ID #1190

How do I stop nodes from accessing the internet?


By default, all compute nodes use the head node as their default gateway, and the head node is configured to forward packets to the external networks while performing SNAT. This article describes how the head node can be configured to prevent the compute nodes from reaching any of the external networks (and the Internet in particular).


The following methods should be weighed carefully to decide which one is better suited to each particular setup.

Method 1 - Disable IP Forwarding


Edit the /etc/shorewall/shorewall.conf file on the head node and set the IP_FORWARDING option like this:


IP_FORWARDING=Off


Then restart the shorewall service.


This will make Shorewall disable IP forwarding in the kernel, effectively preventing all traffic from the compute nodes from being forwarded by the head node.


Method 2 - Modify policy rules to block this traffic if it is not explicitly allowed

Edit the /etc/shorewall/policy file on the head node and find the following rule:


nat         all         ACCEPT


Then replace it with the following two rules:


nat         fw          ACCEPT

nat         all         REJECT


Then restart the shorewall service.


This will configure the firewall rules to reject all traffic coming from the internal network that is not destined for the head node itself.

The network administrator may choose to use DROP instead of REJECT.
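The following is an added audit helper, not part of the original article or of the Bright/Shorewall tooling: it parses the policy file text using Shorewall's first-match semantics (with "all" as a wildcard) and the IP_FORWARDING setting from shorewall.conf, and reports whether compute nodes in the nat zone can still be forwarded to an external zone, so both Method 1 and Method 2 can be verified before and after the change. The external zone name "net" and the sample file contents are assumptions constructed for the example.

```python
import re

# Constructed sample: the default policy the article tells you to look for.
POLICY_BEFORE = """\
#SOURCE  DEST  POLICY  LOG_LEVEL
fw       all   ACCEPT
nat      all   ACCEPT
net      all   DROP    info
all      all   REJECT  info
"""

# Constructed sample: the same file after applying Method 2.
POLICY_AFTER = POLICY_BEFORE.replace(
    "nat      all   ACCEPT", "nat      fw    ACCEPT\nnat      all   REJECT")

def parse_policy(text):
    """Yield (source, dest, policy) from /etc/shorewall/policy text."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed policy line: %r" % line)
        yield fields[0], fields[1], fields[2].upper()

def effective_policy(text, source, dest):
    """Shorewall applies the first matching entry; 'all' matches any zone."""
    for src, dst, pol in parse_policy(text):
        if src in (source, "all") and dst in (dest, "all"):
            return pol
    return None  # no entry matched

def ip_forwarding_off(conf_text):
    """True only when shorewall.conf sets IP_FORWARDING=Off explicitly
    (an unset or empty value means On; 'Keep' leaves the kernel alone)."""
    m = re.search(r'^\s*IP_FORWARDING\s*=\s*"?(\w*)"?', conf_text, re.M)
    return bool(m) and m.group(1).lower() == "off"

def compute_nodes_blocked(policy_text, conf_text, external="net"):
    """Blocked by Method 1 (no forwarding) or Method 2 (nat->external REJECT/DROP).
    The external zone name 'net' is an assumption for this example."""
    if ip_forwarding_off(conf_text):
        return True
    return effective_policy(policy_text, "nat", external) in ("REJECT", "DROP")
```

Run it against the real files with `compute_nodes_blocked(open("/etc/shorewall/policy").read(), open("/etc/shorewall/shorewall.conf").read())` on the head node; a False result means the compute nodes still have a forwarded path out.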
