Shorewall - Allow Client to Ping Internet but Not Use the Browser or Port 80
My network address is 192.168.5.0. My host machine is 192.168.5.1 and my client machine is 192.168.5.2. How will I enable my client to ping the internet through the terminal but restrict it from using port 80 or the browser? Below is my /etc/shorewall/policy file:

SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
loc net ACCEPT
net all DROP info

/etc/shorewall/rules file:

DROP loc fw tcp 80

/etc/shorewall/interfaces file:

net eth0
loc eth1

Host Interfaces:
eth0 - Connection to the internet
eth1 - Local Network Connection

Please tell me if I still have to provide more details. Using the configuration above, my client is unable to ping any internet website and at the same time can't access any site from the browser.
networking server firewall
This question has an open bounty worth +50 reputation from Eliyah ending tomorrow.
edited Mar 21 at 5:02 by Eliyah
asked Mar 16 at 13:34 by Eliyah (566)
1 Answer
On rules, when you use:
DROP loc fw tcp 80
You're saying: disallow the local network zone (loc) from accessing port TCP/80 on zone fw. But your conf shows no zone called fw (probably you meant $FW, but that would represent the firewall machine itself). You could try something like this:
Ping(ACCEPT) loc net
HTTP(DROP) loc net
HTTPS(DROP) loc net
AFAICR, shorewall adds a DROP ALL rule at the end of each chain*, so the two rules for dropping HTTP and HTTPS could be removed (because everything that isn't explicitly allowed is blocked by the final DROP ALL rule).
*This behaviour is defined in the policy file.
edited Mar 22 at 12:04
answered Mar 21 at 13:03 by JucaPirama (3396)
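To make the answer's two points concrete (the asker's rule targets zone fw, so it never touches loc-to-net traffic, and whatever no rule matches is decided by the policy file), here is an added example that is not part of the question, the answer, or Shorewall itself. It is a toy first-match evaluator: it models only the ordering Shorewall follows (rules top to bottom, first match wins, then the first matching policy line), expands the Ping/HTTP/HTTPS macros with their standard Shorewall bodies (icmp type 8, tcp 80, tcp 443), and runs the question's files and the answer's suggested rules against a few constructed connections. The zone list is an assumption, since the question does not show /etc/shorewall/zones.

```python
"""Toy first-match evaluator for Shorewall-style rules with policy fallback.

Added example, not Shorewall's own code. It models only what the answer
relies on: the rules file is scanned top to bottom, the first matching
line decides, and a connection matching no rule falls through to the
first matching line of the policy file. The zone set and the sample
connections are constructed for the demo.
"""
from dataclasses import dataclass

# Standard Shorewall macro bodies: protocol and destination port / ICMP type
MACROS = {
    "Ping": ("icmp", "8"),    # ICMP echo-request
    "HTTP": ("tcp", "80"),
    "HTTPS": ("tcp", "443"),
}

# Assumed zone set: the usual firewall zone plus the two zones in the question
ZONES = {"fw", "loc", "net"}


@dataclass(frozen=True)
class Conn:
    src_zone: str
    dst_zone: str
    proto: str
    dport: str          # TCP/UDP destination port, or ICMP type


@dataclass(frozen=True)
class Rule:
    action: str
    src_zone: str
    dst_zone: str
    proto: str = "-"    # "-" means any, as in the Shorewall files
    dport: str = "-"

    def matches(self, c: Conn) -> bool:
        return (self.src_zone in ("all", c.src_zone)
                and self.dst_zone in ("all", c.dst_zone)
                and self.proto in ("-", c.proto)
                and self.dport in ("-", c.dport))


def _lines(text: str):
    """Yield config lines, skipping blanks, comments and the column header."""
    for line in text.strip().splitlines():
        line = line.strip()
        if line and not line.startswith("#") and not line.startswith("SOURCE"):
            yield line


def parse_rule(line: str) -> Rule:
    """Parse 'ACTION SRC DST [PROTO] [DPORT]' or 'Macro(ACTION) SRC DST'."""
    f = line.split()
    action, src, dst = f[0], f[1], f[2]
    if "(" in action:                         # macro invocation, e.g. HTTP(DROP)
        macro, inner = action.rstrip(")").split("(")
        proto, dport = MACROS[macro]
        return Rule(inner, src, dst, proto, dport)
    proto = f[3] if len(f) > 3 else "-"
    dport = f[4] if len(f) > 4 else "-"
    return Rule(action, src, dst, proto, dport)


def parse_policy(line: str) -> Rule:
    """Policy lines are 'SRC DST POLICY [LOGLEVEL ...]'; extra columns are ignored."""
    src, dst, action = line.split()[:3]
    return Rule(action, src, dst)


def undefined_zones(rules_text: str, zones=ZONES) -> set:
    """Zone names a rules file references without defining them (Shorewall refuses to compile those)."""
    bad = set()
    for line in _lines(rules_text):
        r = parse_rule(line)
        bad.update(z for z in (r.src_zone, r.dst_zone) if z != "all" and z not in zones)
    return bad


def decide(rules_text: str, policy_text: str, conn: Conn):
    """Return (verdict, reason): first matching rule, else first matching policy line."""
    for line in _lines(rules_text):
        if parse_rule(line).matches(conn):
            return parse_rule(line).action, "rule: " + line
    for line in _lines(policy_text):
        if parse_policy(line).matches(conn):
            return parse_policy(line).action, "policy: " + line
    return "DROP", "no policy matched"   # Shorewall itself would reject such a config


# Constructed inputs: the question's files and the answer's suggested rules
ASKER_POLICY = """
SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
loc net ACCEPT
net all DROP info
"""
ASKER_RULES = "DROP loc fw tcp 80"
ANSWER_RULES = """
Ping(ACCEPT) loc net
HTTP(DROP) loc net
HTTPS(DROP) loc net
"""
STRICT_POLICY = "loc net DROP\nnet all DROP info"   # the variant the answer's footnote implies

WEB = Conn("loc", "net", "tcp", "80")
PING = Conn("loc", "net", "icmp", "8")
SSH = Conn("loc", "net", "tcp", "22")

if __name__ == "__main__":
    print("zones the asker's rule needs but interfaces don't define:",
          undefined_zones(ASKER_RULES, {"loc", "net"}))
    print("asker's rule, web:", decide(ASKER_RULES, ASKER_POLICY, WEB))
    print("answer's rules, web:", decide(ANSWER_RULES, ASKER_POLICY, WEB))
    print("answer's rules, ssh:", decide(ANSWER_RULES, ASKER_POLICY, SSH))
    print("Ping only + DROP policy, web:", decide("Ping(ACCEPT) loc net", STRICT_POLICY, WEB))
```

Running it shows why the original rule had no visible effect: with the destination zone fw, it never matches a loc-to-net connection, so web traffic is accepted by the `loc net ACCEPT` policy line. With the answer's three rules and the same policy, HTTP and HTTPS are dropped but anything else (SSH, for instance) is still accepted by the policy. Only when the loc-to-net policy is DROP does a single `Ping(ACCEPT) loc net` rule suffice, which is the footnote's point: the "final DROP" is whatever the policy file says it is.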