ip6tables rules to allow port 80 and port 443 traffic to only a few specific IP addressesiptables allow dyndns domain name and auto update rulesHow does ufw handle conflicting rules?Do I also need to set up another iptables rules for ipv6 if I just used iptables?Maybe abuse of my serverAdding firewall rule makes multiple entriesHow to allow traffic from a specific IP for a specific port in UFW?Open a port in ubuntu 17.10 for dosbox

Subverting the emotional woman and stoic man trope

Is this a Sherman, and if so what model?

Everyone and NTFS permissions

word frequency from file using partial match

How can an attacker use robots.txt?

Is it a good idea to leave minor world details to the reader's imagination?

My Project Manager does not accept carry-over in Scrum, Is that normal?

To what extent is it worthwhile to report check fraud / refund scams?

What do you do if you have developments on your paper during the long peer review process?

Why is there not a feasible solution for a MIP?

Going to France with limited French for a day

Should the average user with no special access rights be worried about SMS-based 2FA being theoretically interceptable?

Organisational search option

What is the meaning of word 'crack' in chapter 33 of A Game of Thrones?

Worms crawling under skin

Drawing line in notebook with Mathematica command

Does Sitecore have support for Sitecore products in containers?

Palatino font (newpxmath) misaligns text in fraction numerators

Does wetting a beer glass change the foam characteristics?

Detect duplicates without exposing underlying data

How to deal with my team leader who keeps calling me about project updates even though I am on leave for personal reasons?

Hilbert's hotel: why can't I repeat it infinitely many times?

Social leper versus social leopard

Does "as soon as" imply simultaneity?



ip6tables rules to allow port 80 and port 443 traffic to only a few specific IP addresses


iptables allow dyndns domain name and auto update rulesHow does ufw handle conflicting rules?Do I also need to set up another iptables rules for ipv6 if I just used iptables?Maybe abuse of my serverAdding firewall rule makes multiple entriesHow to allow traffic from a specific IP for a specific port in UFW?Open a port in ubuntu 17.10 for dosbox






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








0















Im using ubuntu 18.04 and successfully setup nginx and uwsgi to host multiple websites.



I have an AAAA record mapped to an IPV6 address through my DNS provider, and I have my nginx config file listening on ports 80 and 443 for that IPV6 address.



This setup is working just fine.



However, I would like to restrict IPV6 traffic to ports 80 and 443 to ONLY a few specific IP addresses.



When I list the current ip6table rules using ip6tables -S, there is a line towards the bottom like this.



-A ufw6-user-input -p tcp -m multiport --dports 80,443 -m comment --comment "'dapp_Nginx%20Full'" -j ACCEPT


I am new to iptables in general but from all the reading and tutorials I have done it sounds like:



  1. You need to make sure rules are in the correct order.

  2. You want to save the rules to a file before making changes in case you screw something up.

  3. After you have your rules the way you want them you want to use something like the persistent flag so the rules persist in event of reboot.

My question is what rules would i need to have to achieve the stated goal above, and in what order, and will this only apply to ipv6 traffic on the 80/443 ports?



foo@example:~# sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
22/tcp (OpenSSH) ALLOW IN Anywhere
80,443/tcp (Nginx Full) ALLOW IN Anywhere
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN Anywhere (v6)





iptables nginx ufw







share|improve this question





















  • 1





    ufw6-user-input is a UFW rule table. Are you using ufw on this system? If so the 'allow' rules get entered via UFW, not via direct iptables manipulation.

    – Thomas Ward
    Apr 15 at 22:55












  • @ThomasWard Hi Thomas, yes ufw is enabled, and I am sure this rule was autogenerated made obvious by the comment in the rule. However, my understanding is that ufw is just a wrapper around iptables. So I should be able to override anything ufw inserted and/or extend ufw limitations by directly inserting rules using ip6tables commands? I am still am looking for a way to achieve the above regardless of the method I have to use. Thanks for responding!

    – guht
    Apr 15 at 23:01











  • If you are using ufw set everything through UFW because any manual changes you make are going to be overridden eventually by ufw if it resets or refreshes the ruleset.

    – Thomas Ward
    Apr 15 at 23:02











  • I'm confused though, what's the ruleset already in use on here? Default deny outbound or allow outbound?

