
I'm accessing my Ubuntu machine using RDP from a Windows desktop, in the same wifi network (that is, I'm only using RDP locally, not through the internet). I want to disable all internet traffic, but still allow WLAN traffic, because I need it to control the machine via RDP.

Is there a simple option/rule in RDP to make that happen? If possible, I'd like to create a script or have some easy option to quickly block all internet/allow all internet again.

The reason I want to do this is that I often leave the machine on and don't attend it, update it etc. The security config is also not the best, since it's more of a test machine. It's a good idea I think to disable the internet in these cases just to avoid any attacks.

Related question: block internet access and keep LAN access - firewall (it uses iptables directly, but I'm not savvy enough to handle them, I'd prefer to use UFW)

flen

1 Answer


Internet is blocked already!

It is not clear what you mean by block internet. If you mean anyone from the internet can access your Ubuntu computer, then the internet is blocked by the default ufw rule to deny any incoming.

Use this command to enable ufw:

sudo ufw enable

That is all you need to do to stop internet (and your home network) accessing your computer.

Setup ufw to allow RDP only from the LAN

This command will allow Windows RDP to reach your computer from within your home WiFi:

sudo ufw allow from 192.168.x.0/24 to any port 3389

Note: Check your home router's setting and verify the IP address range it uses and change the command above accordingly. The x in the IP address in the command above may be a 0 or a 1.

If you want more... (Don't)

If you mean you don't want this computer to make any outgoing connections, then you may want:

sudo ufw default deny outgoing

Note: This will stop the computer from getting automatic security updates and any access to the internet from this computer.

Warning: This command may also stop this computer from communicating with your local network. I have not tested this rule.

You will need a rule to allow the Ubuntu computer to send information to Windows if you have the default set to deny all outgoing packets. This command may work:

sudo ufw allow out to 192.168.0.0/24 port 3389

I have not tested this rule. You may need more rules like this for RDP to work if you use the rule to deny all outgoing packets.

If the above rule does not work and/or you want to allow all outgoing traffic to your home network, you may use a more general rule like:

sudo ufw allow out to 192.168.0.0/24

Hope this helps

user68186
  • Thanks a lot! It does help, but I have some UFW rules allowing incoming traffic in a few ports. Unfortunately, I don't think there's a simple enable/disable option for rules in UFW? I think I'd have to write a script to add all rules back again every time (the problem is that adding a rule via the CLI doesn't allow me to give the rule a name and modify it using UFW GUI). Or maybe if I switch UFW profiles? – flen May 19 '22 at 19:27
  • I don't know if such a thing exists (apart from iptables and UFW), but I wanted to stop all traffic via internet (ip protocol) and only allow WLAN traffic. But my WLAN is the internet's router... If this is possible at all, it'd probably involve delving into the router's config which is more trouble than it's worth. Anyway, I think I'm paranoid, as you correctly said, if I "want more... (don't)", blocking random incoming traffic is already enough – flen May 19 '22 at 19:32
  • You are welcome. What you are asking in this comment is beyond the scope of the original question. You can enable/disable ufw as a whole but not a set of rules. I have not used profiles with ufw. – user68186 May 19 '22 at 19:32
  • 1
    @flen I have added one more ufw rule to my answer. The first and the last ufw rules under the section If you want more... (Don't) should block all outgoing traffic to the internet but allow all outgoing traffic to your home network. – user68186 May 19 '22 at 19:48