How to disable LAN but enable WAN

How do credit card companies know what type of business I'm paying for?

How can this shape perfectly cover a cube?

How can a flywheel makes engine runs smoothly?

New Site Design!

How do I gain the trust of other PCs?

Why are British voters more likely to back the main parties in general elections than in European Parliament elections?

Is my research statement supposed to lead to papers in top journals?

Can you cover a cube with copies of this shape?

How to write a nice frame challenge?

XML Query Question

What is the context for Napoleon's quote "[the Austrians] did not know the value of five minutes"?

Why can't I craft scaffolding in Minecraft 1.14?

How do I run a script as sudo at boot time on Ubuntu 18.04 Server?

How did Avada Kedavra get its name?

Why is gun control associated with the socially liberal Democratic party?

On George Box, Galit Shmueli and the scientific method?

Have Steve Rogers (Captain America) and a young Erik Lehnsherr (Magneto) interacted during WWII?

How to ask if I can mow my neighbor's lawn

High-end PC graphics circa 1990?

How to comprehend this notation?

Should I email my professor to clear up a (possibly very irrelevant) awkward misunderstanding?

Are their examples of rowers who also fought?

Will users know a CardView is clickable?

Fill the maze with a wall-following Snake until it gets stuck



How to disable LAN but enable WAN







.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








0















Why do I need that



I have a server on a large company network running new version of jenkins. I've migrated all the jobs (>600) over to a new server. Those jobs connect to different servers across our network. After starting jenkins some jobs will run overriding artifacts, pushing docker images to internal registries and so on. To prevent that without going into all 600 jobs and disabling then, I wish to disable local network access from the server. The network admins said that they don't want to mess with the firewall rules in fear they'll disable access to some important servers. So its on me to implement on the server side using iptables.



What do I need



What do I wish to do is to disable LAN access except one ip, and enable internet access. In more detail it goes like this.



Allow access to the server for ssh on port 22 and jenkins on port 8080 (I'm located on a different subnet than the server)



Allow access to the internet for plugin install and external build dependencies.



Drop anything going from the server to the local network 10.0.0.0/8. The server is located on 10.x.x.x/24 and it has access to different subnets over the router on 10.x.x.1



What have I tried



Final try before giving up. Didn't do anything.



#my ip 
iptables -j ACCEPT -s 10.x.x.x -i ens160 -A IN_public
iptables -j ACCEPT -d 10.x.x.x -o ens160 -A OUTPUT_direct

#subnet
iptables -j DROP -d 10.0.0.0/8 -o ens160 -A OUTPUT_direct





iptables







share|improve this question




























    0















    Why do I need that



    I have a server on a large company network running new version of jenkins. I've migrated all the jobs (>600) over to a new server. Those jobs connect to different servers across our network. After starting jenkins some jobs will run overriding artifacts, pushing docker images to internal registries and so on. To prevent that without going into all 600 jobs and disabling then, I wish to disable local network access from the server. The network admins said that they don't want to mess with the firewall rules in fear they'll disable access to some important servers. So its on me to implement on the server side using iptables.



    What do I need



    What do I wish to do is to disable LAN access except one ip, and enable internet access. In more detail it goes like this.



    Allow access to the server for ssh on port 22 and jenkins on port 8080 (I'm located on a different subnet than the server)



    Allow access to the internet for plugin install and external build dependencies.



    Drop anything going from the server to the local network 10.0.0.0/8. The server is located on 10.x.x.x/24 and it has access to different subnets over the router on 10.x.x.1



    What have I tried



    Final try before giving up. Didn't do anything.



    #my ip 
    iptables -j ACCEPT -s 10.x.x.x -i ens160 -A IN_public
    iptables -j ACCEPT -d 10.x.x.x -o ens160 -A OUTPUT_direct

    #subnet
    iptables -j DROP -d 10.0.0.0/8 -o ens160 -A OUTPUT_direct





    iptables







    share|improve this question
























      0












      0








      0








      Why do I need that



      I have a server on a large company network running new version of jenkins. I've migrated all the jobs (>600) over to a new server. Those jobs connect to different servers across our network. After starting jenkins some jobs will run overriding artifacts, pushing docker images to internal registries and so on. To prevent that without going into all 600 jobs and disabling then, I wish to disable local network access from the server. The network admins said that they don't want to mess with the firewall rules in fear they'll disable access to some important servers. So its on me to implement on the server side using iptables.



      What do I need



      What do I wish to do is to disable LAN access except one ip, and enable internet access. In more detail it goes like this.



      Allow access to the server for ssh on port 22 and jenkins on port 8080 (I'm located on a different subnet than the server)



      Allow access to the internet for plugin install and external build dependencies.



