related techniques at all.
If you can't do that for any reason, apply these rules:
Code: Select all
iptables -A INPUT -i eth1 -p icmp -j ACCEPT # allow ping
iptables -A INPUT -i eth1 -p tcp --dport 21 -j ACCEPT # allow SSH
iptables -A INPUT -i eth1 -j DROP # drop everything elseOn the local network (eth0), anyone should be able to access anything but just block local ip's 192.168.1.20 and 192.168.1.30 from accessing to 192.168.1.50 server.
Simple:
Code: Select all
iptables -A INPUT -i eth0 -s 192.168.1.20 -j DROP
iptables -A INPUT -i eth0 -s 192.168.1.30 -j DROP