[Solved] Allow web access only for a specific mac address

Hi, I want to allow web page access only for a specific MAC address, or on a specific interface only.
I tried editing /etc/config/uhttpd to:
config uhttpd 'main'
    list listen_http '80'
    list listen_http '[::]:80'
    # static interface address
    list listen_https '192.168.16.1:443'
    #list listen_https '[::]:443'
    option redirect_https '0'
    option home '/www'
    option rfc1918_filter '1'
    option max_requests '3'
    option max_connections '100'
    option cert '/etc/uhttpd.crt'
    option key '/etc/uhttpd.key'
    option cgi_prefix '/cgi-bin'
    list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
    option script_timeout '60'
    option network_timeout '30'
    option http_keepalive '20'
    option tcp_keepalive '1'
    option ubus_prefix '/ubus'

but I am unable to access the web page with this.
Is there anything wrong with my config file, or is there some other problem?

thanks in advance

remove
list listen_http '80'

change from
list listen_http '[::]:80'
to
list listen_http '192.168.16.1:80'

change from
option redirect_https '0'
to
option redirect_https '1'
and
/etc/init.d/uhttpd restart
1 Like

The uhttpd config file doesn't allow MAC filtering.

You must set a firewall rule. Have a look at

1 Like

I was trying to answer the first problem: he wants to access the uhttpd interface, and then, once he can access the interface, an iptables rule is created to allow access for a certain IP/MAC ...

1 Like

not working

Okay, what if I want to access the web page only on a specific interface, or only from a specific IP, other than LAN?

Can you reach https://192.168.16.1 ?

Please post your /etc/config/uhttpd ...

If the answer is yes, then you need to create a new firewall rule
that allows only a specific IP/MAC to access it:

config rule
         option dest_port '80 443'
         list proto 'tcp'
         option name 'block access_web_interface'
         list src_ip '!192.168.16.2'
         option target 'DROP'
         option src 'lan'
         option family 'ipv4'

If the answer is no, then first you need to solve the first problem...

Answer is "NO"

/etc/config/uhttpd
config uhttpd 'main'
    list listen_http '192.168.15.1:80'
    list listen_http '[::]:80'
    list listen_https '0.0.0.0:443'
    #list listen_https '[::]:443'
    option redirect_https '1'
    option home '/www'
    option rfc1918_filter '1'
    option max_requests '3'
    option max_connections '100'
    option cert '/etc/uhttpd.crt'
    option key '/etc/uhttpd.key'
    option cgi_prefix '/cgi-bin'
    list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
    option script_timeout '60'
    option network_timeout '30'
    option http_keepalive '20'
    option tcp_keepalive '1'
    option ubus_prefix '/ubus'

config cert 'defaults'
option days '730'
option key_type 'ec'
option bits '2048'
option ec_curve 'P-256'
option country 'ZZ'
option state 'Somewhere'
option location 'Unknown'
option commonname 'OpenWrt'

I guess I have a problem with /etc/config/network
config globals 'globals'
option ula_prefix 'fdca:67d0:5e7d::/48'
option packet_steering '1'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'

config interface 'wan'
option device 'wan'
option proto 'static'
option ipaddr '192.168.16.1'
option netmask '255.255.255.0'
option delegate '0'
list dns '8.8.8.8'
list dns '1.1.1.1'
list dns '8.8.4.4'

config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan4'

config interface 'test'
option proto 'static'
option device 'lan2'
option ipaddr '192.168.15.1'
option netmask '255.255.255.0'

I want to access the web page on 192.168.15.1

IP address?

list listen_https '192.168.16.1:443'

or

list listen_http '192.168.15.1:80'

Accessing your router from wan is a very bad idea ...

1 Like

verify

good (firewall lan zone)

no good (firewall not set zone)

no good (firewall wan zone)

Leave the uhttpd configuration as it was and create a firewall rule to allow only the specific MAC to destination ports 80 and 443 on the device from the desired zone. Make sure the zone has input deny, or that you have another rule to deny ports 80 and 443.

2 Likes

192.168.15.1

Can you show a sample rule?

If 'test' is your interface (and the firewall 'test' zone):

config rule
         option dest_port '80 443'
         list proto 'tcp'
         option name 'block access_web_interface'
         list src_ip '!192.168.15.2'
         option target 'DROP'
         option src 'test'
         option family 'ipv4'
uci add firewall rule
uci set firewall.@rule[-1].name='allow http'
uci add_list firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].src='test'
uci add_list firewall.@rule[-1].src_mac='00:EE:DD:CC:BB:AA'
uci set firewall.@rule[-1].dest_port='80 443'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='deny http others'
uci add_list firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].src='test'
uci set firewall.@rule[-1].dest_port='80 443'
uci set firewall.@rule[-1].target='REJECT'

uci commit firewall
service firewall restart
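An offline audit script, added here as an example (it is not from this thread and not part of OpenWrt), that checks the two points made above: that uhttpd only listens on an address belonging to a non-wan interface (the "good / no good" zone advice and the "IP address?" reply), and that the allow-by-MAC rule exists for ports 80 and 443 from the chosen zone with either a deny input policy on that zone or a catch-all reject rule placed after it (the two uci rules above). It reads UCI config text only, so no uci binary or router is needed; the three configs embedded below are constructed samples that mirror the addresses in this thread and the MAC from the uci commands.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWrt): an offline audit of the
# two points the replies make, reading UCI config text only, so no uci binary or
# router is needed. The three configs are constructed samples mirroring this
# thread's addresses and the MAC from the uci commands above.

UHTTPD_CFG=$(cat <<'EOF'
config uhttpd 'main'
    list listen_http '192.168.15.1:80'
    list listen_http '[::]:80'
    list listen_https '0.0.0.0:443'
    list listen_https '192.168.16.1:443'
EOF
)
NETWORK_CFG=$(cat <<'EOF'
config interface 'lan'
    option ipaddr '192.168.2.1'
config interface 'wan'
    option ipaddr '192.168.16.1'
config interface 'test'
    option ipaddr '192.168.15.1'
EOF
)
FIREWALL_CFG=$(cat <<'EOF'
config zone
    option name 'test'
    option input 'ACCEPT'
config rule
    option name 'allow http'
    option src 'test'
    list src_mac '00:EE:DD:CC:BB:AA'
    option dest_port '80 443'
    option target 'ACCEPT'
config rule
    option name 'deny http others'
    option src 'test'
    option dest_port '80 443'
    option target 'REJECT'
EOF
)

# Address part of a uhttpd listen entry; a bare port means every IPv4 address.
addr_of() { case "$1" in *:*) printf '%s\n' "${1%:*}" ;; *) echo 0.0.0.0 ;; esac; }

# Name of the interface whose static ipaddr equals $2 (IPv4 only), or nothing.
iface_for_ip() {
    printf '%s\n' "$1" | tr -d "'" | awk -v ip="$2" '
        $1 == "config" && $2 == "interface" { name = $3 }
        $1 == "option" && $2 == "ipaddr" && $3 == ip { print name; exit }'
}

# Point 1: each listen address should belong to exactly one non-wan interface.
# Returns 1 if any entry is a wildcard, unknown, or bound to wan.
audit_listen() {
    rc=0
    for entry in $(printf '%s\n' "$1" | tr -d "'" | awk '$1 == "list" && $2 ~ /^listen_https?$/ { print $3 }'); do
        ip=$(addr_of "$entry"); iface=$(iface_for_ip "$2" "$ip")
        case "$ip" in
            0.0.0.0|'[::]') echo "WARN $entry: listens on every address, wan included"; rc=1 ;;
            *) if [ -z "$iface" ]; then echo "WARN $entry: $ip is not an interface address"; rc=1
               elif [ "$iface" = wan ]; then echo "WARN $entry: bound to the wan interface"; rc=1
               else echo "OK   $entry: bound to interface $iface"; fi ;;
        esac
    done
    return $rc
}

# Point 2: an ACCEPT rule for MAC $3 on ports 80 and 443 from zone $2 must exist,
# and either the zone input policy or a LATER catch-all rule must reject the rest
# (rules are evaluated in order, so a deny placed first would win).
audit_mac_rule() {
    printf '%s\n' "$1" | tr -d "'" | awk -v zone="$2" -v mac="$3" '
        function flush() {               # evaluate the section just finished
            if (type == "zone" && zname == zone) zone_input = zinput
            if (type == "rule" && src == zone && index(ports, " 80 ") && index(ports, " 443 ")) {
                n++
                if (target == "ACCEPT" && tolower(srcmac) == tolower(mac)) allow = n
                else if ((target == "REJECT" || target == "DROP") && srcmac == "" && srcip == "") deny = n
            }
            type = zname = src = srcmac = srcip = ports = target = zinput = ""
        }
        $1 == "config"    { flush(); type = $2 }
        $2 == "name"      { zname = $3 };     $2 == "src"    { src = $3 }
        $2 == "src_mac"   { srcmac = $3 };    $2 == "src_ip" { srcip = $3 }
        $2 == "input"     { zinput = $3 };    $2 == "target" { target = $3 }
        $2 == "dest_port" { ports = " "; for (i = 3; i <= NF; i++) ports = ports $i " " }
        END {
            flush()
            if (!allow) { print "FAIL: no ACCEPT rule from " zone " for " mac " on 80/443"; exit 1 }
            if (zone_input == "REJECT" || zone_input == "DROP") { print "OK: allow rule present, zone input is " zone_input; exit 0 }
            if (!deny) { print "FAIL: zone input is " (zone_input ? zone_input : "unset") " and no catch-all deny rule"; exit 1 }
            if (deny < allow) { print "FAIL: catch-all deny rule precedes the allow rule"; exit 1 }
            print "OK: allow rule #" allow " precedes catch-all deny rule #" deny; exit 0
        }'
}

# Stand-alone run on the constructed samples.
audit_listen "$UHTTPD_CFG" "$NETWORK_CFG" || echo "listen audit: problems found"
audit_mac_rule "$FIREWALL_CFG" test 00:EE:DD:CC:BB:AA
```

On a real device, replace the three sample variables with `cat /etc/config/uhttpd`, `cat /etc/config/network` and `cat /etc/config/firewall`. The listen check flags the `[::]:80` and `0.0.0.0:443` entries from the thread as listening on every address and the `192.168.16.1:443` entry as bound to wan; the rule check passes only when the MAC allow rule comes before the catch-all reject (or the zone's input policy already rejects).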
4 Likes

It works, thanks :slight_smile:

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.