    – Thomas Ward
    Apr 15 at 23:13











  • @ThomasWard I updated my post to show ufw status. I am confused too, because the ufw rules listed when I use ufw command show very little, but if I type iptables -S it shows a ton of entries. I realize its the "Uncomplicated Firewall", but obviously its doing a lot of stuff behind the scenes in terms of what its actually putting in the iptable rules.

    – guht
    Apr 15 at 23:20

















0















Im using ubuntu 18.04 and successfully setup nginx and uwsgi to host multiple websites.



I have an AAAA record mapped to an IPV6 address through my DNS provider, and I have my nginx config file listening on ports 80 and 443 for that IPV6 address.



This setup is working just fine.



However, I would like to restrict IPV6 traffic to ports 80 and 443 to ONLY a few specific IP addresses.



When I list the current ip6table rules using ip6tables -S, there is a line towards the bottom like this.



-A ufw6-user-input -p tcp -m multiport --dports 80,443 -m comment --comment "'dapp_Nginx%20Full'" -j ACCEPT


I am new to iptables in general but from all the reading and tutorials I have done it sounds like:



  1. You need to make sure rules are in the correct order.

  2. You want to save the rules to a file before making changes in case you screw something up.

  3. After you have your rules the way you want them you want to use something like the persistent flag so the rules persist in event of reboot.

My question is what rules would i need to have to achieve the stated goal above, and in what order, and will this only apply to ipv6 traffic on the 80/443 ports?



foo@example:~# sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
22/tcp (OpenSSH) ALLOW IN Anywhere
80,443/tcp (Nginx Full) ALLOW IN Anywhere
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN Anywhere (v6)





iptables nginx ufw







share|improve this question





















  • 1





    ufw6-user-input is a UFW rule table. Are you using ufw on this system? If so the 'allow' rules get entered via UFW, not via direct iptables manipulation.

    – Thomas Ward
    Apr 15 at 22:55












  • @ThomasWard Hi Thomas, yes ufw is enabled, and I am sure this rule was autogenerated made obvious by the comment in the rule. However, my understanding is that ufw is just a wrapper around iptables. So I should be able to override anything ufw inserted and/or extend ufw limitations by directly inserting rules using ip6tables commands? I am still am looking for a way to achieve the above regardless of the method I have to use. Thanks for responding!

    – guht
    Apr 15 at 23:01











  • If you are using ufw set everything through UFW because any manual changes you make are going to be overridden eventually by ufw if it resets or refreshes the ruleset.

    – Thomas Ward
    Apr 15 at 23:02











  • I'm confused though, what's the ruleset already in use on here? Default deny outbound or allow outbound?

    – Thomas Ward
    Apr 15 at 23:13











  • @ThomasWard I updated my post to show ufw status. I am confused too, because the ufw rules listed when I use ufw command show very little, but if I type iptables -S it shows a ton of entries. I realize its the "Uncomplicated Firewall", but obviously its doing a lot of stuff behind the scenes in terms of what its actually putting in the iptable rules.

    – guht
    Apr 15 at 23:20













0












0








0








Im using ubuntu 18.04 and successfully setup nginx and uwsgi to host multiple websites.



I have an AAAA record mapped to an IPV6 address through my DNS provider, and I have my nginx config file listening on ports 80 and 443 for that IPV6 address.



This setup is working just fine.



However, I would like to restrict IPV6 traffic to ports 80 and 443 to ONLY a few specific IP addresses.



When I list the current ip6table rules using ip6tables -S, there is a line towards the bottom like this.



-A ufw6-user-input -p tcp -m multiport --dports 80,443 -m comment --comment "'dapp_Nginx%20Full'" -j ACCEPT


I am new to iptables in general but from all the reading and tutorials I have done it sounds like:



  1. You need to make sure rules are in the correct order.

  2. You want to save the rules to a file before making changes in case you screw something up.

  3. After you have your rules the way you want them you want to use something like the persistent flag so the rules persist in event of reboot.

My question is what rules would i need to have to achieve the stated goal above, and in what order, and will this only apply to ipv6 traffic on the 80/443 ports?



foo@example:~# sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
22/tcp (OpenSSH) ALLOW IN Anywhere
80,443/tcp (Nginx Full) ALLOW IN Anywhere
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN Anywhere (v6)





iptables nginx ufw







share|improve this question
















Im using ubuntu 18.04 and successfully setup nginx and uwsgi to host multiple websites.



