Prevent a machine from making outbound connections, but allow incoming (v027)

Problem:

One of the Linux boxes on our LAN was being used as a teaching tool a few months ago. A group of newbies had permission to log in via SSH, and tinker with GCC and various other Linux tools.

We wanted to make sure they couldn't use the box to make outgoing connections to the Internet (because we didn't want them surfing for pr0n with Lynx, or portscanning people, or launching DoS attacks from our machine).

Solution:

Our first thought was to simply drop all outgoing packets sent from the Linux box. Unfortunately, that would prevent the newbies from logging in at all (since all server responses would be dropped at the router).

Instead, we needed to block outgoing connection attempts (SYN packets), while still allowing established connections to transmit data out to the Internet.

Log in to your Freesco box as root (via telnet). Type:

cd /mnt/router/rc
edit rc_masq

Find the line that says “ban() {”, and on the line just after it, type the following:

ipfwadm -F -a reject -S <ipaddress> -y -o

Replace <ipaddress> with the IP address of the machine you want to prevent from connecting to the Internet. The -S option limits the rule to packets whose source is that address, and -y matches only TCP packets with the SYN flag set and the ACK flag clear, i.e. connection requests; replies on established connections are left alone. Next, restart your firewall:

/mnt/router/rc/rc_masq restart

And you're done. At this point, the blocked machine can't make outgoing connections, but it can still accept incoming connections just fine.

Warning: Do not rely on this if you're working with advanced users. There are many ways to circumvent this form of connection blocking (eg: sending packets without the SYN bit set). Our users were fairly clueless, so we felt that we were safe enough with this level of protection. If you're opening your machine to the public, you're going to need far better protection than this.

But if you just want to prevent your kid from surfing for pr0n from his Windows machine, then this should suffice. :)
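To make the behaviour of the rule concrete, here is a small Python model of it, added to this howto as an example (it is not part of the original page or of Freesco). It evaluates a constructed packet trace twice: once with a stateless model of the "ipfwadm ... -y" rule from the Solution above, and once with a hypothetical connection-tracking filter that only lets the blocked host send packets belonging to connections that were opened from the outside. The second filter is what the Warning above is pointing at: a bare ACK with no SYN slips past the stateless rule but not the stateful one. The blocked-host address, the remote addresses, the ports and the trace are all constructed for the example.

```python
"""Stateless SYN-blocking rule versus a stateful alternative (added example).

Not code from the howto or from Freesco.  All addresses, ports and the packet
trace below are constructed so the script runs offline.
"""
from dataclasses import dataclass

BLOCKED_HOST = "192.168.1.50"   # constructed: the teaching box on the LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def ipfwadm_syn_rule(pkt: Packet) -> str:
    """Stateless model of:  ipfwadm -F -a reject -S <ipaddress> -y -o

    -S restricts the rule to packets from the blocked host; -y matches only
    TCP segments with SYN set and ACK clear (connection requests); -o merely
    turns on logging.  Anything else falls through to the default (accept).
    """
    if pkt.src == BLOCKED_HOST and pkt.syn and not pkt.ack:
        return "reject"
    return "accept"


class StatefulFilter:
    """Hypothetical connection-tracking filter (not an ipfwadm feature).

    It remembers every connection that was opened *towards* the blocked host
    and lets the blocked host transmit only inside one of those connections.
    A packet towards a host that never opened a connection is rejected even
    when it carries no SYN, which closes the gap the Warning describes.
    """

    def __init__(self, blocked_host: str) -> None:
        self.blocked_host = blocked_host
        self.inbound_flows: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.dst == self.blocked_host and pkt.syn and not pkt.ack:
            # Inbound connection request: record the 4-tuple as a known flow.
            self.inbound_flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        if pkt.src == self.blocked_host:
            # Outbound traffic is only allowed as a reply within a known flow.
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "accept" if reverse in self.inbound_flows else "reject"
        return "accept"


# Constructed trace: an SSH login from outside, then two outbound attempts.
TRACE = [
    Packet("203.0.113.7", 40000, BLOCKED_HOST, 22, syn=True),            # inbound SYN
    Packet(BLOCKED_HOST, 22, "203.0.113.7", 40000, syn=True, ack=True),  # SYN/ACK reply
    Packet(BLOCKED_HOST, 45000, "198.51.100.9", 80, syn=True),           # outbound SYN
    Packet(BLOCKED_HOST, 45000, "198.51.100.9", 80, ack=True),           # bare ACK, no SYN
]


def evaluate(trace: list[Packet]) -> list[tuple[str, str]]:
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    stateful = StatefulFilter(BLOCKED_HOST)
    return [(ipfwadm_syn_rule(p), stateful.decide(p)) for p in trace]


if __name__ == "__main__":
    for pkt, (stateless, tracked) in zip(TRACE, evaluate(TRACE)):
        flags = ("S" if pkt.syn else "-") + ("A" if pkt.ack else "-")
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{flags}] "
              f"ipfwadm={stateless:6} stateful={tracked}")
```

Running the script shows the SSH login and its SYN/ACK reply accepted by both filters and the outbound SYN rejected by both, while the final SYN-less packet is accepted by the ipfwadm model and rejected only by the stateful one. Real packet filters with connection tracking (the successors to ipfwadm) implement the second behaviour; the rule in this howto gives you only the first.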

made by Steve Blinch


Note by — dingetje 2004/12/10 23:56

I'm surprised by the last step 'restart your nameserver' because a change was made in the firewall script, so I would find it much more logical (captain) when it would say 'restart your firewall', so rc_masq restart

Mathieu CATTIN 2004/12/11 01:33 Sorry about that…it's fixed now.

 
freesco/howtos/prevent_a_machine_from_making_outbound_connections_but_allow_incoming.txt (51916 views) · Last modified: 2005/09/14 00:49 (external edit)