Block traffic to LAN but allow traffic to Internet (iptables)


OK I figured out the problem myself so I'll answer my own question for reference. The issue was that all traffic was going through the LOGGING chain, and the second rule of the LOGGING chain drops all traffic. I just removed rule 2 from the LOGGING chain and everything worked.
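The same OUTPUT/LOGGING rule set as in the question below, rebuilt so the jump to LOGGING is scoped to the LAN instead of matching every packet. This is an added example, not code from the original post; the `IPT` dry-run variable, `apply_rules` and `check_rules` are assumptions for illustration, the addresses are the ones given in the question.

```shell
#!/bin/sh
# Added example: OUTPUT rules that allow two LAN hosts, log+drop the rest of
# the LAN, and leave Internet traffic alone. Set IPT=echo to print the
# commands instead of applying them (iptables itself needs root).
IPT="${IPT:-iptables}"
LAN="192.168.1.0/24"
ALLOWED_HOSTS="192.168.1.1 192.168.1.2"   # router and admin workstation (from the question)

apply_rules() {
    # Start from an empty OUTPUT chain and a fresh LOGGING chain.
    "$IPT" -F OUTPUT
    "$IPT" -N LOGGING 2>/dev/null || "$IPT" -F LOGGING
    # LOGGING: rate-limited log line, then DROP. Because the chain ends in a
    # terminating verdict, nothing that jumps here ever returns to OUTPUT, so
    # the jump itself must only match the traffic we actually want dropped.
    "$IPT" -A LOGGING -m limit --limit 10/min --limit-burst 5 \
        -j LOG --log-prefix "DROP: " --log-level 7
    "$IPT" -A LOGGING -j DROP
    # 1. Explicit LAN exceptions first (order matters: first match wins).
    for h in $ALLOWED_HOSTS; do
        "$IPT" -A OUTPUT -d "$h" -j ACCEPT
    done
    # 2. Everything else destined for the LAN goes to LOGGING and is dropped.
    #    The original rule 3 had no -d match, which is why 8.8.8.8 was dropped
    #    too; with the match here, "DROP:" is only logged for real drops.
    "$IPT" -A OUTPUT -d "$LAN" -j LOGGING
    # 3. Remaining traffic (the Internet) falls through to the chain policy.
    "$IPT" -P OUTPUT ACCEPT
}

# Dry-run check: succeeds only if the single jump to LOGGING carries the LAN match.
check_rules() {
    ( IPT=echo; apply_rules ) | grep -- '-j LOGGING' | grep -q -- "-d $LAN"
}
```

Run `IPT=echo sh script.sh` style dry runs first; `iptables -L OUTPUT -n --line-numbers` afterwards should show the two ACCEPTs before the LOGGING jump.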

Author: tlng5

Updated on September 18, 2022

Comments

  • tlng5 (over 1 year ago)

    On my home network I am setting up a CentOS server that will be used by about a dozen or so for educational purposes - e.g. learn how to use the Linux shell and host websites, among other things. I have port 22 and port 80 on my router so they will be able to log in via SSH over the Internet.

    As I cannot fully trust these users, I am currently trying to lock down the server as much as possible (checking permissions, blocking torrents, etc.). Since I don't want people probing the rest of the computers on my network through the server, I would like to block traffic to computers on the local LAN while still allowing traffic to the Internet.

    I'm not super familiar with iptables, but I've tried setting a few iptables rules - it first allows traffic to 192.168.1.1 (router) and 192.168.1.2 (computer I'm using to configure the server), and then blocks traffic to 192.168.1.0/24 and logs such traffic. The remainder of the traffic should be allowed. However, the problem is that the server cannot make connections to the Internet.

    Here is my current iptables config:

    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination
    1    ACCEPT     all  --  0.0.0.0/0            192.168.1.2
    2    ACCEPT     all  --  0.0.0.0/0            192.168.1.1
    3    LOGGING    all  --  0.0.0.0/0            0.0.0.0/0
    4    DROP       all  --  0.0.0.0/0            192.168.1.0/24
    5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain LOGGING (1 references)
    num  target     prot opt source               destination
    1    LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 7 prefix `DROP: '
    2    DROP       all  --  0.0.0.0/0            0.0.0.0/0
    

    Pinging the allowed IPs (192.168.1.1 and 192.168.1.2) works (good), but pinging Google does not (bad):

    [root@server ~]# ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    ^C
    --- 8.8.8.8 ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 1950ms
    
    [root@server ~]# ping 192.168.1.2
    PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
    64 bytes from 192.168.1.2: icmp_seq=1 ttl=128 time=0.294 ms
    64 bytes from 192.168.1.2: icmp_seq=2 ttl=128 time=0.270 ms
    

    Of course I understand that there's a certain level of trust involved in granting people access to a server on my network, but I still want to harden it as much as I can. If anyone can comment on other things I can do I'd appreciate that as well.

    Thanks in advance!

  • Rodney Salcedo (about 5 years ago)
    This is a question, not an answer. You had to put it in the question area, so you would surely find help.