Router lockdown, stuck

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2  Next
Author Message
RjG
DD-WRT User


Joined: 01 Jul 2007
Posts: 81

PostPosted: Mon Oct 07, 2019 6:10    Post subject: Router lockdown, stuck Reply with quote
I have a situation where I need to lock down internet access for everything, wired and wifi connections, except a small select list of MAC addresses.

I found a few references in the forum that seemed to make sense, but it doesn't seem to be working for me.

This is what I am trying:
Code:

iptables -I FORWARD -i vlan2 -j REJECT
iptables -I FORWARD -i vlan2 -m mac --mac-source 94:6A:B0:11:47:22 -j ACCEPT
iptables -I FORWARD -i vlan2 -m mac --mac-source 94:6A:B0:11:33:22 -j ACCEPT
iptables -I FORWARD -i vlan2 -m mac --mac-source 94:6A:B0:11:42:22 -j ACCEPT


The first line "iptables -I FORWARD -i vlan2 -j REJECT" definitely turns the internet off for everyone.

What I didn't expect is adding even one of the "ACCEPT" lines turns the internet back on for EVERYBODY. Not just the one MAC.

I have tried this from the firewall script, and then lots of variations on command line.

Got to admit, IPTables isn't something I have ever played with, I think I am missing something simple here... help?

_________________
Firmware: DD-WRT v3.0-r39345M kongac (04/03/19) Netgear R7000
Sponsor
AfterShock
DD-WRT User


Joined: 17 May 2010
Posts: 122

PostPosted: Mon Oct 07, 2019 12:22    Post subject: Reply with quote
why not just use the access restrictions tab or the wireless mac filtering?
tli
DD-WRT Novice


Joined: 06 Mar 2019
Posts: 12

PostPosted: Mon Oct 07, 2019 13:06    Post subject: MAC Filtering Reply with quote
No matter how it's implemented, what it's called, and/or how it's spun, it's still rudimentarily just MAC Filtering. FYI, article from 2005: https://www.zdnet.com/article/the-six-dumbest-ways-to-secure-a-wireless-lan/

Follow-up article from 2007: https://www.zdnet.com/article/wireless-lan-security-myths-that-wont-die/

Published and substantiated over a decade ago, yet today in 2019 still misconceptions...

Using, protecting and trusting one's WPA2/WPA3 key(s) would easily secure and block one's network from most unauthorized accesses beside state-sponsored and well-organized intrusions.

OT but still equally misunderstood to this day is SSID Hiding. Referenced 2003 white paper from the above 2005 article: http://medon.htt-consult.com/~rgm/icsalabs/Debunking%20the%20Myth%20of%20SSID%20Hiding.pdf

FYI.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3063
Location: UK, London, just across the river..

PostPosted: Mon Oct 07, 2019 15:12    Post subject: Re: Router lockdown, stuck Reply with quote
RjG wrote:
I have a situation where I need to lock down internet access for everything, wired and wifi connections, except a small select list of MAC addresses.

I found a few references in the forum that seemed to make sense, but it doesn't seem to be working for me.

This is what I am trying:
Code:

iptables -I FORWARD -i vlan2 -j REJECT
iptables -I FORWARD -i vlan2 -m mac --mac-source 94:6A:B0:11:47:22 -j ACCEPT
iptables -I FORWARD -i vlan2 -m mac --mac-source 94:6A:B0:11:33:22 -j ACCEPT
iptables -I FORWARD -i vlan2 -m mac --mac-source 94:6A:B0:11:42:22 -j ACCEPT


The first line "iptables -I FORWARD -i vlan2 -j REJECT" definitely turns the internet off for everyone.

What I didn't expect is adding even one of the "ACCEPT" lines turns the internet back on for EVERYBODY. Not just the one MAC.

I have tried this from the firewall script, and then lots of variations on command line.

Got to admit, IPTables isn't something I have ever played with, I think I am missing something simple here... help?


try this way...
iptables -I FORWARD 1 -i vlan2 -j REJECT
iptables -I FORWARD 2 -i vlan2 -m mac --mac-source 94:6A:B0:11:47:22 -j ACCEPT
iptables -I FORWARD 3 -i vlan2 -m mac --mac-source 94:6A:B0:11:33:22 -j ACCEPT
iptables -I FORWARD 4 -i vlan2 -m mac --mac-source 94:6A:B0:11:42:22 -j ACCEPT

