Block all network requests and use whitelist

Ok, this seems like it should be super simple. The requirements are simple. But for some reason, figuring out how to do this seems convoluted.

Simply put, I want to use Windows 10 (Well, WANT is a strong word - I want to try it and I may NEED to use it). I have a Windows 10 VM set up and I want to block ALL network traffic except specific IP/ports and a few domains. There are only 4 programs I need Windows for - Fusion 360, one video game (Steam), Parsec (parsecgaming.com) and a file sync program (MegaSync) which I will use to share files with the system. Beyond this, ALL other network traffic should be BLOCKED. A few websites/domains should be accessible - steampowered.com, nvidia.com (to download drivers) and maybe a few others required to maintain the critical portions of the system.

There are a few ways I can block / control network traffic. Using my router (ClearOS); using the Hypervisor (Proxmox) or setting up a dedicated Linux server to act as a gateway for the windows box.

Here are my results so far:
ClearOS doesn’t seem to have very powerful filtering options from the GUI, otherwise they are not intuitive.

Setting up iptables on the Hypervisor completely ********** the system’s network configuration. Not sure what happened - may be a bug with Proxmox or something I did that I didn’t realize. I was able to get networking working again with the Host.

Currently setting up a Debian VM solely to route network traffic for the Windows VM. Setting up iptables seems pretty straightforward, for the most part. But where I’m really getting stuck is the domain name filtering. I THINK I need a proxy for this. Squid and Dansguardian are the most referenced examples. It seems like DG is geared towards blocking porn and content, not so much blocking entire domains. Maybe dnsmasq is what I need? The Debian VM will also act as the DNS server for the Windows machine. I would think this would be easiest. Whitelist some domains: steampowered.com, google.com, nvidia.com, geforcegaming.com, parsecgaming.com, autodesk.com - etc. ALL ports for whitelisted domains should be trusted. I don’t want to just open up e.g. port 80 for all internet IPs, but many (all?) of the domains above resolve to different IPs based on server load.

Other specialized ports I should be able to get from the software vendor, or maybe using logs on the gateway VM to open specific ports for specific IP addresses as needed.

The GOAL is to SPECIFICALLY block ALL Micro$oft network traffic. As far as Windows and any MicroSoft software is concerned, there is NO internet connection.

So… it seems like a simple request, right? So HOW do I DO this??

I think what I’m looking for is a configuration that already exists. Dansguardian, squid, iptables have complex options. The Config file for Squid is several thousand lines long. I don’t want to learn a whole new programming language just to accomplish my goal. IPTables, I think I can figure that one out. Everything else seems convoluted for what I’m trying to do.
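The gateway design sketched in the post (Debian VM in the middle, iptables default-deny, dnsmasq as the only resolver the Windows VM sees) can be expressed in two short config generators. The script below is an added example, not the poster's configuration and not shipped by dnsmasq, Pi-hole or any project named here. Interface names, addresses, the set name `allowed4` and the sample fixed endpoints are assumptions; the domain list is the one from the post. It uses two real features that fit the "IPs change under load" problem: dnsmasq's `ipset=/domain/set` option adds every address it resolves for an allowlisted name to a kernel ipset, and iptables' `-m set --match-set` accepts forwarded traffic only to addresses in that set, so no IP ever has to be hard-coded for those domains. Every other name resolves to 0.0.0.0 via `address=/#/`, and anything that bypasses DNS (hard-coded addresses, DNS-over-HTTPS to a public resolver) still meets the FORWARD drop policy and is logged, which is also how the extra vendor ports mentioned later can be discovered from the gateway's log.

```shell
#!/bin/sh
# Added example for the gateway described above; not the poster's own setup.
# Generates (does not apply) the two configs a default-deny gateway needs:
#   1. dnsmasq: answer only allowlisted names and feed their A records into a
#      kernel ipset through dnsmasq's ipset= option (dnsmasq >= 2.66).
#   2. iptables: FORWARD policy DROP; accept only destinations in that set plus
#      fixed ip/port pairs; log whatever is dropped so missing ports show up.
# Assumed (hypothetical) topology: eth0 toward the upstream router, eth1 on an
# isolated bridge with the Windows VM, gateway 10.10.10.1, Windows VM 10.10.10.2.
WAN_IF=eth0
LAN_IF=eth1
WIN_IP=10.10.10.2
IPSET=allowed4                # hypothetical set name
UPSTREAM_DNS=9.9.9.9          # placeholder upstream resolver

# Domains from the post. dnsmasq matches subdomains of each automatically.
ALLOW_DOMAINS="steampowered.com google.com nvidia.com geforcegaming.com parsecgaming.com autodesk.com"

# Fixed endpoints: "proto ip port", one per line. Constructed sample values
# standing in for whatever vendor docs or the gateway's drop log turn up.
ALLOW_ENDPOINTS="tcp 198.51.100.10 8000
udp 198.51.100.10 8000"

# Emit /etc/dnsmasq.d/win-allowlist.conf
gen_dnsmasq() {
  printf 'interface=%s\n' "$LAN_IF"
  printf 'no-resolv\n'                  # ignore /etc/resolv.conf entirely
  printf 'address=/#/0.0.0.0\n'         # any name not listed below -> 0.0.0.0
  for d in $ALLOW_DOMAINS; do
    printf 'server=/%s/%s\n' "$d" "$UPSTREAM_DNS"  # more specific, beats /#/
    printf 'ipset=/%s/%s\n' "$d" "$IPSET"          # resolved IPs land in the set
  done
}

# Emit the iptables/ipset commands; review them, then pipe to sh as root.
gen_firewall() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ipset -exist create $IPSET hash:ip family inet
iptables -P FORWARD DROP
ip6tables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $WIN_IP -o $WAN_IF -m set --match-set $IPSET dst -j ACCEPT
EOF
  printf '%s\n' "$ALLOW_ENDPOINTS" | while read -r proto ip port; do
    [ -n "$proto" ] || continue
    printf 'iptables -A FORWARD -i %s -s %s -o %s -p %s -d %s --dport %s -j ACCEPT\n' \
      "$LAN_IF" "$WIN_IP" "$WAN_IF" "$proto" "$ip" "$port"
  done
  cat <<EOF
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "win-gw-drop: "
iptables -A INPUT -i $LAN_IF -s $WIN_IP -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $WIN_IP -p tcp --dport 53 -j ACCEPT
iptables -t nat -A POSTROUTING -s $WIN_IP -o $WAN_IF -j MASQUERADE
EOF
}

# Print both configs for review:
#   sh gateway.sh
# Then install the dnsmasq part and apply the firewall part:
#   gen_dnsmasq > /etc/dnsmasq.d/win-allowlist.conf && systemctl restart dnsmasq
#   gen_firewall | sudo sh
gen_dnsmasq
gen_firewall
```

Two things worth knowing before relying on it. The ipset is created without a timeout, so it only grows while the gateway is up; that is acceptable for an allowlist, and a reboot or `ipset flush` starts clean. IPv6 is dropped outright in FORWARD because the set only holds IPv4 addresses; if the upstream offers IPv6 and that rule were missing, AAAA answers for allowlisted names would open a path the allowlist does not control. The `win-gw-drop:` lines in the gateway's kernel log are the place to look when one of the four programs misbehaves: they show exactly which address and port it tried, which is safer than widening rules by guesswork.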

Maybe an app/client level firewall is for you, like Little Snitch (OSX) / glassware (win) / ZoneAlarm (win).

It’s probably easier than doing the same on a network level or maintaining a DNS/IP/domain whitelist/blacklist, messing with mitm certs and proxies and disabling cert pinning everywhere.


I think you should be good to go with a combo of iptables and a Pi-hole setup.
Pi-hole allows you to do wildcard blocking.

Perhaps put W10 on a VLAN? It will be easier to effectively isolate it from your LAN and the Internet, unless you specifically add rules for specific services.