Block one computer from Internet access - should be easy :-(
Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
#1 have you tried unsetting the default route on that node? If that works (as it should) then blocking at the router should also work. If that does not work, then we are looking at a whole different issue that it appears.
#2 check traceroute to an external address or site. If the first hop is your gateway, then it is not blocking and your node network is routing to it.
We need a bigger and more detailed picture showing what is really going on to make sense of it, and this should help.
[ken@localhost Desktop]$ traceroute www.centos.org
traceroute to www.centos.org (85.12.30.226), 30 hops max, 60 byte packets
1 10.42.0.1 (10.42.0.1) 0.802 ms 0.575 ms 0.404 ms
2 10.8.8.1 (10.8.8.1) 47.276 ms 49.618 ms 51.196 ms
3 192.168.0.1 (192.168.0.1) 52.898 ms 55.127 ms 55.847 ms
4 ip1.23-29-136.static.steadfastdns.net (23.29.136.1) 58.552 ms 60.488 ms 62.106 ms
5 ae1.core1.edi03.steadfast.net (67.202.117.10) 63.654 ms 67.229 ms 67.191 ms
6 ae0.core2.edi03.steadfast.net (67.202.117.9) 69.056 ms 44.888 ms 46.534 ms
7 te0-0-1-7.rcr21.ewr06.atlas.cogentco.com (38.122.244.129) 48.704 ms 45.176 ms 45.804 ms
8 be3118.rcr21.ewr02.atlas.cogentco.com (154.24.11.85) 49.146 ms 154.24.56.153 (154.24.56.153) 51.648 ms be3118.rcr21.ewr02.atlas.cogentco.com (154.24.11.85) 52.272 ms
9 be2601.rcr24.jfk01.atlas.cogentco.com (154.54.40.49) 55.006 ms be2600.rcr23.jfk01.atlas.cogentco.com (154.54.40.29) 57.304 ms be2601.rcr24.jfk01.atlas.cogentco.com (154.54.40.49) 58.690 ms
10 be2896.ccr41.jfk02.atlas.cogentco.com (154.54.84.201) 60.407 ms 62.183 ms 63.601 ms
11 be2490.ccr42.lon13.atlas.cogentco.com (154.54.42.86) 131.883 ms be2317.ccr41.lon13.atlas.cogentco.com (154.54.30.186) 141.343 ms 118.894 ms
12 be12488.ccr42.ams03.atlas.cogentco.com (130.117.51.42) 128.774 ms 126.681 ms 127.664 ms
13 be2434.agr21.ams03.atlas.cogentco.com (130.117.2.241) 124.823 ms be2440.agr21.ams03.atlas.cogentco.com (130.117.50.6) 124.600 ms be2434.agr21.ams03.atlas.cogentco.com (130.117.2.241) 127.159 ms
14 xe-7-2.rt1.ams3.baseip.com (149.6.128.198) 136.997 ms 139.004 ms 136.943 ms
15 xe-1-1.rt1.ams1.baseip.com (91.148.255.65) 132.321 ms 143.028 ms 141.323 ms
16 85.12.30.226 (85.12.30.226) 138.060 ms !X 139.448 ms !X 141.401 ms !X
1)
Code:
[root@localhost Desktop]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.42.0.0 * 255.255.255.0 U 1 0 0 eth0
default 10.42.0.1 0.0.0.0 UG 0 0 0 eth0
[root@localhost Desktop]# ip route delete default
[root@localhost Desktop]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.42.0.0 * 255.255.255.0 U 1 0 0 eth0
[root@localhost Desktop]# traceroute www.centos.org
traceroute to www.centos.org (85.12.30.226), 30 hops max, 60 byte packets
connect: Network is unreachable
And now after a reboot of the node computer
Code:
[root@localhost Desktop]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.42.0.0 * 255.255.255.0 U 0 0 0 eth0
link-local * 255.255.0.0 U 1002 0 0 eth0
default 10.42.0.1 0.0.0.0 UG 0 0 0 eth0
[root@localhost Desktop]# ip route delete default
[root@localhost Desktop]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.42.0.0 * 255.255.255.0 U 0 0 0 eth0
link-local * 255.255.0.0 U 1002 0 0 eth0
[root@localhost Desktop]# traceroute www.centos.org
traceroute to www.centos.org (85.12.30.226), 30 hops max, 60 byte packets
connect: Network is unreachable
The only difference I see is that after the rich rule is removed from the firewall computer the "link local" entry appears in the route table on the node computer.