I have an AAAA record mapped to an IPV6 address through my DNS provider, and I have my nginx config file listening on ports 80 and 443 for that IPV6 address.



This setup is working just fine.



However, I would like to restrict IPV6 traffic to ports 80 and 443 to ONLY a few specific IP addresses.



When I list the current ip6table rules using ip6tables -S, there is a line towards the bottom like this.



-A ufw6-user-input -p tcp -m multiport --dports 80,443 -m comment --comment "'dapp_Nginx%20Full'" -j ACCEPT


I am new to iptables in general but from all the reading and tutorials I have done it sounds like:



  1. You need to make sure rules are in the correct order.

  2. You want to save the rules to a file before making changes in case you screw something up.

  3. After you have your rules the way you want them you want to use something like the persistent flag so the rules persist in event of reboot.

My question is what rules would i need to have to achieve the stated goal above, and in what order, and will this only apply to ipv6 traffic on the 80/443 ports?



foo@example:~# sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
22/tcp (OpenSSH) ALLOW IN Anywhere
80,443/tcp (Nginx Full) ALLOW IN Anywhere
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN Anywhere (v6)





iptables nginx ufw




iptables nginx ufw






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Apr 15 at 23:18







guht

















asked Apr 15 at 22:45









guhtguht

32 bronze badges




32 bronze badges










  • 1





    ufw6-user-input is a UFW rule table. Are you using ufw on this system? If so the 'allow' rules get entered via UFW, not via direct iptables manipulation.

    – Thomas Ward
    Apr 15 at 22:55












  • @ThomasWard Hi Thomas, yes ufw is enabled, and I am sure this rule was autogenerated made obvious by the comment in the rule. However, my understanding is that ufw is just a wrapper around iptables. So I should be able to override anything ufw inserted and/or extend ufw limitations by directly inserting rules using ip6tables commands? I am still am looking for a way to achieve the above regardless of the method I have to use. Thanks for responding!

    – guht
    Apr 15 at 23:01











  • If you are using ufw set everything through UFW because any manual changes you make are going to be overridden eventually by ufw if it resets or refreshes the ruleset.

    – Thomas Ward
    Apr 15 at 23:02











  • I'm confused though, what's the ruleset already in use on here? Default deny outbound or allow outbound?

    – Thomas Ward
    Apr 15 at 23:13











  • @ThomasWard I updated my post to show ufw status. I am confused too, because the ufw rules listed when I use ufw command show very little, but if I type iptables -S it shows a ton of entries. I realize its the "Uncomplicated Firewall", but obviously its doing a lot of stuff behind the scenes in terms of what its actually putting in the iptable rules.

    – guht
    Apr 15 at 23:20












  • 1





    ufw6-user-input is a UFW rule table. Are you using ufw on this system? If so the 'allow' rules get entered via UFW, not via direct iptables manipulation.

    – Thomas Ward
    Apr 15 at 22:55












  • @ThomasWard Hi Thomas, yes ufw is enabled, and I am sure this rule was autogenerated made obvious by the comment in the rule. However, my understanding is that ufw is just a wrapper around iptables. So I should be able to override anything ufw inserted and/or extend ufw limitations by directly inserting rules using ip6tables commands? I am still am looking for a way to achieve the above regardless of the method I have to use. Thanks for responding!

    – guht
    Apr 15 at 23:01











  • If you are using ufw set everything through UFW because any manual changes you make are going to be overridden eventually by ufw if it resets or refreshes the ruleset.

    – Thomas Ward
    Apr 15 at 23:02











  • I'm confused though, what's the ruleset already in use on here? Default deny outbound or allow outbound?

    – Thomas Ward
    Apr 15 at 23:13











  • @ThomasWard I updated my post to show ufw status. I am confused too, because the ufw rules listed when I use ufw command show very little, but if I type iptables -S it shows a ton of entries. I realize its the "Uncomplicated Firewall", but obviously its doing a lot of stuff behind the scenes in terms of what its actually putting in the iptable rules.

    – guht
    Apr 15 at 23:20







1




1





ufw6-user-input is a UFW rule table. Are you using ufw on this system? If so the 'allow' rules get entered via UFW, not via direct iptables manipulation.

