By default, all compute nodes use the head node as their default gateway, and the head node is configured to forward packets to the external networks while performing SNAT. This article describes how the head node can be configured to prevent the compute nodes from reaching any of the external networks (and the Internet in particular).
The following methods should be analyzed carefully to decide which one is better suited to each particular setup.
Method 1 – Disable IP Forwarding
Edit the /etc/shorewall/shorewall.conf file on the head node and set the IP_FORWARDING property as follows:
IP_FORWARDING=Off
Then restart the shorewall service.
This makes Shorewall disable IP forwarding in the kernel, which prevents the head node from forwarding any traffic coming from the compute nodes.
Method 2 – Modify the policy rules to block this traffic unless it is explicitly allowed.
Edit the /etc/shorewall/policy file on the head node and find the following rule:
nat all ACCEPT
Then replace it with the following two rules:
nat fw ACCEPT
nat all REJECT
Then restart the shorewall service.
This configures the firewall policy to reject all traffic coming from the internal network that is not destined for the head node itself.
The network administrator may choose to use DROP instead of REJECT.
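The script below is an added example and is not part of the original article. It reads the two Shorewall files the article edits and reports which method, if any, is in effect on a head node. Because Shorewall applies the first matching policy, it also shows why the order of the two new lines matters: leaving the original nat all ACCEPT line above the new REJECT line leaves the compute nodes with forwarding access. The file paths are the article's; the sample file contents, the function names and the status strings are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: audit which of the two methods
# is in effect by reading the Shorewall files the article edits. The sample
# files below are constructed here so the checks can run offline.

# ip_forwarding_disabled CONF
# True when shorewall.conf turns kernel IP forwarding off (Method 1).
ip_forwarding_disabled() {
    grep -Eiq '^[[:space:]]*IP_FORWARDING="?Off"?[[:space:]]*$' "$1"
}

# nat_zone_blocked POLICY
# True when the policy file (first match wins) forwards nothing from the
# compute-node zone "nat" except traffic addressed to the firewall itself (Method 2).
nat_zone_blocked() {
    while read -r src dst pol _ || [ -n "$src" ]; do
        case "$src" in ''|\#*) continue ;; esac     # blank line or comment
        [ "$src" = nat ] || continue
        case "$dst" in fw|'$FW') continue ;; esac   # the head node stays reachable
        case "$pol" in
            ACCEPT)      return 1 ;;                # something from nat is still forwarded
            REJECT|DROP) if [ "$dst" = all ]; then return 0; fi ;;
        esac
    done < "$1"
    return 1                                        # no catch-all REJECT/DROP for nat
}

# egress_status CONF POLICY
# Prints which mechanism, if any, keeps the compute nodes off the external networks.
egress_status() {
    if ip_forwarding_disabled "$1"; then
        echo forwarding-off
    elif nat_zone_blocked "$2"; then
        echo policy-blocked
    else
        echo open
    fi
}

# --- constructed samples (not real head-node files) -------------------------
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf 'IP_FORWARDING=On\n'  > "$SAMPLES/conf.on"
printf 'IP_FORWARDING=Off\n' > "$SAMPLES/conf.off"

# Default policy: everything from the nat zone is forwarded.
cat > "$SAMPLES/policy.default" <<'EOF'
#SOURCE  DEST  POLICY  LOG
fw       all   ACCEPT
nat      all   ACCEPT
net      all   DROP    info
all      all   REJECT  info
EOF

# Policy after Method 2: only traffic to the head node itself is accepted.
cat > "$SAMPLES/policy.blocked" <<'EOF'
#SOURCE  DEST  POLICY  LOG
fw       all   ACCEPT
nat      fw    ACCEPT
nat      all   REJECT
net      all   DROP    info
all      all   REJECT  info
EOF

# Common mistake: the original ACCEPT line was left above the REJECT line.
cat > "$SAMPLES/policy.misordered" <<'EOF'
nat      fw    ACCEPT
nat      all   ACCEPT
nat      all   REJECT
EOF

echo "default policy, forwarding on: $(egress_status "$SAMPLES/conf.on"  "$SAMPLES/policy.default")"
echo "method 1:                      $(egress_status "$SAMPLES/conf.off" "$SAMPLES/policy.default")"
echo "method 2:                      $(egress_status "$SAMPLES/conf.on"  "$SAMPLES/policy.blocked")"
echo "method 2, wrong line order:    $(egress_status "$SAMPLES/conf.on"  "$SAMPLES/policy.misordered")"
```

Run it on the head node by pointing egress_status at the real /etc/shorewall/shorewall.conf and /etc/shorewall/policy; a result of open after applying Method 2 usually means the old nat all ACCEPT line is still present above the new rules.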