If the firewall blocking at the gateway were really working then that traceroute output would not obtain. In other works, the result "network unreachable" or something similar would result for the external address in either case. Since it only results when the default is removed, we know that the block at the gate is NOT working.
Conclusions:
#1 removing the default gate ON the node DOES work as intended. It is suitable as a "first cut" solution. Since it may be reversed ON the node additional research on the gateway blocking is indicated.
#2 the command you are using at the gateway is clearly NOT adequate. Additional research is indicated.
As an aside, I seem to recall blocking some WIFI devices by MAC address. If you can do that it adds a slightly greater layer of security. Changing the MAC is less obvious and less likely to occur, though still doable if you have root access.
Good morning wpeckham and thank you again for your assistance.
Stopping Internet access at the node is certainly a viable approach for this situation. Just for completeness I will explain in a moment what is behind this whole experiment.
Fundamentally dropping all packets at the incoming interface to the firewall should, it seems to me, DROP ALL PACKETS. Unless DNS packets are carried on neutrinos or are made of anti-matter or something, this issue seems absurd. When I was testing my firewall for the Internet facing side I had setup a test environment and used some penetration testing software, the name of which escapes me until I have some coffee. Let me find my notes and perhaps I can do some testing from the LAN side.
As to controlling access by MAC address, I do that routinely with WiFi connections using the software on the WiFi router/access point. I had wondered about specifying that in the firewall but have not come across a command to do that. I will do some more looking.
Why I am doing this... I purchased an Osborne Executive suitcase computer in 1983. About two weeks before Osborne went bankrupt The dealer then had a closeout sale on Osborne software. I picked up a copy of dBase II for $100 (list price was about $800.) I have done considerable programming in the xBase language over the years - dBase II, dBase III+, FoxBase+, FoxPro and Visual FoxPro. I have data files going back 35 years which I occasionally need to access.
Visual FoxPro 6 was last supported on Windows XP. It will run under Wine on Linux. However, on CentOS 7 and recent Ubuntu versions I get occasional strange errors when running a pseudo compile - which FoxPro does when one executes a .prg (program) file. I though had this fixed by installing Wine 2.x on Ubuntu but that has quit working and I received these errors last time I tried to run on Wine 2.x. So...
I built a CentOS 6 virtual machine in VMWare with the appropriate version of Wine and Visual FoxPro. I use an nfs mount to my data files on the host and have this mount point called drive D: in Wine. Works great. When support for CentOS 6 ends in November 2020 I would plan to keep the CentOS 6 virtual machine in use. Provided it cannot play on the Internet I am not too concerned that it is no longer receiving updates. Unless I figure out a fix for VFP/Wine/newer Linux in the mean time, this is my long term fallback.
Had my fill of coffee and determined that the scanning tool I had used was nmap (zenmap gui). I installed same on the node virtual machine. With no blocking rule installed in the firewall I found
Code:
Discovered open port 53/tcp on 10.42.0.1
Discovered open port 22/tcp on 10.42.0.1
Discovered open port 5901/tcp on 10.42.0.1
I added my blocking rule and ran the scan again. This time I found
Code:
Discovered open port 53/tcp on 10.42.0.1
These ports correspond to:
53 - DNS
22 - SSH
5901 - VNC
I have the second and third ports open to my LAN so I can manage the firewall machine as it runs headless. It seems that the first port is opened by dnsmasq. If I kill the dnsmasq process the port is closed and thennode cannot access the Internet. Of course neither can any other machine on my LAN.
It looks like the issue boils down to... why is dnsmasq overriding the blocking rule or why is the blocking rule ignoring port 53?
