
#1 2021-06-23 03:38:09

Mizho
Member
Registered: 2021-06-23
Posts: 14

[solved] - block internet access and keep LAN access - ufw

Hi,

I want to block my internet access in/out, with an exception for the LAN, which I sync/backup some content through. I'd prefer a one-command solution that I issue and the internet is blocked, and later in the day I want to unblock it. So far, I've found some IPTABLES rules online, but since I am a newbie I couldn't wrap my head around them! Likewise, I tried UFW, which seems to be the easiest solution, but couldn't figure it out. Is it possible to have such functionality with UFW?

Using gUFW, I could drop all traffic, but adding a subsequent rule to allow LAN (192.168.0.0/24) didn't work, and I lost all connections including LAN. Also, I had the problem that to unblock the internet, I had to remove the rules (and later add them back) manually each time. Hence, I am asking here if it's possible and hopefully someone can help me write a command/script to block/unblock WAN internet.



Later I might consider making Google/Wikipedia an exception and adding them, but at this point only dropping all in/out traffic to WAN is enough.

Last edited by Mizho (2021-06-23 16:36:38)


#2 2021-06-23 06:27:10

seth
Member
Registered: 2012-09-03
Posts: 49,980

Re: [solved] - block internet access and keep LAN access - ufw

I could drop all traffic, but adding a subsequent rule to allow LAN (192.168.0.0/24)

This will be how it's generally done, easiest by wrapping it in a script, see
https://askubuntu.com/questions/872852/ … s-firewall

To undo that you either remove the rules or reset the filter, https://wiki.archlinux.org/title/Iptabl … ting_rules

If it "didn't work", please provide details on what exactly you issued and how it "didn't work" - nb. that your LAN isn't necessarily 192.168.0.0/24


#3 2021-06-23 13:50:33

Mizho
Member
Registered: 2021-06-23
Posts: 14

Re: [solved] - block internet access and keep LAN access - ufw

Thanks Seth,

Actually, I've seen that thread and my problem with it is: I'm using ufw and already have some rules (e.g. on ssh) for it, and messing with iptables (including enabling it) and then flushing might conflict with my ufw rules. It's also written in archwiki/ufw, if I get it right?

Hence, I've been trying to do it with ufw; for example, I tried these commands:

sudo ufw default deny incoming
sudo ufw default deny outgoing

And then trying to add subsequent allow for LAN such as:

sudo ufw allow to 192.168.0.0/24
sudo ufw allow from 192.168.0.0/24

I have also tried deny/reject 0.0.0.0/0 as well, but since I think I don't have a basic understanding of networking this might not be right. However, I kind of understand ufw and it's easier to use, so I'm asking if there is any solution with this firewall?

Please feel free to ask if you want any more detail.


#4 2021-06-23 14:14:23

seth
Member
Registered: 2012-09-03
Posts: 49,980

Re: [solved] - block internet access and keep LAN access - ufw

I'm using ufw and already have some rules

Yeah, that's kind of an important piece of information.
UFW operates on the same backend, so mixing them is indeed not a good idea.

sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow to 192.168.0.0/24
sudo ufw allow from 192.168.0.0/24

So *how* does this not work™?

ip a
ufw status

Edit: ok, this doesn't work indeed - despite "ufw status" suggesting it would. "Uncomplicated"…

Edit #2: It's a syntax error

# sudo ufw default deny incoming # default anyway
sudo ufw default deny outgoing
sudo ufw allow out to 192.168.0.0/24
sudo ufw allow in from 192.168.0.0/24 # in is default, this is why the above doesn't work

Last edited by seth (2021-06-23 15:12:24)
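As an added example (not code from the thread), the corrected rule set above wrapped in a toggle script, so one invocation blocks WAN and the next reopens it. It assumes ufw is already enabled with the default "deny incoming" policy, that the LAN is 192.168.0.0/24 (check with `ip a`, as noted above), and it reads the current state from the "deny (outgoing)" text in `ufw status verbose`. The LAN prefix, the `UFW` dry-run variable and the function names are this example's own choices.

```bash
#!/bin/bash
# Added example (not from the thread): switch ufw between "LAN only" and open WAN
# using the corrected rule syntax from post #4. Assumes ufw is already enabled with
# "default deny incoming", and that the LAN is 192.168.0.0/24 (check with `ip a`).
set -u

LAN="${LAN:-192.168.0.0/24}"   # assumed LAN prefix
UFW="${UFW:-sudo ufw}"         # set UFW=echo to print the commands instead of running them

# The "WAN blocked" rule set, one ufw argument list per line. Direction keywords are
# explicit: without "out", ufw reads "allow to ..." as an inbound rule.
block_rules() {
  printf '%s\n' \
    "default deny outgoing" \
    "allow out to $LAN" \
    "allow in from $LAN"
}

# The inverse: drop the LAN exceptions, then reopen outgoing traffic.
unblock_rules() {
  printf '%s\n' \
    "delete allow in from $LAN" \
    "delete allow out to $LAN" \
    "default allow outgoing"
}

# Read `ufw status verbose` text on stdin; succeed when outgoing traffic is denied.
wan_blocked() {
  grep -q 'deny (outgoing)'
}

# Feed each line of a rule list to ufw.
apply_rules() {
  while IFS= read -r rule; do
    # shellcheck disable=SC2086  # splitting $UFW and $rule into words is intended
    $UFW $rule
  done
}

toggle() {
  if $UFW status verbose | wan_blocked; then
    unblock_rules | apply_rules
    echo "WAN open"
  else
    block_rules | apply_rules
    echo "WAN blocked, LAN $LAN still allowed"
  fi
}

# Only act when invoked as "wan-toggle toggle"; otherwise just define the functions.
if [ "${1:-}" = "toggle" ]; then
  toggle
fi
```

Run it as `./wan-toggle toggle`; `UFW=echo ./wan-toggle toggle` shows the ufw commands that would be issued without touching the firewall. Because the state is taken from ufw itself rather than from a file, the script stays correct if the rules are changed by hand in between.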


#5 2021-06-23 15:25:45

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: [solved] - block internet access and keep LAN access - ufw

Or you could remove/add the gateway instead.


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles


#6 2021-06-23 15:29:43

Mizho
Member
Registered: 2021-06-23
Posts: 14

Re: [solved] - block internet access and keep LAN access - ufw

Dear Seth, that is awesome. I just tested it and now it works! I had made a bad mistake. Many thanks! I will change the topic to solved.


#7 2021-06-23 15:30:33

Mizho
Member
Registered: 2021-06-23
Posts: 14

Re: [solved] - block internet access and keep LAN access - ufw

Slithery wrote:

Or you could remove/add the gateway instead.


Thanks for the nice suggestion, I did it via this:

sudo ip route replace default via <fake_gateway>

and restore it to the correct one. This is neat.

Last edited by Mizho (2021-06-23 15:45:16)
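As an added example (not code from the thread), the route swap from this post automated so that the real default route is saved before it is parked and restored from that copy afterwards. It assumes a single default route, that `PARK` is an unused address on the LAN (on-link, so the kernel accepts it as a next hop, but no host answers there), and it keeps the saved route under `XDG_RUNTIME_DIR` (falling back to /tmp); those names and the `IP` dry-run variable are this example's own. Note that this only affects off-link destinations: anything that installs its own route (a VPN client, a second interface) is not covered, so the ufw rules earlier in the thread are the more reliable block.

```bash
#!/bin/bash
# Added example (not from the thread): automate the route swap from post #7. The real
# default route is saved before it is pointed at a dead next hop, so restoring it needs
# no manual lookup. Assumptions: a single default route; PARK is an unused address on
# the LAN (on-link, so the kernel accepts it as a gateway, but no host answers there).
set -u

PARK="${PARK:-192.168.0.254}"                          # assumed spare LAN address
STATE="${STATE:-${XDG_RUNTIME_DIR:-/tmp}/wan_route}"   # where the real route is kept
IP="${IP:-sudo ip}"                                    # set IP=echo for a dry run

# Print the gateway from `ip route show default` text on stdin (nothing if none).
gateway_of() {
  awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Succeed when the default route on stdin already points at the parking address.
wan_parked() {
  [ "$(gateway_of)" = "$PARK" ]
}

block_wan() {
  route=$($IP route show default)
  [ -n "$route" ] || { echo "no default route to save" >&2; return 1; }
  printf '%s\n' "$route" > "$STATE"          # remember the real route verbatim
  $IP route replace default via "$PARK"      # park the default route
  echo "WAN blocked (default via $PARK)"
}

restore_wan() {
  [ -s "$STATE" ] || { echo "no saved route in $STATE" >&2; return 1; }
  # Remove the parked route first: if the real one carried a metric, the two would
  # otherwise coexist and the parked one would keep winning.
  $IP route del default via "$PARK"
  # shellcheck disable=SC2046  # the saved line is meant to be split into arguments
  $IP route replace $(cat "$STATE")          # `ip route show` output is valid `ip route` input
  rm -f "$STATE"
  echo "WAN open"
}

toggle() {
  if $IP route show default | wan_parked; then restore_wan; else block_wan; fi
}

if [ "${1:-}" = "toggle" ]; then
  toggle
fi
```

`IP=echo ./wan-route toggle` prints the `ip route` commands that would run. If the machine gets its route from DHCP or NetworkManager, a lease renewal may reinstall the real default route behind the script's back, which is another reason to prefer the firewall-based approach for anything beyond a quick manual switch.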


#8 2021-06-24 12:28:25

herOldMan
Member
Registered: 2013-10-11
Posts: 151

Re: [solved] - block internet access and keep LAN access - ufw

Hi,

I use two scripts. The first is toggleInternet, which changes the block state (if it's blocked, then unblock it, and if it's unblocked, then block it).

The second, messageBan, is a front end for toggleInternet which notifies the user when the state is changed in my WM notification area.

toggleInternet:

#!/bin/bash
# Toggle between "LAN only" and open: a final DROP rule in INPUT marks the blocked state.
state=$(sudo iptables -S | grep 'INPUT -j DROP')
if [ -z "$state" ]
then
	# Allow the LAN and loopback in both directions, then drop everything else
	sudo iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
	sudo iptables -A INPUT -i lo -j ACCEPT
	sudo iptables -A INPUT -j DROP
	sudo iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
	sudo iptables -A OUTPUT -o lo -j ACCEPT
	sudo iptables -A OUTPUT -j DROP
	echo "Internet Banned"
else
	# Remove the DROP rules and the ACCEPT rules added with them, so repeated
	# toggling does not leave duplicate ACCEPT entries behind
	sudo iptables -D INPUT -j DROP
	sudo iptables -D OUTPUT -j DROP
	sudo iptables -D INPUT -s 192.168.1.0/24 -j ACCEPT
	sudo iptables -D INPUT -i lo -j ACCEPT
	sudo iptables -D OUTPUT -d 192.168.1.0/24 -j ACCEPT
	sudo iptables -D OUTPUT -o lo -j ACCEPT
	echo "Internet Open"
fi

messageBan:

#!/bin/bash
cd ~/
# Capture the state line printed by toggleInternet and show it as a desktop notification
state=$(sudo /home/max/bashScripts/toggleInternet)
notify-send -t 2500 "$state" --icon=dialog-information

messageBan is associated with a panel icon that performs the toggle with a click.
