I was playing with the rules… and groups.
What I understood: if I create a group and I add MAC of my devices, I can choose the group in the source field of the rule, and all devices in that rule will access to that rule and follow the behavior… correct?
Now… the real example:
- created a VPN in my router Fritxbox, NOT in ipfire. By the way: ipfire is linked to one LAN-port of Fritz.
- installed the same VPN access in both android and iphone mobile
- created a group in ipfire, assigning only android mac address. Iphone is out.
- IN the rule:
a. selected the group in the source field.
b. set the NAT → RED
c. set the IP and the port in the Raspberry for destination
- I activate VPN in both mobiles.
- Both mobiles are working fine, reaching the destination server, despite the restriction imposed in the group.
My expectation: only android working. Iphone NOT.
Which and where is my mistake?
The ovpnblock in the iptables is run before the inputfw so your additional rules never get seen by the OpenVPN connection.
See the IPFire FW chains diagram at the bottom of this link.
You will need to add your additional rules into the firewall.local file - see the following link from the Firewall Documentation section of the wiki.
I’m not so confident with iptables rule… but I try… looking also to the man page of iptables:
In the start section of firewall.local i put, something like:
iptables -A CUSTOMPREROUTING -d 192.168.x.x/32 -p tcp -m tcp --dport x -m mac --mac-source xx -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "CUSTOMPREROUTING "
iptables -A CUSTOMPREROUTING -d x.x/32 -p tcp -m tcp --dport x-m mac --mac-source x -j ACCEPT
- have I to write this 2 rules for every mac I have? or can I enter the name of the ipfire group… somewhere?
- have I to enter also something in stop and reload section?
I am not very familiar with iptable rules, certainly not enough to be able to comment on your proposals.
Need to wait and get some additional input from people more familiar with the details of writing iptables rules directly.
ok i will wait for someone more familiar on writing iptables rules.