How can I make a whitelist of n IP addresses (about 300 now, planned to grow to 700) for port 80?

Server information: Ubuntu v16.04.1 (Linux v4.4.0-31) and Nginx v1.11.3


    You need to add approximately the following lines to the virtual host configuration if you want to do this via nginx:

     location / {
         allow 100.23.45.14;   ## IP that should be allowed access
         allow 100.23.45.15;   ## IP that should be allowed access
         deny all;
     }

    If you want to do this through iptables, then you need to add the following rules:

     iptables -I INPUT -s <allowed_ip> -p tcp --dport 80 -i eth0 -j ACCEPT
     iptables -A INPUT -j DROP -p tcp -i eth0 --dport 80

    The first line must be repeated once for every IP address you want to add to the allowed list.

    Consider the iptables options:

    • -I: insert the rule at the beginning of the chain
    • -A: append the rule to the end of the chain
    • -s: source IP address
    • -j: the action to perform if the packet matches the current rule (ACCEPT accepts the packet, DROP drops it)
    • -p: protocol
    • --dport: the destination port the packet is expected on
    • -i: interface
    • The OP of course didn't say how many IPs there are, but if there are a lot of them, iptables will slow down the kernel (at > 1000 rules). It is strongly recommended to split the rules into chains or to use ipset - Mike
    • And which has the lowest resource cost for blocking, nginx, iptables or ipset, if we are talking about a list of 300+ thousand addresses? - users
    • @Skar404, of the proposed solutions, of course ipset: thanks to the hashing algorithms, the response time is almost independent of the size of the table, unlike iptables, which has a linear increase in response time (comparison against all rules). - Firepro
    • It depends on what we are blocking - all traffic or specific sites. I definitely don't recommend iptables. It works in kernel mode and the processor gets heavily loaded by that many rules - gecube

    I will add this as a separate answer; I already gave it in the comments to the previous answer, but the formatting is lost in comments.

    First of all, for nginx you should move all the allow directives into a separate file, so as not to clutter the config file and to improve readability.

     location / {
         include whitelist.txt;
     }

    File whitelist.txt:

      allow 100.23.45.14;
      allow 100.23.45.15;
      deny all;

    Secondly, the comments mentioned a large number of hosts: do not forget that nginx (unlike apache, which still cannot do this, what a shame!) understands subnets:

     # Rostelecom provider, Belgorod
     allow 213.24.126.0/24;
     deny all;

      For the whitelist I used ipset + iptables.

      Create two new lists:

       ipset -N whitelist iphash        # for addresses (equivalent modern syntax: ipset create whitelist hash:ip)
       ipset -N whitelist_net nethash   # for networks  (equivalent modern syntax: ipset create whitelist_net hash:net)

      Add new addresses to the whitelist:

       ipset -A whitelist 100.23.45.14
       ipset -A whitelist_net 100.23.45.0/24

      Create rules that use the lists:

       iptables -A INPUT -m set --match-set whitelist src -p tcp --dport 80 -j ACCEPT
       iptables -A INPUT -m set --match-set whitelist_net src -p tcp --dport 80 -j ACCEPT

      and close port 80:

       iptables -A INPUT -j DROP -p tcp --dport 80

      Additional information:

      https://habrahabr.ru/post/108691/
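As an added example that is not part of any of the three answers above, the following POSIX shell script ties them together: it validates a whitelist file (one IPv4 address or IPv4/prefix per line), writes the body of the nginx whitelist.txt include from the second answer, and builds the ipset of the third answer, loaded through `ipset restore` into a temporary set that is then swapped in, so the live set is never empty while it is being refreshed. One hash:net set is used for both hosts and networks, since hash:net stores a bare address as /32, which replaces the separate iphash and nethash sets. The set name `whitelist`, the `APPLY` switch, the `SAMPLE_WHITELIST` entries (constructed, including a deliberately bad line) and the helper function names are assumptions for this example. Nothing touches ipset or iptables unless `APPLY=1` and a file path are given, and that path requires root.

```shell
#!/bin/sh
# Added example (not code from the original answers). Assumptions: the ipset
# is called "whitelist" (override with SET_NAME), the input holds one IPv4
# address or IPv4/prefix per line, '#' starts a comment, and nothing is
# applied unless APPLY=1 and a file path are given on the command line.

SET_NAME="${SET_NAME:-whitelist}"

# Constructed sample input: a comment line, a trailing comment, a blank line
# and one malformed entry that must be rejected.
SAMPLE_WHITELIST='# Rostelecom provider, Belgorod
213.24.126.0/24
100.23.45.14
100.23.45.15   # trailing comment
100.23.45.0/24

not-an-ip
'

# valid_ipv4 ADDR[/PREFIX]: succeed only for a dotted quad with octets 0-255
# and an optional prefix length 0-32. Pure shell, no external tools.
valid_ipv4() {
    entry=$1
    addr=${entry%%/*}
    prefix=${entry#*/}
    [ "$prefix" != "$entry" ] || prefix=32          # no '/': a host entry
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in .*|*.|*..*) return 1 ;; esac    # empty octet somewhere
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# parse_whitelist: read entries from stdin, drop comments, blank lines and
# duplicates, print valid entries one per line, report bad ones on stderr.
# Exit status is 1 if anything was rejected, so callers can fail closed.
parse_whitelist() {
    rejected=0
    seen=' '
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        case "$seen" in *" $line "*) continue ;; esac
        seen="$seen$line "
        if valid_ipv4 "$line"; then
            printf '%s\n' "$line"
        else
            printf 'rejected entry: %s\n' "$line" >&2
            rejected=1
        fi
    done
    return "$rejected"
}

# nginx_whitelist: turn validated entries (stdin) into the body of the nginx
# include file: one allow per entry (nginx accepts CIDR), then deny all.
nginx_whitelist() {
    while IFS= read -r e; do
        [ -n "$e" ] && printf 'allow %s;\n' "$e"
    done
    printf 'deny all;\n'
}

# ipset_restore_script: emit input for `ipset restore` that fills a fresh set
# and swaps it in atomically, so the live set is never empty mid-refresh.
ipset_restore_script() {
    printf 'create %s_new hash:net\n' "$SET_NAME"
    while IFS= read -r e; do
        [ -n "$e" ] && printf 'add %s_new %s\n' "$SET_NAME" "$e"
    done
    printf 'swap %s_new %s\n' "$SET_NAME" "$SET_NAME"
    printf 'destroy %s_new\n' "$SET_NAME"
}

# apply_whitelist FILE: validate, load the set atomically, then make sure the
# two iptables rules exist (iptables -C keeps re-runs from adding duplicates).
# Needs root. A single bad entry aborts before any kernel state is touched.
apply_whitelist() {
    entries=$(parse_whitelist < "$1") || {
        echo "refusing to apply $1: invalid entries" >&2; return 1; }
    ipset -exist create "$SET_NAME" hash:net || return 1
    ipset destroy "${SET_NAME}_new" 2>/dev/null || true     # stale temp set
    printf '%s\n' "$entries" | ipset_restore_script | ipset restore || return 1
    iptables -C INPUT -p tcp --dport 80 -m set --match-set "$SET_NAME" src -j ACCEPT 2>/dev/null ||
        iptables -I INPUT -p tcp --dport 80 -m set --match-set "$SET_NAME" src -j ACCEPT || return 1
    iptables -C INPUT -p tcp --dport 80 -j DROP 2>/dev/null ||
        iptables -A INPUT -p tcp --dport 80 -j DROP || return 1
}

# Without APPLY=1 only the generated text is printed, so this runs unprivileged.
if [ "${APPLY:-0}" = 1 ] && [ -n "${1:-}" ]; then
    apply_whitelist "$1" || exit 1
else
    entries=$(printf '%s' "$SAMPLE_WHITELIST" | parse_whitelist) ||
        echo "sample has invalid entries; they were reported above and skipped" >&2
    echo "# whitelist.txt for nginx"
    printf '%s\n' "$entries" | nginx_whitelist
    echo "# ipset restore input"
    printf '%s\n' "$entries" | ipset_restore_script
fi
```

Run it as `sh whitelist.sh` to see the generated nginx include and ipset restore input for the sample (the `not-an-ip` line is reported and rejected), or as `APPLY=1 sh whitelist.sh /etc/whitelist.txt` as root to load the set and install the rules. Because `apply_whitelist` refuses the whole file when any entry is malformed, a typo cannot silently lock out a client, and because the swap is a single ipset command, clients in the list never see the gap that a flush-then-add sequence would create. For lists in the hundreds of thousands of entries, as raised in the comments, the default `maxelem` of a hash:net set (65536) must be raised at `create` time.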