Easiest/best way to only allow certain IP ranges for access

I'm looking for the easiest/best way to only allow certain IP ranges to access my Ubuntu 20.04 installation. I would mainly like this so I can block web traffic (Apache), but a full server block would be best.

I realize that a hardware option is best for this, but I can't afford that. I also realize that 'easiest' and 'best' don't always go together.

Also, does having more IP ranges slow down the server?

Any help would be appreciated.


You can filter all IP traffic except the ranges you want quite easily on most Linux installations. Remember that when doing this you might lose access to the server.

Here is a small base that might work.

# Allow some related traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow single source ip
iptables -A INPUT -s x.x.x.x/net -j ACCEPT
# Drop everything else
iptables -P INPUT DROP

Before running the last DROP line, which activates everything, you can use iptables -vnL, which shows you counters for when a rule matches; make sure that it does.

Doing IP filtering does use CPU cycles, but so does answering any packet. This is almost never a concern unless you are doing complex rules on high throughput. These are not complex rules.
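An added example, not code from the answer above: a POSIX sh script that turns a list of allowed ranges into the same kind of allow-list ruleset, but validates every CIDR first and refuses to print the DROP policy if the address you are connected from (taken from SSH_CLIENT) is not covered, which is the usual way people lock themselves out. The ranges in ALLOWED are constructed samples from RFC 5737 documentation space; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original answer: build an IPv4 allow-list
# ruleset from CIDR ranges, validating each range and checking that the admin's
# own SSH source address is covered before the DROP policy is printed.
ALLOWED="203.0.113.0/24 198.51.100.7/32"   # constructed sample ranges (RFC 5737)
# Accept "a.b.c.d" or "a.b.c.d/n" with octets 0-255 and prefix length 0-32.
valid_cidr() {
  case $1 in */*) vc_ip=${1%/*}; vc_bits=${1#*/} ;; *) vc_ip=$1; vc_bits=32 ;; esac
  case $vc_bits in ''|*[!0-9]*) return 1 ;; esac
  [ "$vc_bits" -le 32 ] || return 1
  vc_ifs=$IFS; IFS=.; set -- $vc_ip; IFS=$vc_ifs
  [ $# -eq 4 ] || return 1
  for vc_o; do
    case $vc_o in ''|*[!0-9]*) return 1 ;; esac
    [ "$vc_o" -le 255 ] || return 1
  done
}
# Dotted quad to integer, and a prefix-mask membership test built on it.
ip_to_int() {
  echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}
ip_in_cidr() {   # true when address $1 lies inside range $2
  ic_net=${2%/*}; ic_bits=${2#*/}; [ "$ic_bits" = "$2" ] && ic_bits=32
  ic_mask=$(( ic_bits == 0 ? 0 : (0xFFFFFFFF << (32 - ic_bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & ic_mask )) -eq $(( $(ip_to_int "$ic_net") & ic_mask )) ]
}
covered() {      # true when address $1 is inside at least one of the other arguments
  cv_ip=$1; shift
  for cv_c in "$@"; do ip_in_cidr "$cv_ip" "$cv_c" && return 0; done
  return 1
}
# Print the ruleset; review it, then pipe it to sh as root to apply. Loopback is
# accepted explicitly, since a bare DROP policy without it breaks local services.
gen_rules() {
  echo "iptables -F INPUT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for gr_c in "$@"; do echo "iptables -A INPUT -s $gr_c -j ACCEPT"; done
  echo "iptables -P INPUT DROP"
}
main() {
  for c in $ALLOWED; do valid_cidr "$c" || { echo "bad range: $c" >&2; return 1; }; done
  admin=${SSH_CLIENT%% *}   # SSH_CLIENT starts with the connecting client's address
  if [ -n "$admin" ] && ! covered "$admin" $ALLOWED; then
    echo "refusing: your own address $admin is not in the allow list" >&2; return 1
  fi
  gen_rules $ALLOWED
}
main
```

Run it over SSH and it prints nothing but an error if your own client address is missing from ALLOWED; otherwise it prints the commands for you to inspect (and compare against iptables -vnL counters, as the answer suggests) before applying them.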