As a router I use Ubuntu 16.04 with 2 network cards. The current configuration is very simple: a public ("white") IPv4 address on the external interface and NAT via ufw on the internal one. As DHCP and caching DNS server I use dnsmasq. My Ethernet switch supports VLANs, but this feature is currently disabled.

I often connect new devices (new virtual machines) to the local network and by default they all immediately access the Internet, which I don’t really like.

I want to change the configuration so that NAT works only for the hosts from the white list, and everyone else has access to local resources, but not to the Internet.

What is the best / easiest way to do this? Preferably without replacing ufw and dnsmasq with alternatives (since I have already partially figured these programs out).

So far I have the following ideas:

  1. configure different DHCP ranges and by default hand out a wrong gateway
  2. assign the internal network card several IP addresses from different subnets and do NAT for only one subnet
  3. enable VLAN support on the switch and use this functionality somehow (I don't know how; I've been meaning to deal with VLANs for a long time)
  • It is better to learn iptables. Traffic-filtering rules plus consistent DHCP will be enough. If you want more sophisticated methods, you can tie iptables rules to any authorization module, for example through scripts. - sergw
  • Method 1 (a wrong gateway) will lead to an increase in parasitic traffic and possibly stall some applications on the clients. Method 2 makes it harder for machines in the same physical network segment to talk to each other, since the inter-subnet traffic will go through the router. With method 3 you can configure VLANs + traffic tagging and get several network connections out of one network, but in my opinion the complexity of configuration and maintenance is not justified. - sergw
  • I can't speak for ufw, but I can speak for shorewall. I use it for the old company "collective farm" distribution of Internet access to several small firms in the same building. If it weren't for the dead hardware it would still be plowing along (although it did work for 5 years). - don Rumata
  • Method 2: why from different subnets? From one, but do NAT only for packets coming from one of the addresses. True, it's not reliable: the user can change the routing table on his computer. - sercxjo

1 answer

You probably set up NAT ("masquerading") following this guide.

Then the line in /etc/ufw/before.rules:

 -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE 

must be replaced by two:

    -A POSTROUTING -s список -o eth0 -j MASQUERADE
    -A POSTROUTING -j DROP

where список (Russian for "list") is a comma-separated list of "white" (allow-listed) IP addresses of the form:

    192.168.0.100,192.168.0.101,192.168.0.103

and so on.
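As an added example (not part of the answer above), the following POSIX shell script generates the before.rules fragments for an allow-listed NAT from a list of hosts, validating each address first. It assumes eth0 is the external interface (as in the answer), eth1 is the internal one (an assumption), and uses the `ufw-before-forward` chain that ufw's stock /etc/ufw/before.rules defines. It keeps the MASQUERADE rule restricted to the allow-list, as the answer does, but expresses the "everyone else stays local" part as REJECT rules in the forward path rather than a bare `-A POSTROUTING -j DROP` in the nat table: the nat table only inspects the first packet of each connection, and an unrestricted DROP there also catches the router's own outbound packets, whereas FORWARD rules apply to every forwarded packet and never to the router's own traffic. An IP-based allow-list is still only as trustworthy as the client's address (sercxjo's point); pinning each ACCEPT rule additionally with `-m mac --mac-source` or separating untrusted hosts into their own VLAN raises that bar.

```shell
#!/bin/sh
# Added example: emit ufw before.rules fragments for an allow-listed NAT.
# Assumed interface names: external eth0 (from the answer), internal eth1.

# Return 0 if $1 is four dotted-decimal octets in 0..255, else 1.
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# nat_rules WAN_IF HOST... : the *nat section, masquerading only the listed hosts.
# Comma-separated -s is expanded into one rule per address by iptables-restore.
nat_rules() {
    wan=$1
    shift
    list=""
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "nat_rules: bad address: $ip" >&2; return 1; }
        list="${list:+$list,}$ip"
    done
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' "-A POSTROUTING -s $list -o $wan -j MASQUERADE"
    printf '%s\n' 'COMMIT'
}

# forward_rules LAN_IF WAN_IF HOST... : rules for the *filter section's
# ufw-before-forward chain. Replies to allowed connections pass, listed hosts
# may open connections towards the WAN, every other LAN host gets an ICMP
# "administratively prohibited" instead of silently hanging.
forward_rules() {
    lan=$1
    wan=$2
    shift 2
    printf '%s\n' "-A ufw-before-forward -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "forward_rules: bad address: $ip" >&2; return 1; }
        printf '%s\n' "-A ufw-before-forward -i $lan -o $wan -s $ip -j ACCEPT"
    done
    printf '%s\n' "-A ufw-before-forward -i $lan -o $wan -j REJECT --reject-with icmp-admin-prohibited"
}

# Usage: sh allowlist-nat.sh eth1 eth0 192.168.0.100 192.168.0.101
# Paste the *nat block before the *filter section of /etc/ufw/before.rules and
# the forward rules inside it, then reload with: ufw reload
if [ "$#" -ge 3 ]; then
    lan_if=$1
    wan_if=$2
    shift 2
    nat_rules "$wan_if" "$@" && forward_rules "$lan_if" "$wan_if" "$@"
fi
```

The script only prints rule text; nothing is applied until the fragments are placed in before.rules and ufw is reloaded, so the generated output can be reviewed (and diffed against the current file) first.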