How to Block Internet Access While Keeping LAN Connectivity on Linux
Need to cut off internet access on your Linux system without losing local network functionality? Whether you’re working on sensitive tasks, testing network configurations, or simply want to ensure no data leaves your local environment, there are several effective methods to block internet egress while maintaining full access to your LAN resources.
In this guide, we’ll cover three proven approaches—from quick temporary solutions to more sophisticated firewall configurations—that let you control network access with precision.
Why Block Internet But Keep LAN Access?
Before diving into the technical solutions, you might need this configuration for several legitimate reasons:
- Security testing and penetration testing in isolated environments
- Preventing data exfiltration during malware analysis
- Offline development that requires local services but no external connectivity
- Network troubleshooting to isolate local vs. internet routing issues
- Compliance requirements for air-gapped workflows
Let’s explore three methods, ranked from fastest to most comprehensive.
Method 1: Quick Route Blackholing (Fastest Temporary Solution)
Best for: Temporary blocks that you can toggle on and off instantly
This method leverages Linux routing tables to blackhole your default route, effectively blocking all traffic destined for the internet while preserving any explicitly-routed LAN traffic (like 10.0.0.0/8, 192.168.0.0/16).
How It Works
When you blackhole the default route, Linux will only send traffic to destinations with specific routes defined. Since your LAN subnets have explicit routes, they remain accessible, but everything else (the internet) hits a dead end.
Implementation
# First, check your current routes
ip route
# Blackhole the default route
sudo ip route replace blackhole default
# To restore internet access (replace X.Y.Z.W with your actual gateway IP):
sudo ip route replace default via X.Y.Z.WImportant Considerations
- NetworkManager behavior: If you’re using Wi-Fi or Ethernet managed by NetworkManager, bringing the interface down and up may automatically restore the default route. Simply re-run the blackhole command if this happens.
- Persistence: This change is ephemeral and won’t survive a reboot, making it ideal for temporary isolation.
Method 2: UFW Firewall Rules (Simple and Readable)
Best for: Users who prefer a clean, rule-based approach with easy on/off toggling
Ubuntu’s Uncomplicated Firewall (UFW) provides a user-friendly interface for configuring firewall rules. This method denies all outbound traffic by default, then explicitly allows private LAN ranges.
Step-by-Step Configuration
# Optional: Start with a clean slate
sudo ufw --force reset
# Set default policies - deny all outbound, allow incoming
sudo ufw default deny outgoing
sudo ufw default allow incoming
# Always allow loopback traffic (critical for local services)
sudo ufw allow out on lo
# Allow common private LAN ranges (adjust based on your network)
sudo ufw allow out to 10.0.0.0/8
sudo ufw allow out to 172.16.0.0/12
sudo ufw allow out to 192.168.0.0/16
sudo ufw allow out to 169.254.0.0/16 # Link-local addresses
# Optional: Allow specific internal services
# sudo ufw allow out to 192.168.1.53 port 53 proto udp # Internal DNS
# sudo ufw allow out to 192.168.1.53 port 53 proto tcp
# sudo ufw allow out to 192.168.1.10 port 123 proto udp # Internal NTP
# Enable the firewall
sudo ufw enable
# When finished, disable to restore normal access
sudo ufw disableWhat Gets Blocked
- System updates and package downloads
- Internet pings and connectivity checks
- All outbound connections to public IP addresses
- DNS queries to public resolvers (unless specifically allowed)
What Stays Accessible
- All devices on your local network
- Network file shares and printers
- Local web interfaces and services
- Internal databases and application servers
Method 3: nftables Configuration (Most Precise and Powerful)
Best for: Advanced users who need fine-grained control and scriptable solutions
Modern Ubuntu systems use nftables as the underlying packet filtering framework. This method gives you maximum control with a minimal, explicit ruleset.
