Block WAN Access - Allow LAN Access - Linux hosts












3















What I am looking to do is block access to WAN and only allow these hosts to talk to each other on the 192.168.1.0/24 LAN. This configuration should be done on the hosts in question.



There are some similar posts to this, but tend to be too specific use case, or overly complicated. I now pay for internet per/GB. I have certain VM's that don't really need WAN Access after being setup, but seem to be using large amounts of data. (LDAP Server for some reason?)



I'm looking into DD-WRT Filtering, but I wondered how to do this host side.



I will also be looking into enabling WAN Access for 1 hour daily. This could be done via "iptables script" with CRON, or just via DD-WRT.



I'm guessing IPTables is the way to go. I think all of my servers use IPTables, some have UFW and some have FirewallD.



I figure this can be a "generic question" with mostly answers that should work across many/all distros. But just to add, I'm mostly using Ubuntu 14/16 and CentOS 6/7.










share|improve this question

























  • Do you intend to do the configuration on VMs (or somewhere else)?

    – sebasth
    Oct 5 '17 at 7:56











  • Yes via the CLI

    – FreeSoftwareServers
    Oct 5 '17 at 7:57











  • Just to note, I ended up using DD-WRT w/ IP Range WAN Blocking Rules. It was much easier to setup, i now have IP Pools for WAN BLOCk, WAN BLOCK 23/7 and WAN ACCESS

    – FreeSoftwareServers
    Oct 3 '18 at 6:29


















3















What I am looking to do is block access to WAN and only allow these hosts to talk to each other on the 192.168.1.0/24 LAN. This configuration should be done on the hosts in question.



There are some similar posts to this, but tend to be too specific use case, or overly complicated. I now pay for internet per/GB. I have certain VM's that don't really need WAN Access after being setup, but seem to be using large amounts of data. (LDAP Server for some reason?)



I'm looking into DD-WRT Filtering, but I wondered how to do this host side.



I will also be looking into enabling WAN Access for 1 hour daily. This could be done via "iptables script" with CRON, or just via DD-WRT.



I'm guessing IPTables is the way to go. I think all of my servers use IPTables, some have UFW and some have FirewallD.



I figure this can be a "generic question" with mostly answers that should work across many/all distros. But just to add, I'm mostly using Ubuntu 14/16 and CentOS 6/7.










share|improve this question

























  • Do you intend to do the configuration on VMs (or somewhere else)?

    – sebasth
    Oct 5 '17 at 7:56











  • Yes via the CLI

    – FreeSoftwareServers
    Oct 5 '17 at 7:57











  • Just to note, I ended up using DD-WRT w/ IP Range WAN Blocking Rules. It was much easier to setup, i now have IP Pools for WAN BLOCk, WAN BLOCK 23/7 and WAN ACCESS

    – FreeSoftwareServers
    Oct 3 '18 at 6:29
















3












3








3


0






What I am looking to do is block access to WAN and only allow these hosts to talk to each other on the 192.168.1.0/24 LAN. This configuration should be done on the hosts in question.



There are some similar posts to this, but tend to be too specific use case, or overly complicated. I now pay for internet per/GB. I have certain VM's that don't really need WAN Access after being setup, but seem to be using large amounts of data. (LDAP Server for some reason?)



I'm looking into DD-WRT Filtering, but I wondered how to do this host side.



I will also be looking into enabling WAN Access for 1 hour daily. This could be done via "iptables script" with CRON, or just via DD-WRT.



I'm guessing IPTables is the way to go. I think all of my servers use IPTables, some have UFW and some have FirewallD.



I figure this can be a "generic question" with mostly answers that should work across many/all distros. But just to add, I'm mostly using Ubuntu 14/16 and CentOS 6/7.










share|improve this question
















What I am looking to do is block access to WAN and only allow these hosts to talk to each other on the 192.168.1.0/24 LAN. This configuration should be done on the hosts in question.



There are some similar posts to this, but tend to be too specific use case, or overly complicated. I now pay for internet per/GB. I have certain VM's that don't really need WAN Access after being setup, but seem to be using large amounts of data. (LDAP Server for some reason?)



I'm looking into DD-WRT Filtering, but I wondered how to do this host side.



