
I'm trying to block access to the internet for certain devices on my network. DD-WRT has a way to do it, but only for those that are on WAN. The device is connected on LAN. What would be the iptables rules for blocking the internet but allowing the local network? Somewhere along these lines?

iptables FORWARD ????? -j DROP
PH.
    Trying to do security by MAC address is something that simply gives you a false confidence that can get you into trouble. It is far too easy to change a MAC address on a device. – Ron Maupin Jun 25 '18 at 05:55
  • That's true, Ron. Will set up the devices with static IP addresses. My question still remains: how can I block internet access while allowing local network access using iptables? – PH. Jun 26 '18 at 03:13
  • This seems like a valid question for blocking chatty IOT devices from phoning home. I don't expect them to spoof their MAC just yet. Not sure whence the downvotes, this has merit. – hraban Feb 02 '22 at 05:58

2 Answers

4

Answering the question in the title, you can block forwarding by interface. If your internal interface is eth1, and your external is eth0, try

iptables -A FORWARD -i eth1 -o eth0 -j REJECT

Getting the rule in the right place in your FORWARD chain is up to you. And I tend to prefer REJECT to DROP, for internal clients, as it gives them an actual response, and one that makes it clear that they're not going to succeed.

Dealing with the issue in the question body (which says certain devices, instead of just devices), as Ron Maupin points out there is no simple way to do this, as reliably identifying devices on a network requires an intermediate step.

Assuming your switchgear doesn't support 802.1x, running an internal VPN allows you to give qualified devices credentials which they can use to secure their egress from the network. I use OpenVPN for this. The issue is addressed in detail in my technote, though in the context of traffic shaping and exemption therefrom, rather than traffic banning and exemption, but the latter is simpler. In broad outline, you set up an OpenVPN server on the firewall device, issue keys and certificates to the qualified devices, then allow traffic on the router between the OpenVPN plaintext interface and the internet, with e.g.

iptables -A FORWARD -i tun+ -o eth0 -j ACCEPT

Don't forget to permit the return-half traffic as well.

MadHatter
  • Thanks MadHatter. I appreciate your response. My setup is a simpler one that involves a dd-wrt based router. There is an IP camera that is connected through LAN that I wish to block internet access for. I will give the IP Cam a fixed IP like 172.16.101.101. That I assumed should force the IP to that device. The router does have openvpn server support, but the client like IP Cam does not have openvpn client support. – PH. Jun 26 '18 at 10:35
  • As Ron Maupin has already pointed out, and I have tried to emphasise, absent an authentication phase there is no reliable way to ensure the camera always gets that IP address, if something on the camera decides it would rather have a different one. – MadHatter Jun 26 '18 at 13:16
  • substituting `-s ` with `-m --mac-source ` isn't working (though it works with the -s arg)... – nmz787 Jan 20 '19 at 23:45
  • oh, apparently you need to specify `-m mac --mac-source AD:DR:ES:SS:00:00`. I didn't have `mac` after `-m` and didn't think the colons mattered, but they seem to for me. – nmz787 Jan 20 '19 at 23:53
0

To answer the specific question: "How do I block a specific MAC address on my LAN from accessing the internet, but still keep it accessible over the LAN itself":

iptables -I FORWARD 1 -m mac --mac-source be:be:fe:fe:ca:12 -o eth0 -j REJECT

(assuming eth0 is your internet)

This inserts the rule at the top of the FORWARD chain, which worked for me.

I use this to keep my printer from phoning home without sacrificing wifi printing.

Source: iptables, allow access from certain MAC addresses

Important caveat:

But this only works on the same network, as MAC addressing is link-layer specific and won't get forwarded when using routing. So, as long as the devices are on different networks that need routing, this won't work.

hraban
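The MAC-based rule from this answer, and the `-m mac --mac-source` syntax pitfall raised in the comments above, wrapped in a small POSIX shell script. This is an added example, not code from either answer; it assumes eth0 is the WAN interface (as both answers do) and uses the constructed MAC address from this answer. The rule is only printed for review unless IPT_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the answers above). Blocks one LAN device,
# identified by its MAC address, from being forwarded to the WAN interface
# while leaving its LAN traffic untouched. Assumes the device is on the
# same layer-2 segment as the router: the MAC match only sees frames that
# arrive directly, not traffic that was already routed (see the caveat above).

# Validate the colon-separated form that `-m mac --mac-source` expects
# (the comment above notes that the colons matter).
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the iptables command that rejects forwarded traffic from MAC $1
# towards WAN interface $2. It is inserted at position 1 so that an earlier
# ACCEPT rule in FORWARD cannot shadow it. REJECT (rather than DROP) gives
# the device an immediate error instead of a hanging connection.
block_rule() {
    mac=$1; wan=$2
    valid_mac "$mac" || { echo "bad MAC address: $mac" >&2; return 1; }
    printf 'iptables -I FORWARD 1 -m mac --mac-source %s -o %s -j REJECT\n' \
        "$mac" "$wan"
}

# Apply the rule only if it is not already present (-C checks for a matching
# rule), so re-running the script does not stack duplicates. Needs root.
apply_block() {
    mac=$1; wan=$2
    valid_mac "$mac" || { echo "bad MAC address: $mac" >&2; return 1; }
    if iptables -C FORWARD -m mac --mac-source "$mac" -o "$wan" -j REJECT 2>/dev/null; then
        echo "rule for $mac already present"
    else
        iptables -I FORWARD 1 -m mac --mac-source "$mac" -o "$wan" -j REJECT
    fi
}

# Constructed sample values: the MAC from the answer above and eth0 as WAN.
if [ "${IPT_APPLY:-0}" = 1 ]; then
    apply_block be:be:fe:fe:ca:12 eth0
else
    block_rule be:be:fe:fe:ca:12 eth0
fi
```

After applying, `iptables -L FORWARD -n -v --line-numbers` shows the rule at position 1 and its packet counters, which is the quickest way to confirm the device's traffic is actually hitting it.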