– Thomas Ward
Apr 15 at 22:55






ufw6-user-input is a UFW rule table. Are you using ufw on this system? If so the 'allow' rules get entered via UFW, not via direct iptables manipulation.

– Thomas Ward
Apr 15 at 22:55














@ThomasWard Hi Thomas, yes ufw is enabled, and I am sure this rule was autogenerated made obvious by the comment in the rule. However, my understanding is that ufw is just a wrapper around iptables. So I should be able to override anything ufw inserted and/or extend ufw limitations by directly inserting rules using ip6tables commands? I am still am looking for a way to achieve the above regardless of the method I have to use. Thanks for responding!

– guht
Apr 15 at 23:01





@ThomasWard Hi Thomas, yes ufw is enabled, and I am sure this rule was autogenerated made obvious by the comment in the rule. However, my understanding is that ufw is just a wrapper around iptables. So I should be able to override anything ufw inserted and/or extend ufw limitations by directly inserting rules using ip6tables commands? I am still am looking for a way to achieve the above regardless of the method I have to use. Thanks for responding!

– guht
Apr 15 at 23:01













If you are using ufw set everything through UFW because any manual changes you make are going to be overridden eventually by ufw if it resets or refreshes the ruleset.

– Thomas Ward
Apr 15 at 23:02





If you are using ufw set everything through UFW because any manual changes you make are going to be overridden eventually by ufw if it resets or refreshes the ruleset.

– Thomas Ward
Apr 15 at 23:02













I'm confused though, what's the ruleset already in use on here? Default deny outbound or allow outbound?

– Thomas Ward
Apr 15 at 23:13





I'm confused though, what's the ruleset already in use on here? Default deny outbound or allow outbound?

– Thomas Ward
Apr 15 at 23:13













@ThomasWard I updated my post to show ufw status. I am confused too, because the ufw rules listed when I use ufw command show very little, but if I type iptables -S it shows a ton of entries. I realize its the "Uncomplicated Firewall", but obviously its doing a lot of stuff behind the scenes in terms of what its actually putting in the iptable rules.

– guht
Apr 15 at 23:20





@ThomasWard I updated my post to show ufw status. I am confused too, because the ufw rules listed when I use ufw command show very little, but if I type iptables -S it shows a ton of entries. I realize its the "Uncomplicated Firewall", but obviously its doing a lot of stuff behind the scenes in terms of what its actually putting in the iptable rules.

– guht
Apr 15 at 23:20










1 Answer
1






active

oldest

votes


















0
















You are already using ufw. So set the rules with ufw.



For IPv4 Allow In to 80,443, try:



ufw allow proto tcp from 0.0.0.0/0 to port 80,443


For IPv6 we need to use a few more rules:



ufw allow proto tcp from IPV6ADDRESS/128 to port 80,443
# Do the above more than once for more than one IPv6 address
ufw deny proto tcp from ::0/0 to port 80,443


Based on the manpage for ufw, this would achieve what you want - allow IPv4 to TCP ports 80 and 443, allow IPV6ADDRESS to TCP ports 80 and 443, and disallow all other IPv6 addresses from reaching TCP ports 80 and 443.



Note that you can't access IPv6 addresses without IPv6 connectivity, so if you don't have IPv6 access on the boxes in question (that're IPv4) you can't really access the v6 address easily.



Note that we ultimately decomplexified this XY Problem via Chat and narrowed down their goals for access control to a specific website/subdomain, and as they were using NGINX as the backend, I provided them the details on how to implement access controls per-site.






share|improve this answer



























  • I should have specified that the addresses I want to allow to visit MY IPV6 address are IPv4 addresses. For eg, I want to allow a PUT response from one of googles APIs, and I know that the response is going to come from a particular set IPv4 addresses. Is that possible? I am sure my lack of fully understanding the concepts at play here are aiding my confusion, but I feel like what I am asking should be possible. When I externally ping my foo.example.com it returns my IPv6 address. Additionally is there anything I can do to preserve my existing rules so I do dont hose something messing around?