I will also be looking into enabling WAN Access for 1 hour daily. This could be done via "iptables script" with CRON, or just via DD-WRT.



I'm guessing IPTables is the way to go. I think all of my servers use IPTables, some have UFW and some have FirewallD.



I figure this can be a "generic question" with mostly answers that should work across many/all distros. But just to add, I'm mostly using Ubuntu 14/16 and CentOS 6/7.







networking iptables






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Oct 5 '17 at 13:11









sebasth

8,71932450




8,71932450










asked Oct 5 '17 at 7:44









FreeSoftwareServersFreeSoftwareServers

1,00931941




1,00931941













  • Do you intend to do the configuration on VMs (or somewhere else)?

    – sebasth
    Oct 5 '17 at 7:56











  • Yes via the CLI

    – FreeSoftwareServers
    Oct 5 '17 at 7:57











  • Just to note, I ended up using DD-WRT w/ IP Range WAN Blocking Rules. It was much easier to setup, i now have IP Pools for WAN BLOCk, WAN BLOCK 23/7 and WAN ACCESS

    – FreeSoftwareServers
    Oct 3 '18 at 6:29





















  • Do you intend to do the configuration on VMs (or somewhere else)?

    – sebasth
    Oct 5 '17 at 7:56











  • Yes via the CLI

    – FreeSoftwareServers
    Oct 5 '17 at 7:57











  • Just to note, I ended up using DD-WRT w/ IP Range WAN Blocking Rules. It was much easier to setup, i now have IP Pools for WAN BLOCk, WAN BLOCK 23/7 and WAN ACCESS

    – FreeSoftwareServers
    Oct 3 '18 at 6:29



















Do you intend to do the configuration on VMs (or somewhere else)?

– sebasth
Oct 5 '17 at 7:56





Do you intend to do the configuration on VMs (or somewhere else)?

– sebasth
Oct 5 '17 at 7:56













Yes via the CLI

– FreeSoftwareServers
Oct 5 '17 at 7:57





Yes via the CLI

– FreeSoftwareServers
Oct 5 '17 at 7:57













Just to note, I ended up using DD-WRT w/ IP Range WAN Blocking Rules. It was much easier to setup, i now have IP Pools for WAN BLOCk, WAN BLOCK 23/7 and WAN ACCESS

– FreeSoftwareServers
Oct 3 '18 at 6:29







Just to note, I ended up using DD-WRT w/ IP Range WAN Blocking Rules. It was much easier to setup, i now have IP Pools for WAN BLOCk, WAN BLOCK 23/7 and WAN ACCESS

– FreeSoftwareServers
Oct 3 '18 at 6:29












2 Answers
2






active

oldest

votes


















5














Filtering with IPTABLES



This can be accomplished by creating a set of rules for allowed traffic and dropping the rest.



For the OUTPUT chain, create rules to accept loopback traffic and traffic to 192.168.1.0/24 network. Default action is applied when no rules are matched, set it to REJECT.



iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
iptables -P OUTPUT REJECT


For INPUT chain, you can create similar rules. Allow traffic from loopback and local network, drop the rest.



You can match established traffic (reply traffic to connections initiated by your host) with a single rule using -m conntrack --ctstate ESTABLISHED. This way you do not need to alter the chain when you want to enable Internet access. This works when you do not run any programs/daemons expecting connections from outside of your local network.



iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -P INPUT DROP


If you need to allow connections initiated outside of your local network, you need to configure the INPUT chain in the same way as the OUTPUT chain and use similar mechanism to apply



To allow unrestricted (WAN access) network access, change the default action to ACCEPT. To put the limits back, change the default action back to REJECT. Same effect is achieved by adding/removing -j ACCEPT as last rule.



iptables -P OUTPUT ACCEPT


You can also use iptables time module to accept the traffic at specific time of a day, in which case you do not need to use cron. For example, to allow any outgoing traffic between 12:00 and 13:00 with following rule:



iptables -A OUTPUT -m time --timestart 12:00 --timestop 13:00 -j ACCEPT





share|improve this answer





















  • 1





    I suggest to use REJECT for outgoing - DROP may stall processes running on the local servers.

    – countermode
    Oct 5 '17 at 8:42











  • +1 for using built in iptables timestop, will test soon and accept an answer, im leaning towards iptables. What would you use? IPTables or Default Gateway/Routing?

