Block internal IP Internet access except one site [SOLVED]

Gruntruck · June 5, 2018, 10:08pm

Hi,

This might be a stupid question but I am not really sure how iptables work.

I have LEDE router with 192.168.0.x internal network. I would like to prevent internal IP 192.168.0.100 from accessing internet except for one particular host name/port number. I figured out that all Internet access for 192.168.0.100 can be disabled by creating a custom Firewall rule:
iptables -I FORWARD -j DROP -s 192.168.0.100

But I would still want for it to be able to communicate to www.acme.whatever on port 1234 and 5678.

How do I do that?

Thanks!

lleachii · June 5, 2018, 10:53pm

If you can settle with the IP address, this will work simply:

Make 2 ACCEPT rules for 192.168.0.100 to reach Server_IP using ports 1234 and 5678
Under these rules, make a DROP all rule for the same IP
Done!

jeff · June 5, 2018, 11:08pm

If DNS for www.acme.whatever is under your control and you know it has a "fixed", single IP and all communication required for the services are on those two ports, and no other servers, those ignore the rest of this.

Could be a challenge if the IP address is changing from time to time. Multiple addresses for the same host would require multiple rules. I don't know what you/they have on those ports, but HTTP in particular may redirect to another host and HTML pages often require resources from other hosts to render properly.

Gruntruck · June 6, 2018, 6:32am

Thanks for the heads up. Basically, I only want this box to be able to send mail via external mail server using TLS, and nothing else. IP does not change so I can hard-code IP instead of host name.

Gruntruck · June 6, 2018, 6:34am

Do you mind quoting the exact rules that would achieve this?

Basically, I want 192.168.0.100 to be able to communicate to external 123.123.123.123 on port 587 and block everything else...

lleachii · June 6, 2018, 2:17pm

These rules are pretty basic in OpenWrt. I'd advise reviewing the "Forwardings" section at: https://openwrt.org/docs/guide-user/firewall/firewall_configuration

config rule
	option enabled '1'
	option src 'lan'
	option dest 'wan'
	option name 'Allow_device'
	option family 'ipv4'
	option proto 'tcp'
	option src_ip '192.168.0.100'
	option dest_ip '123.123.123.123'
	option dest_port '587'
	option target 'ACCEPT'

config rule
	option enabled '1'
	option src 'lan'
	option dest 'wan'
	option name 'Drop_device'
	option family 'ipv4'
	option proto 'all'
	option src_ip '192.168.0.100'
	option target 'DROP'

Gruntruck · June 6, 2018, 3:23pm

Thanks, this is what I initially tried through Luci but it didn't work.
After adding it manually into /etc/config/firewall and reloading (and blocking everything, not just TCP) it started working.

One additional question: can I somehow configure a host name instead of IP?
Thing is, this is a mail server and for resilience reason, it is load shared across two IP's. I got it working by manually adding both IP's to "ALLOW" but it would be much neater if it could take care of it by itself through DNS?

Basically, you ping acme.whatever and first time it is 123.123.123.123. Next time you ping it it is 123.123.123.124. Third time it is 123.123.123.123 again etc.

Many thanks!

lleachii · June 6, 2018, 3:36pm

I generated the rules using LuCI...odd.

I forgot that, glad you figured out the DROP rule.

I'm not sure it would be much easier. You would have to make a script to do an nslookup then write the rules. Please recall, during the brief time that this script runs, your device in question will have Internet access.

Gruntruck · June 6, 2018, 5:46pm

No worries, this is perfectly good . IP's are not changing that often (I hope). Now I know the basics and can craft new rules

lleachii · June 6, 2018, 5:49pm

If the rules worked, consider editing the title of the thread and appending "[SOLVED]" to the title.

psherman · June 6, 2018, 6:29pm

@Gruntruck - Depending on the situation, you might want to run these rules against a specific MAC address as a more robust (although not entirely bulletproof) solution. This will avoid issues with changes of the IP address of the local device.

It is probably safe to go strictly with your local IP addresses if the device is under your control (for example, maybe you're trying to limit what an IoT device can do). Simply set a static IP on the device or a DHCP reservation to ensure that it always gets the same IP and you're done.

However, if the device in question is controlled by someone else that might want to circumvent the restriction, they could theoretically change the device IP address to something else (manual static IP on device) and would bypass your rules. MAC address cloning/spoofing would also achieve the same thing, but that is a bit less likely than someone simply changing the local IP address.

Gruntruck · June 6, 2018, 6:39pm

Agree. But in this case it is locking down "known" internal devices on "need to know" basis. DHCP knows their MAC's and serves reserved IP depending on the list. It is basically the same thing as blocking on MAC-level. Iphones get full access, security cameras none, alarms get mail only etc.

Chinese IoT stuff, everything running Android etc. is never touching the Internal network. It is connected to separate guest network/WiFi with client isolation turned on

tmomas · June 12, 2018, 6:39pm

This topic was automatically closed 6 days after the last reply. New replies are no longer allowed.