Creating the Ruleset
# Backup your current firewall rules
sudo nft list ruleset > ~/nft-backup.nft
# Apply the restrictive ruleset
sudo nft -f - <<'EOF'
flush ruleset
table inet filter {
chain output {
type filter hook output priority 0;
# Accept loopback traffic
ip daddr 127.0.0.0/8 accept
ip6 daddr ::1/128 accept
# Accept RFC1918 private IPv4 networks
ip daddr 10.0.0.0/8 accept
ip daddr 172.16.0.0/12 accept
ip daddr 192.168.0.0/16 accept
ip daddr 169.254.0.0/16 accept
# Optional: Allow specific internal services
# udp dport 53 ip daddr 192.168.1.53 accept # DNS
# udp dport 123 ip daddr 192.168.1.10 accept # NTP
# Drop all other traffic (internet-bound)
counter drop
}
}
EOF
# Restore your original rules when done
sudo nft -f ~/nft-backup.nft
Advantages of nftables
- Performance: nftables is more efficient than older iptables
- Atomic updates: All rules are applied or rolled back together
- Better syntax: More readable and maintainable rule definitions
- Non-persistent by default: Rules disappear on reboot unless explicitly saved
Critical Safety Warnings
Remote SSH Sessions
⚠️ If you’re connected via SSH over the internet, all three methods will immediately sever your connection. Always perform these operations locally or first create an allow rule for your management IP address.
# UFW example - allow your SSH connection first:
sudo ufw allow in from YOUR.IP.ADDRESS to any port 22DNS Resolution Issues
When blocking internet access, DNS queries to public resolvers (like 8.8.8.8 or 1.1.1.1) will fail. If your applications need DNS:
- Use an internal DNS server and add explicit allow rules for it
- Configure /etc/hosts for critical domain names you need to resolve
- Point /etc/resolv.conf to your LAN DNS server (e.g., 192.168.1.1)
Persistence Considerations
| Method | Persistence | Best Use Case |
|---|---|---|
| Route blackholing | Until reboot or manual restore | Quick temporary blocks |
| UFW | Until disabled | Scheduled work sessions |
| nftables | Until reboot (unless saved) | Scripted automation |
Verification and Testing
After applying any method, verify your configuration:
# This should fail (timeout or connection refused):
curl https://1.1.1.1 --max-time 3
# This should succeed (replace with your LAN host):
ping 192.168.1.1
# Check you can access LAN services:
curl http://192.168.1.50:8080Choosing the Right Method
Use Route Blackholing if you need the absolute fastest way to temporarily block internet access and don’t mind re-applying it after network changes.
Use UFW if you want a straightforward, well-documented solution that’s easy to enable, disable, and troubleshoot.
Use nftables if you need maximum control, want to script your firewall changes, or require the most efficient packet filtering.
Frequently Asked Questions
Will these methods affect VPN connections?
Yes, VPN traffic to external servers will be blocked. If you’re using a LAN-based VPN server, it will continue to work.
Can I whitelist specific websites?
Yes, but you’ll need to allow both the specific IP addresses and DNS resolution. It’s easier to allow entire subnets or services rather than individual domains.
What happens to already-established connections?
With UFW and nftables, existing connections may continue temporarily due to connection tracking. The route blackhole method kills new and existing traffic immediately.
Will this break Docker or virtual machines?
It depends on your network configuration. If Docker uses bridge networking with private IPs, it should work. NAT-based containers reaching the internet will be blocked.
Blocking internet access while preserving LAN connectivity is a powerful technique for security-conscious users, developers, and system administrators. Whether you choose the speed of route blackholing, the simplicity of UFW, or the precision of nftables, you now have the tools to control your system’s network behavior exactly as needed.
Remember to always test your configuration, verify that local services remain accessible, and document your setup for future reference. And most importantly, ensure you have local access to your system before applying these changes to avoid locking yourself out.
Need a customized solution? Drop your specific LAN range, connection type (Wi-Fi/Ethernet), and use case in the comments, and we can provide a tailored configuration for your exact setup.