    – FreeSoftwareServers
    Oct 5 '17 at 9:34






  • 1





    Do not use -m state --state because it deprecated. Use -m conntrack --ctstate instead

    – Egor Vasilyev
    Oct 5 '17 at 19:42





















2














Removing the default route



When you remove the default route from your host's routing table, it prevents it from communicating with other hosts outside the local network. Default route is configured with ip route: ip route default add ... to add the default route and ip route del default to remove it.



Traffic from your router might still be able to reach your host. You can discard traffic for which there is no known route to source address by enabling reverse path filtering.



There are two ways to configure reverse path filtering: sysctl or iptables. The sysctl method only applies to ipv4, iptables rule can be written for both both ipv4 and ipv6.





  • To enable reverse path filtering using sysctl rp_filter:



    sysctl net.ipv4.conf.all.rp_filter = 1



  • With iptables, using rpfilter module:



    iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP


    Same rule also works for ip6tables. For nftables, use fib statement.




For removing and restoring the default route, you could use a simple script with cron:



#!/bin/sh -e
FILE="/root/default.gw"

case "$1" in
"remove")
route="$(ip route show default 0.0.0.0/0)"

if [ -z "$route" ]; then
echo "no default route configured"
exit 1
fi

echo "$route" > $FILE
ip route del default
ip route flush cache
;;

"restore")
route="$(cat $FILE)"

if [ -z "$route" ]; then
echo "no default route saved"
exit 1
fi

ip route add $route
;;

*)
echo "invalid argument"
echo "usage: $(basename -- $0) remove|restore"
exit 1
esac





share|improve this answer


























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "106"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f396218%2fblock-wan-access-allow-lan-access-linux-hosts%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    5














    Filtering with IPTABLES



    This can be accomplished by creating a set of rules for allowed traffic and dropping the rest.



    For the OUTPUT chain, create rules to accept loopback traffic and traffic to 192.168.1.0/24 network. Default action is applied when no rules are matched, set it to REJECT.



    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
    iptables -P OUTPUT REJECT


    For INPUT chain, you can create similar rules. Allow traffic from loopback and local network, drop the rest.



    You can match established traffic (reply traffic to connections initiated by your host) with a single rule using -m conntrack --ctstate ESTABLISHED. This way you do not need to alter the chain when you want to enable Internet access. This works when you do not run any programs/daemons expecting connections from outside of your local network.



    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
    iptables -P INPUT DROP


    If you need to allow connections initiated outside of your local network, you need to configure the INPUT chain in the same way as the OUTPUT chain and use similar mechanism to apply



    To allow unrestricted (WAN access) network access, change the default action to ACCEPT. To put the limits back, change the default action back to REJECT. Same effect is achieved by adding/removing -j ACCEPT as last rule.



    iptables -P OUTPUT ACCEPT


    You can also use iptables time module to accept the traffic at specific time of a day, in which case you do not need to use cron. For example, to allow any outgoing traffic between 12:00 and 13:00 with following rule:



    iptables -A OUTPUT -m time --timestart 12:00 --timestop 13:00 -j ACCEPT





    share|improve this answer





















    • 1





      I suggest to use REJECT for outgoing - DROP may stall processes running on the local servers.

      – countermode
      Oct 5 '17 at 8:42











    • +1 for using built in iptables timestop, will test soon and accept an answer, im leaning towards iptables. What would you use? IPTables or Default Gateway/Routing?

      – FreeSoftwareServers
      Oct 5 '17 at 9:34






    • 1





      Do not use -m state --state because it deprecated. Use -m conntrack --ctstate instead

      – Egor Vasilyev
      Oct 5 '17 at 19:42


















    5














    Filtering with IPTABLES



    This can be accomplished by creating a set of rules for allowed traffic and dropping the rest.



    For the OUTPUT chain, create rules to accept loopback traffic and traffic to 192.168.1.0/24 network. Default action is applied when no rules are matched, set it to REJECT.



    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
    iptables -P OUTPUT REJECT


    For INPUT chain, you can create similar rules. Allow traffic from loopback and local network, drop the rest.



