allowing local network access while blocking internet access

20

8

I have a networked computer that is used as a remote print/scan server (which is shared by numerous users). Is there any way I can block the machine's internet access while still allowing it to connect to our local network?

edit-

Essentially, it's a Windows XP machine shared between myself and 5 others in my department (a workaround to share a scanner without purchasing a network-enabled scanner). A VNC server is set up on the acting 'server' computer and each user is using a VNC client to access the machine. The machine has its own account and I would like to disable internet access. Is there a way I can disable all internet access from the computer itself without changing group policy settings?

Jon

Posted 2009-12-10T14:34:19.607

Reputation: 301

Question was closed 2013-07-16T08:46:03.950

This might actually get a better response on ServerFault. – C. Ross – 2009-12-10T14:35:57.637

can you give us more details? what OS on the networked computer? what is the router/gateway device on the local network? – quack quixote – 2009-12-10T15:30:11.257

Answers

0

The easiest way to do this by far (but anyone technical could bypass) is simply to go to internet properties and change the proxy to something non-existent.

Other than this, if you have no intranet, you could look at Windows Firewall (if this is Vista+; not sure XP supports this) and block port 80 outgoing.

Both of these methods can be countered if the machine is not locked down.

Personally, if there is no reason for users to be on this other than their programs, just completely lock it down through group policy.

William Hilsum

Posted 2009-12-10T14:34:19.607

Reputation: 111 572

-1: changing proxies and blocking port 80 (not to mention port 443, for HTTPS) might shut down a web browser, but "internet access" isn't limited to browsers. +1: locking down through group policy is a good suggestion. – quack quixote – 2009-12-10T15:34:56.503

well, we are talking about a machine used as a server that needs user access - usually, changing proxy or blocking port 80 is enough to discourage people from using it - typically, if they open IE and see page cannot be displayed, that is enough!... but at least I end up with a 0 and not a -1 in your books, so +1 from me! :) – William Hilsum – 2009-12-10T21:13:03.450

maybe the -1 is better applied to the question for being unclear... ;) – quack quixote – 2009-12-11T03:03:14.233

9

Block default gateway in firewall

netsh advfirewall firewall add rule name="Block default gateway" dir=out action=block remoteip=192.168.0.1

is a good method because

  • compared to changing the default gateway address to an invalid address (netsh interface ip set address name="Local Area Connection" static 192.168.0.2 255.255.0.0 0.0.0.0), it doesn't require disabling DHCP
  • compared to changing the DNS address to an invalid address (netsh interface ip set dns "Local Area Connection" static 127.0.0.1 validate=no), access without using DNS (e.g. http://74.125.224.72) is blocked too
  • compared to route delete 0.0.0.0 mask 0.0.0.0 192.168.0.1, the setting is saved

John Peterson

Posted 2009-12-10T14:34:19.607

Reputation: 167

Presumably, in order to reverse this rule, it's just netsh advfirewall firewall delete "Block default gateway"? – Dan Atkinson – 2015-09-07T11:54:23.260

netsh advfirewall firewall delete rule name="Block default gateway" – John Peterson – 2015-09-08T12:43:44.460
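As an added example (not from John Peterson's answer or any of the other posts), the batch script below generalises the host-firewall approach: rather than naming the router, it adds an outbound block rule for every IPv4 address outside the RFC 1918 private ranges (plus one for IPv6 global unicast), so LAN neighbours stay reachable while direct-IP access to the internet is refused as well. It assumes an elevated prompt on Windows Vista or later (netsh advfirewall is not available on XP), and the rule names and the /remove switch are choices made here, not anything the answer specifies.

```batch
@echo off
REM Added example, not part of the original answer. Blocks outbound traffic to
REM all public IPv4/IPv6 addresses while leaving private (RFC 1918) and
REM link-local ranges untouched. Run elevated; Vista or later only.
REM Usage:  block-internet.cmd          adds the rules
REM         block-internet.cmd /remove  deletes them again
setlocal

REM Rule name is an assumption made for this example.
set RULE=Block non-private IPv4 outbound

REM Everything from 1.0.0.0 to 223.255.255.255 except 10/8, 169.254/16
REM (link-local), 172.16/12 and 192.168/16. Multicast (224/4) is left alone.
set PUBLIC=1.0.0.0-9.255.255.255,11.0.0.0-169.253.255.255,169.255.0.0-172.15.255.255,172.32.0.0-192.167.255.255,192.169.0.0-223.255.255.255

if "%~1"=="/remove" goto remove

REM Block rules take precedence over allow rules in Windows Firewall, so the
REM block rule must itself exclude the local ranges instead of relying on a
REM separate "allow local subnet" rule.
netsh advfirewall firewall add rule name="%RULE%" dir=out action=block protocol=any remoteip=%PUBLIC%

REM Without this, a dual-stack host could still reach the internet over IPv6.
netsh advfirewall firewall add rule name="%RULE% (v6)" dir=out action=block protocol=any remoteip=2000::/3

REM Note: netsh also accepts remoteip=defaultgateway, which reproduces the
REM answer's rule without hard-coding the router address.
goto verify

:remove
netsh advfirewall firewall delete rule name="%RULE%"
netsh advfirewall firewall delete rule name="%RULE% (v6)"

:verify
REM Show what is in place. Afterwards a LAN printer or VNC peer should still
REM answer a ping, and a public address such as 74.125.224.72 should not.
netsh advfirewall firewall show rule name="%RULE%"
endlocal
```

Like the answer's own rule, this only holds while users cannot open the firewall console or run netsh themselves; on a machine where they have administrator rights, the router-side filtering suggested in the later answers is the more robust option.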

8

I think the simplest way of doing this is to set a wrong default gateway.

Maciek Sawicki

Posted 2009-12-10T14:34:19.607

Reputation: 1 072

or remove the default route entirely, so the only IPs it can route are those of its local interfaces. without experimenting i'm not sure which approach would work better -- Windows may prefer being lied to. :) – quack quixote – 2009-12-10T15:28:19.357

1

I tried the solution @MaciekSawicki proposes, but I couldn't get it to work. When I set the default gateway to something invalid, it was unable to connect to the network at all - even the local intranet.

Instead, I accomplished this by leaving the connection on DHCP (or a valid manual config) and setting the DNS manually. I set the first DNS server to an invalid IP address (192.0.0.0) and left the second one blank, so no domain names can be resolved to an IP address. This means that anything that explicitly uses the IP instead of a domain name will work, but all names will fail. This makes it pretty useless for end users trying to check their Facebook. If you want to add an allow list of domains that users can resolve, you can put them in a hosts file. Just make sure to keep it updated if IP addresses change.

Mike

Posted 2009-12-10T14:34:19.607

Reputation: 83

This will fail when the user is able and clever enough to edit the DNS servers for his network interface. – klaar – 2016-10-05T10:38:52.953

@klaar That is true. This was a specific workstation I was doing this on that only I have administrator rights to. I needed employees to be able to print, but not access the internet on this device, and this is what worked for me. If you need this to be done on a larger scale, where several clients that you do not have absolute control over shouldn't be able to access the Internet, this solution obviously would not work. In that case you might want to use a firewall on your DHCP server to grant access to the gateway IP only to specific clients based on their MAC addresses. – Mike – 2016-10-05T12:49:26.547

0

I believe you could do this at the router level (depending on your QoS) and put in a rule to BLOCK all traffic (outbound off LAN) for that specific server/computer IP.

That way the server can function just fine internally but the router will drop / deny all access externally.

Jakub

Posted 2009-12-10T14:34:19.607

Reputation: 3 111

0

I also think that changing the default route in your router should do the trick. However, this will not stop the router from routing, if one points to it. Changing the default route as published by the DHCP server will only remove the default route from the client computers. Anyone who adds the route manually will then gain internet access back. And removing the default route FOR THE ROUTER ITSELF might not be a good idea, as it denies access to the internet for everyone.

Another solution might be routing based on the source IP. You could block internet access to IP addresses under x.x.x.128, allowing others. If you have a Linux-based router, such rules could easily be programmed. With a router such as those you buy at the store, this may be a bigger challenge.

Many routers may also have access permissions that can be based on IP range. Check your own router configuration. Or just go Linux!

jfmessier

Posted 2009-12-10T14:34:19.607

Reputation: 2 530