How to block ipfire webgui access from BLUE?

danimal1228
Posts: 4
Joined: July 27th, 2014, 4:13 am

How to block ipfire webgui access from BLUE?

Post by danimal1228 » July 27th, 2014, 4:19 am

I have spent hours searching and can't find it.

Can someone tell me how to block access to the webgui from the BLUE network?

I realize that it is password protected but I still want to prevent people from trying.

I have RED + GREEN + BLUE.

Green interface = 192.168.1.1/24
Blue interface = 192.168.2.1/24

As it is now, all of the defaults are left as is.
Blue can't access Green. Green can access Blue.

I want to prevent clients on BLUE from accessing the ipfire webgui. As it is now, they can't access the Green ipfire adapter (https://192.168.1.1:444) but they are able to access the blue ipfire adapter (https://192.168.2.1:444). I have tried to set up a firewall but it will not allow me to block between addresses on the same subnet.

Thanks

Frank.M
Posts: 520
Joined: September 13th, 2013, 6:26 am
Contact:

Re: How to block ipfire webgui access from BLUE?

Post by Frank.M » July 27th, 2014, 7:14 am

In /etc/sysconfig/firewall.local

Code:

#!/bin/sh
# Used for private firewall rules

# See how we were called.
case "$1" in
  start)
        ## add your 'start' rules here
        # Block WUI from blue
        /sbin/iptables -A CUSTOMINPUT -s 192.168.3.0/24 -p tcp -d 192.168.1.254 --dport 444 -j DROP
        ;;
  stop)
        ## add your 'stop' rules here
        # Block web interface from blue
        /sbin/iptables -D CUSTOMINPUT -s 192.168.3.0/24 -p tcp -d 192.168.1.254 --dport 444 -j DROP
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac

danimal1228
Posts: 4
Joined: July 27th, 2014, 4:13 am

Re: How to block ipfire webgui access from BLUE?

Post by danimal1228 » July 27th, 2014, 4:53 pm

Thanks. I will give that a try.

It looks like that rule will drop any packet from 192.168.3.0/24 (presumably the blue network) to 192.168.1.254:444 (presumably the ipfire green interface).

The problem is, ipfire allows webgui connections on the blue interface (192.168.3.1:444) and you can't block connections on the same network zone. How can I prevent the webgui from responding to the blue network?

burningpenguin
Posts: 173
Joined: December 5th, 2012, 7:37 pm

Re: How to block ipfire webgui access from BLUE?

Post by burningpenguin » July 28th, 2014, 6:57 pm

Hm, the web UI is protected by a password anyway. If that password is not trivial and only the people who use green know it, then no access to the web UI via blue is permitted.

Addendum:
it should also be possible via the Squid config.
Typically

Code:

acl IPFire_blue_network     src 192.168.3.0/24
acl IPFire_blue_servers     dst 192.168.3.0/24
...
http_access allow CONNECT IPFire_ips IPFire_networks IPFire_https


maybe this works

Code:


http_access deny CONNECT IPFire_blue_servers IPFire_networks IPFire_https


I haven't tried it ...

ummeegge
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Re: How to block ipfire webgui access from BLUE?

Post by ummeegge » July 28th, 2014, 7:59 pm

Hi all,
burningpenguin wrote:Addendum:
it should also be possible via the Squid config.
Typically

Code:

acl IPFire_blue_network     src 192.168.3.0/24
acl IPFire_blue_servers     dst 192.168.3.0/24
...
http_access allow CONNECT IPFire_ips IPFire_networks IPFire_https


maybe this works

Code:


http_access deny CONNECT IPFire_blue_servers IPFire_networks IPFire_https


I haven't tried it ...

I don't think that this will work, because IPFire's WUI is also reachable over the blue0 address, so requests from the blue network won't reach the proxy.

Frank.M's solution should work if the IPs for "-s" and "-d" are correct.

If IPFire has 192.168.2.1 on the blue interface, so the blue subnet is 192.168.2.0/24, e.g.

Code:

#!/bin/sh
# Used for private firewall rules

# See how we were called.
case "$1" in
  start)
        ## add your 'start' rules here
        # Block WUI from blue
        /sbin/iptables -A CUSTOMINPUT -s 192.168.2.0/24 -p tcp -d 192.168.2.1 --dport 444 -j DROP
        ;;
  stop)
        ## add your 'stop' rules here
        # Block web interface from blue
        /sbin/iptables -F CUSTOMINPUT
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac


and after editing the firewall.local execute a

Code:

/etc/init.d/firewall restart

so the rules will be read in.

You can review the new rules in the WUI under --> Firewall --> iptables --> iptables: --> CUSTOMINPUT .

Greetings,

UE
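As an added example (not code from the thread or from IPFire itself), the same CUSTOMINPUT rule can be derived from the box's own interface settings instead of hard-coding the addresses, and added idempotently with `iptables -C` so that repeated `start` calls do not stack duplicate rules. It assumes /var/ipfire/ethernet/settings carries the keys BLUE_ADDRESS, BLUE_NETADDRESS and BLUE_NETMASK; the sample settings in the usage below are constructed.

```shell
#!/bin/sh
# Added example, not IPFire's own code: build the "block WUI from blue" rule
# from the interface settings file (assumed keys: BLUE_ADDRESS, BLUE_NETADDRESS,
# BLUE_NETMASK) so it keeps working when the blue subnet is changed.

# Print the value of KEY from a KEY=value settings file ($1 file, $2 key).
setting() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Print the rule spec (chain plus match, without -A/-D/-C) that drops TCP/444
# from the blue subnet to the blue interface address. Fails if a key is missing.
blue_wui_rule() {
    f="$1"
    addr=$(setting "$f" BLUE_ADDRESS)
    net=$(setting "$f" BLUE_NETADDRESS)
    mask=$(setting "$f" BLUE_NETMASK)
    [ -n "$addr" ] && [ -n "$net" ] && [ -n "$mask" ] || return 1
    echo "CUSTOMINPUT -s $net/$mask -d $addr -p tcp --dport 444 -j DROP"
}

# Add the rule only if it is not already present (safe to call repeatedly).
apply_blue_wui_rule() {
    rule=$(blue_wui_rule "$1") || return 1
    /sbin/iptables -C $rule 2>/dev/null || /sbin/iptables -A $rule
}

# Remove just this rule, leaving any other CUSTOMINPUT rules in place.
remove_blue_wui_rule() {
    rule=$(blue_wui_rule "$1") || return 1
    /sbin/iptables -D $rule 2>/dev/null || true
}

# Usage with a constructed settings file (root and iptables are only needed
# for apply/remove; printing the rule works anywhere).
if [ "$1" = "--demo" ]; then
    tmp=$(mktemp)
    printf 'BLUE_ADDRESS=192.168.2.1\nBLUE_NETADDRESS=192.168.2.0\nBLUE_NETMASK=255.255.255.0\n' > "$tmp"
    blue_wui_rule "$tmp"
    rm -f "$tmp"
fi
```

In firewall.local the `start` branch would call `apply_blue_wui_rule /var/ipfire/ethernet/settings` and the `stop` branch `remove_blue_wui_rule` with the same file.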