    You can match established traffic (reply traffic to connections initiated by your host) with a single rule using -m conntrack --ctstate ESTABLISHED. This way you do not need to alter the chain when you want to enable Internet access. This works when you do not run any programs/daemons expecting connections from outside of your local network.



    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
    iptables -P INPUT DROP


    If you need to allow connections initiated outside of your local network, you need to configure the INPUT chain in the same way as the OUTPUT chain and use similar mechanism to apply



    To allow unrestricted (WAN access) network access, change the default action to ACCEPT. To put the limits back, change the default action back to REJECT. Same effect is achieved by adding/removing -j ACCEPT as last rule.



    iptables -P OUTPUT ACCEPT


    You can also use iptables time module to accept the traffic at specific time of a day, in which case you do not need to use cron. For example, to allow any outgoing traffic between 12:00 and 13:00 with following rule:



    iptables -A OUTPUT -m time --timestart 12:00 --timestop 13:00 -j ACCEPT





    share|improve this answer





















    • 1





      I suggest to use REJECT for outgoing - DROP may stall processes running on the local servers.

      – countermode
      Oct 5 '17 at 8:42











    • +1 for using built in iptables timestop, will test soon and accept an answer, im leaning towards iptables. What would you use? IPTables or Default Gateway/Routing?

      – FreeSoftwareServers
      Oct 5 '17 at 9:34






    • 1





      Do not use -m state --state because it deprecated. Use -m conntrack --ctstate instead

      – Egor Vasilyev
      Oct 5 '17 at 19:42
















    5












    5








    5







    Filtering with IPTABLES



    This can be accomplished by creating a set of rules for allowed traffic and dropping the rest.



    For the OUTPUT chain, create rules to accept loopback traffic and traffic to 192.168.1.0/24 network. Default action is applied when no rules are matched, set it to REJECT.



    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
    iptables -P OUTPUT REJECT


    For INPUT chain, you can create similar rules. Allow traffic from loopback and local network, drop the rest.



    You can match established traffic (reply traffic to connections initiated by your host) with a single rule using -m conntrack --ctstate ESTABLISHED. This way you do not need to alter the chain when you want to enable Internet access. This works when you do not run any programs/daemons expecting connections from outside of your local network.



    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
    iptables -P INPUT DROP


    If you need to allow connections initiated outside of your local network, you need to configure the INPUT chain in the same way as the OUTPUT chain and use similar mechanism to apply



    To allow unrestricted (WAN access) network access, change the default action to ACCEPT. To put the limits back, change the default action back to REJECT. Same effect is achieved by adding/removing -j ACCEPT as last rule.



    iptables -P OUTPUT ACCEPT


    You can also use iptables time module to accept the traffic at specific time of a day, in which case you do not need to use cron. For example, to allow any outgoing traffic between 12:00 and 13:00 with following rule:



    iptables -A OUTPUT -m time --timestart 12:00 --timestop 13:00 -j ACCEPT





    share|improve this answer















    Filtering with IPTABLES



    This can be accomplished by creating a set of rules for allowed traffic and dropping the rest.



    For the OUTPUT chain, create rules to accept loopback traffic and traffic to 192.168.1.0/24 network. Default action is applied when no rules are matched, set it to REJECT.



    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
    iptables -P OUTPUT REJECT


    For INPUT chain, you can create similar rules. Allow traffic from loopback and local network, drop the rest.



    You can match established traffic (reply traffic to connections initiated by your host) with a single rule using -m conntrack --ctstate ESTABLISHED. This way you do not need to alter the chain when you want to enable Internet access. This works when you do not run any programs/daemons expecting connections from outside of your local network.



    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
    iptables -P INPUT DROP


    If you need to allow connections initiated outside of your local network, you need to configure the INPUT chain in the same way as the OUTPUT chain and use similar mechanism to apply



    To allow unrestricted (WAN access) network access, change the default action to ACCEPT. To put the limits back, change the default action back to REJECT. Same effect is achieved by adding/removing -j ACCEPT as last rule.



    iptables -P OUTPUT ACCEPT


    You can also use iptables time module to accept the traffic at specific time of a day, in which case you do not need to use cron. For example, to allow any outgoing traffic between 12:00 and 13:00 with following rule:



    iptables -A OUTPUT -m time --timestart 12:00 --timestop 13:00 -j ACCEPT






    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited Mar 7 at 21:14









    Community

    1




    1










    answered Oct 5 '17 at 8:05









    sebasthsebasth

    8,71932450




    8,71932450








    • 1





      I suggest to use REJECT for outgoing - DROP may stall processes running on the local servers.

