How to Block All HTTPS Traffic Except to a Single IP Using iptables

If you’re configuring a microservice for your web application and want it to accept HTTPS connections from a single IP address only, you can do this with iptables rules. Here is the ruleset (run as root; replace X.X.X.X with the address you want to allow):

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
# iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
# iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
# iptables -A INPUT -m conntrack --ctstate INVALID --jump DROP
# iptables -A FORWARD -m conntrack --ctstate INVALID --jump DROP
# iptables -A OUTPUT -m conntrack --ctstate INVALID --jump DROP

# iptables -A INPUT --in-interface lo --jump ACCEPT
# iptables -A OUTPUT --out-interface lo --jump ACCEPT
# iptables -A INPUT -p tcp -m tcp --source X.X.X.X/32 --dport 443 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --source X.X.X.X/32 --dport 22 -j ACCEPT
# Optional debugging rules (log whatever reaches the end of each chain) to help you set up:
# iptables -A INPUT -j LOG
# iptables -A FORWARD -j LOG
# iptables -A OUTPUT -j LOG

This set of iptables rules will drop all incoming and forwarding traffic by default, except for established and related connections. It will also drop any invalid connections. The rules then allow incoming traffic from the specified IP address on ports 443 (for HTTPS) and 22 (for SSH). The last three lines are optional debugging rules to help you set up and troubleshoot your configuration.
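The same ruleset, as an added example that is not part of the original post: a POSIX shell function renders it as an iptables-restore file for one allowed address (the post's X.X.X.X placeholder becomes a command-line argument), and the address is validated before anything is emitted so a typo cannot lock you out. `iptables-restore < file` then applies all rules atomically instead of one `iptables -A` at a time.

```shell
#!/bin/sh
# Added example, not from the original post. Renders the post's ruleset as an
# iptables-restore file for one allowed IPv4 source (argument 1).

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Split on '.' in a subshell so IFS and "$@" of the caller stay untouched.
    (IFS=.; set -- $1; for octet; do [ "$octet" -le 255 ] || exit 1; done)
}

# Print the ruleset in iptables-restore format. Policies: INPUT and FORWARD
# drop by default, OUTPUT stays ACCEPT (the post never changes it). The OUTPUT
# loopback rule matches on the outgoing interface (-o), which is what the
# OUTPUT chain can see.
gen_rules() {
    ip=$1
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p tcp -s ${ip}/32 --dport 443 -j ACCEPT
-A INPUT -p tcp -s ${ip}/32 --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Usage: gen_rules 203.0.113.10 > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

The trailing LOG rule sits after every ACCEPT, so it records only the packets the INPUT policy is about to drop, which is what you want to read while troubleshooting.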

These rules apply to IPv4 only. If you don’t care about IPv6, you can leave out any IPv6-related (ip6tables) rules and keep only the loopback interface rules shown above.

Remember that if you need DNS functionality, you’ll need to add additional rules to allow DNS traffic.

By following these steps and configuring your iptables rules accordingly, you can effectively block all HTTPS traffic except to a single IP address for your web application’s microservice.