      Drop anything going from the server to the local network 10.0.0.0/8. The server is located on 10.x.x.x/24 and it has access to different subnets over the router on 10.x.x.1



      What have I tried



      Final try before giving up. Didn't do anything.



      #my ip 
      iptables -j ACCEPT -s 10.x.x.x -i ens160 -A IN_public
      iptables -j ACCEPT -d 10.x.x.x -o ens160 -A OUTPUT_direct

      #subnet
      iptables -j DROP -d 10.0.0.0/8 -o ens160 -A OUTPUT_direct





      iptables







      share|improve this question














      Why do I need that



      I have a server on a large company network running new version of jenkins. I've migrated all the jobs (>600) over to a new server. Those jobs connect to different servers across our network. After starting jenkins some jobs will run overriding artifacts, pushing docker images to internal registries and so on. To prevent that without going into all 600 jobs and disabling then, I wish to disable local network access from the server. The network admins said that they don't want to mess with the firewall rules in fear they'll disable access to some important servers. So its on me to implement on the server side using iptables.



      What do I need



      What do I wish to do is to disable LAN access except one ip, and enable internet access. In more detail it goes like this.



      Allow access to the server for ssh on port 22 and jenkins on port 8080 (I'm located on a different subnet than the server)



      Allow access to the internet for plugin install and external build dependencies.



      Drop anything going from the server to the local network 10.0.0.0/8. The server is located on 10.x.x.x/24 and it has access to different subnets over the router on 10.x.x.1



      What have I tried



      Final try before giving up. Didn't do anything.



      #my ip 
      iptables -j ACCEPT -s 10.x.x.x -i ens160 -A IN_public
      iptables -j ACCEPT -d 10.x.x.x -o ens160 -A OUTPUT_direct

      #subnet
      iptables -j DROP -d 10.0.0.0/8 -o ens160 -A OUTPUT_direct





      iptables




      iptables






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked May 31 at 9:25









      CodeBreakerCodeBreaker

      274




      274




















          1 Answer
          1






          active

          oldest

          votes


















          3














          Some important notes before I'll provide the ruleset:




          • Avoid the modification firewall by scripts. Best flow:



            1. Save the current rule set with command iptables-save > fwrules.v4

            2. Edit the rules

            3. Test the rules with command iptables-restore -t fwrules.v4

            4. Safety apply the rules with command iptables-apply -t <timeout> fwrules.v4. Where <timeout> is timeout of confirmation in seconds. If you don't confirm the new rule set, it will rollback to the previous set.


          • I guess the server has single network interface.


          • Rule set itself:

          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [0:0]

          # allow reply packets
          -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

          # allow incoming ICMP like ping and other
          -A INPUT -p icmp -j ACCEPT

          # allow to ssh and to jenkins from anywhere
          -A INPUT -m conntrack --ctstate NEW -p tcp -m multiport --dports 22,8080 -j ACCEPT

          # allow localhost connections
          -A INPUT -i lo -j ACCEPT

          # allow output packets to trust host
          -A OUTPUT --dst 10.0.0.12 -j ACCEPT

          # block output packets to other lan hosts
          -A OUTPUT --dst 10.0.0.0/8 -j REJECT

          COMMIT


          • What's about DNS servers addresses? You should allow it too if they are in the local subnet.

          • The order of rules is very important.





          share|improve this answer























          • That did the trick. Now I have a better understanding of iptables. Thank you!

            – CodeBreaker
            May 31 at 12:41











          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "2"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f969623%2fhow-to-disable-lan-but-enable-wan%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          3














          Some important notes before I'll provide the ruleset:




          • Avoid the modification firewall by scripts. Best flow:



            1. Save the current rule set with command iptables-save > fwrules.v4

            2. Edit the rules

            3. Test the rules with command iptables-restore -t fwrules.v4

            4. Safety apply the rules with command iptables-apply -t <timeout> fwrules.v4. Where <timeout> is timeout of confirmation in seconds. If you don't confirm the new rule set, it will rollback to the previous set.


          • I guess the server has single network interface.


          • Rule set itself:

          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [0:0]

          # allow reply packets
          -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

          # allow incoming ICMP like ping and other
          -A INPUT -p icmp -j ACCEPT

          # allow to ssh and to jenkins from anywhere
          -A INPUT -m conntrack --ctstate NEW -p tcp -m multiport --dports 22,8080 -j ACCEPT

          # allow localhost connections
          -A INPUT -i lo -j ACCEPT

          # allow output packets to trust host
          -A OUTPUT --dst 10.0.0.12 -j ACCEPT

          # block output packets to other lan hosts
          -A OUTPUT --dst 10.0.0.0/8 -j REJECT

          COMMIT


          • What's about DNS servers addresses? You should allow it too if they are in the local subnet.