    – guht
    Apr 16 at 0:00











  • Google's APIs come from a huge range of IPs, ther'es no way to really account for them all unless they provide documentation of what IPs

    – Thomas Ward
    Apr 16 at 0:09











  • @guht Also, v4 can't visit v6. It's not possible. You need v6 to visit v6 addresses :P

    – Thomas Ward
    Apr 16 at 0:09












  • That was just an example the particular API I am working with has a set list of IPv4 addresses it provides.

    – guht
    Apr 16 at 0:10











  • @guht v4 -> v6 doesn't work usually, it's not in the same 'IP Family' so you can't really get to v6 addresses from solely v4 connected systems. And not every ISP is capable of routing v4 to v6 when there's no other IP(s) available. From the prespective of your firewall that is also not possible to permit/reject

    – Thomas Ward
    Apr 16 at 0:11














Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "89"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);














draft saved

draft discarded
















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1134207%2fip6tables-rules-to-allow-port-80-and-port-443-traffic-to-only-a-few-specific-ip%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0
















You are already using ufw. So set the rules with ufw.



For IPv4 Allow In to 80,443, try:



ufw allow proto tcp from 0.0.0.0/0 to port 80,443


For IPv6 we need to use a few more rules:



ufw allow proto tcp from IPV6ADDRESS/128 to port 80,443
# Do the above more than once for more than one IPv6 address
ufw deny proto tcp from ::0/0 to port 80,443


Based on the manpage for ufw, this would achieve what you want - allow IPv4 to TCP ports 80 and 443, allow IPV6ADDRESS to TCP ports 80 and 443, and disallow all other IPv6 addresses from reaching TCP ports 80 and 443.



Note that you can't access IPv6 addresses without IPv6 connectivity, so if you don't have IPv6 access on the boxes in question (that're IPv4) you can't really access the v6 address easily.



Note that we ultimately decomplexified this XY Problem via Chat and narrowed down their goals for access control to a specific website/subdomain, and as they were using NGINX as the backend, I provided them the details on how to implement access controls per-site.






share|improve this answer



























  • I should have specified that the addresses I want to allow to visit MY IPV6 address are IPv4 addresses. For eg, I want to allow a PUT response from one of googles APIs, and I know that the response is going to come from a particular set IPv4 addresses. Is that possible? I am sure my lack of fully understanding the concepts at play here are aiding my confusion, but I feel like what I am asking should be possible. When I externally ping my foo.example.com it returns my IPv6 address. Additionally is there anything I can do to preserve my existing rules so I do dont hose something messing around?

    – guht
    Apr 16 at 0:00











  • Google's APIs come from a huge range of IPs, ther'es no way to really account for them all unless they provide documentation of what IPs

    – Thomas Ward
    Apr 16 at 0:09











  • @guht Also, v4 can't visit v6. It's not possible. You need v6 to visit v6 addresses :P

    – Thomas Ward
    Apr 16 at 0:09












  • That was just an example the particular API I am working with has a set list of IPv4 addresses it provides.

    – guht
    Apr 16 at 0:10











  • @guht v4 -> v6 doesn't work usually, it's not in the same 'IP Family' so you can't really get to v6 addresses from solely v4 connected systems. And not every ISP is capable of routing v4 to v6 when there's no other IP(s) available. From the prespective of your firewall that is also not possible to permit/reject

    – Thomas Ward
    Apr 16 at 0:11
















0
















You are already using ufw. So set the rules with ufw.



For IPv4 Allow In to 80,443, try:



ufw allow proto tcp from 0.0.0.0/0 to port 80,443


For IPv6 we need to use a few more rules:



ufw allow proto tcp from IPV6ADDRESS/128 to port 80,443
# Do the above more than once for more than one IPv6 address
ufw deny proto tcp from ::0/0 to port 80,443


Based on the manpage for ufw, this would achieve what you want - allow IPv4 to TCP ports 80 and 443, allow IPV6ADDRESS to TCP ports 80 and 443, and disallow all other IPv6 addresses from reaching TCP ports 80 and 443.



Note that you can't access IPv6 addresses without IPv6 connectivity, so if you don't have IPv6 access on the boxes in question (that're IPv4) you can't really access the v6 address easily.



