Block traffic to LAN but allow traffic to Internet (iptables)

2

1

On my home network I am setting up a CentOS server that will be used by about a dozen or so for educational purposes - e.g. learn how to use the Linux shell and host websites, among other things. I have port 22 and port 80 on my router so they will be able to log in via SSH over the Internet.

As I cannot fully trust these users, I am currently trying to lock down the server as much as possible (checking permissions, blocking torrents, etc.) Since I don't want people probing the rest of the computers on my network though the server, I would like to block traffic to computers on the local LAN while still allowing traffic to the Internet.

I'm not super familiar with iptables, but I've tried setting a few iptables rules - it first allows traffic to 192.168.1.1 (router) and 192.168.1.2 (computer I'm using to configure the server), and then blocks traffic to 192.168.1.0/24 and logs such traffic. The remainder of the traffic should be allowed. However, the problem is that the server cannot make connections to the Internet.

Here is my current iptables config:

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            192.168.1.2
2    ACCEPT     all  --  0.0.0.0/0            192.168.1.1
3    LOGGING    all  --  0.0.0.0/0            0.0.0.0/0
4    DROP       all  --  0.0.0.0/0            192.168.1.0/24
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain LOGGING (1 references)
num  target     prot opt source               destination
1    LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 7 prefix `DROP: '
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0

Pinging the allowed IPs (192.168.1.1 and 192.168.1.2) works (good), but pinging Google does not (bad):

[root@server ~]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1950ms

[root@server ~]# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=128 time=0.294 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=128 time=0.270 ms

Of course I understand that there's a certain level of trust involved in granting people access to a server on my network, but I still want to harden it as much as I can. If anyone can comment on other things I can do I'd appreciate that as well.

Thanks in advance!

tlng5

Posted 2014-11-21T23:46:08.750

Reputation: 43

Answers

2

OK I figured out the problem myself so I'll answer my own question for reference. The issue was that all traffic was going through the LOGGING chain, and the second rule of the LOGGING chain drops all traffic. I just removed rule 2 from the LOGGING chain and everything worked.

tlng5

Posted 2014-11-21T23:46:08.750

Reputation: 43

0

I'm having similar challenge, I have am IOT device with several vulnerabilities I want to segregate on my LAN, but its connected through a switch with other devices that I do NOT want to be segregated. I've tried creating a separate CHAIN and putting a reference to it at the beginning of the INPUT chain for anything with a source of the IOT device or destination of the IOT device, and then in the new chain, if the source is LAN and the destination is IoT then DROP or if the source is IoT and the Destination is LAN then DROP, but I can't get it to drop packets, can still ping and access the device. even tried adding my rules to the beginning of several other chains to see if it made a difference, but no luck - any ideas?

b1tphr34k@RT-AC87U-C598:/tmp/home/root# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
TIVOFILTER  all  --  192.168.10.8         anywhere
TIVOFILTER  all  --  anywhere             192.168.10.8
logdrop    icmp --  anywhere             anywhere             icmp echo-request
logaccept  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
logdrop    all  --  anywhere             anywhere             state INVALID
PTCSRVWAN  all  --  anywhere             anywhere
PTCSRVLAN  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
logaccept  udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
INPUT_ICMP  icmp --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  192.168.10.8         192.168.10.0/24
DROP       all  --  192.168.10.0/24      192.168.10.8
logaccept  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
logdrop    all  --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere             state INVALID
logaccept  all  --  anywhere             anywhere
SECURITY   all  --  anywhere             anywhere
NSFW       all  --  anywhere             anywhere
logaccept  all  --  anywhere             anywhere             ctstate DNAT
logaccept  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.168.10.0/24      192.168.10.8
DROP       all  --  192.168.10.8         192.168.10.0/24

Chain ACCESS_RESTRICTION (0 references)
target     prot opt source               destination

Chain FUPNP (0 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             192.168.10.5         udp dpt:54927
ACCEPT     tcp  --  anywhere             192.168.10.7         tcp dpt:32400

Chain INPUT_ICMP (1 references)
target     prot opt source               destination
RETURN     icmp --  anywhere             anywhere             icmp echo-request
RETURN     icmp --  anywhere             anywhere             icmp timestamp-request
logaccept  icmp --  anywhere             anywhere

Chain NSFW (1 references)
target     prot opt source               destination
logdrop    udp  --  anywhere             anywhere             udp spt:https
logdrop    udp  --  anywhere             anywhere             udp dpt:https
logdrop    udp  --  anywhere             anywhere             udp spt:www
logdrop    udp  --  anywhere             anywhere             udp dpt:www
logdrop    icmp --  anywhere             anywhere             icmp timestamp-request
logdrop    icmp --  anywhere             anywhere             icmp timestamp-reply
RETURN     all  --  anywhere             anywhere

Chain PControls (0 references)
target     prot opt source               destination
logaccept  all  --  anywhere             anywhere

Chain PTCSRVLAN (1 references)
target     prot opt source               destination

Chain PTCSRVWAN (1 references)
target     prot opt source               destination

Chain SECURITY (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
logdrop    icmp --  anywhere             anywhere             icmp echo-request
RETURN     all  --  anywhere             anywhere

Chain TIVOFILTER (2 references)
target     prot opt source               destination
DROP       all  --  192.168.10.0/24      192.168.10.8
DROP       all  --  192.168.10.8         192.168.10.0/24

Chain logaccept (8 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (14 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP       all  --  anywhere             anywhere

Jeremy Sadler

Posted 2014-11-21T23:46:08.750

Reputation: 1

This is a question, not an answer, you had to put it in the question area, so you would surely find help – Rodney Salcedo – 2019-04-10T14:36:13.730

Asked: 2014-11-21T23:46:08.750

Viewed: 4 253 times

Active: 2017-12-08T03:41:38.893