Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: smnirosh on April 05, 2016, 05:25:28 PM
-
How can I deny access to the server from a specific computer on the network?
-
please, give us more details.. explain your aim and your needs
thank you
-
We have installed openerp. I want to know if there is any possibility to deny access to the openerp web portal to a specific computer or a specific domain user etc.
-
I don't know openerp but, if it is a web app served by apache, you can use a .htaccess file (search with google)
if it isn't, your best bet is to ask on openerp's support page
-
No, openerp is not important. But I need to know whether there is any possibility to deny access to this Linux server by other users who are not in the domain, e.g. if it is not a domain-joined computer. On Windows we can block it with the firewall. How do I do it in Linux?
-
well, this is different from what you said before..
please, when asked for clarification, explain your problem, not your solution..
in any case, it isn't still clear to me what you need..
do you need to "ban" some hosts? if so, is it a "per app/protocol" need or not?
do you need to "ban" users?
please be aware (and remember) that "domain", in windows' perspective, is related to AD.. we have no such a feature here.
please, again, explain (with all the details) what you want to do
thank you
-
Now the word came out. BAN. All the computers are joined to the SME domain. I want to ban other computers that are not in the domain. I want to do exactly the thing I explained now. (You gave me the correct word "ban".)
-
OK, you want to "ban" them. I'm not sure that's any more useful of a term than "block", but it's certainly an alternative. But from what? From OpenERP? From any web applications? From being able to send email? Receive? Share files? Access the Internet?
And, to elaborate on Stefano's mention, what exactly do you mean here by "domain"? A Windows/Active Directory domain? An Internet domain (example.com)? Those two concepts are completely unrelated, except for the name--Microsoft appropriated a term that was already in widespread use in IT, and used it to mean something completely different.
-
smnirosh
You ask how to do "it" in Linux after saying you know how to do "it" in Windows using the firewall.
Well unless you can find a suitable db command in the wiki or find a suitable howto or FAQ example, then I think iptables can/will probably do what you want
Typically you would need to read up on iptables
eg
man iptables
or
Google for iptables
then create a custom template for masq
Ie
read the wiki for examples re how to create custom templates.
This is effectively changing the firewall (same as you say you do in Windows).
You need to specify more clearly & precisely the parameters you want to block or ban on eg workstation IP, logged in username & so on.
-
Yes, by the IP address. If I go by port (8089), all the clients might not have access? Better to go with IP address blocking :-P
-
well, assuming that on port TCP 8089 you have a service defined in SME's configuration db, you can use the AllowHosts key
something like
db config setprop yourservice AllowHosts a.b.c.d,x.y.z.0/32
signal-event remoteaccess-update
search the wiki, the FAQ and here in the forums
-
something like
db config setprop yourservice AllowHosts a.b.c.d,x.y.z.0/32
signal-event remoteaccess-update
OK, an important code. Can I change "AllowHosts" to "DenyHosts" and type the IP address of the host which is planned to be banned?
-
if you use the AllowHosts directive only those hosts are permitted.. IMO it's easier
-
Note that AllowHosts/DenyHosts are only effective for external IP, not for clients from the LAN
-
OK Stefano, it seems helpful. But for me, can I go for a "Deny" term instead of Allow? Like iptables?
-
try and test, we can't tell you which is the best way :)
-
Note that AllowHosts/DenyHosts are only effective for external IP, not for clients from the LAN
Important to me, because I want to deny a client who is in the LAN but not joined to the domain. (The client gets the IP from the DHCP server.) Thanks
-
I will try this with iptables. If any problem, I will contact you.
-
IMO you're using a wrong approach
Anyway, if you decide for the iptables way, please be aware you must use the templates/fragments way
-
My goodness. I don't know how to use the templates/fragments way.
-
well, the wiki is there.. and if you search here you'll find a zillion examples :-)
-
Fail2ban can be used to ban hosts manually, and it should work for LAN clients too. Install the contrib as detailed in the wiki, then create your rules:
db fail2ban set bad_client_1 ban Host 192.168.18.12 UnbanTimestamp 9999999999
signal-event fail2ban-update
The UnbanTimestamp is just a ridiculously high value so the rule will never be deleted. You can also specify Port and Protocol if you only want to deny a single service, eg:
db fail2ban set bad_client_1 ban Host 192.168.18.12 UnbanTimestamp 9999999999 Port 8089 Protocol tcp
signal-event fail2ban-update
-
https://wiki.contribs.org/Template_Tutorial
https://wiki.contribs.org/Firewall#Custom_templates
-
well, Dani's suggestion is really easy and powerful
chapeau :-)
-
please read here:
https://wiki.contribs.org/Fail2ban#DB_command
-
OK Stefano, it seems helpful. But for me, can I go for a "Deny" term instead of Allow? Like iptables?
Here is the FAQ (there is a link at top of forums)
https://wiki.contribs.org/SME_Server:Documentation:FAQ
Within the FAQ is this section on Firewall
https://wiki.contribs.org/SME_Server:Documentation:FAQ:Section05
Please read all of this, some of it may apply to your situation.
Especially see
https://wiki.contribs.org/SME_Server:Documentation:FAQ:Section05#Block_outgoing_IPs_or_mac_addresses
&
https://wiki.contribs.org/SME_Server:Documentation:FAQ:Section05#Block_outgoing_ports
If you want to do something else, then you will need to create your own iptables rules, using custom templates.
Anything is (usually) possible in Linux, you just have to learn how to do it (which typically means reading & learning).
....and make sure you read this
https://forums.contribs.org/index.php/topic,46036.0/all.html
-
Dear all,
as explained in janet's comment, I renamed 40DenyRiffRaff to 20DenyRiffRaff. It works.
If anybody can help me, could I know what this 40;20;10 means?
thanks very much again
-
smnirosh
It defines the order in which the template fragments are processed
eg you should not turn something off after previously turning it on, so you move the turn on commands after the turn off commands have happened by changing the fragment numerical name.
See
https://wiki.contribs.org/Template_Tutorial
Also see the Developers Manual re templates, link in documentation section on main contribs.org Wiki page, link to Wiki at top of Forums.
-
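As an added illustration of janet's point about fragment numbering (this is example code, not part of the thread and not SME Server's own template code): fragments under a template directory are concatenated in name order, and iptables walks the resulting chain top to bottom, so the first rule that matches a packet decides. The script below builds a scratch directory with two constructed fragments, an ACCEPT for TCP 8089 and a DROP for one LAN host, expands them in sorted order, and evaluates a packet against the result. The fragment names, chain name, addresses and the tiny rule parser are all constructed for the demonstration; the real masq template is expanded by SME's expand-template from /etc/e-smith/templates-custom, which this script only imitates.

```shell
#!/bin/sh
# Added example (not from the forum thread or SME Server): why the numeric
# prefix of a template fragment matters. Fragments are concatenated in name
# order; iptables applies the rules first-match-first. Everything here
# (fragment names, chain, addresses, parser) is constructed for illustration.
export LC_ALL=C   # byte order, so "20..." < "30..." < "40..." in every locale

# Create a scratch template directory with two constructed fragments.
# $1 is the name given to the DROP fragment (e.g. 40DenyRiffRaff or 20DenyRiffRaff).
make_fragments() {
  deny_name=$1
  dir=$(mktemp -d)
  printf '%s\n' '-A INPUT -p tcp --dport 8089 -j ACCEPT' > "$dir/30AllowOpenERP"
  printf '%s\n' '-A INPUT -s 192.168.18.12 -j DROP' > "$dir/$deny_name"
  printf '%s\n' "$dir"
}

# Concatenate the fragments the way the template system orders them: by name.
expand_fragments() {
  dir=$1
  for f in "$dir"/*; do cat "$f"; done
}

# Decide what iptables would do with a packet from $2 to TCP port $3, using the
# rules expanded from directory $1. The first rule whose -s / --dport conditions
# all match wins; with no match the chain policy (ACCEPT here) applies.
first_match() {
  dir=$1 src=$2 dport=$3
  while read -r line; do
    m_src="" m_port="" target=""
    set -- $line                      # split the rule into words
    while [ $# -gt 0 ]; do
      case $1 in
        -s)      m_src=$2;  shift ;;
        --dport) m_port=$2; shift ;;
        -j)      target=$2; shift ;;
      esac
      shift
    done
    if [ -z "$m_src" ] || [ "$m_src" = "$src" ]; then
      if [ -z "$m_port" ] || [ "$m_port" = "$dport" ]; then
        printf '%s\n' "$target"
        return 0
      fi
    fi
  done <<EOF
$(expand_fragments "$dir")
EOF
  printf '%s\n' 'ACCEPT'              # constructed chain policy
}

# Demonstration: numbered 40 the DROP sits after the ACCEPT and never fires for
# port 8089; renamed to 20 it is evaluated first and blocks the host.
late=$(make_fragments 40DenyRiffRaff)
early=$(make_fragments 20DenyRiffRaff)
echo "40DenyRiffRaff, host 192.168.18.12 -> $(first_match "$late" 192.168.18.12 8089)"
echo "20DenyRiffRaff, host 192.168.18.12 -> $(first_match "$early" 192.168.18.12 8089)"
echo "20DenyRiffRaff, host 192.168.18.20 -> $(first_match "$early" 192.168.18.20 8089)"
rm -rf "$late" "$early"
```

Run it with `sh` and compare the three lines: the same DROP rule is a no-op behind the ACCEPT fragment and effective in front of it, which is exactly the change made by renaming 40DenyRiffRaff to 20DenyRiffRaff. The same ordering rule applies to any other fragment a custom template adds.
-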
Thanks very much janet. I will refer to these links to get more info.