Note that we ultimately decomplexified this XY Problem via Chat and narrowed down their goals for access control to a specific website/subdomain, and as they were using NGINX as the backend, I provided them the details on how to implement access controls per-site.






share|improve this answer



























  • I should have specified that the addresses I want to allow to visit MY IPV6 address are IPv4 addresses. For eg, I want to allow a PUT response from one of googles APIs, and I know that the response is going to come from a particular set IPv4 addresses. Is that possible? I am sure my lack of fully understanding the concepts at play here are aiding my confusion, but I feel like what I am asking should be possible. When I externally ping my foo.example.com it returns my IPv6 address. Additionally is there anything I can do to preserve my existing rules so I do dont hose something messing around?

    – guht
    Apr 16 at 0:00











  • Google's APIs come from a huge range of IPs, ther'es no way to really account for them all unless they provide documentation of what IPs

    – Thomas Ward
    Apr 16 at 0:09











  • @guht Also, v4 can't visit v6. It's not possible. You need v6 to visit v6 addresses :P

    – Thomas Ward
    Apr 16 at 0:09












  • That was just an example the particular API I am working with has a set list of IPv4 addresses it provides.

    – guht
    Apr 16 at 0:10











  • @guht v4 -> v6 doesn't work usually, it's not in the same 'IP Family' so you can't really get to v6 addresses from solely v4 connected systems. And not every ISP is capable of routing v4 to v6 when there's no other IP(s) available. From the prespective of your firewall that is also not possible to permit/reject

    – Thomas Ward
    Apr 16 at 0:11














0














0










0









You are already using ufw. So set the rules with ufw.



For IPv4 Allow In to 80,443, try:



ufw allow proto tcp from 0.0.0.0/0 to port 80,443


For IPv6 we need to use a few more rules:



ufw allow proto tcp from IPV6ADDRESS/128 to port 80,443
# Do the above more than once for more than one IPv6 address
ufw deny proto tcp from ::0/0 to port 80,443


Based on the manpage for ufw, this would achieve what you want - allow IPv4 to TCP ports 80 and 443, allow IPV6ADDRESS to TCP ports 80 and 443, and disallow all other IPv6 addresses from reaching TCP ports 80 and 443.



Note that you can't access IPv6 addresses without IPv6 connectivity, so if you don't have IPv6 access on the boxes in question (that're IPv4) you can't really access the v6 address easily.



Note that we ultimately decomplexified this XY Problem via Chat and narrowed down their goals for access control to a specific website/subdomain, and as they were using NGINX as the backend, I provided them the details on how to implement access controls per-site.






share|improve this answer















You are already using ufw. So set the rules with ufw.



For IPv4 Allow In to 80,443, try:



ufw allow proto tcp from 0.0.0.0/0 to port 80,443


For IPv6 we need to use a few more rules:



ufw allow proto tcp from IPV6ADDRESS/128 to port 80,443
# Do the above more than once for more than one IPv6 address
ufw deny proto tcp from ::0/0 to port 80,443


Based on the manpage for ufw, this would achieve what you want - allow IPv4 to TCP ports 80 and 443, allow IPV6ADDRESS to TCP ports 80 and 443, and disallow all other IPv6 addresses from reaching TCP ports 80 and 443.



Note that you can't access IPv6 addresses without IPv6 connectivity, so if you don't have IPv6 access on the boxes in question (that're IPv4) you can't really access the v6 address easily.



Note that we ultimately decomplexified this XY Problem via Chat and narrowed down their goals for access control to a specific website/subdomain, and as they were using NGINX as the backend, I provided them the details on how to implement access controls per-site.







share|improve this answer














share|improve this answer



share|improve this answer








edited Apr 16 at 1:32

























answered Apr 15 at 23:42









Thomas WardThomas Ward

48k23 gold badges128 silver badges186 bronze badges




48k23 gold badges128 silver badges186 bronze badges















  • I should have specified that the addresses I want to allow to visit MY IPV6 address are IPv4 addresses. For eg, I want to allow a PUT response from one of googles APIs, and I know that the response is going to come from a particular set IPv4 addresses. Is that possible? I am sure my lack of fully understanding the concepts at play here are aiding my confusion, but I feel like what I am asking should be possible. When I externally ping my foo.example.com it returns my IPv6 address. Additionally is there anything I can do to preserve my existing rules so I do dont hose something messing around?

