Restricting the network to ping only to the Google Search Engine

When we work in the real world, we may come across some use cases where we want to disable the user from accessing the websites other than we allowed. One of the great ways to achieve this is to use the firewall but if we want to know the internals of how the network works, we have to do some experiments to achieve this using pure networking concepts. So, in this article, I will show you how to allow the user to access only the websites that we had allowed using pure networking concepts.

At the end of this article, we will achieve something like that we are able to ping to the Google Search Engine but we can’t ping to other sites like facebook.com.

Let's begin…

Prerequisites:

The only prerequisite is the internet-enabled computer with a Linux operating system.

Step 1: Check if the internet is working fine

First of all, we will check that if our internet is working fine and we are able to ping to other sites.

Step 2: Check the routing table

The routing table is the one that will decide to which network we can connect.

You can see that the default rule in this routing table shows that we can connect to any of the IPs available in the world. That is we can connect to any of the websites in the world.

0.0.0.0 10.0.2.2 0.0.0.0 UG 100 0 0 enp0s3

So, if we want to restrict the user first of all we have to remove this routing rule so that the routing table won’t allow going to any IP. The other two rules don’t allow to connect to the public because for going to the internet we required the gateway. And the 0.0.0.0 in the gateway field of the other two rules means the gateway is absent.

Step 3: Remove the routing rules that allows going to the internet

Now, as we had deleted all of the routing rules if we tried to ping any of the websites we will get the message that the network is unreachable.

Step 4: Add the routing rule to allow connecting to the Google Search Engine

Now, we have to allow the users to connect to the Google Search Engine that is www.google.com. But for allowing connection to www.google.com, we first required to know the IP address where the Google Search Engine is running.

To find the IP address of the Google Search Engine, we will use the nslookup command.

$ nslookup www.google.com

As we can see in the above image, the IP of the Google Search Engine is 142.250.76.164.

For creating the rule that will allow connecting to the ww.google.com, we will be required to know the network name within which 142.250.76.164 comes.
Let’s assume that the network name is 142.250.0.0.

Now, we have to give the netmask that will include the IP 142.250.76.164 in the network. So, the netmask will be 255.255.0.0.

Now, we will add the routing rule that can allow connection to the IP 142.250.76.164.

$ route add -net 142.250.0.0 netmask 255.255.0.0 gw 10.0.2.2 enp0s3

Step 5: Check if we can connect only to the Google Search Engine

Now, let's check if we can connect only to www.google.com and all other sites are disabled.

You can see on the above image that I’m able to connect to www.google.com.

Let’s check the Facebook site www.facebook.com from the browser.

No Internet!
We can’t connect to Facebook. If you tried any other sites then also you won’t connect to those sites.

Finally, we had successfully achieved the network setup that can only connect to the Google Search Engine and all other sites are not allowed to connect with the pure networking concepts.

That's it for this article!

For any help or suggestions connect with me on Twitter at @TheNameIsAnkush or find me on LinkedIn.