My network address is 192.168.5.0. My host machine is 192.168.5.1 and my client machine is 192.168.5.2. How will I enable my client to ping the internet through the terminal but restrict it from using port 80 or the browser? Below is my /etc/shorewall/policy file:
SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
loc net ACCEPT
net all DROP info
/etc/shorewall/rules file:
DROP loc fw tcp 80
/etc/shorewall/interfaces file:
net eth0
loc eth1
Host Interfaces:
eth0 - Connection to the internet
eth1 - Local Network Connection
Please tell me if I still have to provide more details. Using the configuration above, my client is unable to ping any internet website and at the same time can't access any site from the browser.
On rules, when you use:
You're saying: disallow local network zone (loc) from accessing port TCP/80 on zone fw. But your conf shows no zone called fw (probably you meant $FW, but that would represent the firewall machine itself). You could try something like this:
AFAICR, shorewall adds a DROP ALL rule at the end of each chain*, so the two rules for dropping HTTP and HTTPS could be removed (because everything that isn't explicitly allowed is blocked by the final DROP ALL rule).
*This behaviour is defined at the policy file.
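The two approaches discussed in the answer above, written out as an added example that is not part of the original question or answer. The zone names loc and net come from the question; the example assumes /etc/shorewall/zones defines both zones and that forwarding and masquerading from eth1 to eth0 already work.

```conf
# Constructed example, not the poster's files.
# Traffic from the client to the internet is forwarded THROUGH the firewall,
# so the destination zone is net, not the firewall zone itself.

# --- Variant A: keep the question's policy "loc net ACCEPT" ---
# /etc/shorewall/rules
#ACTION   SOURCE   DEST   PROTO   DPORT
DROP      loc      net    tcp     80     # HTTP from clients to the internet
DROP      loc      net    tcp     443    # HTTPS from clients to the internet
# Ping needs no rule in this variant: ICMP echo-request matches no rule
# above and falls through to the ACCEPT policy for loc -> net.

# --- Variant B: default-deny policy, allow only what is needed ---
# /etc/shorewall/policy
#SOURCE   DEST   POLICY   LOGLEVEL
loc       net    DROP     info
net       all    DROP     info

# /etc/shorewall/rules
#ACTION        SOURCE   DEST
Ping(ACCEPT)   loc      net    # ICMP echo-request only
DNS(ACCEPT)    loc      net    # name lookups, so pinging a hostname resolves
# No DROP rules for 80/443 here: the loc -> net DROP policy catches
# everything that is not explicitly accepted.
```

Running `shorewall check` before `shorewall restart` validates the files without touching the live ruleset.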