    – guht
    Apr 16 at 0:00











  • Google's APIs come from a huge range of IPs, ther'es no way to really account for them all unless they provide documentation of what IPs

    – Thomas Ward
    Apr 16 at 0:09











  • @guht Also, v4 can't visit v6. It's not possible. You need v6 to visit v6 addresses :P

    – Thomas Ward
    Apr 16 at 0:09












  • That was just an example the particular API I am working with has a set list of IPv4 addresses it provides.

    – guht
    Apr 16 at 0:10











  • @guht v4 -> v6 doesn't work usually, it's not in the same 'IP Family' so you can't really get to v6 addresses from solely v4 connected systems. And not every ISP is capable of routing v4 to v6 when there's no other IP(s) available. From the prespective of your firewall that is also not possible to permit/reject

    – Thomas Ward
    Apr 16 at 0:11


















  • I should have specified that the addresses I want to allow to visit MY IPV6 address are IPv4 addresses. For eg, I want to allow a PUT response from one of googles APIs, and I know that the response is going to come from a particular set IPv4 addresses. Is that possible? I am sure my lack of fully understanding the concepts at play here are aiding my confusion, but I feel like what I am asking should be possible. When I externally ping my foo.example.com it returns my IPv6 address. Additionally is there anything I can do to preserve my existing rules so I do dont hose something messing around?

    – guht
    Apr 16 at 0:00











  • Google's APIs come from a huge range of IPs, ther'es no way to really account for them all unless they provide documentation of what IPs

    – Thomas Ward
    Apr 16 at 0:09











  • @guht Also, v4 can't visit v6. It's not possible. You need v6 to visit v6 addresses :P

    – Thomas Ward
    Apr 16 at 0:09












  • That was just an example the particular API I am working with has a set list of IPv4 addresses it provides.

    – guht
    Apr 16 at 0:10











  • @guht v4 -> v6 doesn't work usually, it's not in the same 'IP Family' so you can't really get to v6 addresses from solely v4 connected systems. And not every ISP is capable of routing v4 to v6 when there's no other IP(s) available. From the prespective of your firewall that is also not possible to permit/reject

    – Thomas Ward
    Apr 16 at 0:11

















I should have specified that the addresses I want to allow to visit MY IPV6 address are IPv4 addresses. For eg, I want to allow a PUT response from one of googles APIs, and I know that the response is going to come from a particular set IPv4 addresses. Is that possible? I am sure my lack of fully understanding the concepts at play here are aiding my confusion, but I feel like what I am asking should be possible. When I externally ping my foo.example.com it returns my IPv6 address. Additionally is there anything I can do to preserve my existing rules so I do dont hose something messing around?

– guht
Apr 16 at 0:00





I should have specified that the addresses I want to allow to visit MY IPV6 address are IPv4 addresses. For eg, I want to allow a PUT response from one of googles APIs, and I know that the response is going to come from a particular set IPv4 addresses. Is that possible? I am sure my lack of fully understanding the concepts at play here are aiding my confusion, but I feel like what I am asking should be possible. When I externally ping my foo.example.com it returns my IPv6 address. Additionally is there anything I can do to preserve my existing rules so I do dont hose something messing around?

– guht
Apr 16 at 0:00













Google's APIs come from a huge range of IPs, ther'es no way to really account for them all unless they provide documentation of what IPs

– Thomas Ward
Apr 16 at 0:09





Google's APIs come from a huge range of IPs, ther'es no way to really account for them all unless they provide documentation of what IPs

– Thomas Ward
Apr 16 at 0:09













@guht Also, v4 can't visit v6. It's not possible. You need v6 to visit v6 addresses :P

– Thomas Ward
Apr 16 at 0:09






@guht Also, v4 can't visit v6. It's not possible. You need v6 to visit v6 addresses :P

– Thomas Ward
Apr 16 at 0:09














That was just an example the particular API I am working with has a set list of IPv4 addresses it provides.

– guht
Apr 16 at 0:10





That was just an example the particular API I am working with has a set list of IPv4 addresses it provides.

