Shorewall - Allow Client to Ping Internet but Not Use the Browser or Port 80












1















My network address is 192.168.5.0. My host machine is 192.168.5.1 and my client machine is 192.168.5.2. How will I enable my client to ping the internet through the terminal but restrict it from using port 80 or the browser? Below is my /etc/shorewall/policy file :



SOURCE    DEST    POLICY    LOGLEVEL   RATE    CONNLIMIT

loc net ACCEPT

net all DROP info


/etc/shorewall/rules file:



DROP    loc    fw    tcp   80


/etc/shorewall/interfaces file :



net   eth0
loc eth1


Host Interfaces:



eth0 - Connection to the internet
eth1 - Local Network Connection


Please tell me, if I still have to provide more details. Using the configuration above, my client is unable to ping any internet website and at the same time cant access any site from the browser.










share|improve this question

















This question has an open bounty worth +50
reputation from Eliyah ending tomorrow.


This question has not received enough attention.


Any help would be very much appreciated.





















    1















    My network address is 192.168.5.0. My host machine is 192.168.5.1 and my client machine is 192.168.5.2. How will I enable my client to ping the internet through the terminal but restrict it from using port 80 or the browser? Below is my /etc/shorewall/policy file :



    SOURCE    DEST    POLICY    LOGLEVEL   RATE    CONNLIMIT

    loc net ACCEPT

    net all DROP info


    /etc/shorewall/rules file:



    DROP    loc    fw    tcp   80


    /etc/shorewall/interfaces file :



    net   eth0
    loc eth1


    Host Interfaces:



    eth0 - Connection to the internet
    eth1 - Local Network Connection


    Please tell me, if I still have to provide more details. Using the configuration above, my client is unable to ping any internet website and at the same time cant access any site from the browser.










    share|improve this question

















    This question has an open bounty worth +50
    reputation from Eliyah ending tomorrow.


    This question has not received enough attention.


    Any help would be very much appreciated.



















      1












      1








      1








      My network address is 192.168.5.0. My host machine is 192.168.5.1 and my client machine is 192.168.5.2. How will I enable my client to ping the internet through the terminal but restrict it from using port 80 or the browser? Below is my /etc/shorewall/policy file :



      SOURCE    DEST    POLICY    LOGLEVEL   RATE    CONNLIMIT

      loc net ACCEPT

      net all DROP info


      /etc/shorewall/rules file:



      DROP    loc    fw    tcp   80


      /etc/shorewall/interfaces file :



      net   eth0
      loc eth1


      Host Interfaces:



      eth0 - Connection to the internet
      eth1 - Local Network Connection


      Please tell me, if I still have to provide more details. Using the configuration above, my client is unable to ping any internet website and at the same time cant access any site from the browser.










      share|improve this question
















      My network address is 192.168.5.0. My host machine is 192.168.5.1 and my client machine is 192.168.5.2. How will I enable my client to ping the internet through the terminal but restrict it from using port 80 or the browser? Below is my /etc/shorewall/policy file :



      SOURCE    DEST    POLICY    LOGLEVEL   RATE    CONNLIMIT

      loc net ACCEPT

      net all DROP info


      /etc/shorewall/rules file:



      DROP    loc    fw    tcp   80


      /etc/shorewall/interfaces file :



      net   eth0
      loc eth1


      Host Interfaces:



      eth0 - Connection to the internet
      eth1 - Local Network Connection


      Please tell me, if I still have to provide more details. Using the configuration above, my client is unable to ping any internet website and at the same time cant access any site from the browser.







      networking server firewall






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Mar 21 at 5:02







      Eliyah

















      asked Mar 16 at 13:34









      EliyahEliyah

      566




      566






      This question has an open bounty worth +50
      reputation from Eliyah ending tomorrow.


      This question has not received enough attention.


      Any help would be very much appreciated.








      This question has an open bounty worth +50
      reputation from Eliyah ending tomorrow.


      This question has not received enough attention.


