
Help needed: Deny blue clients access to the IPFire web interface

Posted: February 15th, 2019, 9:22 pm
by trafficprogram
Hi there,

I just installed IPFire (2.21 - Core Update 127) for the first time (RED-GREEN-BLUE configuration). Internet access works all as intended but now I want to block access to the web interface for the entire BLUE network.

My BLUE net is 192.168.0.1/24

I read the following wiki info: https://wiki.ipfire.org/configuration/f ... cesstoblue

I made the following changes in /etc/sysconfig/firewall.local:

## Start rule
iptables -A CUSTOMINPUT -s 192.168.0.1/24 -p tcp -d 192.168.0.254 --dport 444 -j DROP

## Stop rule
iptables -D CUSTOMINPUT -s 192.168.0.1/24 -p tcp -d 192.168.0.254 --dport 444 -j DROP

After "/etc/sysconfig/firewall.local reload" clients in the BLUE network can still access the web interface.

What am I missing?

Thanks a lot for your help!

Re: Help needed: Deny blue clients access to the IPFire web interface

Posted: February 18th, 2019, 3:20 pm
by cfusco
Are you using IPFire proxy?

Re: Help needed: Deny blue clients access to the IPFire web interface

Posted: February 18th, 2019, 8:59 pm
by trafficprogram
No, no proxy whatsoever right now. The green network has a pi-hole running but that shouldn't matter in this case, right?

Re: Help needed: Deny blue clients access to the IPFire web interface

Posted: February 18th, 2019, 9:05 pm
by trafficprogram
Posting the complete config file here just in case I made a mistake somewhere:

#!/bin/sh
# Used for private firewall rules

# See how we were called.
case "$1" in
    start)
        iptables -A CUSTOMINPUT -s 192.168.0.1/24 -p tcp -d 192.168.0.254 --dport 444 -j DROP
        ;;
    stop)
        iptables -D CUSTOMINPUT -s 192.168.0.1/24 -p tcp -d 192.168.0.254 --dport 444 -j DROP
        ;;
    reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
    *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac

Re: Help needed: Deny blue clients access to the IPFire web interface

Posted: February 18th, 2019, 9:13 pm
by BeBiMa
Your blue net isn't 192.168.0.1/24 but 192.168.0.0/24, I suppose.
How do the rules look in iptables?

Re: Help needed: Deny blue clients access to the IPFire web interface

Posted: February 18th, 2019, 9:59 pm
by trafficprogram
Not sure if this is what you were asking for. I copied it from the webgui -- Firewall - iptables - custominput

And I have no clue where the 192.168.49.254 is coming from...

Chain CUSTOMINPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.49.0/24 192.168.49.254 tcp dpt:444
0 0 DROP tcp -- * * 192.168.0.0/24 192.168.0.254 tcp dpt:444

Re: Help needed: Deny blue clients access to the IPFire web interface

Posted: February 19th, 2019, 12:38 pm
by cfusco
trafficprogram wrote:
February 15th, 2019, 9:22 pm
[...]
## Start rule
iptables -A CUSTOMINPUT -s 192.168.0.1/24 -p tcp -d 192.168.0.254 --dport 444 -j DROP

## Stop rule
iptables -D CUSTOMINPUT -s 192.168.0.1/24 -p tcp -d 192.168.0.254 --dport 444 -j DROP
The way I read the rule is the following, you are taking the TCP traffic from the machine 192.168.0.1 (*) and dropping any packet directed over the port 444 toward the ip address 192.168.0.254. Is that the address of the machine in the green network you are testing? Moreover, is the IPFire machine located at 192.168.0.254?

(*) by not ending the IP address with a 0, the CIDR notation "/24" is indicating the routing prefix of (in your case) 192.168.0.1, which is 192.168.0.0 and not the entire network, if you wanted that, you should have put 192.168.0.0/24 (at least this is how I understand the CIDR notation, please somebody correct me if I am wrong).

Re: Help needed: Deny blue clients access to the IPFire web interface

Posted: February 19th, 2019, 12:44 pm
by cfusco
trafficprogram wrote:
February 18th, 2019, 9:59 pm
And I have no clue where the 192.168.49.254 is coming from...
It is the example given here: https://wiki.ipfire.org/configuration/f ... esstoblue . Copy and paste misfiring?

Re: Help needed: Deny blue clients access to the IPFire web interface

Posted: February 20th, 2019, 12:41 am
by trafficprogram
Thank you very much for your help so far! I think I got it working with the following entries:

iptables -A CUSTOMINPUT -s 192.168.0.0/24 -p tcp -d 192.168.0.1 --dport 444 -j DROP
iptables -D CUSTOMINPUT -s 192.168.0.0/24 -p tcp -d 192.168.0.1 --dport 444 -j DROP

The blue clients can no longer access the web interface right now.


However, iptables still shows the following entries:

Chain CUSTOMINPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.49.0/24 192.168.49.254 tcp dpt:444
0 0 DROP tcp -- * * 192.168.0.0/24 192.168.0.254 tcp dpt:444
0 0 DROP tcp -- * * 192.168.0.0/24 192.168.0.1 tcp dpt:444

How can I delete the first two (I do not think they are needed, right)?


And (sorry, slightly off-topic): If I wanted to also deny SSH access from the blue network to IPFire, would the following entries do the trick:

iptables -A CUSTOMINPUT -s 192.168.0.0/24 -p tcp -d 192.168.0.1 --dport 22 -j DROP
iptables -D CUSTOMINPUT -s 192.168.0.0/24 -p tcp -d 192.168.0.1 --dport 22 -j DROP

Re: Help needed: Deny blue clients access to the IPFire web interface

Posted: February 20th, 2019, 3:35 pm
by cfusco
trafficprogram wrote:
February 20th, 2019, 12:41 am
[...]
However, iptables still shows the following entries:

Chain CUSTOMINPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.49.0/24 192.168.49.254 tcp dpt:444
0 0 DROP tcp -- * * 192.168.0.0/24 192.168.0.254 tcp dpt:444
0 0 DROP tcp -- * * 192.168.0.0/24 192.168.0.1 tcp dpt:444

How can I delete the first two (I do not think they are needed, right)?
From the console, you manually call iptables to delete the rule; you have already seen how to do it from the firewall.local script, something like:

iptables -D CUSTOMINPUT -s 192.168.49.0/24 -p tcp -d 192.168.49.254 --dport 444 -j DROP
I suggest that you do not copy and paste, check it first and also make the second one yourself. Maybe you want to read a basic tutorial for iptables, very useful stuff if you want to unleash the full power of IPFire.
trafficprogram wrote:
February 20th, 2019, 12:41 am
And (sorry, slightly offtopic): If I wanted to also deny ssh access from the blue network to IPfire, would the following entries do the trick:

iptables -A CUSTOMINPUT -s 192.168.0.0/24 -p tcp -d 192.168.0.1 --dport 22 -j DROP
iptables -D CUSTOMINPUT -s 192.168.0.0/24 -p tcp -d 192.168.0.1 --dport 22 -j DROP
IPFire's SSH port is 222 (port 22 is continuously scanned by a few trillion scripts from wannabe hackers all over the world). I think with the right port it will work; however, there is another way. In the IPFire web interface go to System / SSH access, select "Allow password based authentication" or, even better, "Allow public key based authentication" (much more secure, but you have to set it up). Then the server is down by default, and every time you click the button "stop ssh daemon in 15 minutes" a script will bring up the server; once you finish your SSH session, the server will be automatically stopped after 15 min.

Re: Help needed: Deny blue clients access to the IPFire web interface

Posted: February 20th, 2019, 9:15 pm
by trafficprogram
I was able to manually remove the two iptables rules according to your suggestion and also added the TCP 22 drop rule for SSH.

The default SSH port is set to 22 in my IPFire installation (port 222 can be selected as an alternative in the GUI). Password based authentication was also configured by default.

Again, this is only to block SSH access from the blue internal network to the firewall. SSH requests coming from outside (i.e. the red network) should be blocked by default as far as I know.

Thanks again very much for your help!

Re: Help needed: Deny blue clients access to the IPFire web interface

Posted: December 29th, 2019, 7:59 pm
by stan
trafficprogram wrote:
February 20th, 2019, 12:41 am
Thank you very much for your help so far! I think I got it working with the following entries:

iptables -A CUSTOMINPUT -s 192.168.0.0/24 -p tcp -d 192.168.0.1 --dport 444 -j DROP
iptables -D CUSTOMINPUT -s 192.168.0.0/24 -p tcp -d 192.168.0.1 --dport 444 -j DROP

The blue clients can no longer access the web interface right now.
Trying to do the same.
My IPFireBox has Blue NIC with address 192.168.2.1 (and AP connected with 192.168.2.2.)

Adding

iptables -A CUSTOMINPUT -s 192.168.2.0/24 -p tcp -d 192.168.2.1 --dport 444 -j DROP
iptables -D CUSTOMINPUT -s 192.168.2.0/24 -p tcp -d 192.168.2.1 --dport 444 -j DROP

still lets Blue devices access the web interface.
I've also checked the wiki at https://wiki.ipfire.org/configuration/f ... cesstoblue.

Some help would be appreciated.

Thank you

Re: Help needed: Deny blue clients access to the IPFire web interface

Posted: January 1st, 2020, 11:54 am
by stan
...by default the web interface is available on the green network,
so dropping all connections to (green) 192.168.0.1 --dport 444 instead of (Blue) 192.168.2.1
seems to block access to it from wifi devices.
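Two things went wrong across this thread: the destination address was copied from the wiki example (192.168.49.254) or pointed at the wrong interface, and the -A and -D lines had to be kept in sync by hand. The listings above also show that iptables silently stores a host/prefix such as 192.168.0.1/24 as 192.168.0.0/24, so the source notation was never the real problem. The script below is an added example, not IPFire's shipped firewall.local and not code from anyone in the thread; it assumes a BLUE network of 192.168.0.0/24 and that CUSTOMINPUT is reached from the INPUT chain (which only sees packets addressed to the firewall itself). It derives the network address the way iptables does, builds one rule specification used for both adding and deleting, and checks with `iptables -C` so repeated starts never append duplicates and stop removes every copy. Leaving BLUE_ADDR empty makes the rule match every address the firewall has, which covers the case stan ran into where the web interface was reached through the green address.

```shell
#!/bin/sh
# Added example, not IPFire's shipped firewall.local: a replacement body for
# /etc/sysconfig/firewall.local that drops BLUE access to the web interface
# (444) and to SSH on the firewall itself, keeping start/stop/reload in sync.

BLUE_NET="192.168.0.0/24"   # assumed BLUE network; adjust to your installation
BLUE_ADDR=""                # optional: restrict the match to one firewall address
PORTS="444 22"              # web interface and SSH; use 222 if SSH was moved there
IPT="${IPT:-iptables}"      # override for a dry run: IPT=echo ./firewall.local start

# ip_to_int 192.168.0.1 -> 3232235521
ip_to_int() {
    _oldifs=$IFS; IFS=.; set -- $1; IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232235520 -> 192.168.0.0
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of 192.168.0.1/24 -> 192.168.0.0/24 (what iptables stores for a host/prefix)
network_of() {
    _ip=${1%/*}; _prefix=${1#*/}
    _mask=$(( (4294967295 << (32 - _prefix)) & 4294967295 ))   # 4294967295 = 0xffffffff
    echo "$(int_to_ip $(( $(ip_to_int "$_ip") & _mask )))/$_prefix"
}

# True when the host bits of a CIDR are all zero, i.e. it names a network, not a host
is_network_address() {
    [ "$(network_of "$1")" = "$1" ]
}

# One rule specification shared by -A and -D, so the two can never drift apart.
# Without -d the rule matches any firewall address: INPUT (which jumps to
# CUSTOMINPUT) only sees packets addressed to the firewall itself anyway.
rule_spec() {
    if [ -n "$BLUE_ADDR" ]; then
        echo "CUSTOMINPUT -s $BLUE_NET -d $BLUE_ADDR -p tcp --dport $1 -j DROP"
    else
        echo "CUSTOMINPUT -s $BLUE_NET -p tcp --dport $1 -j DROP"
    fi
}

add_rules() {
    for _port in $PORTS; do
        # -C tests whether the rule exists; append only when it is not there yet
        $IPT -C $(rule_spec "$_port") 2>/dev/null || $IPT -A $(rule_spec "$_port")
    done
}

del_rules() {
    for _port in $PORTS; do
        # loop: a rule appended twice by earlier runs needs two deletions
        while $IPT -C $(rule_spec "$_port") 2>/dev/null; do
            $IPT -D $(rule_spec "$_port")
        done
    done
}

# Warn (do not fail) when BLUE_NET is a host address like 192.168.0.1/24
is_network_address "$BLUE_NET" ||
    echo "note: $BLUE_NET is a host address; iptables will store it as $(network_of "$BLUE_NET")" >&2

case "${1:-}" in
    start)  add_rules ;;
    stop)   del_rules ;;
    reload) del_rules; add_rules ;;
    *)      echo "Usage: $0 {start|stop|reload}" ;;
esac
```

Run it with `IPT=echo ./firewall.local start` first to see the exact iptables commands it would issue; then check the result with the CUSTOMINPUT listing from the web interface as was done in the thread. The rules only cover connections to the firewall itself, not BLUE-to-GREEN traffic, which stays governed by the regular firewall rules.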