LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 03-14-2018, 12:03 PM   #1
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Rep: Reputation: 174
Block one computer from Internet access - should be easy :-(


I have a CentOS 7 box which acts as an Internet connection sharing device, firewall, VPN sharing device and DHCP server. I set one NIC to "Shared to other computers" and the other NIC is connected to my DSL modem. Ignoring the VPN which is not running at the moment, here is what I have
Code:
[root@taylor16 ken]# ifconfig
enp0s20u1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.42.0.1  netmask 255.255.255.0  broadcast 10.42.0.255
        ether 00:24:9b:29:90:18  txqueuelen 1000  (Ethernet)
        RX packets 3530  bytes 458662 (447.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4892  bytes 3335525 (3.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

p1p2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 71.48.1.131  netmask 255.255.248.0  broadcast 71.48.7.255
        ether 74:e6:e2:de:d2:34  txqueuelen 1000  (Ethernet)
        RX packets 4060  bytes 2825222 (2.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2913  bytes 445813 (435.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
p1p2 is connected to the Internet and is in the drop zone. enp0s20u1 is shared to my LAN and is in the public zone.
Code:
[root@taylor16 ken]# firewall-cmd --list-all --zone=block
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@taylor16 ken]# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s20u1
  sources: 
  services: vnc-server ssh
  ports: 5905/tcp 5901/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
The machine which I wish to block is assigned IP address 10.42.0.217 on my LAN. I added a rich rule to firewalld
Code:
[root@taylor16 ken]# firewall-cmd  --add-rich-rule="rule family='ipv4' source address='10.42.0.217' drop" --zone=public
success
This is done to the runtime environment of firewalld so I believe it SHOULD take effect immediately. But it has no effect. The computer which I am trying to block can still access the Internet. If I add the same rule with the --permanent option and do a firewall-cmd reload the computer IS blocked. However, all other computers on my LAN (10.42.0.*) are also blocked.

Stranger still - If I remove the rule and reload the firewall my LAN is still blocked. I must reboot the firewall machine to reestablish connection.

I have tried doing this with the firewall-config gui and I see the same results. I am at a loss. Can someone tell me what I am doing wrong or what else I need to check?

TIA,

Ken

Last edited by taylorkh; 03-14-2018 at 03:31 PM. Reason: removed erroneous --permanent option
 
Old 03-14-2018, 02:17 PM   #2
norobro
Member
 
Registered: Feb 2006
Distribution: Debian Sid
Posts: 792

Rep: Reputation: 331
Just an observation, you may already know this so it might not be your problem.
Quote:
Originally Posted by taylorkh View Post
Code:
[root@taylor16 ken]# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='10.42.0.217' drop" --zone=public
success
With "--permanent" you add a permanent rule and you have to reload the daemon (firewallctl reload) for the rule to take effect.

Without the "--permanent" switch, you add a runtime rule which takes effect immediately and can be made permanent with the command "firewallctl runtime-to-permanent".

HTH
 
Old 03-14-2018, 03:31 PM   #3
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
Thanks norobro,

Yes, I understand the difference with the --permanent option. I copied the wrong command into my post

1) The issue is that the rule does not work without the --permanent option (I looked in my command history and I DID try it that way).

2) When entered with --permanent and the firewall reloaded it kills connectivity to ALL computers on my LAN

3) When the rule is removed --permanent and the firewall reloaded it continues to block all computers on my LAN until I reboot the firewall computer.

Ken
 
Old 03-15-2018, 02:53 AM   #4
someguy007
LQ Newbie
 
Registered: Mar 2018
Posts: 10

Rep: Reputation: Disabled
Have you tried: firewall-cmd --zone=drop --add-source=x.x.x.x/xx
Or use IPTABLES?

yum install ipset
# Create your blacklist (the set must exist before addresses can be added to it)
ipset create blacklist hash:ip
ipset add blacklist x.x.x.x
iptables -I INPUT -m set --match-set blacklist src -j DROP
iptables -I FORWARD -m set --match-set blacklist src -j DROP


You can always remove the gateway from the system(s) you want to block Internet access for, leaving only the IP and subnet; it will still be able to access resources in the same network range. Policy block the network.

Just a thought
 
1 members found this post helpful.
Old 03-15-2018, 06:51 AM   #5
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
Thanks someguy007,

However, x.x.x.x/xx will block a range of IP addresses. I am trying to block ONE IP address. As far as IPTABLES, I seem to recall that only firewalld OR iptables can be run at one time. I have managed to get firewalld to do what I need up to this point so I don't want to throw that away. firewalld should be able to do this from what I have read. I just seem to be doing something slightly wrong.

Thanks again,

Ken
 
Old 03-15-2018, 06:55 AM   #6
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,667

Rep: Reputation: 2710
Quote:
Originally Posted by taylorkh View Post
Thanks someguy007,

However, x.x.x.x/xx will block a range of IP addresses. I am trying to block ONE IP address. As far as IPTABLES, I seem to recall that only firewalld OR iptables can be run at one time. I have managed to get firewalld to do what I need up to this point so I don't want to throw that away. firewalld should be able to do this from what I have read. I just seem to be doing something slightly wrong.

Thanks again,

Ken
Both correct and beside the point. If your range of addresses is one single address then this is still what you want.
 
1 members found this post helpful.
Old 03-15-2018, 01:21 PM   #7
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
Thanks wpeckham,

Let me make sure I understand your post. Are you saying I should use 10.42.0.217/24 instead of just 10.42.0.217 in my rich rule?

Ken
 
Old 03-15-2018, 02:18 PM   #8
nogero
LQ Newbie
 
Registered: Nov 2011
Posts: 3

Rep: Reputation: Disabled
Here is a quick/cheater way to block a single PC that has a static IP: assign it a bogus gateway. Nothing can come in or out from the Internet but everything else works. This won't work if a user is savvy enough to change network settings and fix the gateway.
 
Old 03-15-2018, 04:40 PM   #9
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
Thanks nogero,

That is a creative approach!

Ken
 
Old 03-16-2018, 05:19 AM   #10
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,667

Rep: Reputation: 2710
Quote:
Originally Posted by taylorkh View Post
Thanks wpeckham,

Let me make sure I understand your post. Are you saying I should use 10.42.0.217/24 instead of just 10.42.0.217 in my rich rule?

Ken
To be exact, it would be /32 to specify a single IP address.

RE: the gateway trick. Just not specifying ANY gateway would serve that purpose, but making the change ON the gateway will lock the node even if the user has/gains root access and GIVES it the proper gateway. Removing that option entirely appeals to me.
 
Old 03-16-2018, 09:05 AM   #11
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
Thanks wpeckham,

You are quite correct, /32. I had never specified a SINGLE address that way. I tried my rule with and without the /32. No difference. However, I did find...

If I create the rule with reject and then try to ping the firewall machine (10.42.0.1) from the offending machine (10.42.0.217) I get a "Destination Port Unreachable" message. If I change reject to drop and try the ping again I get no feedback. This is as expected and shows that the firewall is blocking traffic from the offending machine. The mystery is why it is passing traffic from the offending machine to the Internet? Also why the same rule in permanent mode kills all Internet traffic?

Ken
 
Old 03-17-2018, 05:45 PM   #12
tux111
Member
 
Registered: Oct 2012
Location: Germany
Distribution: Xubuntu
Posts: 81

Rep: Reputation: Disabled
What happens if 10.42.0.217 changes his IP address?
 
Old 03-17-2018, 06:42 PM   #13
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
Hello tux111,

Per your question I did the following:
Code:
The subject machine has the following on eth0 as supplied by the DHCP server
IP address: 10.42.0.217
Broadcast address: 255.255.255.0
Default Route: 10.42.0.1
Primary DNS: 10.42.0.1
On the firewall etc. box (10.42.0.1) I added the rule
Code:
[root@taylor16 bin]# firewall-cmd  --add-rich-rule="rule family='ipv4' source address='10.42.0.217' drop" --zone=public
success
The subject box cannot ping the firewall box
Code:
[ken@localhost ~]$ ping 10.42.0.1
PING 10.42.0.1 (10.42.0.1) 56(84) bytes of data.
(never comes back)
I change the IP address to manual on the subject box and it now shows
Code:
IP address: 10.42.0.218
Broadcast address: 255.255.255.0
Default Route: 10.42.0.1
Primary DNS: 10.42.0.1
And it now can ping the firewall box
Code:
[ken@localhost ~]$ ping 10.42.0.1
PING 10.42.0.1 (10.42.0.1) 56(84) bytes of data.
64 bytes from 10.42.0.1: icmp_seq=1 ttl=64 time=2.15 ms
64 bytes from 10.42.0.1: icmp_seq=2 ttl=64 time=0.866 ms
64 bytes from 10.42.0.1: icmp_seq=3 ttl=64 time=0.782 ms
In the first case the subject box can reach the Internet by web address or IP address regardless of the rich rule. In the second case I can ping the Internet by IP address only unless I specify 10.42.0.1 as the Primary DNS.

I can manually configure an IP address on the subject box and leave off the gateway. This will stop Internet access and still allow access to other machines on my LAN which is what I am after. However, I am still confused how the subject box can be passing traffic through the firewall box which it cannot ping?

Ken
 
Old 03-18-2018, 08:31 AM   #14
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,667

Rep: Reputation: 2710Reputation: 2710Reputation: 2710Reputation: 2710Reputation: 2710Reputation: 2710Reputation: 2710Reputation: 2710Reputation: 2710Reputation: 2710Reputation: 2710
Could you please go over in detail HOW you determine that the blocked node can still reach the internet?
I feel as if we are missing something here.
 
Old 03-18-2018, 09:13 AM   #15
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
Thanks again wpeckham,

I am certainly missing something, I think it is my mind. With the node blocked and unable to ping the firewall computer I can still access a web site using a browser or ping the web site by its name (e.g. www.centos.org).

On the blocked computer
Code:
[ken@localhost Desktop]$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.42.0.1
On the firewall computer
Code:
[root@taylor16 ken]# cat /etc/resolv.conf
#resolv.conf.proton
# Generated by Ken - hard coded DNS for this ProtonVPN
nameserver 10.8.8.1
Note that at the moment I have the firewall computer connected to a VPN. I manually set the /etc/resolv.conf file to the VPN's DNS so as to eliminate DNS leakage. I have tested the (non)blocking rich rule when the firewall computer is connected directly to the ISP and using OpenDNS for my DNS. No difference.

I studied the documentation for the firewalld rich language https://fedoraproject.org/wiki/Featu...ldRichLanguage and my rule looks just like the examples for "blacklisting" a specific machine.
Code:
Example 7: Black-list source address to reject all connections from 192.168.2.3

firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.3" reject'

Example 8: Black-list source address to drop all connections from 192.168.2.4

firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.4" drop'
These examples apply the rule to the default zone. In my case
Code:
[root@taylor16 ken]# firewall-cmd --get-default-zone
block
[root@taylor16 ken]# firewall-cmd --get-active-zones
drop
  interfaces: p1p2
public
  interfaces: enp0s20u1
The LAN is connected to enp0s20u1 (a USB to Ethernet dongle - I have no idea where that device name came from) so I set my rule to the public zone. I have added it to the drop zone as well which made no change - as expected. The drop zone (p1p2) is the interface facing the Internet and the machine I am attempting to block is not on the Internet side of the firewall. Besides, its IP address is a non-routable private address if I recall correctly.

Ken
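The thread ends without an answer to Ken's two questions: why a zone rich rule that demonstrably blocks INPUT (the node cannot ping 10.42.0.1) has no effect on forwarded traffic, and why the permanent version plus a reload cuts the whole LAN off until a reboot. The script below is an added example, not code from the thread or from any poster. It works from an assumption the thread never states: that the NetworkManager "Shared to other computers" connection inserts its own FORWARD and MASQUERADE rules with `iptables -I`, ahead of the chains firewalld manages, and that `firewall-cmd --reload` flushes those rules. Under that assumption a zone rich rule is placed correctly but never reached for forwarded packets, and a reload removes the masquerade that the LAN depends on. The two checks read `iptables -S FORWARD` and `iptables -t nat -S POSTROUTING`; the interface and subnet are Ken's (enp0s20u1, 10.42.0.0/24), while the rule listings embedded in the script are constructed to look like `iptables -S` output and were not captured from his machine.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the symptoms described:
# a zone rich rule that blocks INPUT yet leaves forwarded traffic alone, and a
# LAN that loses the Internet after `firewall-cmd --reload`. Working assumption
# (not stated in the thread): NetworkManager's connection sharing inserts its
# own FORWARD/MASQUERADE rules with `iptables -I`, ahead of firewalld's chains,
# and a firewalld reload flushes them. Listings below are constructed samples.

LAN_IF=enp0s20u1      # LAN-facing interface from the thread
LAN_NET=10.42.0.0/24  # LAN subnet from the thread

# True when an ACCEPT for "$LAN_NET in via $LAN_IF" is evaluated before the
# jump to FORWARD_IN_ZONES, i.e. before any zone rich rule is consulted.
# Reads `iptables -S FORWARD` on stdin.
forward_bypasses_firewalld() {
  awk -v net="$LAN_NET" -v ifc="$LAN_IF" '
    $NF == "FORWARD_IN_ZONES" { seen_zone = 1 }
    !seen_zone && index($0, "-s " net) && index($0, "-i " ifc) && / -j ACCEPT$/ { hit = 1 }
    END { exit hit ? 0 : 1 }'
}

# True when a MASQUERADE rule for $LAN_NET is present.
# Reads `iptables -t nat -S POSTROUTING` on stdin.
lan_masquerade_present() {
  awk -v net="$LAN_NET" '
    index($0, "-s " net) && / -j MASQUERADE$/ { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# Constructed: FORWARD chain with sharing rules inserted ahead of firewalld's.
SAMPLE_FORWARD_SHARED='-P FORWARD ACCEPT
-A FORWARD -d 10.42.0.0/24 -o enp0s20u1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp0s20u1 -j ACCEPT
-A FORWARD -i enp0s20u1 -o enp0s20u1 -j ACCEPT
-A FORWARD -o enp0s20u1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp0s20u1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Constructed: the same chain after a reload flushed the sharing rules.
SAMPLE_FORWARD_FLUSHED='-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Constructed: nat POSTROUTING with and without the sharing masquerade.
SAMPLE_NAT_SHARED='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES'
SAMPLE_NAT_FLUSHED='-P POSTROUTING ACCEPT
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES'

# $1 = label, $2 = FORWARD listing, $3 = POSTROUTING listing
report() {
  if printf '%s\n' "$2" | forward_bypasses_firewalld; then
    echo "$1: LAN traffic is accepted before firewalld's zone chains; a zone rich rule cannot block forwarding"
  else
    echo "$1: forwarded LAN traffic reaches firewalld's zone chains"
  fi
  if printf '%s\n' "$3" | lan_masquerade_present; then
    echo "$1: MASQUERADE for $LAN_NET present"
  else
    echo "$1: no MASQUERADE for $LAN_NET; the LAN has no Internet until the sharing rules are re-added"
  fi
}

if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
  # Run the checks against the live rule set on the firewall box.
  report live "$(iptables -S FORWARD 2>/dev/null)" "$(iptables -t nat -S POSTROUTING 2>/dev/null)"
else
  # No root or no iptables: demonstrate on the constructed listings.
  report shared "$SAMPLE_FORWARD_SHARED" "$SAMPLE_NAT_SHARED"
  report after-reload "$SAMPLE_FORWARD_FLUSHED" "$SAMPLE_NAT_FLUSHED"
fi
```

If the first check reports the bypass on the live box, the rich rule is fine and the test Ken ran (ping the firewall, then browse) is exactly the right one: it proves the rule works in INPUT and shows that the forwarding path is decided elsewhere. The practical consequence for anyone relying on such a rule for isolation is that a block that only holds in INPUT has to be verified from the forwarding side, not from the firewall host itself. If the second check fails after a reload, the LAN outage is not caused by the rich rule at all but by the masquerade having been flushed along with everything else firewalld did not create.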
 
  

