Blocking Internal machines from Access to the Internet

Kevin T. Neely
07-30-2006, 05:35 AM
I am trying to block a host on my internal network from reaching the
WAN and therefore the internet. I am using shorewall to configure my
iptables firewall but am having trouble crafting a proper rule.

I want something like

DROP 192.168.0.25 inet

but that doesn't seem to be working quite right. I realize that in
the above example, the IP address is not a defined zone. I also tried
the IP in the blacklist but am unsure as to why that does not work.
Of course, if it did work, it would cause problems with the host
reaching other subnets on the internal network.

thank you,
K

--
In Vino Veritas
http://astroturfgarden.com
Kevin T. Neely
07-31-2006, 03:01 AM
On 2006-07-30, Kevin T. Neely <(E-Mail Removed)> wrote:
> I am trying to block a host on my internal network from reaching the
> WAN and therefore the internet. I am using shorewall to configure my
> iptables firewall but am having trouble crafting a proper rule.
>
> I want something like
>
> DROP 192.168.0.25 inet


I played with this some more. What I have now is:

REJECT loc:192.168.0.13 inet
DROP loc:192.168.0.13 inet

which seems a bit of overkill, but I want an active computer to stop
talking to the internet when I implement the rule.

What I want is for this to happen at night. Currently, I have two
sets of rules, called rules.night and rules.day. I have a cron job
that runs at "night", or 11pm, and copies rules.night to rules, then
restarts the firewall with the new rules. This goes again in the
morning with the new rules, effectively re-enabling the computer.

This seems a bit inelegant. Does anyone have or know of a better way
to do this?

thanks,
K

--
In Vino Veritas
http://astroturfgarden.com
Ken Roberts
07-31-2006, 01:56 PM

Kevin T. Neely wrote:
> On 2006-07-30, Kevin T. Neely <(E-Mail Removed)> wrote:
> > I am trying to block a host on my internal network from reaching the
> > WAN and therefore the internet. I am using shorewall to configure my
> > iptables firewall but am having trouble crafting a proper rule.
> >
> > I want something like
> >
> > DROP 192.168.0.25 inet

>
> I played with this some more. What I have now is:
>
> REJECT loc:192.168.0.13 inet
> DROP loc:192.168.0.13 inet
>
> which seems a bit of overkill, but I want an active computer to stop
> talking to the internet when I implement the rule.
>
> What I want is for this to happen at night. Currently, I have two
> sets of rules, called rules.night and rules.day. I have a cron job
> that runs at "night", or 11pm, and copies rules.night to rules, then
> restarts the firewall with the new rules. This goes again in the
> morning with the new rules, effectively re-enabling the computer.
>
> This seems a bit inelegant. Does anyone have or know of a better way
> to do this?
>
> thanks,
> K
>
> --
> In Vino Veritas
> http://astroturfgarden.com


It's been a while since I played with Linux-based firewalls, so forgive
me for not providing real examples. My only recent firewall experience
is on Cisco gear.

My approach would be to deny access by default, and then add it
specifically for those machines that need it. However, with this
approach your user can just change IP addresses to get around your
security limitation.

Better yet, if you can figure a way to have two separate networks you
could enable/disable access for the whole network, which will prevent
your miscreant from just changing the IP address to get access.

For a home network, you could put another ethernet card in your
firewall. If you have several PCs which are to be limited, then add a
switch. If you only have one, just use a crossover cable from the
firewall directly. I would still define that limited PC as a separate
network, even if it's just a crossover cable. Give it something like
192.168.3.0/24.

If the user looks at another PC to find network settings that work, the
open network's addresses will not work on the limited subnet. If this
user has a crossover cable, his/her cable won't work on the same switch
everyone else uses. All this would not prevent the truly determined
from getting a working network if he/she has access to the "server
room" but it would at least make things harder.

Kevin T. Neely
08-01-2006, 03:40 AM
On 2006-07-31, Ken Roberts <(E-Mail Removed)> wrote:
>
> Kevin T. Neely wrote:
>> On 2006-07-30, Kevin T. Neely <(E-Mail Removed)> wrote:
>> > I am trying to block a host on my internal network from reaching the
>> > WAN and therefore the internet. I am using shorewall to configure my
>> > iptables firewall but am having trouble crafting a proper rule.

>
> It's been a while since I played with Linux-based firewalls, so forgive
> me for not providing real examples. My only recent firewall experience
> is on Cisco gear.
>
> My approach would be to deny access by default, and then add it
> specifically for those machines that need it. However, with this


Thank you for the help and advice. This is definitely not an office
setup. Basically, my "miscreants" are the children who like to find
sneaky ways to stay up as late as possible using the internet on their
newly-installed computers in their rooms. I have set up DHCP
reservations for their computers and they are currently not skilled
enough to get around that meager security measure. I don't really
mind if they figure out how to get around what I set up, since doing so
would really teach them a lot about computers and networking that I
cannot otherwise get them to learn, so major security is not a big
deal.

What I want, however, is for the connection to drop right as I change
the rule. As it stands, even with the REJECT and DROP rules, open
connections (like an AIM client) remain open until they reboot their
computer or stop/restart the client, which is not what I want.

I'm running a Linux firewall because I want one device that I can use
as firewall, ssh server, mail server, etc. and not run a medium-sized
office's worth of equipment in getting the services I want. I also
want to be able to log certain traffic to hard disk, for which I need
an always-on computer.

I do have an older, managed BayNetworks switch I suppose I could use
and set the port by which my logging server is connected to mirror the
router port. But that is a lot more noise/heat for my little office
closet I'm not sure I want to incur.


> Better yet, if you can figure a way to have two separate networks you
> could enable/disable access for the whole network, which will prevent
> your miscreant from just changing the IP address to get access.


I have it like this:

Inet
|
cable modem
|
router
|
switch - {wired desktop computers}
|
Wireless AP


And it's like that. However, I have a third interface in the router
and am contemplating setting the wireless to a different subnet than
the wired lan so that I can protect the internal network a bit more.
Once I do this, I /could/ disable the wireless at night (their
computers are connected via wireless), but then my laptop,
etc. wouldn't work, and I go to bed later than they.

K

--
In Vino Veritas
http://astroturfgarden.com
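One way to do what the two posts above describe (switch between rules.day and rules.night on a schedule, and have the cut-off take effect immediately rather than only for new connections), as an added example and not code from the thread. The zone names loc and inet come from the posts; the file layout under /etc/shorewall, the sample host list and the use of conntrack-tools are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the night-time shorewall rules
# file and lists the conntrack deletions that make the cut-off immediate.
# Assumes the thread's zone names (loc, inet) and conntrack-tools installed.
set -eu

# Hosts to cut off at night (constructed sample values, space separated).
NIGHT_HOSTS="192.168.0.13 192.168.0.25"

# One shorewall rules line denying new connections from $1 to the inet zone.
# REJECT sends TCP RST / ICMP unreachable so clients fail fast; DROP would
# only make them hang, and a second DROP line for the same host adds nothing.
block_rule() {
    printf 'REJECT\tloc:%s\tinet\n' "$1"
}

# Write $2 = $1 (the shared day rules) plus one block line per host.
# Generating the night file from the day file keeps the two from drifting.
build_night_rules() {
    base=$1; out=$2; shift 2
    cp "$base" "$out"
    for h in "$@"; do block_rule "$h" >> "$out"; done
}

# Commands that remove a host's live connection-tracking entries. Lines in
# /etc/shorewall/rules only see NEW connections; packets of ESTABLISHED
# connections are accepted earlier in the chain, which is why an AIM
# session survived the REJECT/DROP rules. Deleting the entries makes the
# next packet of each session count as NEW, so it hits the REJECT rule.
flush_cmds() {
    printf 'conntrack -D -s %s\nconntrack -D -d %s\n' "$1" "$1"
}

# Switch modes: night = restart with the night rules, then flush sessions;
# day = restore the day rules. Paths assumed; run as root from cron.
apply_mode() {
    rules_dir=${SHOREWALL_DIR:-/etc/shorewall}
    case $1 in
      night)
        build_night_rules "$rules_dir/rules.day" "$rules_dir/rules" $NIGHT_HOSTS
        shorewall restart
        for h in $NIGHT_HOSTS; do flush_cmds "$h" | sh || true; done ;;
      day)
        cp "$rules_dir/rules.day" "$rules_dir/rules"
        shorewall restart ;;
      *) echo "usage: $0 night|day" >&2; return 2 ;;
    esac
}
```

Two cron entries, one calling `apply_mode night` at 23:00 and one calling `apply_mode day` in the morning, replace the copy-and-restart jobs from the post.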