On my home network I am setting up a CentOS server that will be used by about a dozen or so for educational purposes - e.g. learn how to use the Linux shell and host websites, among other things. I have port 22 and port 80 on my router so they will be able to log in via SSH over the Internet.
As I cannot fully trust these users, I am currently trying to lock down the server as much as possible (checking permissions, blocking torrents, etc.) Since I don't want people probing the rest of the computers on my network though the server, I would like to block traffic to computers on the local LAN while still allowing traffic to the Internet.
I'm not super familiar with iptables, but I've tried setting a few iptables rules - it first allows traffic to 192.168.1.1 (router) and 192.168.1.2 (computer I'm using to configure the server), and then blocks traffic to 192.168.1.0/24 and logs such traffic. The remainder of the traffic should be allowed. However, the problem is that the server cannot make connections to the Internet.
Here is my current iptables config:
Chain OUTPUT (policy ACCEPT) num target prot opt source destination 1 ACCEPT all -- 0.0.0.0/0 192.168.1.2 2 ACCEPT all -- 0.0.0.0/0 192.168.1.1 3 LOGGING all -- 0.0.0.0/0 0.0.0.0/0 4 DROP all -- 0.0.0.0/0 192.168.1.0/24 5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 Chain LOGGING (1 references) num target prot opt source destination 1 LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 7 prefix `DROP: ' 2 DROP all -- 0.0.0.0/0 0.0.0.0/0 Pinging the allowed IPs (192.168.1.1 and 192.168.1.2) works (good), but pinging Google does not (bad):
[root@server ~]# ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. ping: sendmsg: Operation not permitted ping: sendmsg: Operation not permitted ^C --- 8.8.8.8 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 1950ms [root@server ~]# ping 192.168.1.2 PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data. 64 bytes from 192.168.1.2: icmp_seq=1 ttl=128 time=0.294 ms 64 bytes from 192.168.1.2: icmp_seq=2 ttl=128 time=0.270 ms Of course I understand that there's a certain level of trust involved in granting people access to a server on my network, but I still want to harden it as much as I can. If anyone can comment on other things I can do I'd appreciate that as well.
Thanks in advance!
2 Answers
OK I figured out the problem myself so I'll answer my own question for reference. The issue was that all traffic was going through the LOGGING chain, and the second rule of the LOGGING chain drops all traffic. I just removed rule 2 from the LOGGING chain and everything worked.
I'm having similar challenge, I have am IOT device with several vulnerabilities I want to segregate on my LAN, but its connected through a switch with other devices that I do NOT want to be segregated. I've tried creating a separate CHAIN and putting a reference to it at the beginning of the INPUT chain for anything with a source of the IOT device or destination of the IOT device, and then in the new chain, if the source is LAN and the destination is IoT then DROP or if the source is IoT and the Destination is LAN then DROP, but I can't get it to drop packets, can still ping and access the device. even tried adding my rules to the beginning of several other chains to see if it made a difference, but no luck - any ideas?
b1tphr34k@RT-AC87U-C598:/tmp/home/root# iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination TIVOFILTER all -- 192.168.10.8 anywhere TIVOFILTER all -- anywhere 192.168.10.8 logdrop icmp -- anywhere anywhere icmp echo-request logaccept all -- anywhere anywhere state RELATED,ESTABLISHED logdrop all -- anywhere anywhere state INVALID PTCSRVWAN all -- anywhere anywhere PTCSRVLAN all -- anywhere anywhere ACCEPT all -- anywhere anywhere state NEW ACCEPT all -- anywhere anywhere state NEW logaccept udp -- anywhere anywhere udp spt:bootps dpt:bootpc INPUT_ICMP icmp -- anywhere anywhere logdrop all -- anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination DROP all -- 192.168.10.8 192.168.10.0/24 DROP all -- 192.168.10.0/24 192.168.10.8 logaccept all -- anywhere anywhere state RELATED,ESTABLISHED logdrop all -- anywhere anywhere logdrop all -- anywhere anywhere state INVALID logaccept all -- anywhere anywhere SECURITY all -- anywhere anywhere NSFW all -- anywhere anywhere logaccept all -- anywhere anywhere ctstate DNAT logaccept all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination DROP all -- 192.168.10.0/24 192.168.10.8 DROP all -- 192.168.10.8 192.168.10.0/24 Chain ACCESS_RESTRICTION (0 references) target prot opt source destination Chain FUPNP (0 references) target prot opt source destination ACCEPT udp -- anywhere 192.168.10.5 udp dpt:54927 ACCEPT tcp -- anywhere 192.168.10.7 tcp dpt:32400 Chain INPUT_ICMP (1 references) target prot opt source destination RETURN icmp -- anywhere anywhere icmp echo-request RETURN icmp -- anywhere anywhere icmp timestamp-request logaccept icmp -- anywhere anywhere Chain NSFW (1 references) target prot opt source destination logdrop udp -- anywhere anywhere udp spt:https logdrop udp -- anywhere anywhere udp dpt:https logdrop udp -- anywhere anywhere udp spt:www logdrop udp -- anywhere anywhere udp dpt:www logdrop icmp -- anywhere anywhere icmp timestamp-request logdrop icmp -- anywhere anywhere icmp timestamp-reply RETURN all -- anywhere anywhere Chain PControls (0 references) target prot opt source destination logaccept all -- anywhere anywhere Chain PTCSRVLAN (1 references) target prot opt source destination Chain PTCSRVWAN (1 references) target prot opt source destination Chain SECURITY (1 references) target prot opt source destination RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 logdrop tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 logdrop tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 logdrop icmp -- anywhere anywhere icmp echo-request RETURN all -- anywhere anywhere Chain TIVOFILTER (2 references) target prot opt source destination DROP all -- 192.168.10.0/24 192.168.10.8 DROP all -- 192.168.10.8 192.168.10.0/24 Chain logaccept (8 references) target prot opt source destination LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT " ACCEPT all -- anywhere anywhere Chain logdrop (14 references) target prot opt source destination LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP " DROP all -- anywhere anywhere 1