7

I want to update my firewall, so I want to create my own chain that blocks access to the internet but keeps access to the LAN network.

How can I do that?

NotTheDr01ds
  • 17,888
Noux
  • 71
  • Mmmm.. I would say that this should be done with the firewall from your access point unless you use one computer as a local server to filter the traffic from the connected clients. Could you be more precise? Which firewall do you use? Basically in Linux you have iptables, which is the command used to create traffic rules. – kcdtv Jan 17 '17 at 10:22
  • @Noux Edit your question with the output of ifconfig issued on the firewall (assuming you use a Linux PC as the firewall) and let us know which is the WAN and which is the LAN interface. – fugitive Jan 17 '17 at 10:27
  • @kcdtv I am using a PC as a server and I want to make my own traffic rules – Noux Jan 18 '17 at 07:20

1 Answer

5

Assuming it doesn't matter how many interfaces you have, you can block all traffic except traffic to and from your LAN network address subnet by using:

# Incoming: accept packets sourced from each connected subnet, then drop the rest
iptables -A INPUT -s $NETWORK_ADDRESS/$MASK -j ACCEPT
iptables -A INPUT -s $ANOTHER_NETWORK_ADDRESS/$MASK -j ACCEPT
iptables -A INPUT -j DROP
# Outgoing: accept packets destined to each connected subnet, then drop the rest
iptables -A OUTPUT -d $NETWORK_ADDRESS/$MASK -j ACCEPT
iptables -A OUTPUT -d $ANOTHER_NETWORK_ADDRESS/$MASK -j ACCEPT
iptables -A OUTPUT -j DROP

You can find the network addresses and network masks directly connected to your interfaces by typing:

ip r l | grep -v "default" | grep "proto kernel" | awk '{print $1}'

Replace $NETWORK_ADDRESS/$MASK in the iptables commands with the values provided by the ip r l command.

Assuming that you may have a DHCP server on the LAN, you may want to allow this specific traffic in order to obtain an IP address from the server.

In order to accomplish that you need to add more rules to iptables:

iptables -I INPUT 1 -p udp --dport 67:68 --sport 67:68 -j ACCEPT

Explanation:

You need to accept incoming and outgoing traffic from your network address space and after that, you can DROP everything else.

The rule for the DHCP client will be inserted above all the others, even though it is executed last, because of the -I (insert) INPUT "1". In this way, you make sure that you will get an IP address from your DHCP server.

NotTheDr01ds
  • 17,888
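The procedure from the answer above (find the directly connected subnets, accept traffic to and from them, allow DHCP, drop everything else), as an added example that is not part of the original post or the answerer's code. It puts the rules in a dedicated chain, as the question asked for, and generates them as text first so they can be read before they touch a live firewall. The chain name LAN_ONLY, the function names, the sample routing table and the loopback rules are this example's own assumptions:

```shell
#!/bin/sh
# Added example, not code from the original answer: build a LAN-only rule set
# in its own chain from `ip route` output. Chain/function names are assumed.

# Constructed sample of `ip -4 route show` output (not captured from a real host).
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.2
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown'

# lan_subnets ROUTE_TEXT
# Same filter as the answer's `ip r l` pipeline: drop the default route, keep
# kernel-installed (directly connected) routes, print the prefix. A bridge such
# as docker0 counts as "connected" too, even while it is linkdown.
lan_subnets() {
    printf '%s\n' "$1" | grep -v '^default' | grep 'proto kernel' | awk '{print $1}'
}

# lan_only_rules ROUTE_TEXT
# Print the iptables commands one per line without running them, so the set can
# be reviewed or diffed before it is applied.
lan_only_rules() {
    subnets=$(lan_subnets "$1")
    echo "iptables -N LAN_ONLY"
    # DHCP client/server traffic, the answer's rule, but in the shared chain so
    # the client's outgoing DISCOVER (sent to 255.255.255.255) is not dropped either.
    echo "iptables -A LAN_ONLY -p udp --sport 67:68 --dport 67:68 -j ACCEPT"
    for net in $subnets; do
        echo "iptables -A LAN_ONLY -s $net -j ACCEPT"   # packets coming from the LAN
        echo "iptables -A LAN_ONLY -d $net -j ACCEPT"   # packets going to the LAN
    done
    echo "iptables -A LAN_ONLY -j DROP"                  # everything else, i.e. Internet
    # Hook the chain at the top of INPUT and OUTPUT. Loopback is an assumption
    # added here (the posted rules do not cover it): local resolvers and other
    # localhost services break without it. Inserting it at position 1 after the
    # jump places it above the jump.
    echo "iptables -I INPUT 1 -j LAN_ONLY"
    echo "iptables -I INPUT 1 -i lo -j ACCEPT"
    echo "iptables -I OUTPUT 1 -j LAN_ONLY"
    echo "iptables -I OUTPUT 1 -o lo -j ACCEPT"
}

# `sh lan_only.sh apply` (as root) reads the live routing table and executes the
# rules; any other invocation only prints the rules for the constructed sample.
if [ "${1:-}" = "apply" ]; then
    lan_only_rules "$(ip -4 route show)" | sh -e
else
    lan_only_rules "$SAMPLE_ROUTES"
fi
```

Because the generated script runs under sh -e, a second apply stops at `iptables -N LAN_ONLY` when the chain already exists instead of appending duplicate rules; remove the old set first with `iptables -D INPUT -j LAN_ONLY`, `iptables -D OUTPUT -j LAN_ONLY`, `iptables -F LAN_ONLY`, `iptables -X LAN_ONLY`. Check the subnet list the filter produced before applying: anything `proto kernel` is treated as LAN, including virtual bridges.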
  • Can I use this but on the name of my users? And can I benefit from a DNS server? – Noux Jan 18 '17 at 07:32
  • The DNS server issue is another question... yes you can, but first I think you should at least appreciate the first answer to your first question, vote, and then add new details about the initial topic anyway... what do you mean by use it on the name of your users? Did you want to say run not as root? – Stancu Mihai Jan 18 '17 at 08:53
  • I meant, can I make those rules apply to a specific user? I'm new here, I can't vote! – Noux Jan 18 '17 at 09:27
  • After all, why do you want to use a public DNS server if you don't have Internet access? – Stancu Mihai Jan 18 '17 at 09:27
  • User of the PC? Yes, you can apply a specific set of rules for each user when the user logs on. About the voting, I meant, if my answer was correct for your question, then you can choose it as the correct answer! And for the DNS and specific firewall rules for specific users, please open another question and leave me the link here and I'll make a proper how-to. Is that OK for you? – Stancu Mihai Jan 18 '17 at 09:39
  • How can I add and remove a DNS server for a specific user? Should I put that in a new question? – Noux Jan 18 '17 at 09:49
  • I think your approach should be more like: "What should I do to have a different firewall and network configuration for each user of my Ubuntu system?" Because after all, a different DNS for each user is a different network configuration and doesn't have anything to do with the firewall... and yes, put it into a new question. :) – Stancu Mihai Jan 18 '17 at 09:55