Sometimes it may be necessary to block access to some or all of the services offered by a server without shutting it down or disconnecting it from the network, while at the same time displaying a message to users who access websites hosted on it.

Prerequisites:

10.0.0.10, 10.0.0.11, 10.0.0.12 and 10.0.0.101 are all IP addresses allocated on the server. 10.0.0.101 is the IP address dedicated to a “disabled” website (one that displays the unavailable/offline message), while the others are the functional/shared/hosted IPs.

Iptables rules:

iptables -t nat -A PREROUTING -p tcp -d 10.0.0.10 --dport 80 -j DNAT --to 10.0.0.101:80
iptables -t nat -A PREROUTING -p tcp -d 10.0.0.11 --dport 80 -j DNAT --to 10.0.0.101:80
iptables -t nat -A PREROUTING -p tcp -d 10.0.0.12 --dport 80 -j DNAT --to 10.0.0.101:80
iptables -I INPUT -p tcp --dport 143 -j REJECT   # also lock down imap
iptables -I INPUT -p tcp --dport 110 -j REJECT   # pop3
iptables -I INPUT -p tcp --dport 25 -j REJECT    # and smtp
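
The same rules wrapped into an apply/undo/status script, as an added example that is not part of the original post; it assumes `iptables` is on PATH and that the IPTABLES variable can be set to `echo` for a dry run. The status mode uses `iptables -C`, which exits non-zero when a rule is absent, so it doubles as a check that the lockdown is really in place.

```shell
#!/bin/sh
# Added example, not from the original post: the same rules wrapped so the
# lockdown can be applied, checked (-C) and undone (-D) as a unit.
# Assumption: IPTABLES names the binary; set IPTABLES=echo to dry-run.

HOSTED_IPS="10.0.0.10 10.0.0.11 10.0.0.12"   # functional/hosted IPs
OFFLINE_IP="10.0.0.101"                      # "disabled" site
MAIL_PORTS="143 110 25"                      # imap, pop3, smtp
IPTABLES="${IPTABLES:-iptables}"

# Print one rule per line: "<table> <chain> <match ...> -j <target>".
lockdown_rules() {
  for ip in $HOSTED_IPS; do
    echo "nat PREROUTING -p tcp -d $ip --dport 80 -j DNAT --to $OFFLINE_IP:80"
  done
  for port in $MAIL_PORTS; do
    echo "filter INPUT -p tcp --dport $port -j REJECT"
  done
}

# lockdown apply|undo|status: run every rule with the matching iptables action.
# The REJECT rules are inserted (-I) so they sit ahead of any existing ACCEPT;
# the DNAT rules are appended (-A) as in the post.
lockdown() {
  case "$1" in
    apply)  nat_act=-A; flt_act=-I ;;
    undo)   nat_act=-D; flt_act=-D ;;
    status) nat_act=-C; flt_act=-C ;;   # returns 1 if any rule is missing
    *) echo "usage: lockdown apply|undo|status" >&2; return 2 ;;
  esac
  failed=0
  while read -r table chain rest; do
    if [ "$table" = nat ]; then act=$nat_act; else act=$flt_act; fi
    # $rest stays unquoted on purpose so iptables receives separate arguments
    $IPTABLES -t "$table" "$act" "$chain" $rest || failed=1
  done <<EOF
$(lockdown_rules)
EOF
  return $failed
}

# Run as a script: ./lockdown.sh apply|undo|status
if [ $# -gt 0 ]; then lockdown "$1"; fi
```

Only port 80 is redirected to the offline site; connections to any other port on the hosted IPs are left as they were.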
