Block traffic to LAN but allow traffic to Internet (iptables)
Mia Lopez
On my home network I am setting up a CentOS server that will be used by about a dozen or so people for educational purposes - e.g. to learn how to use the Linux shell and host websites, among other things. I have port 22 and port 80 forwarded on my router so they will be able to log in via SSH over the Internet.
As I cannot fully trust these users, I am currently trying to lock down the server as much as possible (checking permissions, blocking torrents, etc.). Since I don't want people probing the rest of the computers on my network through the server, I would like to block traffic to computers on the local LAN while still allowing traffic to the Internet.
I'm not super familiar with iptables, but I've tried setting a few iptables rules - it first allows traffic to 192.168.1.1 (router) and 192.168.1.2 (computer I'm using to configure the server), and then blocks traffic to 192.168.1.0/24 and logs such traffic. The remainder of the traffic should be allowed. However, the problem is that the server cannot make connections to the Internet.
Here is my current iptables config:
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 192.168.1.2
2 ACCEPT all -- 0.0.0.0/0 192.168.1.1
3 LOGGING all -- 0.0.0.0/0 0.0.0.0/0
4 DROP all -- 0.0.0.0/0 192.168.1.0/24
5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain LOGGING (1 references)
num target prot opt source destination
1 LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 7 prefix `DROP: '
2 DROP all -- 0.0.0.0/0 0.0.0.0/0
Pinging the allowed IPs (192.168.1.1 and 192.168.1.2) works (good), but pinging Google does not (bad):
[root@server ~]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1950ms
[root@server ~]# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=128 time=0.294 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=128 time=0.270 ms
Of course I understand that there's a certain level of trust involved in granting people access to a server on my network, but I still want to harden it as much as I can. If anyone can comment on other things I can do I'd appreciate that as well.
Thanks in advance!
2 Answers
OK I figured out the problem myself so I'll answer my own question for reference. The issue was that all traffic was going through the LOGGING chain, and the second rule of the LOGGING chain drops all traffic. I just removed rule 2 from the LOGGING chain and everything worked.
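The rule order that caused this, and a corrected version, as an added example that is not part of either answer above. The script assumes the addresses from the question (LAN 192.168.1.0/24, router 192.168.1.1, admin machine 192.168.1.2) and that nothing else manages the OUTPUT chain, since it flushes it; the dry-run switch (`IPT=echo`, default unless `APPLY=1`) is a convenience of this example, not an iptables feature. Two things differ from the listing in the question: the jump to LOGGING carries a `-d 192.168.1.0/24` match, so only LAN-bound packets reach the chain and its final DROP can stay (the original jump at rule 3 matched every packet, which is why the Internet was unreachable, and with the DROP simply removed, rule 3 still logs a rate-limited sample of all outbound traffic under a "DROP: " prefix even though rule 5 then accepts it); and a state match at the top lets replies to already-accepted inbound SSH/HTTP connections out regardless of where the client sits, which is not something the server's users can abuse to probe the LAN.

```shell
#!/bin/sh
# Added example (not the poster's script): OUTPUT-chain policy for a shared
# server on 192.168.1.0/24 that may talk to the Internet but not to the LAN.
# Assumed addresses from the question: LAN 192.168.1.0/24, router 192.168.1.1,
# admin workstation 192.168.1.2. Run with APPLY=1 as root to load the rules;
# otherwise the iptables commands are printed (dry run, IPT=echo).
set -eu

IPT="${IPT:-iptables}"
LAN="192.168.1.0/24"
ROUTER="192.168.1.1"
ADMIN="192.168.1.2"

apply_rules() {
    # Create the LOGGING chain if missing, then start both chains empty.
    # Note: this flushes OUTPUT entirely; merge by hand if other rules live there.
    $IPT -N LOGGING 2>/dev/null || true
    $IPT -F LOGGING
    $IPT -F OUTPUT

    # Replies belonging to connections already accepted by INPUT (SSH/HTTP
    # sessions opened by users, wherever they are) are allowed. The server
    # only answers here; it cannot originate a LAN probe through this rule.
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN exceptions: the router (default gateway, usually also the DNS
    # resolver) and the workstation used to administer the server.
    $IPT -A OUTPUT -d "$ROUTER" -j ACCEPT
    $IPT -A OUTPUT -d "$ADMIN"  -j ACCEPT

    # Only packets for the rest of the LAN enter LOGGING. The original rule 3
    # had no -d match, so Internet-bound packets also hit the chain's DROP.
    $IPT -A OUTPUT -d "$LAN" -j LOGGING

    # Everything else is Internet traffic and is allowed (policy stays ACCEPT).
    $IPT -A OUTPUT -j ACCEPT

    # LOGGING: rate-limited log line, then drop. Keeping the DROP is safe
    # because only LAN-bound traffic can reach this chain now.
    $IPT -A LOGGING -m limit --limit 10/min --limit-burst 5 \
        -j LOG --log-level 7 --log-prefix "LAN DROP: "
    $IPT -A LOGGING -j DROP
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    IPT=echo apply_rules
fi
```

Check the result with `iptables -L OUTPUT -n -v --line-numbers`: packet counters on the `LOGGING` jump should only grow when a user tries to reach a LAN address, while `ping 8.8.8.8` and `ssh` back out to an Internet host keep working. Remember this only constrains traffic the server itself originates; the INPUT chain still decides who may connect in.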
I'm having a similar challenge. I have an IoT device with several vulnerabilities that I want to segregate on my LAN, but it's connected through a switch with other devices that I do NOT want to be segregated. I've tried creating a separate CHAIN and putting a reference to it at the beginning of the INPUT chain for anything with a source of the IoT device or a destination of the IoT device, and then in the new chain, if the source is LAN and the destination is IoT then DROP, or if the source is IoT and the destination is LAN then DROP, but I can't get it to drop packets; I can still ping and access the device. I even tried adding my rules to the beginning of several other chains to see if it made a difference, but no luck. Any ideas?
b1tphr34k@RT-AC87U-C598:/tmp/home/root# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
TIVOFILTER all -- 192.168.10.8 anywhere
TIVOFILTER all -- anywhere 192.168.10.8
logdrop icmp -- anywhere anywhere icmp echo-request
logaccept all -- anywhere anywhere state RELATED,ESTABLISHED
logdrop all -- anywhere anywhere state INVALID
PTCSRVWAN all -- anywhere anywhere
PTCSRVLAN all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
logaccept udp -- anywhere anywhere udp spt:bootps dpt:bootpc
INPUT_ICMP icmp -- anywhere anywhere
logdrop all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 192.168.10.8 192.168.10.0/24
DROP all -- 192.168.10.0/24 192.168.10.8
logaccept all -- anywhere anywhere state RELATED,ESTABLISHED
logdrop all -- anywhere anywhere
logdrop all -- anywhere anywhere state INVALID
logaccept all -- anywhere anywhere
SECURITY all -- anywhere anywhere
NSFW all -- anywhere anywhere
logaccept all -- anywhere anywhere ctstate DNAT
logaccept all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 192.168.10.0/24 192.168.10.8
DROP all -- 192.168.10.8 192.168.10.0/24
Chain ACCESS_RESTRICTION (0 references)
target prot opt source destination
Chain FUPNP (0 references)
target prot opt source destination
ACCEPT udp -- anywhere 192.168.10.5 udp dpt:54927
ACCEPT tcp -- anywhere 192.168.10.7 tcp dpt:32400
Chain INPUT_ICMP (1 references)
target prot opt source destination
RETURN icmp -- anywhere anywhere icmp echo-request
RETURN icmp -- anywhere anywhere icmp timestamp-request
logaccept icmp -- anywhere anywhere
Chain NSFW (1 references)
target prot opt source destination
logdrop udp -- anywhere anywhere udp spt:https
logdrop udp -- anywhere anywhere udp dpt:https
logdrop udp -- anywhere anywhere udp spt:www
logdrop udp -- anywhere anywhere udp dpt:www
logdrop icmp -- anywhere anywhere icmp timestamp-request
logdrop icmp -- anywhere anywhere icmp timestamp-reply
RETURN all -- anywhere anywhere
Chain PControls (0 references)
target prot opt source destination
logaccept all -- anywhere anywhere
Chain PTCSRVLAN (1 references)
target prot opt source destination
Chain PTCSRVWAN (1 references)
target prot opt source destination
Chain SECURITY (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
logdrop tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
logdrop tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
logdrop icmp -- anywhere anywhere icmp echo-request
RETURN all -- anywhere anywhere
Chain TIVOFILTER (2 references)
target prot opt source destination
DROP all -- 192.168.10.0/24 192.168.10.8
DROP all -- 192.168.10.8 192.168.10.0/24
Chain logaccept (8 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT all -- anywhere anywhere
Chain logdrop (14 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP all -- anywhere anywhere