Hello;
I need to know how to make the webconfig & SSH access work from a specific IP only.
Because right now on my firewall anyone in the LAN & external can access both ports 81 & 22!!
So I need to know where the file is that I can edit to make this rule, or must I add the rule in the custom firewall?
Accepted Answer
-i and -I are different. -i is used for specifying the incoming interface, -I is for Insert (as opposed to -A (append) and -D (delete)) and is used before the chain you want to insert the rule into.
-w tells the firewall to wait if two or more firewall operations clash, but is only from ClearOS 6.8 onwards. I am not sure why it is not working for you (I've just locked myself out of my system testing it!).
Responses (8)
-
After adding your code I saw the same result: the firewall service is not running and failed,
but if I remove -w and make it iptables -I INPUT
it works fine for me.
What are the -w and -i?
Also I have a last question about this point, my friend, and I appreciate your effort with me:
how to change the webconfig port 81? And the web proxy port 8080, when a user accesses it from the browser he inputs 8080.
Thank you very much my friend, I am very happy to see your help with me and I hope to contact you by message to talk with you.
-
Now I have removed my rule in incoming
and added this rule only in the custom firewall:
iptables -w -I INPUT -p tcp --dports 22,81 -j DROP
After that I can still access webconfig & SSH from all computers in the LAN,
so I restarted the firewall by
/sbin/service firewall restart
and it shows failed, and if I remove this rule from the custom firewall the firewall service works fine!!
I think there is a problem with this code, or what?
Also, how to add the switch in the code as you said, on my LAN only?
-
If you remove SSH and Webconfig from the incoming firewall, it only affects the WAN. The whole server is open to the LAN, so you don't have to do anything to gain access to it from anywhere on your LAN. If you want you can use the rules I posted to restrict LAN access to a few machines, but it is then best if they have static IPs or permanently assigned leases in the DHCP server.
Note you should really also add the switch "-i your_LAN_interface" to the above rules if you want them to operate on the LAN only, but they should be safe without it as the LAN IPs should never exist on the WAN.
-
By default the server is completely open to your LAN and it is generally acceptable.
I really don't recommend opening up SSH to the WAN. There are too many bots out there trying to crack SSH passwords. I normally suggest using OpenVPN instead. Then you can connect by SSH as if you are on your LAN.
If you really want to open SSH to the WAN and use firewall rules then you want something like:
iptables -w -I INPUT -p tcp -m multiport --dports 22,81 -j DROP
iptables -w -I INPUT -p tcp -m multiport --dports 22,81 -s allowed_IP_1 -j ACCEPT
iptables -w -I INPUT -p tcp -m multiport --dports 22,81 -s allowed_IP_2 -j ACCEPT
These should be custom firewall rules placed in that order. Alternatively you can add them to /etc/clearos/firewall.d/local, but replace "iptables -w" with "$IPTABLES".
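As an added example, not code from this thread or from ClearOS itself: a small POSIX sh script that generates the rules from the answer above for a list of allowed LAN hosts, adds the "-i your_LAN_interface" switch the answer recommends, and simulates iptables' first-match evaluation of the resulting INPUT chain so you can see why the DROP rule has to be inserted first. The interface name eth1 and the 192.168.1.x addresses are placeholders I made up; nothing here touches a real firewall.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClearOS: generates the
# restrict-to-allowed-hosts rules from the accepted answer, with the
# "-i LAN_interface" switch, and simulates iptables' first-match evaluation
# of the resulting INPUT chain. Interface and addresses are placeholders.

LAN_IF="eth1"      # placeholder: your LAN interface name
PORTS="22,81"      # SSH and Webconfig; --dports needs "-m multiport"

# Print the rules in the order they must be run (custom firewall order, or
# /etc/clearos/firewall.d/local with "$IPTABLES" as the command argument).
# Usage: build_rules "iptables -w" allowed_ip [allowed_ip ...]
build_rules() {
    cmd="$1"; shift
    # The catch-all DROP goes first: each later "-I" lands above it.
    echo "$cmd -I INPUT -i $LAN_IF -p tcp -m multiport --dports $PORTS -j DROP"
    for ip in "$@"; do
        echo "$cmd -I INPUT -i $LAN_IF -p tcp -m multiport --dports $PORTS -s $ip -j ACCEPT"
    done
}

# Show the INPUT chain as iptables will hold it after those commands run:
# "-I" inserts at position 1, so the chain is the command list reversed.
effective_order() {
    build_rules "$@" | sed 's/^.* -I INPUT /-I INPUT /' |
        awk '{ line[NR] = $0 } END { for (i = NR; i > 0; i--) print line[i] }'
}

# Simulate the verdict for a source address on the LAN interface: walk the
# effective chain and stop at the first rule that matches, as iptables does.
# Usage: verdict src_ip allowed_ip [allowed_ip ...]
verdict() {
    src="$1"; shift
    effective_order iptables "$@" | while read -r rule; do
        case "$rule" in
            *" -s $src "*ACCEPT) echo ACCEPT; break ;;
            *" -s "*)            ;;   # ACCEPT for a different host: no match
            *DROP)               echo DROP; break ;;
        esac
    done
}

# Stand-alone demo with constructed placeholder addresses.
build_rules "iptables -w" 192.168.1.10 192.168.1.11
verdict 192.168.1.10 192.168.1.10 192.168.1.11   # ACCEPT
verdict 192.168.1.50 192.168.1.10 192.168.1.11   # DROP
```

Two things worth noticing when you run it: effective_order shows the ACCEPT lines ending up above the DROP even though the DROP was issued first, which is exactly why the answer says to place the rules in that order; and the generated lines use "-m multiport", because "--dports" is an option of the multiport match module, so a rule with "--dports" but without "-m multiport" (as in the post above that made the firewall service fail) is rejected by iptables.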