Block internal IP Internet access except one site [SOLVED]


This might be a stupid question but I am not really sure how iptables work.

I have LEDE router with 192.168.0.x internal network. I would like to prevent internal IP from accessing internet except for one particular host name/port number. I figured out that all Internet access for can be disabled by creating a custom Firewall rule:
iptables -I FORWARD -j DROP -s

But I would still want for it to be able to communicate to www.acme.whatever on port 1234 and 5678.

How do I do that?


If you can settle with the IP address, this will work simply:

  • Make 2 ACCEPT rules for to reach Server_IP using ports 1234 and 5678
  • Under these rules, make a DROP all rule for the same IP
  • Done!

If DNS for www.acme.whatever is under your control and you know it has a "fixed", single IP and all communication required for the services are on those two ports, and no other servers, those ignore the rest of this.

Could be a challenge if the IP address is changing from time to time. Multiple addresses for the same host would require multiple rules. I don't know what you/they have on those ports, but HTTP in particular may redirect to another host and HTML pages often require resources from other hosts to render properly.

Thanks for the heads up. Basically, I only want this box to be able to send mail via external mail server using TLS, and nothing else. IP does not change so I can hard-code IP instead of host name.

Do you mind quoting the exact rules that would achieve this?

Basically, I want to be able to communicate to external on port 587 and block everything else...

These rules are pretty basic in OpenWrt. I'd advise reviewing the "Forwardings" section at:

config rule
	option enabled '1'
	option src 'lan'
	option dest 'wan'
	option name 'Allow_device'
	option family 'ipv4'
	option proto 'tcp'
	option src_ip ''
	option dest_ip ''
	option dest_port '587'
	option target 'ACCEPT'

config rule
	option enabled '1'
	option src 'lan'
	option dest 'wan'
	option name 'Drop_device'
	option family 'ipv4'
	option proto 'all'
	option src_ip ''
	option target 'DROP'

Thanks, this is what I initially tried through Luci but it didn't work.
After adding it manually into /etc/config/firewall and reloading (and blocking everything, not just TCP) it started working.

One additional question: can I somehow configure a host name instead of IP?
Thing is, this is a mail server and for resilience reason, it is load shared across two IP's. I got it working by manually adding both IP's to "ALLOW" but it would be much neater if it could take care of it by itself through DNS?

Basically, you ping acme.whatever and first time it is Next time you ping it it is Third time it is again etc.

Many thanks!

I generated the rules using LuCI...odd.

I forgot that, glad you figured out the DROP rule.

I'm not sure it would be much easier. You would have to make a script to do an nslookup then write the rules. Please recall, during the brief time that this script runs, your device in question will have Internet access.

No worries, this is perfectly good . IP's are not changing that often (I hope). Now I know the basics and can craft new rules :blush:

1 Like

If the rules worked, consider editing the title of the thread and appending "[SOLVED]" to the title.

@Gruntruck - Depending on the situation, you might want to run these rules against a specific MAC address as a more robust (although not entirely bulletproof) solution. This will avoid issues with changes of the IP address of the local device.

It is probably safe to go strictly with your local IP addresses if the device is under your control (for example, maybe you're trying to limit what an IoT device can do). Simply set a static IP on the device or a DHCP reservation to ensure that it always gets the same IP and you're done.

However, if the device in question is controlled by someone else that might want to circumvent the restriction, they could theoretically change the device IP address to something else (manual static IP on device) and would bypass your rules. MAC address cloning/spoofing would also achieve the same thing, but that is a bit less likely than someone simply changing the local IP address.

Agree. But in this case it is locking down "known" internal devices on "need to know" basis. DHCP knows their MAC's and serves reserved IP depending on the list. It is basically the same thing as blocking on MAC-level. Iphones get full access, security cameras none, alarms get mail only etc.

Chinese IoT stuff, everything running Android etc. is never touching the Internal network. It is connected to separate guest network/WiFi with client isolation turned on :slight_smile:

1 Like

This topic was automatically closed 6 days after the last reply. New replies are no longer allowed.