Funny -- right after I posted that, I couldn't access the net. SO I took it line by line until I figured out that I don't want to block vlan1 :)
So I removed the lines that were blocking access to vlan1 and everything works now. I just wasn't sure if allowing access to the vlan1, if that would allow other vlans to talk to each other but my experiments show that they are still isolated.
If I don't have anything associated with vlan0, what does vlan0 do? Right now my iptables blocks everything from vlan0 and doesnt seem to be creating any bad side effects.
Posted: Sun Feb 08, 2009 23:05 Post subject: Re: isolate vlans / ports / iptables question
john_es wrote:
My VLAN config:
VLAN0 - no ports
VLAN1 - W
VLAN2 - Port 2
VLAN3 - Port 3
VLAN4 - Port 4
VLAN5 - Port 1
So if I want to separate wireless, all vlans, all ports, I am guessing I want to do something like this:
iptables -I FORWARD -i Y -o X -j DROP
Where X and Y are all possible combinations of:
br0
eth1
vlan0
vlan1
vlan2
vlan3
vlan4
vlan5
Does that sound right?
all you need at startup send value "0" to ip_forvarding on ALL interfaces like this:
echo "0"> /proc/sys/net/ipv4/ip_forward
and set Routing on Administration->Managment page to Disable
Posted: Mon Feb 09, 2009 0:38 Post subject: Re: isolate vlans / ports / iptables question
AndreyPopov wrote:
all you need at startup send value "0" to ip_forvarding on ALL interfaces like this:
echo "0"> /proc/sys/net/ipv4/ip_forward
and set Routing on Administration->Managment page to Disable
! Can you explain what your suggestion does? If it saves me from having 80 rules in iptables, this is awesome.
it disables IP forwarding. but if the router can't forward packets it isn't a router anymore. I don't think you want to disable IP forwarding but maybe I'm wrong.
Is there a way to shorten this with a bit different logic, perhaps denying everything and then adding lines to allow vlan1 and all combinations of the various vlans1?
You can set a policy that rejects all packets if there are no matching rules. I think right now dd-wrt has an iptables policy that accepts all packets if there is no match.
If I understand this correctly you want to block every local host from communicating with each other but still allow them all internet access? If that is correct then you can use the following rules adjusted with a netmask that encompasses your entire local network depending on how you have addresses set up.
let me clear up what I am trying to do - I appreciate your help.
Basically, I have each of the 4 ports set to their own vlans. I also have a couple of wireless networks.
What I want to do is:
- allow all clients access to the internet
- prevent all communication between the vlans.
- so that means vlan2 cant talk to vlan3, 4, 5
- vlan 3 cant talk to vlan 2, 4, 5
- etc.
But if I go through all of these combos, I run out of space.
I am coming back to this after a few months away from using my router... is there a way to isolate all vlans from ewach other without having a billion iptables rules?
Split all the ports into vlans, bridge them all in br0, and use this in your firewall.
insmod ebtables
iptables -I FORWARD -i br0 -o br0 -j DROP _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
! Can you explain what your suggestion does? If it saves me from having 80 rules in iptables, this is awesome.