      – countermode
      Oct 5 '17 at 8:42











    • +1 for using built in iptables timestop, will test soon and accept an answer, im leaning towards iptables. What would you use? IPTables or Default Gateway/Routing?

      – FreeSoftwareServers
      Oct 5 '17 at 9:34






    • 1





      Do not use -m state --state because it deprecated. Use -m conntrack --ctstate instead

      – Egor Vasilyev
      Oct 5 '17 at 19:42
















    • 1





      I suggest to use REJECT for outgoing - DROP may stall processes running on the local servers.

      – countermode
      Oct 5 '17 at 8:42











    • +1 for using built in iptables timestop, will test soon and accept an answer, im leaning towards iptables. What would you use? IPTables or Default Gateway/Routing?

      – FreeSoftwareServers
      Oct 5 '17 at 9:34






    • 1





      Do not use -m state --state because it deprecated. Use -m conntrack --ctstate instead

      – Egor Vasilyev
      Oct 5 '17 at 19:42










    1




    1





    I suggest to use REJECT for outgoing - DROP may stall processes running on the local servers.

    – countermode
    Oct 5 '17 at 8:42





    I suggest to use REJECT for outgoing - DROP may stall processes running on the local servers.

    – countermode
    Oct 5 '17 at 8:42













    +1 for using built in iptables timestop, will test soon and accept an answer, im leaning towards iptables. What would you use? IPTables or Default Gateway/Routing?

    – FreeSoftwareServers
    Oct 5 '17 at 9:34





    +1 for using built in iptables timestop, will test soon and accept an answer, im leaning towards iptables. What would you use? IPTables or Default Gateway/Routing?

    – FreeSoftwareServers
    Oct 5 '17 at 9:34




    1




    1





    Do not use -m state --state because it deprecated. Use -m conntrack --ctstate instead

    – Egor Vasilyev
    Oct 5 '17 at 19:42







    Do not use -m state --state because it deprecated. Use -m conntrack --ctstate instead

    – Egor Vasilyev
    Oct 5 '17 at 19:42















    2














    Removing the default route



    When you remove the default route from your host's routing table, it prevents it from communicating with other hosts outside the local network. Default route is configured with ip route: ip route default add ... to add the default route and ip route del default to remove it.



    Traffic from your router might still be able to reach your host. You can discard traffic for which there is no known route to source address by enabling reverse path filtering.



    There are two ways to configure reverse path filtering: sysctl or iptables. The sysctl method only applies to ipv4, iptables rule can be written for both both ipv4 and ipv6.





    • To enable reverse path filtering using sysctl rp_filter:



      sysctl net.ipv4.conf.all.rp_filter = 1



    • With iptables, using rpfilter module:



      iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP


      Same rule also works for ip6tables. For nftables, use fib statement.




    For removing and restoring the default route, you could use a simple script with cron:



    #!/bin/sh -e
    FILE="/root/default.gw"

    case "$1" in
    "remove")
    route="$(ip route show default 0.0.0.0/0)"

    if [ -z "$route" ]; then
    echo "no default route configured"
    exit 1
    fi

    echo "$route" > $FILE
    ip route del default
    ip route flush cache
    ;;

    "restore")
    route="$(cat $FILE)"

    if [ -z "$route" ]; then
    echo "no default route saved"
    exit 1
    fi

    ip route add $route
    ;;

    *)
    echo "invalid argument"
    echo "usage: $(basename -- $0) remove|restore"
    exit 1
    esac





    share|improve this answer






























      2














      Removing the default route



      When you remove the default route from your host's routing table, it prevents it from communicating with other hosts outside the local network. Default route is configured with ip route: ip route default add ... to add the default route and ip route del default to remove it.



      Traffic from your router might still be able to reach your host. You can discard traffic for which there is no known route to source address by enabling reverse path filtering.



      There are two ways to configure reverse path filtering: sysctl or iptables. The sysctl method only applies to ipv4, iptables rule can be written for both both ipv4 and ipv6.





