WS1 can access the server (let's say on any port) but WS2 can't.
I want to replace the server's firewall in this way. It can be named "access rights" based on IP.
That isn't how TCP/IP works. Nodes on the same subnet do not talk to one another through the router; they talk to one another directly on layer 2. The router only gets involved for traffic that leaves the local network.
One way to make it work is to force all traffic through the router by setting up masquerading on the local interface.
Then use ip firewall to block communication between local addresses.
Even if you masquerade traffic, client 192.168.1.100 trying to talk to server 192.168.1.101 is just going to ARP for that address, receive a reply directly from the server, and build a connection directly with the server. Masquerade doesn’t come into play.
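
Added example, not part of the thread: a small Python model of the sender's on-link decision described in the replies above, used to audit which flows a router firewall rule can actually affect. The /24 prefix, the gateway addresses, and the WS2 and WS3 addresses are constructed assumptions; only 192.168.1.100 and 192.168.1.101 come from the thread.

```python
import ipaddress

# Constructed lab: name -> (address/prefix, default gateway). The /24 prefix,
# the gateways, WS2 and WS3 are assumptions; .100 and .101 are from the thread.
HOSTS = {
    "WS1":    ("192.168.1.100/24", "192.168.1.1"),
    "WS2":    ("192.168.1.102/24", "192.168.1.1"),
    "WS3":    ("192.168.2.50/24",  "192.168.2.1"),
    "server": ("192.168.1.101/24", "192.168.1.1"),
}

def next_hop(src: str, dst: str, hosts=HOSTS) -> str:
    """Address the sender ARPs for: dst itself if on-link, else its gateway."""
    iface = ipaddress.ip_interface(hosts[src][0])
    dst_ip = ipaddress.ip_interface(hosts[dst][0]).ip
    return str(dst_ip) if dst_ip in iface.network else hosts[src][1]

def router_sees(src: str, dst: str, hosts=HOSTS) -> str:
    """Classify a flow by whether the router forwards it in each direction."""
    fwd = next_hop(src, dst, hosts) == hosts[src][1]
    rev = next_hop(dst, src, hosts) == hosts[dst][1]
    if fwd and rev:
        return "routed"       # router firewall rules apply to this flow
    if not fwd and not rev:
        return "direct-l2"    # router never sees it; its rules have no effect
    return "asymmetric"       # mismatched prefixes: one direction bypasses

def audit(rules, hosts=HOSTS):
    """Map each (src, dst) rule to how its traffic is actually delivered."""
    return {(s, d): router_sees(s, d, hosts) for s, d in rules}

if __name__ == "__main__":
    rules = [("WS1", "server"), ("WS2", "server"), ("WS3", "server")]
    for flow, verdict in audit(rules).items():
        print(flow, verdict)
```

Only the WS3 flow, which crosses subnets, is something a router rule can filter; the "asymmetric" case covers a host whose prefix length disagrees with its neighbours'.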