simple iptables ruleset?

Folks, This is driving me up the wall... I've written a script which appears to work on my LAN - I can successfully accept/deny folk either by their IP, network and port - however when I try it in a live environment, it stops all traffic.

There are too many fences between me and the outside world (BigIP and reverse proxies for example) so I don't know what might be happening to the packets as they come in so I'm wondering if someone can help me write up a ruleset to do the following:

1. Allow all traffic from a selection of IP subnets (for example, allow 192.168.1.0 through to 192.168.10.0). They should have full access to all ports.
2. Allow access to port 22 (ssh) and 8001 (weblogic) using tcp/http traffic from a specific IP address (for example 192.168.168.168).
3. Deny everything else.

What is known: When traffic goes through my BigIPs and proxies and other fences between me and the outside world, their IP address is carried. I've tested this via a dialup internet GPRS connection using my laptop. As soon as I switch off iptables, access to my web-based app works - as soon as I enable the firewall, access to my web app fails even though I explicitly have a rule to allow it by source IP and port.

One thing that has just crossed my mind - BigIP listens at port 80, does a redirect from HTTP to HTTPS and then from there it goes through some proxies before hitting my application server at port 8001. I would therefore guess that my rules should apply to 8001 (since iptables is on application server).

Is there anything I am omitting? I'm going to persist in learning more about iptables as it appears to be an art - but when I had my script working on my laptop, and it tested fine on my LAN, I would have expected it to work.

Can anyone help? It would be greatly appreciated,

Thanks, Randell D.


No. Because you described a technical problem in quite nice prose but without providing even a single piece of information required to deal with such problems.

So please describe your setup correctly:

Client IP, netmask, type of gateway(s) on the way from client to destination, the destination IP, your iptables ruleset, the service you would like to connect to, extracts from logfiles etc.

And please no more prose ...

In general: the last 2 rules of every chain should look something like:

iptables -A <chain> -j LOG
iptables -A <chain> -j DROP

This ensures that every packet that is dropped shows up in the logfile.

Wolfgang

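Added example, not code from either post in the thread: a shell script that builds the INPUT chain the question describes (a trusted address range with full access, one host limited to ports 22 and 8001, everything else denied) and closes the chain with the LOG-then-DROP pair recommended in the reply. The addresses, the range and the "INPUT DROP: " log prefix are constructed placeholders. The loopback and ESTABLISHED,RELATED rules are an assumption added so that the server's own outbound connections get their replies and an administrator's existing SSH session survives the reload. By default the script runs with IPT="echo iptables" and only prints the commands; pass the word apply to load them for real.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the INPUT chain
# the question asks for and ends it with the LOG + DROP pair from the
# reply. IPT="echo iptables" previews the commands without root.

IPT="${IPT:-iptables}"

# Constructed values; replace with the real addresses.
TRUSTED_RANGE="192.168.1.0-192.168.10.255"   # full access to every port
ADMIN_HOST="192.168.168.168"                 # may reach ssh and weblogic only
ADMIN_PORTS="22 8001"

build_ruleset() {
    # Open the policy while rebuilding so an SSH session used to apply
    # the script is not cut off halfway through.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT

    # Loopback and replies to connections the server itself opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 1: trusted subnets get everything.
    $IPT -A INPUT -m iprange --src-range "$TRUSTED_RANGE" -j ACCEPT

    # 2: one host gets ssh and the application port.
    for port in $ADMIN_PORTS; do
        $IPT -A INPUT -p tcp -s "$ADMIN_HOST" --dport "$port" -j ACCEPT
    done

    # 3: log what is about to be dropped (rate limited so a flood
    # cannot fill the disk), then drop it. The source address in these
    # log lines is the address the firewall actually sees, which is the
    # quickest way to confirm which hop the packets arrive from.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: " --log-level 4
    $IPT -A INPUT -j DROP
    $IPT -P INPUT DROP
}

# Default to a dry run; pass "apply" to load the rules for real.
case "${1:-preview}" in
    apply)   build_ruleset ;;
    *)       IPT="echo iptables"; build_ruleset ;;
esac
```

Once loaded, the rate-limited LOG lines in the kernel log (dmesg, or /var/log/messages or similar depending on the distribution) show the source address and destination port of every packet the chain refused, which is the information the reply asks for and the quickest way to see whether the application server receives traffic from the client's address or from the proxy tier in front of it.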

