Networking – Block WAN Access, Allow LAN Access on Linux Hosts

iptablesnetworking

What I am looking to do is block access to WAN and only allow these hosts to talk to each other on the 192.168.1.0/24 LAN. This configuration should be done on the hosts in question.

There are some similar posts to this, but tend to be too specific use case, or overly complicated. I now pay for internet per/GB. I have certain VM's that don't really need WAN Access after being setup, but seem to be using large amounts of data. (LDAP Server for some reason?)

I'm looking into DD-WRT Filtering, but I wondered how to do this host side.

I will also be looking into enabling WAN Access for 1 hour daily. This could be done via "iptables script" with CRON, or just via DD-WRT.

I'm guessing IPTables is the way to go. I think all of my servers use IPTables, some have UFW and some have FirewallD.

I figure this can be a "generic question" with mostly answers that should work across many/all distros. But just to add, I'm mostly using Ubuntu 14/16 and CentOS 6/7.

Best Answer

Filtering with IPTABLES

This can be accomplished by creating a set of rules for allowed traffic and dropping the rest.

For the OUTPUT chain, create rules to accept loopback traffic and traffic to 192.168.1.0/24 network. Default action is applied when no rules are matched, set it to REJECT.

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
iptables -P OUTPUT REJECT

For INPUT chain, you can create similar rules. Allow traffic from loopback and local network, drop the rest.

You can match established traffic (reply traffic to connections initiated by your host) with a single rule using -m conntrack --ctstate ESTABLISHED. This way you do not need to alter the chain when you want to enable Internet access. This works when you do not run any programs/daemons expecting connections from outside of your local network.

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -P INPUT DROP

If you need to allow connections initiated outside of your local network, you need to configure the INPUT chain in the same way as the OUTPUT chain and use similar mechanism to apply

To allow unrestricted (WAN access) network access, change the default action to ACCEPT. To put the limits back, change the default action back to REJECT. Same effect is achieved by adding/removing -j ACCEPT as last rule.

iptables -P OUTPUT ACCEPT

You can also use iptables time module to accept the traffic at specific time of a day, in which case you do not need to use cron. For example, to allow any outgoing traffic between 12:00 and 13:00 with following rule:

iptables -A OUTPUT -m time --timestart 12:00 --timestop 13:00 -j ACCEPT

Related Solutions

NAT Reflection – How NAT Loopback Works

For a NAT to work properly both the packets from client to server and the packets from server to client must pass through the NAT.

Note that the NAT table in iptables is only used for the first packet of a connection. Later packets related to the connection are processed using the internal mapping tables established when the first packet was translated.

iptables -t nat -A PREROUTING -i br-lan -s 192.168.1.0/24 -d 82.120.11.22/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.200

With just this rule in place the following happens.

The client creates the initial packet (tcp syn) and addresses it to the public IP. The client expects to get a response to this packet with the source ip/port and destination ip/port swapped.
Since the client has no specific entries in its routing table it sends it to its default gateway. The default gateway is the NAT box.
The NAT box receives the intial packet, modifies the destination IP, establishes a mapping table entry, looks up the new destination in its routing table and sends the packets to the server. The source address remains unchanged.
The Server receives the initial packet and crafts a response (syn-ack). In the response the source IP/port is swapped with the destination IP/port. Since the source IP of the incoming packet was unchanged the destination IP of the reply is the IP of the client.
The Server looks up the IP in its routing table and sends the packet back to the client.
The client rejects the packet because the source address doesn't match what it expects.

iptables -t nat -A POSTROUTING -o br-lan -s 192.168.1.0/24 -d 192.168.1.200/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.1.1

Once we add this rule the sequence of events changes.