      Any help would be very much appreciated.
























          1 Answer
          1






          active

          oldest

          votes


















          3














          On rules, when you use:



          DROP    loc    fw    tcp   80


          Your're saying: disallow local network zone (loc) from access port TCP/80 on zone fw. But your conf shows no zone called fw (probably you meant $FW, but that would represent the firewall machine itself). You could try something like this:



          Ping(ACCEPT)    loc    net
          HTTP(DROP) loc net
          HTTPS(DROP) loc net


          AFAICR, shorewall adds a DROP ALL rule at the end of each chain*, so the two rules for dropping HTTP and HTTPS could be removed (because everything that isn't explicitly allowed is blocked by the final DROP ALL rule).



          *This behaviour is defined at the policy file.






          share|improve this answer

























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "89"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1126160%2fshorewall-allow-client-to-ping-internet-but-not-use-the-browser-or-port-80%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            3














            On rules, when you use:



            DROP    loc    fw    tcp   80


            Your're saying: disallow local network zone (loc) from access port TCP/80 on zone fw. But your conf shows no zone called fw (probably you meant $FW, but that would represent the firewall machine itself). You could try something like this:



            Ping(ACCEPT)    loc    net
            HTTP(DROP) loc net
            HTTPS(DROP) loc net


            AFAICR, shorewall adds a DROP ALL rule at the end of each chain*, so the two rules for dropping HTTP and HTTPS could be removed (because everything that isn't explicitly allowed is blocked by the final DROP ALL rule).



            *This behaviour is defined at the policy file.






            share|improve this answer






























              3














              On rules, when you use:



              DROP    loc    fw    tcp   80


              Your're saying: disallow local network zone (loc) from access port TCP/80 on zone fw. But your conf shows no zone called fw (probably you meant $FW, but that would represent the firewall machine itself). You could try something like this:



              Ping(ACCEPT)    loc    net
              HTTP(DROP) loc net
              HTTPS(DROP) loc net


              AFAICR, shorewall adds a DROP ALL rule at the end of each chain*, so the two rules for dropping HTTP and HTTPS could be removed (because everything that isn't explicitly allowed is blocked by the final DROP ALL rule).



              *This behaviour is defined at the policy file.






              share|improve this answer




























                3












                3








                3







                On rules, when you use:



                DROP    loc    fw    tcp   80


                Your're saying: disallow local network zone (loc) from access port TCP/80 on zone fw. But your conf shows no zone called fw (probably you meant $FW, but that would represent the firewall machine itself). You could try something like this:



                Ping(ACCEPT)    loc    net
                HTTP(DROP) loc net
                HTTPS(DROP) loc net


                AFAICR, shorewall adds a DROP ALL rule at the end of each chain*, so the two rules for dropping HTTP and HTTPS could be removed (because everything that isn't explicitly allowed is blocked by the final DROP ALL rule).



                *This behaviour is defined at the policy file.






                share|improve this answer















                On rules, when you use:



                DROP    loc    fw    tcp   80


                Your're saying: disallow local network zone (loc) from access port TCP/80 on zone fw. But your conf shows no zone called fw (probably you meant $FW, but that would represent the firewall machine itself). You could try something like this:



                Ping(ACCEPT)    loc    net
                HTTP(DROP) loc net
                HTTPS(DROP) loc net


                AFAICR, shorewall adds a DROP ALL rule at the end of each chain*, so the two rules for dropping HTTP and HTTPS could be removed (because everything that isn't explicitly allowed is blocked by the final DROP ALL rule).



                *This behaviour is defined at the policy file.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Mar 22 at 12:04

























                answered Mar 21 at 13:03









                JucaPiramaJucaPirama

                3396




                3396






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Ask Ubuntu!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1126160%2fshorewall-allow-client-to-ping-internet-but-not-use-the-browser-or-port-80%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    數位音樂下載

                    When can things happen in Etherscan, such as the picture below?

                    格利澤436b