
I currently have a router attached to the main network (192.168.0.x). On this router, I want the ethernet ports to link to the main network, and the VLANs (wireless) to be set up via a separate DHCP server on its own subnet (192.168.1.x). This works just fine right now.

The problem I'm having is that I want to block access from the VLANs to other clients on the same subnet (so block 192.168.0.x traffic to 192.168.0.x) and also block all traffic to the main network subnet (albeit allowing DNS queries).

I figured I would need some iptables rules:

```sh
# allow DNS
iptables -I INPUT -i br0 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br0 -p tcp --dport 53 -j ACCEPT
iptables -I OUTPUT -p udp --dport 53 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 53 -j ACCEPT

# deny access to the 192.168.x.x hosts from internal vlan-users
iptables -A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -j DROP
iptables -A FORWARD -d 192.168.0.0/255.255.255.0 -m state --state NEW -j DROP
iptables -I INPUT -d 192.168.0.0/255.255.255.0 -m state --state NEW -j DROP
```

However, when testing this, I was still able to connect to clients on 192.168.0.x and 192.168.1.x.

What am I missing? Am I perhaps trying it on the wrong chains (or perhaps table)?

    Typically traffic within the same subnet does not need routing so blocking it at the router won't be effective. But maybe I don't understand your question correctly. – HBruijn Jun 15 '16 at 08:26
  • Could you please further specify which interface is connected to which subnet and which interfaces are on the bridge. Could you also please confirm for me, so I understand your question correctly, that with vlan you mean virtual LAN, or do you want to block wireless clients? From my experience a sketch of the network layout helps a lot when setting up a firewall and could certainly help for this question. – rda Jun 15 '16 at 09:04
  • Hi, I've made a network layout sketch. ![Network layout sketch](https://s32.postimg.org/ohjqidkyt/eth_shot.jpg) By vlan I do indeed mean virtual LAN. I want to block my wireless clients from interacting with each other, and from being able to connect to any of my other clients (on any subnet). I currently have 1 bridge, via which both the virtual LAN and ethernet are sent. – Tularis Jun 15 '16 at 11:46
  • Thank you for the sketch. While you can't block wireless clients from interacting with each other, you should be able to restrict traffic on the bridge between the interfaces. You can match on enslaved bridge port input and output devices with `-m physdev --physdev-in` or `-m physdev --physdev-out`. – rda Jun 15 '16 at 19:17
  • I was afraid that would be the case :( Still, I'll try to at least secure access restrictions between the subnets (since all traffic going between subnets should pass via iptables, right?) – Tularis Jun 17 '16 at 12:58

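Pulling the comments together, here is an added example (not code from the question or from any commenter) of a rule set that filters both the routed and the bridged path in FORWARD and matches bridge ports with `-m physdev`, instead of INPUT/OUTPUT, which only see traffic to or from the router itself. The port names `wl0.1` and `eth1`, the DNS server address `192.168.0.1` and the chain name `WIFI_ISOLATE` are assumptions; it prints the rules unless `DRY_RUN=0` is set and it runs as root.

```shell
#!/bin/sh
# Added example, not code from the question or its comments. Isolates a
# wireless VLAN that shares bridge br0 with the wired ports, as suggested in
# the comments (filter in FORWARD, match bridge ports with -m physdev).
# Assumptions: port names, the DNS server address and the chain name.
# Dry run by default (rules are printed); set DRY_RUN=0 and run as root to apply.
WIFI_PORT=wl0.1           # assumed: wireless VLAN interface enslaved to br0
WIRED_PORT=eth1           # assumed: wired LAN port enslaved to br0
WIFI_NET=192.168.1.0/24   # wireless clients (from the question)
MAIN_NET=192.168.0.0/24   # main network (from the question)
DNS_SERVER=192.168.0.1    # assumed: the only main-network host wireless may reach
CHAIN=WIFI_ISOLATE        # assumed: dedicated chain, leaves existing rules alone

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

isolate_wifi_rules() {
    # Bridged frames only traverse the iptables FORWARD chain with br_netfilter on.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1

    # INPUT and OUTPUT only see traffic to or from the router itself, which is
    # why the rules in the question never matched client-to-client traffic.
    run iptables -N "$CHAIN" || true
    run iptables -F "$CHAIN"
    run iptables -D FORWARD -j "$CHAIN" 2>/dev/null || true
    run iptables -I FORWARD 1 -j "$CHAIN"

    # Replies to connections opened from the main network toward wireless clients.
    run iptables -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # DNS is the only service wireless clients may reach on the main network;
    # these ACCEPTs must come before the DROPs below.
    run iptables -A "$CHAIN" -s "$WIFI_NET" -d "$DNS_SERVER" -p udp --dport 53 -j ACCEPT
    run iptables -A "$CHAIN" -s "$WIFI_NET" -d "$DNS_SERVER" -p tcp --dport 53 -j ACCEPT
    # Routed path: wireless subnet to main subnet.
    run iptables -A "$CHAIN" -s "$WIFI_NET" -d "$MAIN_NET" -j DROP
    # Bridged path: frames that enter on the wireless port and leave on a wired
    # port are never routed, so match on the bridge ports themselves.
    run iptables -A "$CHAIN" -m physdev --physdev-in "$WIFI_PORT" \
        --physdev-out "$WIRED_PORT" -j DROP
    # Traffic between two clients of the same wireless interface is switched by
    # the access point and never reaches the bridge (HBruijn's point); that
    # needs client isolation on the radio, not an iptables rule.
}

isolate_wifi_rules
```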