How to Isolate computer from internet but keep it with LAN access on a Linux system?

sudopo

I have a network attached storage (NAS) implemented with a Raspberry Pi computer that connects to two different Wi-Fi networks, depending on its location (it is not anchored always in the same place). Normally, these Wi-Fi networks provide internet access to the computers connected to them. I cannot modify the settings of the Wi-Fi networks. For security reasons, I would like to configure the NAS such that
  1. it completely rejects any internet connection in both directions, no matter which Wi-Fi network it connects to, and
  2. it remains accessible from the Wi-Fi LAN.
The idea is that only computers directly connected to the Wi-Fi can access the NAS. Anything else should be blocked.

Is this possible? What is the best way to do it? I am not very knowledgeable about networks, so sorry if this is something that may be trivial.

I am trying with iptables:
Bash:
# accept packets coming from the LAN subnet, drop every other inbound packet
iptables -A INPUT -s $NETWORK_ADDRESS/$MASK -j ACCEPT
iptables -A INPUT -j DROP
# accept packets going to the LAN subnet, drop every other outbound packet
iptables -A OUTPUT -d $NETWORK_ADDRESS/$MASK -j ACCEPT
iptables -A OUTPUT -j DROP
However, it blocks not only the internet access but also the LAN access.
 


People never put what distro they use. Sometimes it doesn't matter. In this case it does.
I will assume you are using a distro that uses ufw firewall.

Code:
sudo ufw allow from 192.168.1.0/24

sudo ufw default deny outgoing

Check your rules with...
Code:
sudo ufw status

If you do it this way, it doesn't matter if you're using DHCP or DNS. Only your local subnet can access it.
 
I do this on computers. It is quite simple: manual IPv4 entry. Give it a static IP address and subnet. If you have multiple routers you will want the gateway address manual also.
DO NOT put in DNS; give the DNS entries 0.0.0.0 and you will have full network access and no internet access. You can't leave DHCP on or automatic IP configuration. Those are off in favor of manual entry.

If you only have the one router you can blank out the gateway address too but not necessary.

It does not matter which flavor of Linux you use or anything. This trick works in Windows also and will stop Windows updates.
 
People never put what distro they use. Sometimes it doesn't matter. In this case it does.
I will assume you are using a distro that uses ufw firewall.

Code:
sudo ufw allow from 192.168.1.0/24

sudo ufw default deny outgoing

Check your rules with...
Code:
sudo ufw status

If you do it this way, it doesn't matter if you're using DHCP or DNS. Only your local subnet can access it.
Have to totally disagree with you. Check my post. I believe you are overthinking this. My solution works on any Linux, Mac or Windows system. We configure the IP correctly.
 
Have to totally disagree with you. Check my post. I believe you are overthinking this. My solution works on any Linux, Mac or Windows system. We configure the IP correctly.

The problem with that is @sudopo said they can't modify the Wi-Fi network settings (presumably on the routers), and a static IP would require a reservation (else DHCP will potentially try to assign that IP).

I agree with you though: changing the network settings is the most expedient way to effect the change.
 
My solution works on any Linux, Mac or Windows system. We configure the IP correctly.

My solution doesn't require any change to any of those. Only the NAS server. You only have to do it once.
 
@dos2unix I am on a Raspberry Pi running Raspberry Pi OS. ufw can be installed, however it seems to be a front end for iptables. Do you know how to achieve this using only iptables? I have been experimenting a bit with ufw but it does not seem to do what I want to do. In particular, if I run
Code:
$ sudo ufw default deny outgoing
$ sudo ufw default deny incoming
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
SSH                        ALLOW       Anywhere                  
224.0.0.251 mDNS           ALLOW       Anywhere                  
SSH (v6)                   ALLOW       Anywhere (v6)             
ff02::fb mDNS              ALLOW       Anywhere (v6)
I am still able to SSH into the machine. What I want to achieve is basically to block ANYTHING from/to outside the local network.
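The iptables-only policy asked for above, as an added example that is not code from anyone in this thread. It assumes the Wi-Fi interface is wlan0 and that the networks the NAS joins use RFC 1918 addresses (as home Wi-Fi does), so the same rules work on both networks without knowing their subnets in advance; it also keeps the loopback, DHCP and link-local traffic that a bare "allow my subnet, drop the rest" ruleset silently breaks.

```shell
#!/bin/sh
# Generate (and optionally apply) an iptables/ip6tables policy that lets the NAS
# talk only to on-link LAN peers, never to the internet, on any Wi-Fi it joins.
# Assumptions (constructed for this example): the Wi-Fi interface is wlan0 and
# the LANs the NAS joins use RFC 1918 addresses, as home Wi-Fi networks do.
lan_only_rules() {
  iface="$1"
  cat <<EOF
# clean slate, default-deny in every direction
iptables -F INPUT
iptables -F OUTPUT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# loopback: local services (Samba, SSH, the resolver) talk to themselves over lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# DHCP is broadcast (0.0.0.0 -> 255.255.255.255); a plain "allow my subnet"
# rule drops it and the NAS loses its address at the next lease renewal
iptables -A OUTPUT -o $iface -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i $iface -p udp --sport 67 --dport 68 -j ACCEPT
EOF
  # private ranges, both directions: covers whichever home subnet is in use
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    echo "iptables -A INPUT -i $iface -s $net -j ACCEPT"
    echo "iptables -A OUTPUT -o $iface -d $net -j ACCEPT"
  done
  cat <<EOF
# mDNS/SMB discovery replies go to multicast/broadcast, not a private unicast
iptables -A OUTPUT -o $iface -d 224.0.0.0/4 -j ACCEPT
iptables -A OUTPUT -o $iface -d 255.255.255.255 -j ACCEPT
# IPv6: keep link-local (fe80::/10, ff02::/16) for NDP and mDNS, drop all else;
# otherwise a public IPv6 prefix from the router bypasses the IPv4 rules above
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i $iface -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -o $iface -d fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -o $iface -d ff02::/16 -j ACCEPT
EOF
}
# number of ACCEPT rules in a chain (INPUT or OUTPUT), for a quick sanity check
count_accepts() { lan_only_rules "$1" | grep -c -- "-A $2 .*-j ACCEPT"; }
# `sudo sh lan-only.sh apply` loads the rules (needs root); otherwise nothing runs
if [ "${1:-}" = "apply" ]; then lan_only_rules "${IFACE:-wlan0}" | sh; fi
```

Run it with ufw disabled, since ufw manages the same chains, and persist the result with iptables-persistent (`sudo netfilter-persistent save`) so it survives a reboot. Because it trusts all RFC 1918 space, a router that also routes to other private subnets would let those hosts in; swap the three ranges for the on-link prefix shown by `ip -4 addr show dev wlan0` if that matters.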
 
The problem with that is @sudopo said they can't modify the Wi-Fi network settings (presumably on the routers), and a static IP would require a reservation (else DHCP will potentially try to assign that IP).

I agree with you though: changing the network settings is the most expedient way to effect the change.
Actually most DHCP will detect the assignment, but I have noted that commercial routers that have DHCP already set tend to leave the addresses under 50 or above 200 alone for just such reasons. It varies by router, but they all seem to have that from what I have seen. So an address of 192.168.1.6 would usually be outside the DHCP pool.
 
@dos2unix I am on a Raspberry Pi running Raspberry Pi OS. ufw can be installed, however it seems to be a front end for iptables. Do you know how to achieve this using only iptables? I have been experimenting a bit with ufw but it does not seem to do what I want to do. In particular, if I run
Code:
$ sudo ufw default deny outgoing
$ sudo ufw default deny incoming
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
SSH                        ALLOW       Anywhere                 
224.0.0.251 mDNS           ALLOW       Anywhere                 
SSH (v6)                   ALLOW       Anywhere (v6)            
ff02::fb mDNS              ALLOW       Anywhere (v6)
I am still able to SSH into the machine. What I want to achieve is basically to block ANYTHING from/to outside the local network.
The incoming packets will not get to the system unless you route them specifically to that system, and to do that you will need a static IP for that system. Otherwise incoming traffic will be dropped automatically. Outgoing, as I said earlier, can be done with manual IP configuration: set the DNS to 0.0.0.0, which will stop all name resolution and therefore internet communication unless you know the IP of the site. dos2unix's solution will work also but is not as easy to implement. So flip a coin and pick one. More than one way to do most things.
 
The easiest place to do it would probably be your router; some routers have functionality to select a host to deny internet access. Here is an example of how to do it with an ASUS router.
 