– guht
Apr 16 at 0:10













@guht v4 -> v6 doesn't work usually, it's not in the same 'IP Family' so you can't really get to v6 addresses from solely v4 connected systems. And not every ISP is capable of routing v4 to v6 when there's no other IP(s) available. From the prespective of your firewall that is also not possible to permit/reject

– Thomas Ward
Apr 16 at 0:11






@guht v4 -> v6 doesn't work usually, it's not in the same 'IP Family' so you can't really get to v6 addresses from solely v4 connected systems. And not every ISP is capable of routing v4 to v6 when there's no other IP(s) available. From the prespective of your firewall that is also not possible to permit/reject

– Thomas Ward
Apr 16 at 0:11



















draft saved

draft discarded















































Thanks for contributing an answer to Ask Ubuntu!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1134207%2fip6tables-rules-to-allow-port-80-and-port-443-traffic-to-only-a-few-specific-ip%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Tamil (spriik) Luke uk diar | Nawigatjuun

Image
Fering ArtiikelDrawiidisk Spriiken SölringÖömrangFeringHalunderHalifreeskMooringWiringhiirderKarhiirderGooshiirderDrawiidisk SpriikTamil NaduIndienSri Lanka (function()var node=document.getElementById("mw-dismissablenotice-anonplace");if(node)node.outerHTML="u003Cdiv class="mw-dismissable-notice"u003Eu003Cdiv class="mw-dismissable-notice-close"u003E[u003Ca tabindex="0" role="button"u003EFersteegu003C/au003E]u003C/divu003Eu003Cdiv class="mw-dismissable-notice-body"u003Eu003Cdiv id="localNotice" lang="frr" dir="ltr"u003Eu003Cdiv id="sitenotice"u003Enu003Ccenteru003Enu003Ctable class="rahmenfarbe4" style="border-style: solid; border-width: thin; width: 70%;"u003Ennu003Ctbodyu003Eu003Ctru003Enu003Ctd style="text-align:center;"u003Eu003Ca href="/wiki/Datei:Nordfriesischeflagge.svg" class="image"u003Eu003Cimg alt="Nordfriesische
Read more

Align equal signs while including text over equalitiesAMS align: left aligned text/math plus multicolumn alignmentMultiple alignmentsAligning equations in multiple placesNumbering and aligning an equation with multiple columnsHow to align one equation with another multline equationUsing \ in environments inside the begintabularxNumber equations and preserving alignment of equal signsHow can I align equations to the left and to the right?Double equation alignment problem within align enviromentAligned within align: Why are they right-aligned?

Image
Why didn't the Universal Translator speak whale? What is /dev/null and why can't I use hx on it? The work of mathematicians outside their professional environment Does the DOJ's declining to investigate the Trump-Zelensky call ruin the basis for impeachment? Are there any tricks to pushing a grand piano? Maintaining distance Does it require less energy to reach the Sun from Pluto's orbit than from Earth's orbit? Object Oriented Design: Where to place behavior that pertains to more than one type of object? Choice of solvent during thin layer chromatography How to catch creatures that can predict the next few minutes? Use floats or doubles when writing mobile games How come the Russian cognate for the Czech word "čerstvý" (fresh) means entirely the opposite thing (stale)? What are the limits on an impeached and not convicted president? How to calculate Limit of this sequence Bash-script as linux-service won't run, but executed
Read more

Where does the image of a data connector as a sharp metal spike originate from?Where does the concept of infected people turning into zombies only after death originate from?Where does the motif of a reanimated human head originate?Where did the notion that Dragons could speak originate?Where does the archetypal image of the 'Grey' alien come from?Where did the suffix '-Man' originate?Where does the notion of being injured or killed by an illusion originate?Where did the term “sophont” originate?Where does the trope of magic spells being driven by advanced technology originate from?Where did the term “the living impaired” originate?

Image
Automatically extend a Python list to N elements if it's too short? Fired for a policy I didnt know about, as well as another false reason Why isn't tilde recognised as home folder in this case? When does an Artillerist's Cannon have disadvantage? How large should a hole be for a bolt to go through? When is TeX better than LaTeX? How to determine if drill is suitable for concrete? Huygens Lander: Why The Short Battery Life? Why do people use bigger cassettes for lower gearing when they could instead use smaller chainrings? Is there a difference between downloading / installing a list of packages and downloading each packge by its own? Question about exercise 21.10 in The TeXbook How to publish a page using tridion core service client in sdl web 8.5 Can one get into trouble if one doesn't show up at the gate 30 minutes before departure (or whatever time window the boarding pass is indicating)? Does an action-reaction pair always contain the same
Read more