Blocking all access to a server except for one IP

Post Reply
dwhs
Junior Member
Posts: 39
Joined: 30 Apr 2007, 10:17
Location: LA
Contact:

Blocking all access to a server except for one IP

Post by dwhs »

Hi,

I have a server we need to block everything on it from every IP expect for one.

So the server would not ping or allow any connections to it other than from that IP.

Is that possible?
keat63
Junior Member
Posts: 116
Joined: 17 Dec 2014, 14:50

Re: Blocking all access to a server except for one IP

Post by keat63 »

I replied on the WHM forum, but we can keep it on here.
What exactly are you trying to achieve.

If you block all traffic, then you'll have no email.
There would be no web services
DNS wouldn't work.

etc etc etc.

In effect, all you'd have would be a stand alone PC.
dwhs
Junior Member
Posts: 39
Joined: 30 Apr 2007, 10:17
Location: LA
Contact:

Re: Blocking all access to a server except for one IP

Post by dwhs »

Thanks, yes this is just so another server can retrieve backups off the server via SSH. It's o.k. if things are not working.

We cannot open the server to the public in anyway. We can only allow access to the server from one IP.

Everything else has to be blocked as if the server is still offline.
keat63
Junior Member
Posts: 116
Joined: 17 Dec 2014, 14:50

Re: Blocking all access to a server except for one IP

Post by keat63 »

This should work

The first thing to do would be to whitelist your IP address in the CSF allow list.
In fact, I'd even go as far as trying to set up another IP, just in case.
Maybe your home IP if it's static, even if it's dynamic, give yourself a means of getting back in today, if something goes wrong.

Contact your data centre and maybe obtain their support team IP range also.
The last thing you want to do is inadvertently lock yourself out, with no other means of getting back in.


Then in CSF Config "Allow incoming TCP ports", and " Allow outgoing TCP ports " I'd just remove all ports.
Copy (or screenshot) the port numbers, so you could roll back easily if needed.

The CSF allow list should bypass the missing port numbers, allowing only your IP address (or any others in the allow list).

If you want to test beforehand, maybe try closing a few ports at a time.
Post Reply