Posted: Fri Mar 31, 2023 14:36 Post subject: Secure a Client Machine on a vlan?
Dear Forum.
I want to secure a client device on its own port (vlan6, br4, port 4) and to be isolated from the rest of the network.
I also want to only allow this client device to communicate with a group of whitelisted urls.
Router Model - TP-Link Archer C9
Firmware Version - DD-WRT v3.0-r44715 std (11/03/20)
My set up.
vlan2 = (WAN Internet)
port 1 = br0 = vlan1 eth1 = for desktop and admin
port 2 = br4 = vlan4 = for e.g. CCTV
port 3 = br5 = vlan5 = for e.g. WiFi
port 4 = br6 = vlan6 = for client device
Interface br4 -: IP 192.168.4.1/255.255.255.0
Interface br5 -: IP 192.168.5.1/255.255.255.0
Interface br6 -: IP 192.168.6.1/255.255.255.0
I want all bridges to have access to internet, but to be isolated from each other. Thus my firewall rules are:
# block anything that falls through (just a precaution)
iptables -I FORWARD -i br+ -o br+ -m state --state NEW -j REJECT
# deny isolate networks access to any other networks
iptables -I FORWARD -i br4 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br5 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br6 -o br+ -m state --state NEW -j REJECT
# allow MAIN network access to any other networks for admin
iptables -I FORWARD -i br0 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i br0 -o br4 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i br0 -o br5 -m state --state ESTABLISHED,RELATED -j ACCEPT
Now to only allow br6 to talk to a group of whitelisted URLs (bbc.co.uk) I have added to the firewall:
My iptables output looks like this:
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br6 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
I have also tried:
iptables -I FORWARD -i br6 -s 192.168.6.101 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i br6 -s 192.168.6.101 -d ! bbc.co.uk -j DROP
My iptables output is:
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br6 * 192.168.6.101 0.0.0.0/0 state RELATED,ESTABLISHED
My output is:
pkts bytes target prot opt in out source destination
0 0 DROP all -- br6 * 192.168.6.101 151.101.192.81
0 0 DROP all -- br6 * 192.168.6.101 151.101.128.81
0 0 DROP all -- br6 * 192.168.6.101 151.101.64.81
0 0 DROP all -- br6 * 192.168.6.101 151.101.0.81
0 0 ACCEPT all -- br6 * 192.168.6.101 0.0.0.0/0 state RELATED,ESTABLISHED
The rules seem to be applied.
Can anyone help with executing the ! rule?
Or is there an alternative method to achieve the same?
https://ftp.dd-wrt.com/dd-wrtv2/downloads/betas/2023/
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Fri Mar 31, 2023 15:12 Post subject: Re: Secure a Client Machine on a vlan?
bongo1129 wrote:
Dear Forum.
I want to secure a client device on its own port (vlan6, br4, port 4) and to be isolated from the rest of the network.
I also want to only allow this client device to communicate with a group of whitelisted urls.
Router Model - TP-Link Archer C9
Firmware Version - DD-WRT v3.0-r44715 std (11/03/20)
My set up.
vlan2 = (WAN Internet)
port 1 = br0 = vlan1 eth1 = for desktop and admin
port 2 = br4 = vlan4 = for e.g. CCTV
port 3 = br5 = vlan5 = for e.g. WiFi
port 4 = br6 = vlan6 = for client device
Interface br4 -: IP 192.168.4.1/255.255.255.0
Interface br5 -: IP 192.168.5.1/255.255.255.0
Interface br6 -: IP 192.168.6.1/255.255.255.0
I want all bridges to have access to internet, but to be isolated from each other. Thus my firewall rules are:
# block anything that falls through (just a precaution)
iptables -I FORWARD -i br+ -o br+ -m state --state NEW -j REJECT
# deny isolate networks access to any other networks
iptables -I FORWARD -i br4 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br5 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br6 -o br+ -m state --state NEW -j REJECT
# allow MAIN network access to any other networks for admin
iptables -I FORWARD -i br0 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i br0 -o br4 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i br0 -o br5 -m state --state ESTABLISHED,RELATED -j ACCEPT
Now to only allow br6 to talk to a group of whitelisted URLs (bbc.co.uk) I have added to the firewall:
My iptables output looks like this:
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br6 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
I have also tried:
iptables -I FORWARD -i br6 -s 192.168.6.101 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i br6 -s 192.168.6.101 -d ! bbc.co.uk -j DROP
My iptables output is:
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br6 * 192.168.6.101 0.0.0.0/0 state RELATED,ESTABLISHED
My output is:
pkts bytes target prot opt in out source destination
0 0 DROP all -- br6 * 192.168.6.101 151.101.192.81
0 0 DROP all -- br6 * 192.168.6.101 151.101.128.81
0 0 DROP all -- br6 * 192.168.6.101 151.101.64.81
0 0 DROP all -- br6 * 192.168.6.101 151.101.0.81
0 0 ACCEPT all -- br6 * 192.168.6.101 0.0.0.0/0 state RELATED,ESTABLISHED
The rules seem to be applied.
Can anyone help with executing the ! rule?
Or is there an alternative method to achieve the same?
Many thanks for your help in advance.
As the former speaker already noted, you are running an old and outdated build.
First step is to upgrade to a current build.
Unfortunately, coming from such an old build, a reset *after* the update and putting the settings in manually is highly recommended.
Luckily your iptables rules can also use some tweaking.
For the isolation of the VLANs/bridges, start with enabling Net Isolation on all interfaces, e.g. br1, br2, etc.
Now the bridges are isolated from the main network (br0) but not from each other.
You can simply do that with:
iptables -I FORWARD -i br+ -o br+ -m state --state NEW -j REJECT
However, as a side effect, this also isolates each bridge from itself, which is used for WAN NAT redirection. If that is no problem then you are good; otherwise you have to specify it all (and not use the br+ rule), e.g.:
iptables -I FORWARD -i br4 -o br5 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br6 -m state --state NEW -j REJECT
iptables -I FORWARD -i br5 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br5 -o br6 -m state --state NEW -j REJECT
iptables -I FORWARD -i br6 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br6 -o br5 -m state --state NEW -j REJECT
Now enable access from br0:
iptables -I FORWARD -i br0 -o br+ -m state --state NEW -j ACCEPT
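Putting the two halves of the thread together (the pairwise bridge isolation from this reply, and the per-client destination allow-list the original post asks about), here is an added example script that is not from this thread, its posters, or DD-WRT. It emits the iptables commands instead of running them, so the output can be read first and then pasted into the DD-WRT firewall script or piped to sh on the router. Assumptions: the bridge names and addresses are the ones from the post; Net Isolation is already enabled on br4, br5 and br6 in the GUI (isolation from br0); 192.168.6.101 is a static lease; and the allow-list is given as literal addresses, because iptables resolves a hostname once at insert time and emits one rule per A record, which makes negating a multi-address name such as bbc.co.uk fragile and leaves CDN address changes unhandled. Instead of negation, the allow-list is built as explicit ACCEPTs followed by a catch-all REJECT, emitted in reverse because -I prepends. The function names gen_isolation_rules and gen_whitelist_rules are invented for this example.

```shell
#!/bin/sh
# Added example (not from the thread): emit the iptables commands for
# pairwise bridge isolation plus a per-client destination allow-list.
# Commands are printed, not executed, so they can be reviewed and then
# piped to sh on the router. Bridge and address values are assumed from
# the thread; Net Isolation is assumed enabled on the isolated bridges.

# gen_isolation_rules ADMIN_BR ISOLATED_BR...
# Reject NEW connections between every ordered pair of isolated bridges.
# Self-pairs (br4 -> br4) are skipped on purpose: a blanket
# "-i br+ -o br+" rule also catches traffic that re-enters the same
# bridge (the WAN-NAT redirection side effect noted in the reply).
gen_isolation_rules() {
    admin=$1; shift
    for in_br in "$@"; do
        for out_br in "$@"; do
            if [ "$in_br" != "$out_br" ]; then
                printf 'iptables -I FORWARD -i %s -o %s -m state --state NEW -j REJECT\n' \
                    "$in_br" "$out_br"
            fi
        done
    done
    # Emitted last so it lands first in the chain (-I prepends): the
    # admin bridge may open connections into every other bridge.
    printf 'iptables -I FORWARD -i %s -o br+ -m state --state NEW -j ACCEPT\n' "$admin"
}

# gen_whitelist_rules BRIDGE CLIENT_IP ADDR...
# Allow one client only to the listed destination addresses. Lines are
# emitted in REVERSE of the intended evaluation order because -I prepends;
# the resulting chain order is:
#   ESTABLISHED,RELATED ACCEPT -> per-address NEW ACCEPT -> catch-all REJECT
# Addresses are literal IPs: iptables resolves a hostname only at insert
# time (one rule per A record), so CDN-backed names need the rules
# regenerated whenever the name's addresses change. DNS from the client to
# the router itself passes through INPUT, not FORWARD, so it is unaffected.
gen_whitelist_rules() {
    br=$1; client=$2; shift 2
    printf 'iptables -I FORWARD -i %s -s %s -m state --state NEW -j REJECT\n' \
        "$br" "$client"
    for addr in "$@"; do
        printf 'iptables -I FORWARD -i %s -s %s -d %s -m state --state NEW -j ACCEPT\n' \
            "$br" "$client" "$addr"
    done
    printf 'iptables -I FORWARD -i %s -s %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$br" "$client"
}

# Demo with the thread's values: br0 is the admin bridge, br4/br5/br6 are
# isolated, and the client 192.168.6.101 on br6 may reach only the four
# addresses the post shows bbc.co.uk resolving to (constructed snapshot;
# refresh from a current lookup before use).
main() {
    gen_isolation_rules br0 br4 br5 br6
    gen_whitelist_rules br6 192.168.6.101 \
        151.101.0.81 151.101.64.81 151.101.128.81 151.101.192.81
}

main "$@"
```

Run the script on the router and pipe its output to sh once the printed rules look right. Because every command uses -I, the order the script prints is the reverse of the order the rules are evaluated in; keep the br0 ACCEPT last in the isolation output and the ESTABLISHED,RELATED ACCEPT last in the allow-list output, as the functions already do.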