Block WAN Access - Allow LAN Access - Linux hosts
What I am looking to do is block access to the WAN and only allow these hosts to talk to each other on the 192.168.1.0/24 LAN. This configuration should be done on the hosts in question.
There are some similar posts to this, but they tend to be too specific a use case, or overly complicated. I now pay for internet per GB. I have certain VMs that don't really need WAN access after being set up, but seem to be using large amounts of data. (LDAP server, for some reason?)
I'm looking into DD-WRT filtering, but I wondered how to do this host side.
I will also be looking into enabling WAN access for 1 hour daily. This could be done via an "iptables script" with cron, or just via DD-WRT.
I'm guessing iptables is the way to go. I think all of my servers use iptables; some have UFW and some have FirewallD.
I figure this can be a "generic question" with mostly answers that should work across many/all distros. But just to add, I'm mostly using Ubuntu 14/16 and CentOS 6/7.
Tags: networking, iptables
asked Oct 5 '17 at 7:44 by FreeSoftwareServers, edited Oct 5 '17 at 13:11 by sebasth
Do you intend to do the configuration on VMs (or somewhere else)? – sebasth, Oct 5 '17 at 7:56
Yes, via the CLI. – FreeSoftwareServers, Oct 5 '17 at 7:57
Just to note, I ended up using DD-WRT w/ IP Range WAN Blocking Rules. It was much easier to set up; I now have IP Pools for WAN BLOCK, WAN BLOCK 23/7 and WAN ACCESS. – FreeSoftwareServers, Oct 3 '18 at 6:29
2 Answers
Filtering with IPTABLES

This can be accomplished by creating a set of rules for allowed traffic and dropping the rest.

For the OUTPUT chain, create rules to accept loopback traffic and traffic to the 192.168.1.0/24 network. The default action is applied when no rules are matched; set it to REJECT.

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
# A built-in chain policy can only be ACCEPT or DROP ("iptables -P OUTPUT REJECT" fails
# with "Bad policy name"). For REJECT behaviour, append "iptables -A OUTPUT -j REJECT"
# as the last rule instead and insert later ACCEPT rules above it with -I rather than -A.
iptables -P OUTPUT DROP

For the INPUT chain, you can create similar rules. Allow traffic from loopback and the local network, drop the rest.

You can match established traffic (reply traffic to connections initiated by your host) with a single rule using -m conntrack --ctstate ESTABLISHED. This way you do not need to alter the chain when you want to enable Internet access. This works when you do not run any programs/daemons expecting connections from outside of your local network.

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -P INPUT DROP

If you need to allow connections initiated outside of your local network, you need to configure the INPUT chain in the same way as the OUTPUT chain and use a similar mechanism to apply

To allow unrestricted (WAN access) network access, change the default action to ACCEPT. To put the limits back, change the default action back to REJECT. The same effect is achieved by adding/removing -j ACCEPT as the last rule.

iptables -P OUTPUT ACCEPT

You can also use the iptables time module to accept traffic at a specific time of day, in which case you do not need to use cron. For example, to allow any outgoing traffic between 12:00 and 13:00, use the following rule:

iptables -A OUTPUT -m time --timestart 12:00 --timestop 13:00 -j ACCEPT
answered Oct 5 '17 at 8:05 by sebasth, edited Mar 7 at 21:14 by Community♦
I suggest to use REJECT for outgoing - DROP may stall processes running on the local servers. – countermode, Oct 5 '17 at 8:42
+1 for using the built-in iptables timestop, will test soon and accept an answer, I'm leaning towards iptables. What would you use? iptables or default gateway/routing? – FreeSoftwareServers, Oct 5 '17 at 9:34
Do not use -m state --state because it is deprecated. Use -m conntrack --ctstate instead. – Egor Vasilyev, Oct 5 '17 at 19:42
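Putting the answer's rules and the comment thread together (REJECT as a final rule rather than a policy, conntrack instead of the deprecated state match, the time match) as one ruleset loaded atomically with iptables-restore. This is an added example, not the answerer's code; the LAN, the 12:00-13:00 window and the rules-file paths are assumptions taken from the question.

```shell
#!/bin/sh
# wan-block.sh: generate, apply and save an iptables ruleset that confines a host to
# its LAN and opens WAN access only during a daily window. Added example, not code
# from the answer; LAN, window and file paths are assumptions taken from the question.
set -eu

LAN="${LAN:-192.168.1.0/24}"           # the LAN from the question
WINDOW_START="${WINDOW_START:-12:00}"  # assumed daily WAN window, 24-hour clock
WINDOW_STOP="${WINDOW_STOP:-13:00}"

# Print a complete filter table in iptables-restore format. Rule order matters:
# "-P OUTPUT REJECT" is not a valid policy (only ACCEPT/DROP are), so REJECT is a
# final catch-all rule and every ACCEPT must sit above it.
build_ruleset() {
    lan="$1"; start="$2"; stop="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets conntrack cannot associate with any connection are dropped early
-A INPUT -m conntrack --ctstate INVALID -j DROP
# replies to connections already accepted (RELATED covers ICMP errors, FTP data, ...);
# note that a WAN connection opened inside the window keeps flowing after it closes
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN peers in both directions
-A INPUT -s $lan -j ACCEPT
-A OUTPUT -d $lan -j ACCEPT
# daily WAN window; without --kerneltz the time match compares against UTC
-A OUTPUT -m time --timestart $start --timestop $stop --kerneltz -j ACCEPT
# everything else is rejected (REJECT rather than DROP, as suggested in the comments)
-A OUTPUT -j REJECT
COMMIT
EOF
}

# Replace the whole filter table in one step (needs root). Caution: this also flushes
# rules added by other managers on the host (Docker, libvirt); merge those first.
apply_ruleset() {
    build_ruleset "$LAN" "$WINDOW_START" "$WINDOW_STOP" | iptables-restore
}

# Write the ruleset where the distro's persistence service reloads it at boot:
# /etc/iptables/rules.v4 (Ubuntu, iptables-persistent) or
# /etc/sysconfig/iptables (CentOS, iptables-services).
save_ruleset() {
    build_ruleset "$LAN" "$WINDOW_START" "$WINDOW_STOP" > "$1"
}

# Sanity check on a generated ruleset: the catch-all REJECT must be the last OUTPUT
# rule, otherwise an ACCEPT appended after it (e.g. by a later "iptables -A") never matches.
reject_is_last_output_rule() {
    last="$(printf '%s\n' "$1" | grep '^-A OUTPUT ' | tail -n 1)"
    [ "$last" = "-A OUTPUT -j REJECT" ]
}

case "${1:-}" in
    show)  build_ruleset "$LAN" "$WINDOW_START" "$WINDOW_STOP" ;;
    apply) apply_ruleset ;;
    save)  save_ruleset "${2:?usage: $0 save /path/to/rules}" ;;
esac
```

Run `./wan-block.sh show` to inspect the generated table before `apply`; `iptables -S OUTPUT` afterwards should list the REJECT rule last.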
Removing the default route

When you remove the default route from your host's routing table, it prevents it from communicating with other hosts outside the local network. The default route is configured with ip route: ip route add default ... to add the default route and ip route del default to remove it.

Traffic from your router might still be able to reach your host. You can discard traffic for which there is no known route to the source address by enabling reverse path filtering.

There are two ways to configure reverse path filtering: sysctl or iptables. The sysctl method only applies to IPv4; an iptables rule can be written for both IPv4 and IPv6.

To enable reverse path filtering using the sysctl rp_filter:

sysctl -w net.ipv4.conf.all.rp_filter=1

With iptables, using the rpfilter module:

iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP

The same rule also works for ip6tables. For nftables, use the fib statement.

For removing and restoring the default route, you could use a simple script with cron:

#!/bin/sh -e
# Save the current default route and remove it, or put the saved one back.
FILE="/root/default.gw"
case "$1" in
"remove")
    # IPv4 only; a second default route (e.g. DHCP plus static) is not handled
    route="$(ip -4 route show default)"
    if [ -z "$route" ]; then
        echo "no default route configured"
        exit 1
    fi
    echo "$route" > "$FILE"
    ip route del default
    ip route flush cache
    ;;
"restore")
    if [ ! -r "$FILE" ]; then
        echo "no default route saved"
        exit 1
    fi
    route="$(cat "$FILE")"
    if [ -z "$route" ]; then
        echo "no default route saved"
        exit 1
    fi
    # unquoted on purpose: the saved line is the argument list for "ip route add"
    ip route add $route
    ;;
*)
    echo "invalid argument"
    echo "usage: $(basename -- "$0") remove|restore"
    exit 1
esac
answered Oct 5 '17 at 9:30 by sebasth, edited Oct 9 '17 at 10:19
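A hardened variant of the cron approach above, added here and not the answer's script: the saved route line is validated before it is handed to ip route add, so a missing, empty or damaged state file fails closed instead of feeding unexpected arguments to ip. The state path and the interface and gateway values are constructed assumptions; point-to-point defaults without a "via" gateway are deliberately not accepted.

```shell
#!/bin/sh
# wan-route.sh: save, remove and restore the IPv4 default route from cron, checking
# the saved line before it goes back to "ip route add". Added example, not the
# answer's script; STATE path, interface and gateway values are assumptions.
set -euf

STATE="${STATE:-/var/lib/wan-route/default.gw}"   # assumed location of the saved route

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    addr="$1"
    old_ifs="$IFS"; IFS=.; set -- $addr; IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# True if $1 has the shape "default via GATEWAY dev IFACE [token ...]" as printed by
# "ip -4 route show default". Every token must be a plain word, so a damaged or
# tampered state file cannot smuggle extra arguments into "ip route add".
validate_default_route() {
    set -- $1                     # word-split exactly as the restore step will
    [ "$#" -ge 5 ] || return 1
    [ "$1" = default ] && [ "$2" = via ] && [ "$4" = dev ] || return 1
    is_ipv4 "$3" || return 1
    for tok in "$@"; do
        case "$tok" in ''|*[!A-Za-z0-9_./:-]*) return 1 ;; esac
    done
}

save_default_route() {
    # Keep only the first default route; with several (DHCP plus static) a single
    # "ip route del default" would leave the others in place anyway.
    line="$(ip -4 route show default | head -n 1)"
    [ -n "$line" ] || { echo "no default route configured" >&2; return 1; }
    validate_default_route "$line" || { echo "unexpected route format: $line" >&2; return 1; }
    mkdir -p "$(dirname "$STATE")"
    printf '%s\n' "$line" > "$STATE"
}

remove_default_route() {
    save_default_route
    ip route del default
}

restore_default_route() {
    [ -r "$STATE" ] || { echo "no default route saved in $STATE" >&2; return 1; }
    line="$(head -n 1 "$STATE")"
    validate_default_route "$line" || { echo "refusing to restore: $line" >&2; return 1; }
    # Word splitting is intended here: the line is the argument list for "ip route add".
    ip route add $line
}

# Constructed crontab for a daily one-hour window (12:00-13:00):
#   0 12 * * * /usr/local/sbin/wan-route.sh restore
#   0 13 * * * /usr/local/sbin/wan-route.sh remove
case "${1:-}" in
    remove)  remove_default_route ;;
    restore) restore_default_route ;;
    check)   validate_default_route "$(ip -4 route show default | head -n 1)" && echo ok ;;
esac
```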