Asked a question 2 years ago

How do I stop nodes from accessing the internet?

By default all compute nodes use the head node as their default gateway, and the head node is configured to forward packets to the external networks while performing SNAT (source NAT) on them. In this article we describe how the head node can be configured to prevent the compute nodes from reaching any of the external networks (and the Internet in particular).

The two methods below differ in scope, so analyze them carefully to decide which one fits a particular setup: Method 1 switches off IP forwarding on the head node altogether, while Method 2 only changes the firewall policy for traffic that originates on the internal network.

Method 1 - Disable IP Forwarding

Edit the /etc/shorewall/shorewall.conf file on the head node and set the IP_FORWARDING property like this:

IP_FORWARDING=Off

Then restart the shorewall service (for example with shorewall restart).

This will make Shorewall disable IP forwarding in the kernel (net.ipv4.ip_forward is set to 0, which can be confirmed with sysctl net.ipv4.ip_forward), effectively preventing all traffic from the compute nodes from being forwarded by the head node. Note that this setting is global: the head node will no longer forward packets between any of the networks it is connected to, not just towards the external networks.

Method 2 - Modify policy rules to block this traffic if it is not explicitly allowed.

Edit the /etc/shorewall/policy file on the head node and find the following rule (nat is the zone of the internal network in this policy file, and fw is the head node's own firewall zone):

nat         all         ACCEPT

Then replace it with the following two rules, keeping this order:

nat         fw          ACCEPT

nat         all         REJECT

Then restart the shorewall service.

This will configure the firewall rules to reject all traffic coming from the internal network which is not destined to the head node itself, so the compute nodes can still reach services running on the head node. The order of the two rules matters: Shorewall applies the first policy that matches a source/destination pair, so the ACCEPT towards fw must come before the catch-all REJECT, otherwise the compute nodes would be cut off from the head node as well.

The network administrator may choose to use DROP instead of REJECT. With REJECT the head node answers with an ICMP error (or a TCP reset), so connection attempts from the nodes fail immediately; with DROP the packets are silently discarded and clients on the nodes only give up after their own timeouts.
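A quick way to verify either change before restarting Shorewall, as an added example that is not part of the original article or of Bright's software: the first function checks that IP_FORWARDING is Off (Method 1), the second that the policy file contains nat fw ACCEPT ahead of a nat all REJECT or DROP and no longer contains nat all ACCEPT (Method 2). It assumes the zone names nat and fw (or $FW) used above and runs on constructed copies of the two files rather than on /etc/shorewall itself.

```shell
#!/bin/sh
# Added example (not from the original article or from Bright's own tooling):
# sanity-check the two Shorewall changes before restarting the service.
# Assumptions: shorewall.conf uses KEY=VALUE lines, the policy file uses
# Shorewall's "SOURCE DEST POLICY" columns, and the internal and firewall
# zones are named "nat" and "fw" (or $FW) as on the page.

# Method 1 check: return 0 if IP_FORWARDING is set to Off, 1 otherwise.
# The last assignment wins; comments, quotes and letter case are ignored.
ip_forwarding_off() {
    awk -F= '
        { sub(/#.*/, "") }
        $1 ~ /^[[:space:]]*IP_FORWARDING[[:space:]]*$/ {
            gsub(/"/, "", $2); gsub(/[[:space:]]/, "", $2); val = tolower($2)
        }
        END { if (val == "off") exit 0; exit 1 }
    ' "$1"
}

# Method 2 check: return 0 only if the policy file
#   - no longer contains "nat all ACCEPT" (which would let everything through),
#   - has "nat fw ACCEPT" so the nodes can still talk to the head node, and
#   - has "nat all REJECT" or "nat all DROP" *after* that line, because
#     Shorewall uses the first matching policy for a source/destination pair.
policy_blocks_forwarding() {
    awk '
        { sub(/#.*/, "") }
        NF < 3 { next }
        $1 == "nat" && ($2 == "fw" || $2 == "$FW") && toupper($3) == "ACCEPT" && !fw_line { fw_line = NR }
        $1 == "nat" && $2 == "all" && toupper($3) == "ACCEPT" { open_line = NR }
        $1 == "nat" && $2 == "all" && (toupper($3) == "REJECT" || toupper($3) == "DROP") && !block_line { block_line = NR }
        END {
            if (open_line || !fw_line || !block_line || fw_line > block_line) exit 1
            exit 0
        }
    ' "$1"
}

# Constructed sample files standing in for /etc/shorewall/shorewall.conf and
# /etc/shorewall/policy, so the checks can be run offline.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

printf 'IP_FORWARDING=On\n' > "$WORKDIR/shorewall.conf.default"
printf '# Method 1 applied\nIP_FORWARDING="Off"\n' > "$WORKDIR/shorewall.conf.method1"

cat > "$WORKDIR/policy.default" <<'EOF'
#SOURCE   DEST   POLICY
nat       all    ACCEPT
all       all    REJECT
EOF

cat > "$WORKDIR/policy.method2" <<'EOF'
#SOURCE   DEST   POLICY
nat       fw     ACCEPT
nat       all    REJECT
all       all    REJECT
EOF

# Same two lines in the wrong order: the catch-all matches first and even the
# head node becomes unreachable from the compute nodes.
cat > "$WORKDIR/policy.wrong_order" <<'EOF'
nat       all    REJECT
nat       fw     ACCEPT
EOF

for f in shorewall.conf.default shorewall.conf.method1; do
    if ip_forwarding_off "$WORKDIR/$f"; then
        echo "$f: IP_FORWARDING=Off, head node will not forward (Method 1)"
    else
        echo "$f: forwarding still enabled"
    fi
done

for f in policy.default policy.method2 policy.wrong_order; do
    if policy_blocks_forwarding "$WORKDIR/$f"; then
        echo "$f: compute nodes may reach the head node only (Method 2)"
    else
        echo "$f: policy does not block forwarding correctly"
    fi
done
```

On a real head node run the same functions against /etc/shorewall/shorewall.conf and /etc/shorewall/policy, then let shorewall check do a syntax pass before the restart; after Method 1 has been applied, sysctl net.ipv4.ip_forward should report 0.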