      • To enable reverse path filtering using sysctl rp_filter:



        sysctl net.ipv4.conf.all.rp_filter = 1



      • With iptables, using rpfilter module:



        iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP


        Same rule also works for ip6tables. For nftables, use fib statement.




      For removing and restoring the default route, you could use a simple script with cron:



      #!/bin/sh -e
      FILE="/root/default.gw"

      case "$1" in
      "remove")
      route="$(ip route show default 0.0.0.0/0)"

      if [ -z "$route" ]; then
      echo "no default route configured"
      exit 1
      fi

      echo "$route" > $FILE
      ip route del default
      ip route flush cache
      ;;

      "restore")
      route="$(cat $FILE)"

      if [ -z "$route" ]; then
      echo "no default route saved"
      exit 1
      fi

      ip route add $route
      ;;

      *)
      echo "invalid argument"
      echo "usage: $(basename -- $0) remove|restore"
      exit 1
      esac





      share|improve this answer




























        2












        2








        2







        Removing the default route



        When you remove the default route from your host's routing table, it prevents it from communicating with other hosts outside the local network. Default route is configured with ip route: ip route default add ... to add the default route and ip route del default to remove it.



        Traffic from your router might still be able to reach your host. You can discard traffic for which there is no known route to source address by enabling reverse path filtering.



        There are two ways to configure reverse path filtering: sysctl or iptables. The sysctl method only applies to ipv4, iptables rule can be written for both both ipv4 and ipv6.





        • To enable reverse path filtering using sysctl rp_filter:



          sysctl net.ipv4.conf.all.rp_filter = 1



        • With iptables, using rpfilter module:



          iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP


          Same rule also works for ip6tables. For nftables, use fib statement.




        For removing and restoring the default route, you could use a simple script with cron:



        #!/bin/sh -e
        FILE="/root/default.gw"

        case "$1" in
        "remove")
        route="$(ip route show default 0.0.0.0/0)"

        if [ -z "$route" ]; then
        echo "no default route configured"
        exit 1
        fi

        echo "$route" > $FILE
        ip route del default
        ip route flush cache
        ;;

        "restore")
        route="$(cat $FILE)"

        if [ -z "$route" ]; then
        echo "no default route saved"
        exit 1
        fi

        ip route add $route
        ;;

        *)
        echo "invalid argument"
        echo "usage: $(basename -- $0) remove|restore"
        exit 1
        esac





        share|improve this answer















        Removing the default route



        When you remove the default route from your host's routing table, it prevents it from communicating with other hosts outside the local network. Default route is configured with ip route: ip route default add ... to add the default route and ip route del default to remove it.



        Traffic from your router might still be able to reach your host. You can discard traffic for which there is no known route to source address by enabling reverse path filtering.



        There are two ways to configure reverse path filtering: sysctl or iptables. The sysctl method only applies to ipv4, iptables rule can be written for both both ipv4 and ipv6.





        • To enable reverse path filtering using sysctl rp_filter:



          sysctl net.ipv4.conf.all.rp_filter = 1



        • With iptables, using rpfilter module:



          iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP


          Same rule also works for ip6tables. For nftables, use fib statement.




        For removing and restoring the default route, you could use a simple script with cron:



        #!/bin/sh -e
        FILE="/root/default.gw"

        case "$1" in
        "remove")
        route="$(ip route show default 0.0.0.0/0)"

        if [ -z "$route" ]; then
        echo "no default route configured"
        exit 1
        fi

        echo "$route" > $FILE
        ip route del default
        ip route flush cache
        ;;

        "restore")
        route="$(cat $FILE)"

        if [ -z "$route" ]; then
        echo "no default route saved"
        exit 1
        fi

        ip route add $route
        ;;

        *)
        echo "invalid argument"
        echo "usage: $(basename -- $0) remove|restore"
        exit 1
        esac






        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Oct 9 '17 at 10:19

























        answered Oct 5 '17 at 9:30









        sebasthsebasth

        8,71932450




        8,71932450






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f396218%2fblock-wan-access-allow-lan-access-linux-hosts%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            How to make a Squid Proxy server?

            Is this a new Fibonacci Identity?

            19世紀