iptables to allow intranet but block all internet

Issues related to configuring your network
Rocketrrt
Posts: 51
Joined: 2016/09/15 16:51:31

iptables to allow intranet but block all internet

Post by Rocketrrt » 2018/10/03 20:59:04

Hi,

I am trying to allow intranet (any 10.1.???.??) traffic but block internet. I have created a new chain (chk_nointernet_user) for a group called nointernet:

iptables --new-chain chk_nointernet_user
iptables -A OUTPUT -m owner --gid-owner nointernet -j chk_nointernet_user

and I have added these entries:

iptables -A chk_nointernet_user -p tcp --syn -d 10.1.0.0/16 -j RETURN
iptables -A chk_nointernet_user -o lo -j REJECT

This is blocking everything. I want intranet but block internet. I must not be using the right rules. Any help on this would be appreciated.

Ron

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables to allow intranet but block all internet

Post by TrevorH » 2018/10/03 21:27:46

And when you return from chk_nointernet_user does your OUTPUT chain allow the access or does it drop through and take a REJECT or DROP from that or the OUTPUT policy?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Rocketrrt
Posts: 51
Joined: 2016/09/15 16:51:31

Re: iptables to allow intranet but block all internet

Post by Rocketrrt » 2018/10/03 22:17:15

Return allows internet and intranet (full access). The new chain is the last part of the iptables. If the user group is not nointernet then everything works fine (full access). Does the chain need to go first?

Thanks,
Ron

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables to allow intranet but block all internet

Post by TrevorH » 2018/10/03 22:27:36

You misunderstood the question. It'll be easier if you just post the complete output from iptables-save

Rocketrrt
Posts: 51
Joined: 2016/09/15 16:51:31

Re: iptables to allow intranet but block all internet

Post by Rocketrrt » 2018/10/03 22:33:27

Hi Trevor,

Here is the output from iptables-save:

# Generated by iptables-save v1.4.21 on Wed Oct 3 15:30:25 2018
*filter
:INPUT ACCEPT [107:15386]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:283]
:chk_nointernet_user - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -m owner --gid-owner 1001 -j chk_nointernet_user
-A chk_nointernet_user -d 10.1.0.0/24 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j RETURN
-A chk_nointernet_user -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed Oct 3 15:30:25 2018
# Generated by iptables-save v1.4.21 on Wed Oct 3 15:30:25 2018
*nat
:PREROUTING ACCEPT [23823:3963103]
:INPUT ACCEPT [15686:2932377]
:OUTPUT ACCEPT [2230:144602]
:POSTROUTING ACCEPT [2228:144281]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Oct 3 15:30:25 2018
# Generated by iptables-save v1.4.21 on Wed Oct 3 15:30:25 2018
*mangle
:PREROUTING ACCEPT [5455332:768774259]
:INPUT ACCEPT [5447195:767743533]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5610505:15476793205]
:POSTROUTING ACCEPT [5378126:754001018]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed Oct 3 15:30:25 2018

Thanks,
Ron

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables to allow intranet but block all internet

Post by jlehtone » 2018/10/04 08:21:28

Rocketrrt wrote on 2018/10/03 20:59:04:
I am trying to allow intranet (any 10.1.???.??) traffic but block internet.
In or out?

As is, everything can connect to your machine. (That is not the default.)
You only (try to) block one group in your machine from connecting to some outside devices.

Rocketrrt
Posts: 51
Joined: 2016/09/15 16:51:31

Re: iptables to allow intranet but block all internet

Post by Rocketrrt » 2018/10/04 13:01:21

Hi,

The new chain (chk_nointernet_user) is the only thing I have created (the rest is default). We have some users that have no internet access. It is correct that only 1 group should be blocked to outside devices (group nointernet).

We are using this as a terminal server that supports about 150 users using XRDP. Each user has their own desktop. Some users are not allowed to use the internet but must have access to everything on 10.1.?.?.
This includes internal web sites, printers, etc....

If I remove iptables -A chk_nointernet_user -j REJECT (using -D instead of -A), then they have access to everything including the internet. With that line in there they are also losing connections to the 10.1.?.? including the XRDP Login. I can login as them on the machine and with that line they cannot connect to 10.1.?.?.

Ron
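The symptom in the last post follows directly from the chain shown in the iptables-save output. The only RETURN rule matches TCP packets with just the SYN flag set, destined for 10.1.0.0/24 (the dump shows /24, while the first post typed /16); every other packet a nointernet user generates, including the ACK that completes a TCP handshake to an intranet host, UDP DNS queries, ICMP, loopback traffic and anything to 10.1.x.x outside the /24, falls through to the unconditional REJECT. The following Python model is an added illustration written for this thread, not code from any of the posters. It emulates only the matches the saved rule set uses (-d, -p, --tcp-flags, -o) and the RETURN/REJECT targets, walks a constructed set of packets through the chain from the dump and through a hardened variant that returns all loopback and 10.1.0.0/16 traffic for any protocol, and reports both verdicts. All packets, addresses (203.0.113.10 is a documentation address) and the interface name eth0 are constructed.

```python
"""Model of the OUTPUT -> chk_nointernet_user traversal from the thread.

Added illustration, not code from the forum posts. Only the matches used by
the saved rule set are emulated; every packet and address is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """A locally generated packet as the OUTPUT chain sees it."""
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    syn_only: bool = False  # TCP with SYN set and FIN/RST/ACK clear
    out_if: str = "eth0"    # assumed interface name


@dataclass(frozen=True)
class Rule:
    """One line of a user-defined chain; None means 'match anything'."""
    target: str                   # "RETURN" or "REJECT"
    dst: Optional[str] = None     # -d CIDR
    proto: Optional[str] = None   # -p
    syn_only: bool = False        # --tcp-flags FIN,SYN,RST,ACK SYN
    out_if: Optional[str] = None  # -o


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every match the rule carries agrees with the packet."""
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.syn_only and not (pkt.proto == "tcp" and pkt.syn_only):
        return False
    if rule.out_if is not None and rule.out_if != pkt.out_if:
        return False
    return True


def verdict(chain, pkt, caller_policy="ACCEPT"):
    """Walk the chain in order. RETURN hands the packet back to OUTPUT, where
    nothing else matches it, so the OUTPUT policy (ACCEPT in the dump) applies.
    Falling off the end of a user chain has the same effect as RETURN."""
    for rule in chain:
        if matches(rule, pkt):
            return caller_policy if rule.target == "RETURN" else rule.target
    return caller_policy


# The chain exactly as iptables-save printed it in the thread (note /24).
THREAD_CHAIN = [
    Rule("RETURN", dst="10.1.0.0/24", proto="tcp", syn_only=True),
    Rule("REJECT"),
]

# Hardened variant (assumed fix, not from the thread): return loopback and
# the whole 10.1.0.0/16 regardless of protocol or TCP flags, reject the rest.
# Equivalent iptables lines:
#   iptables -A chk_nointernet_user -o lo -j RETURN
#   iptables -A chk_nointernet_user -d 10.1.0.0/16 -j RETURN
#   iptables -A chk_nointernet_user -j REJECT
FIXED_CHAIN = [
    Rule("RETURN", out_if="lo"),
    Rule("RETURN", dst="10.1.0.0/16"),
    Rule("REJECT"),
]

# Constructed traffic from a member of the nointernet group.
SAMPLE_PACKETS = {
    "tcp SYN to 10.1.0.5 (handshake start)": Packet("10.1.0.5", "tcp", syn_only=True),
    "tcp ACK to 10.1.0.5 (handshake completion)": Packet("10.1.0.5", "tcp"),
    "udp DNS query to 10.1.0.2": Packet("10.1.0.2", "udp"),
    "tcp SYN to 10.1.7.20 (outside the /24)": Packet("10.1.7.20", "tcp", syn_only=True),
    "icmp echo to 10.1.0.1": Packet("10.1.0.1", "icmp"),
    "tcp SYN to 203.0.113.10 (public address)": Packet("203.0.113.10", "tcp", syn_only=True),
    "tcp to 127.0.0.1 over lo": Packet("127.0.0.1", "tcp", out_if="lo"),
}


def compare(packets=SAMPLE_PACKETS):
    """Return {description: (verdict under thread chain, verdict under fixed chain)}."""
    return {name: (verdict(THREAD_CHAIN, p), verdict(FIXED_CHAIN, p))
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:45} thread={before:7} fixed={after}")
```

Running the block shows the thread chain accepting only the opening SYN to a 10.1.0.x host and rejecting everything else, which is why sessions to the intranet start and then die, while the hardened chain accepts all intranet and loopback traffic and still rejects the public address. Two caveats for anyone adapting it: if the resolver in /etc/resolv.conf lives outside 10.1.0.0/16, name lookups for the group will be rejected too, and the model does not cover INPUT, which in the dump is left at policy ACCEPT for every source.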
