
Not allow whole private subnet access to containers #124

Closed
XxAcielxX opened this issue Sep 24, 2024 · 6 comments

Comments

@XxAcielxX

Hello,

I have added your rules at the bottom of after.rules, and everything works. Now I don't want everyone on my private subnet 192.168.1.0/24 to access my containers on 192.168.1.21.

How can this be implemented, so I can create rules to allow incoming traffic from certain IPs, e.g., allow from 192.168.1.2 to 192.168.1.21 port 8989/tcp?

Regards

@deviationist

Bump

@deviationist

@chaifeng Any update on this?

@chaifeng
Owner

chaifeng commented Nov 8, 2024

  • Deny access from network 192.168.1.0/24: ufw route deny from 192.168.1.0/24 to any
  • Allow all access from an IP: ufw route allow from 192.168.1.2 to any
  • Allow access to a certain port from an IP: ufw route allow from 192.168.1.2 to any port 8989/tcp

@XxAcielxX
Author

  • Deny access from network 192.168.1.0/24: ufw route deny from 192.168.1.0/24 to any
  • Allow all access from an IP: ufw route allow from 192.168.1.2 to any
  • Allow access to a certain port from an IP: ufw route allow from 192.168.1.2 to any port 8989/tcp

Adding a block rule above and then allow rules below: doesn't that make the allow rules ineffective?

@chaifeng
Owner

chaifeng commented Nov 9, 2024

  • Deny access from network 192.168.1.0/24: ufw route deny from 192.168.1.0/24 to any
  • Allow all access from an IP: ufw route allow from 192.168.1.2 to any
  • Allow access to a certain port from an IP: ufw route allow from 192.168.1.2 to any port 8989/tcp

Adding a block rule above and then allow rules below: doesn't that make the allow rules ineffective?

Yes, without the first deny rule, both allow rules are ineffective.

The original rules already include 192.168.0.0/16. The first deny rule still works as expected, allowing all IPs from 192.168.0.0/16 except 192.168.1.0/24 to access the containers. Based on this precondition, the following two allow rules permit certain IPs from 192.168.1.0/16 to access the containers.

@XxAcielxX
Author

I have tested the above solution and it works, but one thing to keep in mind is that:

You will first need to add the route allow rules and then the route deny rule for the whole subnet; otherwise it will not work and will block everything.

Example:

...
ufw route allow from 192.168.1.5
ufw route allow from 192.168.1.6 to any port 80,443 proto tcp
ufw route allow from 192.168.1.7 to any port 80,443 proto tcp
...
ufw route deny from 192.168.1.0/24

I'll mark this as solved now.
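To make the ordering point from this thread concrete, here is an added example that is not code from the thread or from the ufw-docker project: a small Python model that evaluates `ufw route` rules in first-match order. It assumes only the rule syntax used above, models the thread's stated precondition (after.rules already admits 192.168.0.0/16 to the containers) as a baseline allow checked after the user's route rules, and drops anything that matches nothing. The sample flows are constructed. Running it with the deny rule last versus first shows why the allow rules become ineffective when the subnet deny comes before them.

```python
"""Model of first-match evaluation for `ufw route` rules (constructed for this
example; it is not ufw's or ufw-docker's code and only covers the rule
syntax used in the thread)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    src: ipaddress.IPv4Network         # source host (/32) or network
    ports: Optional[FrozenSet[int]]    # None means any destination port
    proto: Optional[str]               # None means any protocol


# Subset of the `ufw route` grammar seen in this thread:
#   ufw route allow from 192.168.1.5
#   ufw route allow from 192.168.1.2 to any port 8989/tcp
#   ufw route allow from 192.168.1.6 to any port 80,443 proto tcp
RULE_RE = re.compile(
    r"^ufw route (?P<action>allow|deny) from (?P<src>\S+)"
    r"(?: to any)?"
    r"(?: port (?P<ports>[\d,]+)(?:/(?P<proto1>tcp|udp))?)?"
    r"(?: proto (?P<proto2>tcp|udp))?$"
)


def parse_rule(line: str) -> Rule:
    """Turn one `ufw route ...` command line into a Rule."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    ports = m.group("ports")
    return Rule(
        action=m.group("action"),
        src=ipaddress.ip_network(m.group("src"), strict=False),
        ports=frozenset(int(p) for p in ports.split(",")) if ports else None,
        proto=m.group("proto1") or m.group("proto2"),
    )


# The thread's precondition: after.rules already admits 192.168.0.0/16 to the
# containers. In this model it is checked after the user's route rules
# (modelling assumption), and a flow that matches nothing is dropped.
BASELINE_ALLOW = Rule("allow", ipaddress.ip_network("192.168.0.0/16"), None, None)


def build_policy(rule_lines: List[str]) -> List[Rule]:
    return [parse_rule(line) for line in rule_lines] + [BASELINE_ALLOW]


def decide(policy: List[Rule], src_ip: str, dport: int, proto: str) -> str:
    """First matching rule wins; no match means the traffic is dropped."""
    ip = ipaddress.ip_address(src_ip)
    for rule in policy:
        if ip not in rule.src:
            continue
        if rule.ports is not None and dport not in rule.ports:
            continue
        if rule.proto is not None and rule.proto != proto:
            continue
        return rule.action
    return "deny"


# The rule set from the last comment, in the order the author reports works...
WORKING_ORDER = [
    "ufw route allow from 192.168.1.5",
    "ufw route allow from 192.168.1.6 to any port 80,443 proto tcp",
    "ufw route allow from 192.168.1.7 to any port 80,443 proto tcp",
    "ufw route deny from 192.168.1.0/24",
]
# ...and the same rules with the subnet deny placed first.
DENY_FIRST_ORDER = [WORKING_ORDER[-1]] + WORKING_ORDER[:-1]

# Constructed sample flows: (source IP, destination port, protocol).
SAMPLE_FLOWS: List[Tuple[str, int, str]] = [
    ("192.168.1.5", 22, "tcp"),    # host allowed on every port
    ("192.168.1.6", 443, "tcp"),   # host allowed only on 80/443
    ("192.168.1.6", 22, "tcp"),    # same host, port not in its allow rule
    ("192.168.1.9", 80, "tcp"),    # host in the denied /24 with no allow rule
    ("192.168.2.10", 80, "tcp"),   # outside the /24, still covered by the /16 baseline
]


def evaluate(rule_lines: List[str]) -> Dict[Tuple[str, int, str], str]:
    """Verdict for every sample flow under the given rule order."""
    policy = build_policy(rule_lines)
    return {flow: decide(policy, *flow) for flow in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, order in (("deny last", WORKING_ORDER), ("deny first", DENY_FIRST_ORDER)):
        print(f"--- {name} ---")
        for (src, port, proto), verdict in evaluate(order).items():
            print(f"{src:>14} -> port {port}/{proto}: {verdict}")
```

With the deny last, 192.168.1.5 reaches every port, 192.168.1.6 reaches only 80 and 443, the rest of 192.168.1.0/24 is refused, and hosts elsewhere in 192.168.0.0/16 are still admitted by the baseline. With the deny first, every host in 192.168.1.0/24 is refused before its allow rule is ever consulted, which is the behaviour the author describes as "will block everything".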
