[SOLVED] Iptables > Block Internet Access to a LAN Computer.
Hello and thanks for reading my post. I'm running an Ubuntu Server (v18.01) with Iptables (v1.6.1) here at home. It provides a whole host of services to my LAN computers. This question pertains to my Iptables Firewall. I'm trying to stop internet access to one of the computers on my LAN. So far, I haven't been able to achieve this. The following code works, but stops all LAN computers from accessing the internet:
iptables -A OUTPUT -p all -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p all -s $LAN_IP -j ACCEPT
iptables -A OUTPUT -p all -s $INET_IP -j ACCEPT
As you can see, the IP of the LAN computer I want to deny internet access to is 192.168.1.14. These OUTPUT rules that I have tried were placed below the 3 OUTPUT rules listed above. I must be overlooking something that's causing it not to work.
Any suggestions you might have would be appreciated.
Can you explain your network topology? I assume that the Ubuntu server has two interfaces, one connected to the internet, the other to the internal LAN. It is used to forward/filter traffic from the internet to the LAN. Is that correct so far?
Please also tell us about the addresses, 192.168.1.0/24, $LO_IP, $LAN_IP, $INET_IP. I can guess what they are, but I'd rather have your confirmation that my guess is correct.
The first iptables command drops all traffic NOT coming from the computer you want to block. What happens when you remove the exclamation mark?
The second command places the rule at the end of the chain, and an earlier rule might accept traffic. Nothing can be said without knowing all OUTPUT rules.
By the way, I don't know too much about networking, but wouldn't the FORWARD chain be a more appropriate place for blocking forwarded traffic?
Quote:
Can you explain your network topology? I assume that the Ubuntu server has two interfaces, one connected to the internet, the other to the internal LAN. It is used to forward/filter traffic from the internet to the LAN. Is that correct so far?
Yes, that is correct. enp1s0f0 is my WAN, enp1s0f1 is my LAN.
Quote:
Please also tell us about the addresses, 192.168.1.0/24, $LO_IP, $LAN_IP, $INET_IP. I can guess what they are, but I'd rather have your confirmation that my guess is correct.
192.168.1.0/24 is my LAN. $LO_IP is 127.0.0.1, $LAN_IP is 192.168.1.1 and $INET_IP is my Public WAN IP address.
Quote:
The first iptables command drops all traffic NOT coming from the computer you want to block. What happens when you remove the exclamation mark?
I've never tried removing the exclamation mark.
Quote:
The second command places the rule at the end of the chain, and an earlier rule might accept traffic. Nothing can be said without knowing all OUTPUT rules.
The default policy of my iptables firewall is DROP. There are only 3 OUTPUT rules at the very end of the file. Those 3 rules are the ones I previously mentioned.
Quote:
By the way, I don't know too much about networking, but wouldn't the FORWARD chain be a more appropriate place for blocking forwarded traffic?
I haven't had a look at the FORWARD chain rules yet. I'll have a look to see if I've overlooked anything there.
Quote:
Originally Posted by kj6eo
Any suggestions you might have would be appreciated.
If you don't want the Internet to be able to send packets to this particular server, what about setting a rule on the firewall's INPUT chain that drops anything coming from the Internet that is destined to that server? Alternatively, what about a rule on the server you wish to protect that drops anything not coming from the LAN? (Perhaps setting the default to DROP and allowing only packets originating on the LAN is clearer.) Same with the OUTPUT: only allow packets headed for systems on the LAN to pass; drop anything not destined for the LAN.
Quote:
Originally Posted by rnturn
If you don't want the Internet to be able to send packets to this particular server, what about setting a rule on the firewall's INPUT chain that drops anything coming from the Internet that is destined to that server? Alternatively, what about a rule on the server you wish to protect that drops anything not coming from the LAN? (Perhaps setting the default to DROP and allowing only packets originating on the LAN is clearer.) Same with the OUTPUT: only allow packets headed for systems on the LAN to pass; drop anything not destined for the LAN.
I have a somewhat limited knowledge of iptables. I know the basics, but over the years my firewall has got complicated. So, most likely what's happening is that there is an ACCEPT rule somewhere else in the file that I'm overlooking. It's most likely superseding the DROP rule I'm trying to insert. Would you be willing to take a look at my entire firewall script? I don't want to post it here for obvious reasons. Could I PM a copy of it to you?
Ok, I figured this out myself and I would like to share the solution with you. The reason that my attempts to block inet access to this LAN computer weren't working was due to a Masquerading rule that SNATs everything out:
The quickest and easiest solution that I could come up with was to SNAT the LAN Computer I wanted to lock out into a black hole:
Code:
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.14 -j SNAT --to-source 192.168.1.103 -m time --timestart 07:30 --timestop 14:30 --weekdays Sun,Mon,Tue,Wed,Thu
The second SNAT rule has to be placed before the first rule listed of course. My firewall was originally written to trust everything on my LAN and to let everything OUT. Solving the issue the way I did might not be the correct way to do it. But ... it works.
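The two points raised earlier in the thread (rule order within a chain, and OUTPUT versus FORWARD for a router) can be checked with a toy model of netfilter's first-match traversal. This is an added illustration, not code from the thread; it assumes the Ubuntu box routes between LAN and WAN, that FORWARD carries an ACCEPT for 192.168.1.0/24 (the "trust everything on my LAN" setup), and that the rules posted above are the only OUTPUT rules.

```python
# Toy model of netfilter first-match chain traversal (added illustration, not
# code from the thread). Assumed topology: the Ubuntu box routes between LAN
# and WAN, so LAN hosts' packets traverse FORWARD; only the router's own traffic hits OUTPUT.
import ipaddress
from dataclasses import dataclass, field

ROUTER_LAN_IP = "192.168.1.1"  # $LAN_IP in the thread
BLOCKED_HOST = "192.168.1.14"  # the LAN host to cut off from the internet

@dataclass
class Rule:
    target: str    # ACCEPT or DROP
    src: str = ""  # -s value (host or CIDR); empty matches any source
    def matches(self, src_ip):
        return not self.src or ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src, strict=False)

@dataclass
class Chain:
    policy: str  # verdict when no rule matches (the OP's default policy is DROP)
    rules: list = field(default_factory=list)
    def append(self, rule): self.rules.append(rule)     # iptables -A: after every existing rule
    def insert(self, rule): self.rules.insert(0, rule)  # iptables -I: head of the chain
    def verdict(self, src_ip):  # the first matching rule decides, otherwise the policy
        return next((r.target for r in self.rules if r.matches(src_ip)), self.policy)

def route(chains, src_ip):
    """Packets the router generates hit OUTPUT; everything it forwards hits FORWARD."""
    chain = "OUTPUT" if src_ip in ("127.0.0.1", ROUTER_LAN_IP) else "FORWARD"
    return chains[chain].verdict(src_ip)

def original_ruleset():
    """OP's layout: OUTPUT ACCEPTs for lo and the router, then the host DROP appended
    to OUTPUT; FORWARD trusts the whole LAN (assumed from 'trust everything on my LAN')."""
    out = Chain("DROP", [Rule("ACCEPT", "127.0.0.1"), Rule("ACCEPT", ROUTER_LAN_IP)])
    out.append(Rule("DROP", BLOCKED_HOST))
    return {"OUTPUT": out, "FORWARD": Chain("DROP", [Rule("ACCEPT", "192.168.1.0/24")])}

def appended_forward_drop():
    """-A FORWARD -s 192.168.1.14 -j DROP: lands after the LAN ACCEPT and never fires."""
    chains = original_ruleset()
    chains["FORWARD"].append(Rule("DROP", BLOCKED_HOST))
    return chains

def inserted_forward_drop():
    """-I FORWARD -s 192.168.1.14 -j DROP: evaluated before the LAN ACCEPT, so it blocks."""
    chains = original_ruleset()
    chains["FORWARD"].insert(Rule("DROP", BLOCKED_HOST))
    return chains
```

The model shows the OUTPUT DROP would match the host if its packets ever reached that chain, but a forwarded packet never does; in FORWARD, an appended DROP sits behind the LAN ACCEPT and is dead, while an inserted one blocks only 192.168.1.14 and leaves the rest of the LAN untouched.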