I have a Netgear router that has a “Service filter” that can be set on an IP range, e.g. block port 80 from IP 192.168.1.11 to 192.168.1.254.
This means that I can set up the DHCP to give some PCs IP addresses that are not blocked (192.168.1.1 to .10) while the rest of the network cannot access the internet.
How can I do this with the openSUSE 13.1 firewall? I’m still VERY new to openSUSE (and enjoying it greatly).
I’m currently using YaST on KDE.
When you say that the router blocks port 80 for a range of IP addresses, I assume that those IP addresses are from your LAN, but is that port 80 for traffic from the internet to that range of LAN systems (which will block these systems from serving on the default HTTP port, a.k.a. being a web server, to systems on the internet), or do you mean blocking outgoing requests to HTTP servers (default port) on the internet (which will block those systems on your LAN from accessing most web servers on the internet)?
Then later you talk about “while the rest of the network can not access the internet”, which is something different. When you want to block systems from accessing the internet, you should either completely block them in your router, or not configure any route in those systems to a gateway/router to the internet (in most cases: no route at all, default or otherwise).
And of course all this configuring on the systems themselves requires that the users of those systems do not know the root password; only you, as system manager, should know it.
I’m trying to set up a firewall server that will also be the default gateway.
By internet I mean ports 80 and 443.
So here is what I need: I have my openSUSE box connected to my ADSL router and another network card connected to the LAN.
Only a few users on the LAN are allowed to go on websites and download sites.
At the moment I have a firewall rule on my Netgear ADSL router (old model): all users with an IP of 192.168.1.11 and higher cannot use ports 80 and 443.
Can I set the openSUSE box to drop all traffic on ports 80 and 443 from IP addresses 192.168.1.11 to 192.168.1.254 but let 192.168.0.1 to 192.168.1.10 get through?
It is a bit clearer to me now. But you had better use the word “internet” when you mean “internet”. That is how most people here use it.
When you block outgoing packets to port 80/443, you do just that. While those are the default ports for the http and shttp protocols, they by no means block the usage of all “websites and download sites”, especially not the latter. And of course all other internet traffic is still allowed. But when the blocking of outgoing port 80 and 443 traffic is what you want, that is fine by me.
Now from your second explanation there is the surprise that you have two NICs on the system and that you want to build a router with it. You never explained that in your first post. That means you have two networks:
- one with your system and all the other systems;
- the other being a small one between your system and the router.
Both networks should of course have different IP address ranges.
From your story I also understand that those other systems use DHCP to get their IP addresses etc. Are you thus also planning to run a DHCP server on your firewall/routing system?
Yes, I would like to replace old/end-of-life products on my network. I have been playing around with Samba and the firewall settings but got stuck on the internet access part :(
Being a simplistic man, I am going to give static IPs or IP reservations on the DHCP (using MAC address if possible) to give a few users full access to the net, for others only blocking port 80/443.
I just installed the DHCP server via YaST2, rotfl!
I’m almost done…
Now back to the topic: is it possible to set up 10 IP addresses that have unrestricted access to the internet while the rest on my network are blocked from using ports 80 and 443?
I have no doubt you can do this using IPtables. I am not sure that YaST can create exactly what you want (IMHO it is more dedicated to managing a “personal firewall”). But you could try. The NIC on the LAN side must be the “internal” one and the NIC to the router to the internet the external one. Then experiment a bit.
Or wait until someone comes with a ready-made IPtables solution.
Alright :\ I will check for IPtables documents and how to implement them.
Are there any GUIs for IPtables in YaST?
I’ll keep on playing with the firewall and other apps too.
As I tried to explain, the YaST firewall module is a GUI interface to IPtables.
But as a GUI in general often offers only a crippled interface with only the most often used facilities for configuring a feature, I do not know if in this case the GUI is detailed enough for your wishes.
As I do not use the firewall on my openSUSE systems and thus do not use the YaST GUI, I cannot be of much help here. And as you can look for yourself as well as I can at what that GUI offers, see for yourself and experiment. I gave you the hint to attach zones to the two NICs. But I am repeating myself. So either go and see what YaST > Security and Users > Firewall can do for you (and ask more detailed questions about it in the hope that others than I come and help), or do not follow my advice.
Note that the second network card DOES NOT WORK >:( not even in another PC, and maybe that’s why nothing is working…
But will this work?
Created a custom rule in the YaST firewall: Internal) source network) 192.168.0.0/24 protocol) TCP Dest Port) 80 Source port) 80. This will block all port 80 traffic on the LAN, right?
It will of course NOT block all port 80 traffic on the LAN. Every system on the LAN can still contact any other system on that same LAN that is listening on port 80. A router can only block traffic that is GOING THROUGH IT.
It will (my interpretation; I do not use it, thus I do not promise anything, but you can easily test it yourself when your NIC is repaired) block all packets from that IP range arriving at the internal NIC from being forwarded to the external NIC.
Right… I’m going through a lot of IPtables examples and firewall docs but cannot find the one thing I’m looking for.
How do I block only part of the LAN?
I can go and create a rule for each IP address on the network to block port/allow port 80 (I’m sure it will work but that will be a lot of work…)
I’m getting used to the terminal commands (/sbin/iptables -A INPUT -p tcp -i eth1 -s ! 192.168.0.11 --dport 80 -j DROP) but is there no way just to use one command to drop 80 on the IP range 192.168.0.11 ~ 192.168.0.254?
That’s basically all that I need right now to be sorted.
First, when you copy/paste CLI commands and their output here in a post, please do so between CODE tags. You get the tags by clicking on the # button in the toolbar of the post editor. Preferably you copy/paste the prompt, the command, the output and the next prompt between the CODE tags in one sweep.
According to man iptables you can use an IP address with a mask. Thus the best thing is to split your network addresses in half using a mask of /25. That will apply the rule to one half of the addresses.
If that is not to your liking, it is of course very easy to write a command like (I did not test this, it is an example!):
SYSTEM=11
until (( SYSTEM > 254 ))   # loop over .11 up to and including .254
do
    # FORWARD, not INPUT: traffic routed through the gateway never hits INPUT.
    # No "!" before the address: the packets FROM this host are to be dropped.
    /sbin/iptables -A FORWARD -p tcp -i eth1 -s 192.168.0.${SYSTEM} --dport 80 -j DROP
    (( SYSTEM += 1 ))
done
The best is of course to put this into a bash script to shorten the typing.
I assume you are aware of the fact that IPtables rules are part of the kernel data and thus gone after a shutdown. Thus you have to run that script at every boot to make those rules work again.
Well, YaST does write them to some configuration files, which are applied after every boot. As far as I know, the YaST firewall module puts its values in /etc/sysconfig/SuSEfirewall2 and /etc/sysconfig/SuSEfirewall2.d/. There is some documentation there, but I do not know any details.
Again, you could either:
- use the YaST firewall module,
- or configure those files yourself (be aware of the fact that some files there may be overwritten on re-installation of the firewall package; always keep a copy of what you need elsewhere),
- or create a script to be run on boot (after network start).
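As an added example (not hcvv’s script and not part of this thread), here is a POSIX shell script that builds the same policy with one DROP rule for the whole subnet plus an ACCEPT for the exempt hosts, using the iptables iprange and multiport matches; it assumes eth1 faces the LAN, eth0 faces the ADSL router, and 192.168.0.1 to .10 are the unrestricted hosts. It only prints the commands unless APPLY=1 is set, so the rules can be reviewed before touching a live gateway.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: eth1 = LAN NIC, eth0 = NIC
# towards the ADSL router, 192.168.0.1-192.168.0.10 = hosts with unrestricted
# web access; every other host in 192.168.0.0/24 loses TCP 80 and 443.
set -eu

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
ALLOWED_RANGE="192.168.0.1-192.168.0.10"
LAN_NET="192.168.0.0/24"
PORTS="80,443"

# Print each iptables command unless APPLY=1 is set, so the rules can be
# reviewed first (and exercised without root).
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        /sbin/iptables "$@"
    else
        printf '/sbin/iptables %s\n' "$*"
    fi
}

# Both rules live in FORWARD: client traffic that the gateway routes to the
# internet never traverses INPUT, which only sees packets addressed to the
# gateway itself. Matching -o "$WAN_IF" leaves LAN-to-LAN traffic alone.

# 1. Exempt hosts first: iptables evaluates rules in order, so this ACCEPT
#    must precede the DROP that covers the whole subnet.
allow_rule() {
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -m multiport --dports "$PORTS" \
        -m iprange --src-range "$ALLOWED_RANGE" -j ACCEPT
}

# 2. One rule for everybody else: the whole /24 on both ports at once
#    (xt_multiport), instead of one rule per host or a /25 split.
drop_rule() {
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -m multiport --dports "$PORTS" \
        -s "$LAN_NET" -j DROP
}

apply_policy() {
    allow_rule
    drop_rule
}

apply_policy
```

Run it with APPLY=1 as root on the gateway; the rules live only in the kernel, so the script must be re-run at boot or its rules moved into the SuSEfirewall2 configuration.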
How about using SUSE FW zones? E.g.: you already have the DMZ and Internal zones configured by default. Both are also pre-configured to enable access and routing to the Internet (external zone).
So, split your existing network address range into 2 parts, e.g.
- Internal 192.168.0.1-100
- DMZ 192.168.0.101-250
(always a good idea not to configure the entire address space, so leave a few addresses outside the DHCP address range)
Option 1: configure static addresses in one of the two zones, configure the DHCP address range for the other zone.
Option 2: configure the DHCP address range to cover both zones, but assign DHCP reserved leases to the higher range zone (DMZ in this example). The reason is that DHCP will allocate addresses starting from the lowest by default.
Now, configure your filtering (ports and/or services) for each zone however you wish.
Note that if you want to filter egress, SUSE FW doesn’t do that by default. You’ll have to create your own rules.
Also, if you want to enable routing between the two zones, you might have to create rule(s). I doubt any routing table modifications are required.
The above is untested, so YMMV.
If true routing between the DMZ and Internal zones is desired, then modify the subnet mask so the two networks are distinct, or, if it’s clearer to you, just select a very different private address range (e.g. Class B instead of Class C).
On 2/19/2014 5:26 AM, hcvv wrote:
>
> Well, YaST does write them to some configuration files, which are
> applied after every boot. As far as I the YaST firewall module puts it’s
> values in /etc/sysconfig/SuSEfirewall2 and
> /etc/sysconfig/SuSEfirewall2.d/. The is some documentation there, but I
> do not know any details.
>
> Again, you could either:
>
> - use the YaST firewall module,
> - or configure in those files yourself (be aware of the fact that some
> files there may be overwritten on re-installation of the firewall
> package, allways keep a copy of what you need elsewhere).
> - or create a script to be run on boot (after network start).
>
>
I believe this situation requires a “custom firewall setting”. SuSEfirewall2 permits you to write these in /etc/sysconfig/scripts/SuSEfirewall2-custom. The only real documentation for this feature is contained in the comments found in this file. SuSEfirewall2 regenerates the IPtables rules on each boot using the rules found in /etc/sysconfig.
See also: /usr/share/doc/packages/SuSEfirewall2
P.V.
“We’re all in this together, I’m pulling for you” Red Green