Here is a thought: if your node is a virtual machine then any traffic from it appears at some layers to come from the host node.
Check for rules in your firewall software that specifically allow the DNSMASQ application or port 53 (tcp or udp or both).
I see no major security issue with CentOS-6 running WINE having limited access to the internet. As long as you are not doing things like browsing for porn from it, the odds of an exploit are minimal.
That was an excellent thought. However, the firewall seems to have a mind of its own and it does not agree. I changed my rule to block the address of a physical machine on my LAN and again ran Zenmap. Before adding the rule I found
Code:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 2048 a1:d9:a2:87:72:e8:93:06:d1:2b:ae:7d:41:0e:af:1e (RSA)
|_256 c9:9b:b7:c7:92:82:50:8b:fe:fb:7b:9f:53:a9:67:e3 (ECDSA)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
and after enabling the rule
Code:
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
I cannot ping the firewall computer from the blocked computer. However, I can ping other computers on the LAN (desired result) and also computers on the Internet (not the desired result).
The firewall is VERY simplistic. The Internet facing interface is in the Drop zone. NOTHING is allowed in unless it is asked for from behind the firewall. The LAN facing interface is in the Public zone. The only services allowed are SSH and vnc-server. dns is NOT checked in the configuration gui. Ports 5901 and 5905 (tcp) are open for vnc. dns is shown to use port 53 tcp and udp. ssh is shown to use port 22 tcp and vnc-server 5900-5903 tcp. I have poked around in the gui and do not see anything else.
Ken
p.s. Browsing for porn - that is best done from a VM installed on an encrypted partition with a vpn and/or Tor - I didn't say that
I was told that I had made my change to the INPUT chain and they need to be made to the FORWARD chain. I have not found out how to do this with firewall-cmd. I have tried but not succeeded in doing this with iptables. Does the FORWARD chain prompt any suggestions?
I was told that I had made my change to the INPUT chain and they need to be made to the FORWARD chain. I have not found out how to do this with firewall-cmd. I have tried but not succeeded in doing this with iptables. Does the FORWARD chain prompt any suggestions?
TIA,
Ken
I see what the thought is there. The behavior indicates that your rule is blocking your isolation nodes access to the CentOS device, but it is still forwarding packets as a gateway for that node. Block forwarding for that node and see if that has the intended effect.
Just curious, why use CentOS instead of a distribution specifically designed as a security gateway?
Perhaps it was the wrong thing to do but I broke this problem into some smaller pieces and started a couple of bite sized threads. I felt that this thread was not well focused. I have managed to block the node computer from using the FORWARD chain and it does stop the node from accessing the Internet (almost). I did not do this "correctly" as I used the iptables command instead of the firewall-cmd --direct command and I added my rule to the main FORWARD chain. firewalld creates a whole lot of subordinate chains under the main 3 (INPUT, FORWRED, OUTPUT) dependent on which zone they apply to etc. I have managed to figure out some of them. I asked a specific questoin about translating iptables speak to firewall-cmd --direct speak here https://www.linuxquestions.org/quest...nd-4175626310/
By "almost" I mean that the node cannot ping an Internet resource by IP address nor by web address. However, it CAN resolve a web address meaning it is somehow talking to DNS on/via the firewall computer even though it is blocked on the INPUT and FORWARD chains. I explained this in detail here https://www.linuxquestions.org/quest...-a-4175626268/
As to why I am using CentOS rather than a router specific product... This fiasco started when I replaced my OLD DSL Modem and OLDER stand alone router with a DSL modem/router combination provided by my ISP. I was tired of arguing with the (in most cases) morons at the ISP tech support every time THEIR system went down and it was the fault of MY old modem. In examining the new box I found that TELNET was open and I could not close it! The Linux kernel on the device was ancient. The version of dnsmasq on the thing had a list of vulnerabilities on it as long as my arm. etc. AND the ISP tech support folks had no clue how to update it. One swore that it did not run Linux and it actually had NO OPERATING SYSTEM! Obviously it needed to run in transparent bridged mode.