          • The order of rules is very important.





          share|improve this answer























          • That did the trick. Now I have a better understanding of iptables. Thank you!

            – CodeBreaker
            May 31 at 12:41















          3














          Some important notes before I'll provide the ruleset:




          • Avoid the modification firewall by scripts. Best flow:



            1. Save the current rule set with command iptables-save > fwrules.v4

            2. Edit the rules

            3. Test the rules with command iptables-restore -t fwrules.v4

            4. Safety apply the rules with command iptables-apply -t <timeout> fwrules.v4. Where <timeout> is timeout of confirmation in seconds. If you don't confirm the new rule set, it will rollback to the previous set.


          • I guess the server has single network interface.


          • Rule set itself:

          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [0:0]

          # allow reply packets
          -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

          # allow incoming ICMP like ping and other
          -A INPUT -p icmp -j ACCEPT

          # allow to ssh and to jenkins from anywhere
          -A INPUT -m conntrack --ctstate NEW -p tcp -m multiport --dports 22,8080 -j ACCEPT

          # allow localhost connections
          -A INPUT -i lo -j ACCEPT

          # allow output packets to trust host
          -A OUTPUT --dst 10.0.0.12 -j ACCEPT

          # block output packets to other lan hosts
          -A OUTPUT --dst 10.0.0.0/8 -j REJECT

          COMMIT


          • What's about DNS servers addresses? You should allow it too if they are in the local subnet.

          • The order of rules is very important.





          share|improve this answer























          • That did the trick. Now I have a better understanding of iptables. Thank you!

            – CodeBreaker
            May 31 at 12:41













          3












          3








          3







          Some important notes before I'll provide the ruleset:




          • Avoid the modification firewall by scripts. Best flow:



            1. Save the current rule set with command iptables-save > fwrules.v4

            2. Edit the rules

            3. Test the rules with command iptables-restore -t fwrules.v4

            4. Safety apply the rules with command iptables-apply -t <timeout> fwrules.v4. Where <timeout> is timeout of confirmation in seconds. If you don't confirm the new rule set, it will rollback to the previous set.


          • I guess the server has single network interface.


          • Rule set itself:

          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [0:0]

          # allow reply packets
          -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

          # allow incoming ICMP like ping and other
          -A INPUT -p icmp -j ACCEPT

          # allow to ssh and to jenkins from anywhere
          -A INPUT -m conntrack --ctstate NEW -p tcp -m multiport --dports 22,8080 -j ACCEPT

          # allow localhost connections
          -A INPUT -i lo -j ACCEPT

          # allow output packets to trust host
          -A OUTPUT --dst 10.0.0.12 -j ACCEPT

          # block output packets to other lan hosts
          -A OUTPUT --dst 10.0.0.0/8 -j REJECT

          COMMIT


          • What's about DNS servers addresses? You should allow it too if they are in the local subnet.

          • The order of rules is very important.





          share|improve this answer













          Some important notes before I'll provide the ruleset:




          • Avoid the modification firewall by scripts. Best flow:



            1. Save the current rule set with command iptables-save > fwrules.v4

            2. Edit the rules

            3. Test the rules with command iptables-restore -t fwrules.v4

            4. Safety apply the rules with command iptables-apply -t <timeout> fwrules.v4. Where <timeout> is timeout of confirmation in seconds. If you don't confirm the new rule set, it will rollback to the previous set.


          • I guess the server has single network interface.


          • Rule set itself:

          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [0:0]

          # allow reply packets
          -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

          # allow incoming ICMP like ping and other
          -A INPUT -p icmp -j ACCEPT

          # allow to ssh and to jenkins from anywhere
          -A INPUT -m conntrack --ctstate NEW -p tcp -m multiport --dports 22,8080 -j ACCEPT

          # allow localhost connections
          -A INPUT -i lo -j ACCEPT

          # allow output packets to trust host
          -A OUTPUT --dst 10.0.0.12 -j ACCEPT

          # block output packets to other lan hosts
          -A OUTPUT --dst 10.0.0.0/8 -j REJECT

          COMMIT


          • What's about DNS servers addresses? You should allow it too if they are in the local subnet.

          • The order of rules is very important.






          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered May 31 at 10:19









          Anton DanilovAnton Danilov

          1,6531712




          1,6531712












          • That did the trick. Now I have a better understanding of iptables. Thank you!

            – CodeBreaker
            May 31 at 12:41

















          • That did the trick. Now I have a better understanding of iptables. Thank you!

