Block one computer from Internet access - should be easy :-(
I have a CentOS 7 box which acts as an Internet connection sharing device, firewall, VPN sharing device and DHCP server. I set one NIC to "Shared to other computers" and the other NIC is connected to my DSL modem. Ignoring the VPN which is not running at the moment, here is what I have
This is done to the runtime environment of firewalld so I believe it SHOULD take effect immediately. But it has no effect. The computer which I am trying to block can still access the Internet. If I add the same rule with the --permanent option and do a firewall-cmd --reload the computer IS blocked. However, all other computers on my LAN (10.42.0.*) are also blocked.
Stranger still - If I remove the rule and reload the firewall my LAN is still blocked. I must reboot the firewall machine to reestablish connection.
I have tried doing this with the firewall-config gui and I see the same results. I am at a loss. Can someone tell me what I am doing wrong or what else I need to check?
TIA,
Ken
Last edited by taylorkh; 03-14-2018 at 03:31 PM.
Reason: removed erroneous --permanent option
With "--permanent" you add a permanent rule and you have to reload the daemon (firewallctl reload) for the rule to take effect.
Without the "--permanent" switch, you add a runtime rule which takes effect immediately and can be made permanent with the command "firewallctl runtime-to-permanent".
Have you tried:
Code:
firewall-cmd --zone=drop --add-source=x.x.x.x/xx
Or use IPTABLES?
Code:
yum install ipset
Create your blacklist:
Code:
# the set has to exist before addresses can be added to it
ipset create blacklist hash:ip
ipset add blacklist x.x.x.x
# drop traffic addressed to the firewall itself and traffic it would forward
iptables -I INPUT -m set --match-set blacklist src -j DROP
iptables -I FORWARD -m set --match-set blacklist src -j DROP
You can always remove the gateway from the system(s) you want to block Internet access to, leaving only the IP and subnet; it will still be able to access resources on the network in the same network range. Policy block the network.
However, x.x.x.x/xx will block a range of IP addresses. I am trying to block ONE IP address. As far as IPTABLES, I seem to recall that only firewalld OR iptables can be run at one time. I have managed to get firewalld to do what I need up to this point so I don't want to throw that away. firewalld should be able to do this from what I have read. I just seem to be doing something slightly wrong.
Thanks again,
Ken
Both correct and beside the point. If your range of addresses is one single address then this is still what you want.
Here is a quick/cheater way to block a single PC that has a static IP: Assign it a bogus gateway. Nothing can come in or out from the internet but everything else works. This won't work if a user is savvy enough to change network settings and fix gateway.
Let me make sure I understand your post. Are you saying I should use 10.42.0.217/24 instead of just 10.42.0.217 in my rich rule?
Ken
To be exact, it would be /32 to specify a single IP address.
RE: the gateway trick. Just not specifying ANY gateway would serve that purpose, but making the change ON the gateway will lock the node even if the user has/gains root access and GIVES it the proper gateway. Removing that option entirely appeals to me.
You are quite correct /32. I had never specified a SINGLE address that way. I tried my rule with and without the /32. No difference. However, I did find...
If I create the rule with reject and then try to ping the firewall machine (10.42.0.1) from the offending machine (10.42.0.217) I get a "Destination Port Unreachable" message. If I change reject to drop and try the ping again I get no feedback. This is as expected and shows that the firewall is blocking traffic from the offending machine. The mystery is why it is passing traffic from the offending machine to the Internet? Also why the same rule in permanent mode kills all Internet traffic?
The subject machine has the following on eth0 as supplied by the DHCP server
IP address: 10.42.0.217
Broadcast address: 255.255.255.0
Default Route: 10.42.0.1
Primary DNS: 10.42.0.1
On the firewall etc. box (10.42.0.1) I added the rule
Code:
[ken@localhost ~]$ ping 10.42.0.1
PING 10.42.0.1 (10.42.0.1) 56(84) bytes of data.
64 bytes from 10.42.0.1: icmp_seq=1 ttl=64 time=2.15 ms
64 bytes from 10.42.0.1: icmp_seq=2 ttl=64 time=0.866 ms
64 bytes from 10.42.0.1: icmp_seq=3 ttl=64 time=0.782 ms
In the first case the subject box can reach the Internet by web address or IP address regardless of the rich rule. In the second case I can ping the Internet by IP address only unless I specify 10.42.0.1 as the Primary DNS.
I can manually configure an IP address on the subject box and leave off the gateway. This will stop Internet access and still allow access to other machines on my LAN which is what I am after. However, I am still confused how the subject box can be passing traffic through the firewall box which it cannot ping?
I am certainly missing something, I think it is my mind. With the node blocked and unable to ping the firewall computer I can still access a web site using a browser or ping the web site by its name (e.g. www.centos.org).
On the blocked computer
Code:
[ken@localhost Desktop]$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.42.0.1
On the firewall computer
Code:
[root@taylor16 ken]# cat /etc/resolv.conf
#resolv.conf.proton
# Generated by Ken - hard coded DNS for this ProtonVPN
nameserver 10.8.8.1
Note that at the moment I have the firewall computer connected to a VPN. I manually set the /etc/resolv.conf file to the VPN's DNS so as to eliminate DNS leakage. I have tested the (non)blocking rich rule when the firewall computer is connected directly to the ISP and using OpenDNS for my DNS. No difference.
Example 7: Black-list source address to reject all connections from 192.168.2.3
Code:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.3" reject'
Example 8: Black-list source address to drop all connections from 192.168.2.4
Code:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.4" drop'
These examples apply the rule to the default zone. In my case
Code:
[root@taylor16 ken]# firewall-cmd --get-default-zone
block
[root@taylor16 ken]# firewall-cmd --get-active-zones
drop
interfaces: p1p2
public
interfaces: enp0s20u1
The LAN is connected to enp0s20u1 (a USB to Ethernet dongle - I have no idea where that device name came from) so I set my rule to the public zone. I have added it to the drop zone as well which made no change - as expected. The drop zone (p1p2) is the interface facing the Internet and the machine I am attempting to block is not on the Internet side of the firewall. Besides, its IP address is a non-routable private address if I recall correctly.
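The runtime-versus-permanent point raised early in the thread and the zone question in the last post, pulled together as an added shell example that is not from the thread or from the firewalld project: it looks up the zone that owns the LAN interface instead of relying on the default zone, adds a single-host (/32) rich rule at runtime, verifies it, and only then promotes it to the permanent configuration. It assumes the LAN interface name and host address are passed as arguments and that firewall-cmd and iptables are run as root on the CentOS 7 gateway.

```shell
#!/bin/sh
# Added example (not from the thread): block ONE LAN host at a CentOS 7
# firewalld gateway with a runtime rich rule, verify it, then persist it.
# Assumptions: LAN interface and host address come from the command line;
# firewall-cmd and iptables are run as root.

# Normalise a bare IPv4 address to a /32 prefix (a single host is the /32
# special case of x.x.x.x/xx). An address that already has a prefix is kept.
to_cidr() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *)   printf '%s/32\n' "$1" ;;
    esac
}

# Build the rich rule text firewall-cmd expects. $1 = address, $2 = drop|reject.
build_rich_rule() {
    printf 'rule family="ipv4" source address="%s" %s\n' "$(to_cidr "$1")" "$2"
}

# Apply the rule in the zone bound to the LAN interface (not the default zone,
# which on the poster's box is "block"), at runtime only, and verify it.
block_host() {
    lan_if=$1; host=$2; action=${3:-drop}
    zone=$(firewall-cmd --get-zone-of-interface="$lan_if") || return 1
    rule=$(build_rich_rule "$host" "$action")
    firewall-cmd --zone="$zone" --add-rich-rule="$rule"
    # --query-rich-rule exits non-zero if the runtime rule is not present
    firewall-cmd --zone="$zone" --query-rich-rule="$rule" || return 1
    # Show every netfilter rule that mentions the host, so you can see which
    # chains (INPUT- or FORWARD-side) the rich rule actually landed in.
    iptables -S | grep -F -- "$(to_cidr "$host")" || echo "note: no iptables rule for $host"
}

# Promote the tested runtime rules without retyping them; this replaces
# re-adding them with --permanent followed by a reload.
persist_rules() { firewall-cmd --runtime-to-permanent; }

case "${1:-}" in
    block)   block_host "$2" "$3" "${4:-drop}" ;;   # block IFACE HOST [drop|reject]
    persist) persist_rules ;;
esac
```

Run it as `./script.sh block enp0s20u1 10.42.0.217 drop`, test from the LAN host, then `./script.sh persist` once the runtime rule behaves as intended.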