I'd like to limit (via iptables or otherwise) inbound traffic on 80/443 to traffic coming from my load balancer. I have the public IP (which doesn't change, of course), but the only private IP info I get is a range (I'm using Rackspace's "Cloud Load Balancer"), and I don't want any traffic coming in from anywhere but my own load balancer (otherwise, somebody who knows my server's IP can just create a cloud load balancer and point it to my server). If I use the public IP, won't the TCP handshake cause a lot of latency (vs being able to directly connect from within my data center)? I want to be able to take my servers entirely offline when I have problems or for updates, but without having to mess with low-level networking junk during these problems/updates.
Answer
How about filtering on something that does NOT change, like the MAC address?
http://tecadmin.net/mac-address-filtering-using-iptables
Allow Full Access to specific MAC
# iptables -I INPUT -m mac --mac-source 3E:D7:88:A6:66:8E -j ACCEPT
Allow port 80
# iptables -I INPUT -p tcp --dport 80 -m mac --mac-source 3E:D7:88:A6:66:8E -j ACCEPT
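As an added example (not the answerer's or Rackspace's own configuration), the script below generates the full INPUT ruleset this thread is circling around: 80/443 are accepted only from the load balancer's private range, optionally combined with the MAC match from the answer, and every other source is dropped for those two ports while other services (SSH, for instance) are untouched. The range `10.176.0.0/12`, the `LB_CIDR`/`LB_MAC` variables and the `build_rules`/`valid_cidr` helpers are assumptions for illustration; the MAC is the one used in the answer. The rules are printed rather than applied so they can be reviewed first and then piped to `sh` as root. One caveat worth keeping in mind when relying on the MAC match: `-m mac --mac-source` sees only the Ethernet frame's last-hop source address, so it identifies the load balancer only when it is on the same L2 segment as the server; across a router the MAC seen is the router's.

```shell
#!/bin/sh
# Generate iptables rules that admit HTTP/HTTPS only from the load balancer.
# Nothing is applied here; the commands are printed for review.
# Apply with:  sh lb-rules.sh | sudo sh

# Placeholder values (constructed for this example); replace with the private
# range Rackspace assigns and, if you use it, the balancer's MAC address.
LB_CIDR="${LB_CIDR:-10.176.0.0/12}"
LB_MAC="${LB_MAC:-3E:D7:88:A6:66:8E}"

# valid_cidr a.b.c.d/n  -> exit 0 if the argument is a well-formed IPv4 CIDR.
# A typo in the range would otherwise make iptables reject the rule at apply
# time, or worse, match nothing and leave the DROP rule blocking the balancer.
valid_cidr() {
  case "$1" in
    */*) ;;
    *)   return 1 ;;
  esac
  ip=${1%/*}
  pfx=${1#*/}
  case "$pfx" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$pfx" -le 32 ] || return 1
  oldifs=$IFS
  IFS=.
  set -- $ip
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# build_rules CIDR [MAC]  -> prints the iptables commands, in order.
# With a MAC, both the source network and the frame's source MAC must match;
# without one, only the source network is checked.
build_rules() {
  cidr=$1
  mac=$2
  valid_cidr "$cidr" || { echo "build_rules: bad CIDR '$cidr'" >&2; return 1; }

  # Local traffic and replies to connections the server opened itself.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

  # Allow 80 and 443 only from the balancer.
  for port in 80 443; do
    if [ -n "$mac" ]; then
      echo "iptables -A INPUT -p tcp --dport $port -s $cidr -m mac --mac-source $mac -j ACCEPT"
    else
      echo "iptables -A INPUT -p tcp --dport $port -s $cidr -j ACCEPT"
    fi
  done

  # Anyone else reaching the web ports directly (e.g. via their own balancer
  # pointed at this server) is dropped. Other ports are left alone.
  echo "iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP"
}

build_rules "$LB_CIDR" "$LB_MAC"
```

Note that `-A` appends, so these rules sit after anything already in INPUT; run them against a flushed chain (or switch to `-I` as the answer does) if an existing broad ACCEPT precedes them. Run `build_rules "$LB_CIDR"` with no MAC to get the address-only variant.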