            – CodeBreaker
            May 31 at 12:41
















          That did the trick. Now I have a better understanding of iptables. Thank you!

          – CodeBreaker
          May 31 at 12:41





          That did the trick. Now I have a better understanding of iptables. Thank you!

          – CodeBreaker
          May 31 at 12:41

















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Server Fault!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f969623%2fhow-to-disable-lan-but-enable-wan%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          RemoteApp sporadic failureWindows 2008 RemoteAPP client disconnects within a matter of minutesWhat is the minimum version of RDP supported by Server 2012 RDS?How to configure a Remoteapp server to increase stabilityMicrosoft RemoteApp Active SessionRDWeb TS connection broken for some users post RemoteApp certificate changeRemote Desktop Licensing, RemoteAPPRDS 2012 R2 some users are not able to logon after changed date and time on Connection BrokersWhat happens during Remote Desktop logon, and is there any logging?After installing RDS on WinServer 2016 I still can only connect with two users?RD Connection via RDGW to Session host is not connecting

          Image
          Can I use my laptop, which says 100-240V, in the USA? Definition of Newton's first law Why did the ICC decide not to probe alleged US atrocities in Afghanistan? Is there ever any indication in the MCU as to how Spider-Man got his powers? Should pressure only be applied at the top of a pastry bag? How did Thanos not realise this had happened at the end of Endgame? On studying Computer Science vs. Software Engineering to become a proficient coder Why does the Earth follow an elliptical trajectory rather than a parabolic one? What's the word for the soldier salute? Why not just directly invest in the holdings of an ETF? Can a tourist shoot a gun in the USA? Why in a Ethernet LAN, a packet sniffer can obtain all packets sent over the LAN? What is Plautus’s pun about frustum and frustrum? Extrude the faces of a cube symmetrically along XYZ Why does my circuit work on a breadboard, but not on a perfboard? I am new to soldering How do I tell my supervisor...
          Read more

          How to write a 12-bar blues melodyI-IV-V blues progressionHow to play the bridges in a standard blues progressionHow does Gdim7 fit in C# minor?question on a certain chord progressionMusicology of Melody12 bar blues, spread rhythm: alternative to 6th chord to avoid finger stretchChord progressions/ Root key/ MelodiesHow to put chords (POP-EDM) under a given lead vocal melody (starting from a good knowledge in music theory)Are there “rules” for improvising with the minor pentatonic scale over 12-bar shuffle?Confusion about blues scale and chords

          Image
          Why is a set not a partition of itself? Would an 8% reduction in drag outweigh the weight addition from this custom CFD-tested winglet? Labeling matrices/rectangles and drawing Sigma inside rectangle Unexpected Netflix account registered to my Gmail address - any way it could be a hack attempt? 51% attack - apparently very easy? refering to CZ's "rollback btc chain" - How to make sure such corruptible scenario can never happen so easily? Missouri raptors have wild hairdos Can someone explain homicide-related death rates? Why is tomato paste so cheap? What are the implications of the new alleged key recovery attack preprint on SIMON? Effects of ~10atm pressure on engine design Is taking modulus on both sides of an equation valid? Jumping frame contents with beamer and pgfplots Are there any established rules for splitting books into parts, chapters, sections etc? Anatomically Correct Carnivorous Tree Why do I get two different answers when solvi...
          Read more

          Esgonzo ibérico Índice Descrición Distribución Hábitat Ameazas Notas Véxase tamén "Acerca dos nomes dos anfibios e réptiles galegos""Chalcides bedriagai"Chalcides bedriagai en Carrascal, L. M. Salvador, A. (Eds). Enciclopedia virtual de los vertebrados españoles. Museo Nacional de Ciencias Naturales, Madrid. España.Fotos

          Image
          escíncidospenínsula Ibéricaesgonzo comúnJacques von Bedriagaesgonzo comúndimorfismo sexualovovivíparaendémicaPenínsula IbéricaCordilleira CantábricaAsturiasPaís VascoGaliciaRías BaixasMurosCarnotaillas CíesOnsAtlánticoIllas CíesIlla de Onsilla do PesegueiroIlla de Sancti PetriMediterráneoMar MenorIlla de TabarcaGaliciaCantabriaBurgossolosdestrución do hábitatIUCN Abrir o menú principal Procurar Esgonzo ibérico Ler noutra lingua Vixiar esta páxina Editar function mfTempOpenSection(id)var block=document.getElementById("mf-section-"+id);block.className+=" open-block";block.previousSibling.className+=" open-block"; Esgonzo ibérico Estado de conservación Case ameazada Clasificaci...
          Read more