Security – Block incoming traffic to specific computer

Tags: firewall, networking, Security

I have a router that is connected to the internet.
We connect to that router via LAN and WAN.
WAN settings are up, router user/pass is set, and router access is secured with WPA/WPA-2.
I want some computers to be connected to the router (LAN or WAN) and be protected from the outside world.

What is the best way of doing so?

The computers' firewall must be turned off.
The router firewall is on; it is a cheap, typical TP Link router – TL-WR741N / TL-WR741ND.
Are these settings enough? To set the firewall on on the router, or maybe I can block incoming traffic to certain IPs – the IPs of the computers I want to use internally on the network, so computers from outside would not be able to hack them.

Best Answer

Your firewall/router by default will block incoming traffic and only allow traffic outbound that is initiated by the internal LAN side. Make sure the firewall is turned on, yes. Especially if this is the final route out to the internet.

So incoming connections initiated by the outside should be dropped by default but you can do a full port scan of your WAN public IP address(es) here: http://www.hackerwatch.org/probe/

That should help you gauge if anything is open or not open.

There are other steps such as ensuring your WAN IP for management purposes on your router isn't accessible (to prevent external access to it by hacking attempts), along with secure passwords instead of the defaults on it. Make sure it's on the latest firmware and ask TP Link if there are any known exploits against that router.

This isn't foolproof by any means, and you'll need to be thorough about your security if you ever change anything or do allow inbound port access for things like VPN, hosted apps (like websites/email), etc.

If you are super concerned or it is a big deal to management, consider hiring a small firm to do a penetration test and security assessment from time to time.

Finally, relax... you are probably a small shop, so don't go crazy trying to create all kinds of layers and customization. Put in place what makes you and management comfortable without being so draconian that people cannot work.
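A scripted cross-check for the external port scan recommended in this answer, as an added example that is not part of the original answer: it probes your own WAN address and separates ports that accept connections from ports that refuse them or never reply (a firewall that drops packets shows up as `filtered`). The function names, the port list and the address `203.0.113.10` (a documentation placeholder) are assumptions; run it from a host outside the LAN, since a probe of the WAN address from inside may be answered by the router's LAN side.

```python
import errno
import socket

# Ports a small-office router or an accidental port forward commonly exposes.
# Constructed list for this example; adjust to the services you actually run.
AUDIT_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http admin",
               443: "https admin", 3389: "rdp", 8080: "alt http admin"}


def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' (actively refused) or 'filtered' (no usable reply)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        rc = s.connect_ex((host, port))  # returns an errno instead of raising
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    # Timeouts and unreachable errors: the packet was dropped along the way.
    return "filtered"


def audit(host, ports=AUDIT_PORTS, timeout=2.0):
    """Probe every port in `ports` and return {port: state}."""
    return {port: probe(host, port, timeout) for port in sorted(ports)}


def exposed(results):
    """Ports that accepted a connection. With no port forwards and remote
    management disabled, this list should be empty."""
    return [port for port, state in results.items() if state == "open"]


if __name__ == "__main__":
    wan_ip = "203.0.113.10"  # placeholder: replace with your own WAN IP
    results = audit(wan_ip)
    for port, state in results.items():
        print(f"{port:>5} {AUDIT_PORTS[port]:<15} {state}")
    if exposed(results):
        print("Reachable from outside:", exposed(results))
```

Re-run it after any change to port forwarding, remote management or firmware, and compare the result with the previous run.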