The client creates the initial packet (tcp syn) and addresses it to the public IP. The client expects to get a response to this packet with the source ip/port and destination ip/port swapped.
Since the client has no specific entries in its routing tables it sends it to its default gateway. The default gateway is the NAT box.
The NAT box receives the intial packet, following the entries in the NAT table it modifies the destination IP, source IP and possiblly source port (source port is only modified if needed to disambiguate), establishes a mapping table entry, looks up the new destination in its routing table and sends the packets to the server.
The Server receives the initial packet and crafts a response (syn-ack). In the response the source IP/port is swapped with the destination IP/port. Since the source IP of the incoming packet was modified by the NAT box the destination IP of the packet is the IP of the NAT box.
The Server looks up the IP in its routing table and sends the packet back to the NAT box.
The NAT box looks up the packet's details (source IP, source port, destination IP, destination port) in its NAT mapping tables and performs a reverse translation. This changes the source IP to the public IP, the source port to 80, the destination IP to the client's IP and the destination port back to whatever source port the client used.
The NAT box looks up the new destination IP in its routing table and sends the packet back to the client.
The client accepts the packet.
Communication continues with the NAT translating packets back and forth.

How to forward traffic across two Ethernet cards

Your issue is mainly the route configuration of the hosts. I assume your current setup is as follow:

enp1s0 interface has ip address 192.168.1.1/24
enp3s0 interface has ip address 192.168.176.1/24

For hosts between the two IP network to communicate, they need a dedicated entry in their routing table.

The hosts on 192.168.1.0/24 that need to access the IP camera need to know that 192.168.1.1 is the router for 192.168.176.0/24.
The hosts on 192.168.176.0/24 need a route to 192.168.1.0/24.

Now I assume that the static/DHCP configuration for the IP cameras is to route default traffic through 192.168.176.1, so they know where to send packets for the PCs. But the PCs on 192.168.1.0/24 have only one default entry the internet router. So any packet to 192.168.176.0/24 get sent there and lost.

You can either

configure your DHCP router on 192.168.1.0/24 to advertise a static route to 192.168.176.0/24 via 192.168.1.1 with the "classless static route" option
add manually 192.168.1.1 as a gateway to 192.168.176.0/24 on the PCs

You will also need to flush your iptables rules. The POSTROUTING rule will mess up the routing and the FORWARD rule is useless (unless you have a DROP policy).

iptables -t nat -F POSTROUTING
iptables -F FORWARD

Your cameras could see the PCs because they were configured with a default gateway of 192.168.176.1 and the nat POSTROUTING entry. For example if IP camera 192.168.176.10 sends a packet to PC 192.168.1.20, the packet will first be sent to 192.168.176.1 (enp3s0) the default gateway. The Ubuntu PC will forward the packet to enp1s0, rewriting the sender's address as its own, 192.168.1.1. When 192.168.1.20 replies the packet, it sends it back to the substituted address, 192.168.1.1. When the Ubuntu PC receives it, it knows it is a reply to the IP camera 192.168.176.10. So it rewrites the destination address to 192.168.176.10 and fowards it through enp3s0.

Now you don't want to mess packets with NAT, you just need IP routing. In the preceding example, the PC sees the camera IP address as 192.168.1.1, as it was substituted by the Ubuntu PC. Once you have set correct routes,

in a connection initiated by the PC to the camera, the PC will see the camera IP address as 192.168.176.10.
in a connection initiated by the camera to the PC, the PC will still see the camera IP address as 192.168.1.1 (NAT'ed address)

For simple IP devices, the second is unlikely to matter. But that could lead to buggy behaviour. As an example, if you had a managed switch and you wanted to use SNMP traps. You should delete the iptables -t nat -A POSTROUTING -j MASQUERADE rule.

One issue that will arise: Do you want your IP cameras to access the internet? If not, I would include an iptables FORWARD route to deny packets from 192.168.176.0/24 going anywhere except 192.168.1.0/24. If you wish to grant access, you will need to configure your router with a static route to 192.168.176.0/24.

Best Answer

Filtering with IPTABLES

Related Solutions

NAT Reflection – How NAT Loopback Works

How to forward traffic across two Ethernet cards

Related Question