Blocking Internal machines from Access to the Internet

Discussion in 'Linux Networking' started by Kevin T. Neely, Jul 30, 2006.

  1. I am trying to block a host on my internal network from reaching the
    WAN and therefore the internet. I am using shorewall to configure my
    iptables firewall but am having trouble crafting a proper rule.

    I want something like

    DROP inet

    but that doesn't seem to be working quite right. I realize that in
    the above example, the IP address is not a defined zone. I also tried
    the IP in the blacklist but am unsure as to why that does not work.
    Of course, if it did work, it would cause problems with the host
    reaching other subnets on the internal network.

    thank you,
    Kevin T. Neely, Jul 30, 2006
    1. Advertisements

  2. I played with this some more. What I have now is:

    REJECT loc: inet
    DROP loc: inet

    which seems a bit of overkill, but I want an active computer to stop
    talking to the internet when I implement the rule.

    What I want is for this to happen at night. Currently, I have two
    sets of rules, called rules.night and I have a cron job
    that runs at "night", or 11pm, and copies rules.night to rules, then
    restarts the firewall with the new rules. This goes again in the
    morning with the new rules, effectively re-enabling the computer.

    This seems a bit inelegant. Does anyone have or know of a better way
    to do this?

    Kevin T. Neely, Jul 31, 2006
    1. Advertisements

  3. Kevin T. Neely

    Ken Roberts Guest

    It's been a while since I played with Linux-based firewalls, so forgive
    me for not providing real examples. My only recent firewall experience
    is on Cisco gear.

    My approach would be to deny access by default, and then add it
    specifically for those machines that need it. However, with this
    approach your user can just change IP addresses to get around your
    security limitation.

    Better yet, if you can figure a way to have two separate networks you
    could enable/disable access for the whole network, which will prevent
    your miscreant from just changing the IP address to get access.

    For a home network, you could put another ethernet card in your
    firewall. If you have several PCs which are to be limited, then add a
    switch. If you only have one, just use a crossover cable from the
    firewall directly. I would still define that limited PC as a separate
    network, even if it's just a crossover cable. Give it something like

    If the user looks at another PC to find network settings that work, the
    open network's addresses will not work on the limited subnet. If this
    user has a crossover cable, his/her cable won't work on the same switch
    everyone else uses. All this would not prevent the truly determined
    from getting a working network if he/she has access to the "server
    room" but it would at least make things harder.
    Ken Roberts, Jul 31, 2006
  4. Thank you for the help and advice. This is definitely not an office
    setup. Basically, my "miscreants" are the children who like to find
    sneaky ways to stay up as late as possible using the internet on their
    newly-installed computers in their rooms. I have setup DHCP
    reservations for their computers and they are currently not skilled
    enough to get around that meager security measure. I don't really
    mind if they figure out how to get around what I setup, since doing so
    would really teach them a lot about computers and networking that I
    cannot otherwise get them to learn, so major security is not a big

    What I want, however, is for the connection to drop right as I change
    the rule. As it stands, even with the REJECT and DROP rules, open
    connections (like an AIM client) remain open until they reboot their
    computer or stop/restart the client, which is not what I want.

    I'm running a Linux firewall because I want one device that I can use
    as firewall, ssh server, mail server, etc. and not run a medium-sized
    office's worth of equipment in getting the services I want. I also
    want to be able to log certain traffic to hard disk, for which I need
    an always-on computer.

    I do have an older, managed BayNetworks switch I suppose I could use
    and set the port by which my logging server is connected to mirror the
    router port. But that is a lot more noise/heat for my little office
    closet I'm not sure I want to incur.

    I have it like this:

    cable modem
    switch - {wired desktop computers}
    Wireless AP

    And it's like that. However, I have a third interface in the router
    and am contemplating setting the wireless to a different subet than
    the wired lan so that I can protect the internal network a bit more.
    Once I do this, I /could/ disable the wireless at night (their
    computers are connected via wireless), but then my laptop,
    etc. wouldn't work, and I go to bed later than they.

    Kevin T. Neely, Aug 1, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.