Network Without Internet
#1
Hi, I am looking for a way to cut Internet access from one of my computers while still making it accessible for other computers in my home network for file and print sharing.

I know, idiot Windows jargon, but I don't care if it's Windows or GNU/Linux, I just want to rid one of my computers of Internet access while still being able to make other computers in the LAN to access for file-sharing and gaming. No, I don't want to use a virtual machine for this purpose.

I'm open to suggestions.
Reply
#2
Weird, but OK.

Set up the networking on the computer in question to not have an address for a router. Without a router address, it won't know where to send packets addressed outside of its network.

You could also set up the router firewall to drop packets from that particular computer.
Reply
#3
Use iptables and block outside network access

Heres a script that you can modify for your needs using ip tables


#!/bin/sh
#
# A script for creating an iptables firewall
#

#
# Start by clearing iptables
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

#
# Define our interfaces, Squid IP, and Squid port
#
WAN="p4p1"
LAN="p4p2"
SQUIDIP="192.168.10.10"
SQUIDPORT="3129"

#
# Create log files to help troubleshooting. (We can comment out when not needed)
#
# iptables -A OUTPUT -j LOG
# iptables -A INPUT -j LOG
# iptables -A FORWARD -j LOG

#
# Now to create the Routing Firewall
#

#
# (1) Create the default policies (DROP)
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#
# (2) User-defined chain called "okay" for ACCEPTed TCP packets
#
iptables -N okay
iptables -A okay -p tcp --syn -j ACCEPT
iptables -A okay -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p tcp -j DROP

#
# (3) INPUT rules
#
###### (A) Rules for incoming packets from the LAN
iptables -A INPUT -p ALL -i $LAN -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.10.10 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p ALL -i $LAN -d 192.168.10.255 -j ACCEPT

##### (B) Rules for incoming packets from the Internet

###### (i) Packets for established connections
iptables -A INPUT -p ALL -d 192.168.1.10 -m state --state ESTABLISHED,RELATED -j ACCEPT

##### (ii) TCP rules ## Opens the server port to any TCP from the internet
iptables -A INPUT -p tcp -i $WAN -s 0/0 –dport 22 -j okay

##### (iii) UDP rules ## Opens the server port to any UDP from the internet
# iptables -A INPUT -p udp -i $WAN -s 0/0 –dport 53 -j okay

##### (iv) ICMP rules
iptables -A INPUT -p icmp -i $WAN -s 0/0 --icmp-tpe 8 -j ACCEPT
iptables -A INPUT -p icmp -i $WAN -s 0/0 --icmp-tpe 11 -j ACCEPT

#
# Creates the router between the 2 ethernet cards to accept the packets we want to forward
#
iptables -A FORWARD -i $LAN -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# (5) OUTPUT rules
# Only output packets with local addresses (no spoofing)
#
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.10.10 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.10 -j ACCEPT

#
# (6) OUTPUT rule to allow a client LAN access, but DROP internet access
# I use this to prevent various home appliances from accessing the internet
#
iptables -A OUTPUT -s 192.168.10.110 -j DROP

#
# (7) PREROUTING rules to allow a client to bypass our Squid proxy
# (NetFlix works better when it bypasses the proxy)
iptables -t nat -A PREROUTING -s 192.168.10.204 -j ACCEPT # BluRay player
iptables -t nat -A PREROUTING -s 192.168.10.205 -j ACCEPT # Sony TV

#
# (8) PREROUTING rules for transparent Squid proxy (also requires changes in the squid configuration file)
# (from: http://wiki.squidcache.org/ConfigExample...uxRedirect)
#
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP

#
# (9) POSTROUTING chain rules. SNAT is for static IP, MASQUERADE is for dynamic IP
#
iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to-source 192.168.1.10
# iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

#
# Last, but not least, save the new configuration in /etc/sysconfig/iptables
#
service iptables save

#
# EOF
#
Reply
#4
Thanks for the reply, guys.

Now Moe, my router doesn't have a NAT firewall. Should I get one that has?
Reply
#5
If your router didn't do NAT, none of the devices on your network could connect to the internet. I'd poke it a little harder. I find it highly unlikely that a consumer router didn't have some kind of configurable firewall. It may not be labeled clearly, but if you can configure port forwards and the like, it is also performing NAT behind the scenes.

Before messing with your firewall, I would try my first suggestion: configure the computer in question WITHOUT a router address. No router address - no way to talk outside the network.
Reply
#6
OK, apologies for the stupidity; I will try to figure it all out.

It's not urgent, I was considering a possibility that I would have to do this for one of my computers because it's got Windows 7 and I cannot upgrade it to something else, and as its expiry date is nearby, I thought this would be the best alternative for the Windows 7 box.

Thanks for the help.
Reply
#7
I don't mean to resurrect a long-dead thread, but I found the information I was looking for.

To disconnect a computer from Internet, yet keep it on the network, simply leave the DNS address blank when setting a static IP address.

That would do the trick.
Reply
#8
(May 02, 2021, 17:15 pm)RobertX Wrote: I don't mean to resurrect a long-dead thread, but I found the information I was looking for.

To disconnect a computer from Internet, yet keep it on the network, simply leave the DNS address blank.

That would do the trick.

Technically it is still connected - DNS is just the domain name lookup. If you do a ping 8.8.8.8 from commandline it will succesfully ping google
Reply
#9
(May 02, 2021, 17:15 pm)RobertX Wrote: I don't mean to resurrect a long-dead thread, but I found the information I was looking for.

To disconnect a computer from Internet, yet keep it on the network, simply leave the DNS address blank.

That would do the trick.


No, that doesn't work at all. As eagle said, DNS is simply for name resolution. It has nothing to do with whether or not you can reach another network.

Besides, I already answered your question in the second post.
Reply
#10
I read it, but can't seem to fathom the answer.

Should I disable the DHCP server?
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Windows 11 computer cannot access other computers in the network, giving a 0x80004005 RobertX 2 2,874 Oct 03, 2024, 21:02 pm
Last Post: RobertX
  Two network cards in one PC: is it possible? RobertX 18 53,231 Apr 20, 2022, 08:47 am
Last Post: stts2
  How would I connect Mint machine to a Wi-Fi network RobertX 0 17,027 Aug 16, 2021, 10:28 am
Last Post: RobertX
  Samba-less LMDE 4 doesn't detect network RobertX 5 28,801 May 18, 2021, 23:14 pm
Last Post: waregim
  xsane and simple-scane: how do they detect scanners on the network? RobertX 1 26,081 Mar 02, 2021, 14:57 pm
Last Post: BoxerLara



Users browsing this thread: 1 Guest(s)