
Thread: Allow port 80 and 443 only for some IP addresses block the rest in same range

  1. #1

    Allow port 80 and 443 only for some IP addresses block the rest in same range

    Good day all

    I have a Netgear router that has a "Service filter" that can be set on an IP range, e.g. block port 80 from IP 192.168.1.11 to 192.168.1.254.

    This means that I can set up the DHCP to give some PCs IP addresses that are not blocked (192.168.1.1 to .10) while the rest of the network cannot access the internet.

    How can I do this with the openSUSE 13.1 firewall... I'm still VERY new to openSUSE (and enjoying it greatly).
    I'm currently using YaST on KDE.

    Thank you

    Regards
    ReuSeven

  2. #2
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    29,804

    Re: Allow port 80 and 443 only for some IP addresses block the rest in same range

    I am not sure I understand you completely.

    When you say that router blocks port 80 for a range of IP addresses, I assume that those IP addresses are from your LAN, but is that port 80 for traffic from the internet to that range of LAN systems (which will block these systems from serving on the default HTTP port, a.k.a. being a web server, to systems on the internet), or do you mean blocking outgoing requests to HTTP servers (default) on the internet (which will block those systems on your LAN from accessing most web servers on the internet)?

    Then later you talk about "while the rest of the network can not access the internet.", which is something different. When you want to block systems from accessing the internet, you should either completely block them in your router, or you do not configure any route in those systems to a gateway/router to the internet (in most cases: no route at all, default or otherwise).

    And of course all this configuring on the systems themselves requires that the users of those systems do not know the root password; only you, as system manager, should know.
    Henk van Velden

  3. #3

    Re: Allow port 80 and 443 only for some IP addresses block the rest in same range

    Good day

    Let's start again.

    I'm trying to set up a firewall server that will also be the default gateway.

    With internet I mean port 80 and 443.

    So here is what I need: I have my openSUSE box connected to my ADSL router and another network card connected to the LAN.
    Only a few users on the LAN are allowed to go on websites and download sites.
    At this moment I have a firewall rule on my Netgear ADSL router (old model); all users with an IP of 192.168.1.11 and higher cannot use port 80 and 443.

    Can I set the openSUSE box to drop all traffic from the ports 80 and 443 from IP addresses 192.168.1.11 to 192.168.1.254 but let 192.168.0.1 to 192.168.1.10 go through?

    Thanks for the speedy response

    regards

  4. #4
    Re: Allow port 80 and 443 only for some IP addresses block the rest in same range

    It is a bit more clear to me now. But you better use the word "internet" when you mean "internet". That is how most people here use it.

    When you block outgoing to port 80/443 packages, you do just that. While those are the default ports for http and shttp protocols, they do by no means block the usage of all "websites and downloadsites". Especially not the latter ones. And of course all other internet traffic is still allowed. But when the blocking of outgoing port 80 and 443 traffic is what you want, that is fine to me.

    Now from your second explanation there is the surprise that you have two NICs on the system and that you want to build a router with it. You never explained that in your first post. That means you have two networks:
    • one with your system and all the other systems;
    • the other being a small one between your system and the router.

    Both networks should of course have different IP address ranges.

    From your story I also understand that those other systems use DHCP to get their IP addresses etc. Are you thus also planning to run a DHCP server on your firewall/routing system?
    Henk van Velden

  5. #5

    Re: Allow port 80 and 443 only for some IP addresses block the rest in same range

    Yes, I would like to replace old\end of life products on my network. I have been playing around with SAMBA and the firewall settings but got stuck on the internet access part.

    Being a simplistic man, I am going to give static IPs or IP reservation on the DHCP (using MAC address if possible) to give a few users full access to the net... for others only blocking port 80\443.

    I just installed DHCP server for yast2.

    I'm almost done...

    Now back to the topic... is it possible to set up 10 IP addresses that have unrestricted access to the internet while the rest on my network are blocked from using port 80 and 443?

    If so, how do I set it up?

    regards
    R7

  6. #6
    Re: Allow port 80 and 443 only for some IP addresses block the rest in same range

    I have no doubt you can do this using IPtables. I am not sure that YaST can create exactly what you want (imho it is more dedicated to manage a "personal firewall"). But you could try. The NIC on the LAN side must be the "internal" one and the NIC to the router to the internet the external one. Then experiment a bit.

    Or wait until someone comes with a ready made IPtables solution.
    Henk van Velden

  7. #7

    Re: Allow port 80 and 443 only for some IP addresses block the rest in same range

    Alright, I will check for IPtables documents and how to implement them.
    Are there any GUIs for IPtables in YaST?
    I'll keep on playing with the firewall and other apps too.

    Regards
    R7

  8. #8
    Re: Allow port 80 and 443 only for some IP addresses block the rest in same range

    As I tried to explain, the YaST firewall module is a GUI interface to IPtables.
    But as in general a GUI offers often only a crippled interface with only the most often used facilities of the configuration of a feature, I do not know if in this case the GUI is detailed enough for your wishes.

    As I do not use the firewall on my openSUSE systems and thus do not use the YaST GUI, I cannot be of much help here. And as you can look at what that GUI offers as well as I can, see for yourself and experiment. I gave you the hint to attach zones to the two NICs. But I am repeating myself. So either you go and see what YaST > Security and users > Firewall can do for you (and ask more detailed questions about it in the hope that others than I come and help), or do not follow my advice.
    Henk van Velden

  9. #9

    Re: Allow port 80 and 443 only for some IP addresses block the rest in same range

    Hmm OK I'm sure this happens a lot...

    Notice the second network card DOES NOT WORK, not even in another PC, and maybe that's why nothing is working...

    But will this work?

    Created a custom rule in YaST firewall: Internal) source network) 192.168.0.0/24 protocol) TCP Dest Port) 80 Source port) 80... This will block all port 80 traffic on the LAN, right?

    regards
    R7

    PS thanks for the info it helps.

  10. #10
    Re: Allow port 80 and 443 only for some IP addresses block the rest in same range

    It will of course NOT block all port 80 traffic on the LAN. Every system on the LAN can still contact any other system on that same LAN that is listening on port 80. A router can only block traffic that is GOING THROUGH IT.

    It will (my interpretation; I do not use it, thus I do not promise anything, but you can easily test yourself when your NIC is repaired) block all packages from that IP range connecting to the internal NIC from being forwarded to the external NIC.
    Henk van Velden
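
Added example, not part of any post in this thread: a dry-run script that prints FORWARD-chain iptables rules letting only an allowed source range through the gateway to TCP ports 80 and 443. The interface names `eth1` (LAN side) and `eth0` (towards the ADSL router), the chain name `WEBFILTER` and the function name are assumptions; the address range is the one from the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the iptables commands instead of
# running them, so they can be reviewed first; pipe the output to "sh" as root
# to apply. Interface and chain names are assumptions.

emit_web_filter() {
    lan_if=$1   # NIC facing the LAN (assumed name, e.g. eth1)
    wan_if=$2   # NIC facing the ADSL router (assumed name, e.g. eth0)
    allow=$3    # first-last source range that may use ports 80/443

    # The output is meant to be fed to a shell, so refuse anything that is
    # not a plain interface name or a dotted "first-last" range.
    for name in "$lan_if" "$wan_if"; do
        case $name in
            ''|*[!A-Za-z0-9_.]*) echo "bad interface: $name" >&2; return 1 ;;
        esac
    done
    case $allow in
        *[!0-9.-]*|*-*-*|-*|*-) echo "bad range: $allow" >&2; return 1 ;;
        *-*) ;;
        *) echo "bad range: $allow" >&2; return 1 ;;
    esac

    # Only routed traffic passes the FORWARD chain; traffic between two LAN
    # hosts does not go through the gateway. The match is on destination
    # port only: a client's source port is an arbitrary high port.
    # RETURN hands allowed clients back to the remaining FORWARD rules.
    cat <<EOF
iptables -N WEBFILTER
iptables -A WEBFILTER -m iprange --src-range $allow -j RETURN
iptables -A WEBFILTER -j DROP
iptables -I FORWARD 1 -i $lan_if -o $wan_if -p tcp -m multiport --dports 80,443 -j WEBFILTER
EOF
}

# Range taken from the first post: .1 to .10 may browse, the rest may not.
emit_web_filter eth1 eth0 192.168.1.1-192.168.1.10
```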
