iptables rules for blocking internet but allow local network for devices
I’m trying to block access to the internet for certain devices on my network. DD-WRT has a way to do it but only those that are on WAN. The device is connected on LAN. What would be the iptables rules for blocking internet but allow local network? Somewhere along these lines?
iptables FORWARD ????? -j DROP
Answering the question in the title, you can block forwarding by interface. If your internal interface is eth1, and your external is eth0:
iptables -A FORWARD -i eth1 -o eth0 -j REJECT
Getting the rule in the right place in your FORWARD chain is up to you. And I tend to prefer REJECT to DROP, for internal clients, as it gives them an actual response, and one that makes it clear that they’re not going to succeed.
Dealing with the issue in the question body (which says certain devices, instead of just devices), as Ron Maupin points out there is no simple way to do this, as reliably identifying devices on a network requires an intermediate step.
Assuming your switchgear doesn’t support 802.1x, running an internal VPN allows you to give qualified devices credentials which they can use to secure their egress from the network. I use OpenVPN for this. The issue is addressed in detail in my technote, though in the context of traffic shaping and exemption therefrom, rather than traffic banning and exemption, but the latter is simpler. In broad outline you set up an OpenVPN server on the firewall device, issue keys and certificates to the qualified devices, then allow traffic on the router between the OpenVPN plaintext interface, and the internet, with e.g.
iptables -A FORWARD -i tun+ -o eth0 -j ACCEPT
Don’t forget to permit the return-half traffic as well.
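The three FORWARD rules the answer above describes, in evaluation order and with the return-half rule written out, as an added example that is not part of the original answer. The interface names (eth1, eth0, tun+) are the answer's; the conntrack match, the IPT and APPLY variables and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example. eth1 = LAN, eth0 = WAN, tun+ = OpenVPN plaintext interfaces,
# as named in the answer; override via the environment for other routers.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun+}"
IPT="${IPT:-iptables}"   # assumption: an iptables build that supports -C

# Append a rule to FORWARD only if an identical one is not already present,
# so re-running the script (e.g. from a startup hook) does not stack copies.
ensure_rule() {
    $IPT -C FORWARD "$@" 2>/dev/null || $IPT -A FORWARD "$@"
}

# iptables stops at the first rule with a terminating target, so both
# ACCEPT rules must sit above the REJECT. -A appends at the end of the
# chain: if the router's existing FORWARD chain already has a broader
# ACCEPT above this point, the REJECT will never be reached.
apply_forward_policy() {
    # 1. Return half: replies from the internet back to VPN clients.
    #    (Assumes the conntrack match; older builds use -m state --state.)
    ensure_rule -i "$WAN_IF" -o "$VPN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT &&
    # 2. Outbound half: decrypted traffic from authenticated VPN clients.
    ensure_rule -i "$VPN_IF" -o "$WAN_IF" -j ACCEPT &&
    # 3. Everything else routed from the LAN to the internet is refused.
    #    LAN-to-LAN traffic never crosses eth1 -> eth0, so it is unaffected,
    #    and the encrypted VPN packets are addressed to the router itself
    #    (INPUT chain), not forwarded.
    ensure_rule -i "$LAN_IF" -o "$WAN_IF" -j REJECT
}

# Nothing is changed unless explicitly requested (requires root).
if [ "${APPLY:-0}" = 1 ]; then
    apply_forward_policy
fi
```

Run it with APPLY=1 on the router to install the rules, then confirm the order with `iptables -L FORWARD -n -v --line-numbers`.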