I was wondering what the best way to block a server's internet access is while allowing LAN connections. Essentially, I want a server to be only accessible by LAN. What ips, ports, etc should I block?
Asked
Active
Viewed 4,797 times
1
-
1To even attempt to answer this we'd have to know your infrastructure. Do you want to block ON the server? On a firewall it sits behind (natting or not) ... – tink Aug 14 '14 at 00:39
1 Answers
0
This really depends on your network topology. Based on your question, it sounds like you wish to block outbound connectivity and not just filter inbound.
One of the easiest things you could do would be to create a firewall rule that blocks traffic to the default gateway. If you have a single default gateway providing internet access, this would prevent them from accessing the outside.
Another set of rules you might want to apply is DENY everything except for RFC 1918 space.
Here is an example that might work if your gateway was 192.168.1.1
iptables -A INPUT -s 192.168.1.1/32 -j DROP
iptables -A INPUT -d 192.168.1.1/32 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -d 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -d 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT
iptables -A INPUT -d 172.16.0.0/12 -j ACCEPT
It is worth noting that your question without any further detail is not going to allow me to provide you with an answer that is likely to fit your real world needs. Cutting off internet access completely will pose a problem when trying to update software, etc.
Blocking direct access to the gateway isn't going to ensure no outbound internet access. It would be possible for another server on the network to act as a gateway, proxy, etc.
David Houde
- 3,160
- 1
- 15
- 19