
Only allow specific IP to access https?

Discussion in 'Tomato Firmware' started by Gnurf, Jan 28, 2007.

  1. Gnurf

    Gnurf LI Guru Member

    Hi all.

    Reverted to Tomato a while ago, at first mainly because Tomato gives me 55 mbit download speed instead of DD-WRT's 35 mbit (that is A LOT to gain when using Tomato), and after that, it grew on me. Great job!!

    My question is:
    Is there any possibility to only allow access to https (forwarded to a computer on my LAN) from a specific IP on the internet? Meaning that I only want https available to a specific IP address. HTTP should be available from any IP on the internet.

    If so, how? Custom firewall-script?

    If I am unclear of what I want, please ask.
    Thanks to everyone...!
     
  2. digitalgeek

    digitalgeek Network Guru Member

    In port forwarding you can specify a port to forward to an IP; try using an unusual port and map it to 443 on your LAN.
     
  3. u3gyxap

    u3gyxap Network Guru Member

    ... or remove the port forwarding rule for the https in the GUI (if you have any) and add this to your firewall:
    iptables -t nat -I PREROUTING -s 11.22.33.44 -p tcp --dport 443 -j DNAT --to-dest 192.168.1.2
    replace the 11.22.33.44 with the specific IP from the internet and 192.168.1.2 with the IP of the local machine you wish to use.
     
  4. Gnurf

    Gnurf LI Guru Member

    Forgot to mention that this is already done.. A port over 40000 is used to map to 443 on the computer in question...

    Ok.. So the above line stops any other IP from getting through?

    Say I want to be able to reach my https server from work at, say, 11.22.33.44 and not let anyone else be able to reach it.
    Also, how do I remove that block in the future? How do I add IPs that I want to be able to reach the https server in the future? Will that line stay active in case of a poweroff? Is there anywhere in Tomato that I can see the blocked IPs? (firewall log?)

    Thanks!
     
  5. u3gyxap

    u3gyxap Network Guru Member

    This should allow https requests only from 11.22.33.44. All the rest will be left unanswered.
    If you want to allow more IPs, then just add more lines, say:
    iptables -t nat -I PREROUTING -s 11.22.33.44 -p tcp --dport 443 -j DNAT --to-dest 192.168.1.2
    iptables -t nat -I PREROUTING -s 11.22.33.45 -p tcp --dport 443 -j DNAT --to-dest 192.168.1.2
    iptables -t nat -I PREROUTING -s 11.22.33.46 -p tcp --dport 443 -j DNAT --to-dest 192.168.1.2
    iptables -t nat -I PREROUTING -s 11.22.33.47 -p tcp --dport 443 -j DNAT --to-dest 192.168.1.2

    To have this rule always valid, just add it into the Firewall, and click Save Firewall (if I am not mistaken). You can always see how many rules you have added there, and delete whatever line you want. They will stay if you power off or restart, but will be gone if you do a reset to defaults.
    But, see if it works first :)
     
  6. Gnurf

    Gnurf LI Guru Member

    Sorry... No go..
    Didn't do it.
    Actually, it stopped everything to that computer regarding https....
     
  7. u3gyxap

    u3gyxap Network Guru Member

    Yes... I see why.
    Try with this:
    iptables -t nat -I PREROUTING -p tcp -s 11.22.33.44 --dport 443 -j DNAT --to 192.168.1.2:443
    iptables -I FORWARD -p tcp -d 192.168.1.2 --dport 443 -j ACCEPT

    It works here. Make sure that there is no other rule set regarding https.
     
  8. Gnurf

    Gnurf LI Guru Member

    Thanks!!
    Worked perfectly!!!
    I even managed to change your line to still be pointing towards a port above 40000 and only allowing access from the IPs I want!

    Thank you!
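The rule pair from post 7, generalized to what post 8 describes (an external port above 40000 and more than one permitted source IP), as an added example; it is not code from the thread or from the Tomato project. It is written in the form of a Tomato Firewall script. The port number 40443, the two source addresses and the LAN host 192.168.1.2 are constructed values to be replaced with your own. Each permitted source gets a DNAT rule in the nat PREROUTING chain and a matching FORWARD ACCEPT, because post 6 shows that a DNAT on its own leaves the forwarded connection blocked; the FORWARD rule here is restricted to the same source address rather than open to any sender as in post 7. The rules are generated as text first so they can be reviewed before anything is applied to the live firewall.

```shell
#!/bin/sh
# Tomato "Firewall" script: expose an internal HTTPS server on a high WAN port
# to a short allow-list of public source IPs only. Added example; all values
# below are constructed, not taken from the thread.

ALLOWED_SRC="11.22.33.44 11.22.33.45"   # public IPs permitted to reach HTTPS (assumed)
WAN_PORT=40443                          # external port; anything above 40000, as in the thread
LAN_HOST=192.168.1.2                    # internal HTTPS server (assumed)
LAN_PORT=443

# Print one DNAT rule and one FORWARD rule per allowed source instead of running
# them, so the rule set can be inspected (or tested) before it touches iptables.
# Args: "<space-separated source IPs>" <wan port> <lan host> <lan port>
build_https_rules() {
    allowed=$1; wan_port=$2; lan_host=$3; lan_port=$4
    for src in $allowed; do
        # Rewrite the destination only when the packet comes from this source.
        # -I puts the rule at the head of PREROUTING, ahead of Tomato's own rules.
        printf 'iptables -t nat -I PREROUTING -p tcp -s %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$src" "$wan_port" "$lan_host" "$lan_port"
        # Let the rewritten packet cross from WAN to LAN, again only for this source.
        # Without this line the DNAT alone is not enough (post 6 in the thread).
        printf 'iptables -I FORWARD -p tcp -s %s -d %s --dport %s -j ACCEPT\n' \
            "$src" "$lan_host" "$lan_port"
    done
}

# Count the DNAT rules in a generated listing: one per allowed source.
count_dnat_rules() {
    printf '%s\n' "$1" | grep -c -- '-j DNAT'
}

# Run the generated commands one by one, echoing each before it is applied.
apply_https_rules() {
    build_https_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

# Apply only when explicitly asked and running as root (iptables requires it);
# running without --apply just prints the rule set for review.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = 0 ]; then
    apply_https_rules "$ALLOWED_SRC" "$WAN_PORT" "$LAN_HOST" "$LAN_PORT"
elif [ "${1:-}" = "--print" ]; then
    build_https_rules "$ALLOWED_SRC" "$WAN_PORT" "$LAN_HOST" "$LAN_PORT"
fi
```

A source that is not on the list matches no DNAT rule, so its connection to the external port is simply never forwarded, which is the "left unanswered" behaviour described in post 5. Two checks are worth doing after applying: `iptables -t nat -L PREROUTING -n --line-numbers` and `iptables -L FORWARD -n` should show exactly one rule pair per listed source, and, as post 7 warns, there must be no GUI port forward left for the same external port, since that forward would DNAT traffic from every source and the `-s` restriction would no longer protect anything.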
     
  9. u3gyxap

    u3gyxap Network Guru Member

    Most welcome :)
     