I looked at a product called Untangle. They offered a "light weight" free version for home use. A day after I registered and downloaded the product I got an email from their support folks offering to have one of their specialists call me to help. I replied that I was just trying to setup a SIMPLE firewall for a home network. My only questions related to running OpenVPN on the Untangle box. In reply I got an email pointing to a bunch of FOR SALE packages. I could not figure out most of the FREE features much less why I would want them. So...
I have used CentOS and the old RedHat 5.x - 9 distros (with Ubuntu in the middle) for a long time. I started researching how to configure my own firewall/router. This did not make too much progress. I remembered that Windoze XP had a feature in the network setup to "share Internet connection with other computers" or something like that. Low and behold the NetworkManager gui offers the same thing. A couple of clicks and I had a router.
I tweaked the firewall to place the Internet facing interface in the drop zone and the lAN interface in the public zone. I allowed ssh and vnc on the public zone and installed dhcpd as I wished to have some reserved/static IP addresses on the LAN. I am not sure dnsmasq can do that, in fact I did not realize initially that NetworkManager enabled dnsmasq. I did some port scanning and verified that everything Internet facing was stealthed so I went "production."
I can certainly configure the network connection on the node virtual machine manually and leave off the gateway. This will accomplish the original objective. I am simply using this as a learning exercise.
I see. DNS traffic can be UDP, so if your rules only affect TCP then it will not block the UDP traffic.
I have always used a dumb device for the ISP connection with a server I loaded (generally Debian) running as a DNS/DHCP and firewall server. Until Comcast/Xfinity with their "special" devices: don't get me started.
ISPs who are not terribly bright and assume you know even less are the bane of the country, and perhaps the world.
That said, the value of a device specifically designed or loaded for the tasks is significant. I would not recommend backing our and loading something else now, but if you ever have to start over you should have a look through distrowatch at some of the firewall/router distributions.
Since SOPHOS purchased them, I am not sure if a download of the Astaro Security Gateway software is still available, but that was once (2004-2007 or so at least) about the best in the world.
Let me look at my rules and see if I can block UDP if I am not already. As to the distro... I will have a look around. My description of how this machine came to be was only half the story and sort of backwards.
The hardware in question is a Dell Inspiron 3050 Micro. Dual core Celeron processor (I have two others with Dual core Pentium chips), 4 GB RAM and a 128 GB M.2 SSD. About the size of a small Intel NUC. Super little machines (toys). Initially this was my Usenet leacher machine as it only used about 7 watts compared to 160 for my desktop. I could leave it on 7x24 without worrying about power usage. Handy when I had only a 1.5 Mb/s DSL connection.
Then my Usenet provider added a "free" VPN service to the package if I paid annually. Cool. I tried running the VPN on a small LinkSys router with DD-WRT. Worked OK but heavy downloads overloaded the router cpu and dragged down the throughput. I ran the VNP on the Dell for Usenet and played with another instance on my desktop.
More recently, now with an "up to 10 Mb/s DSL service" I subscribed to ProtonVPN (from the ProtonMail folks). I wanted to share this with my whole LAN. I purchased a more powerful router but before even opening the package I reviewed the documentation for setting up DD-WRT and ... I can't believe I had done it on the little router. The new router went back to the store and I embarked on setting up a VPN sharing box.
The architecture at that point was [DSL modem] <--> [Netgear router] <--> [Dell with VPN] <--> [Switch] <--> LAN.
For my next trick I replaced the DSL modem and Netgear router with the new ISP provided device and eventually moved the whole router/firewall/DHCP functionality to the Dell machine.
The most recent addition to my home data center is a Raspberry Pi 3 running Ubuntu Mate 16.04. It serves as my Bit Torrent machine as it only draws 4 or 5 watts (I must download a lot of Linux ISOs.)
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
The dealer then had a closeout sale on Osborne software. I picked up a copy of dBase II for $100 (list price was about $800.) I have done considerable programming in the xBase language over the years - dBase II, dBase III+, FoxBase+, FoxPro and Visual FoxPro. I have data files going back 35 years which I occasionally need to access. 