_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 33772 BS WAP/Switch (wired)
TP-Link WR1043NDv2 ----DD-WRT 41659 BS (AP,PPPoE,NAT,AD Blocking,AP Isolation,Firewall,Local DNS,Forced DNS,DoT, VPN)
TP-Link WR1043NDv2 ----DD-WRT 41517 BS (AP,NAT,AD Blocking,Firewall,Wi-Fi OFF,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 ----Gargoyle OS 1.11.0 (AP,NAT,QoS,Quotas)
Qualcomm/IPQ8065
2x Netgear R7800 -------DD-WRT 40270M 4.9 Kong (AP,NAT,AD-Blocking,AP&Net Isolation,VLAN's,Firewall,Local DNS,DNSCrypt-proxy v2 x2)
Broadcom
Netgear R7000 -------DD-WRT 40270M Kong (AP,NAT,VLAN,AD-Blocking,Firewall,Local DNS,Forced DNS,DoT)
------------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 via Entware by mac913
RjG
DD-WRT User


Joined: 01 Jul 2007
Posts: 81

PostPosted: Mon Oct 07, 2019 15:42    Post subject: Reply with quote
I already used the Access restrictions, every legit IP is static , all the rest blocked. That doesn't do anything for somebody manually setting an IP (even though it's static assigned to a different MAC) from getting full access to LAN/WAN. That is what I have going on, trial and error IP until one works.

My problem is people plugging into LAN jacks, more than wifi right now.

I am aware it's not perfect, but I don't know any better way to lock it down, than choose the 1/2 dozen legal MACS and IPs both to grant access and reject the rest.


Alozaros, thank you, I will try that.

Doess numbering the rules work differently than insert?
Or is the syntax wrong?

_________________
Firmware: DD-WRT v3.0-r39345M kongac (04/03/19) Netgear R7000
RjG
DD-WRT User


Joined: 01 Jul 2007
Posts: 81

PostPosted: Mon Oct 07, 2019 16:03    Post subject: Re: Router lockdown, stuck Reply with quote
Alozaros wrote:

try this way...
iptables -I FORWARD 1 -i vlan2 -j REJECT
iptables -I FORWARD 2 -i vlan2 -m mac --mac-source 94:6A:B0:11:47:22 -j ACCEPT
iptables -I FORWARD 3 -i vlan2 -m mac --mac-source 94:6A:B0:11:33:22 -j ACCEPT
iptables -I FORWARD 4 -i vlan2 -m mac --mac-source 94:6A:B0:11:42:22 -j ACCEPT



It didn't work, the results from running these 3 rules, but numbered this time as suggested:
Code:

iptables -I FORWARD 1 -i vlan2 -j REJECT
iptables -I FORWARD 2 -i vlan2 -m mac --mac-source 14:DA:E9:11:23:EB -j ACCEPT
iptables -I FORWARD 3 -i vlan2 -m mac --mac-source 9C:AD:EF:21:88:02 -j ACCEPT


running those commands in GUI commands window, did nothing at all, nothing was blocked, ACCEPT or not.

Then I added them to the firewall script instead, reboot, and opposite occurred, there was NO internet access for anything, ACCEPT or not.

I attached iptables -vnL FORWARD of them applied as firewall script if that helps to tell me the errors of my ways, lol



iptables-vnL.txt
 Description:

Download
 Filename:  iptables-vnL.txt
 Filesize:  3.28 KB
 Downloaded:  33 Time(s)


_________________
Firmware: DD-WRT v3.0-r39345M kongac (04/03/19) Netgear R7000
tli
DD-WRT Novice


Joined: 06 Mar 2019
Posts: 12

PostPosted: Mon Oct 07, 2019 19:38    Post subject: Dot1x Authentication? Reply with quote
If unsuccessful via DD-WRT, I suspect something more robust like this may be needed to properly secure access. Don't know if this is viable but FYI:
https://howdoesinternetwork.com/2015/how-to-enable-dot1x-authentication-for-wired-clients
RjG
DD-WRT User


Joined: 01 Jul 2007
Posts: 81

PostPosted: Mon Oct 07, 2019 20:03    Post subject: Reply with quote
Authentication server would be nice, too complicated, thanks though:)

Learning as I go, I can answer my own last question now, the drop at the top matches all, so no internet. The drop can't be rule 1.

Still reading, I can't figure out a way to say
Default DROP unless "Match one of these"

Just inserting that drop anywhere else seems like it would conflict with existing port forwarding and stuff that I do use.

I wonder if I can put these on OUTPUT chain instead? There is no other rules to screw it up there.

_________________
Firmware: DD-WRT v3.0-r39345M kongac (04/03/19) Netgear R7000
jwh7
DD-WRT Guru


Joined: 25 Oct 2013
Posts: 2370
Location: Indy

PostPosted: Mon Oct 07, 2019 20:44    Post subject: Reply with quote
RjG wrote:
Still reading, I can't figure out a way to say
Default DROP unless "Match one of these"

Just inserting that drop anywhere else seems like it would conflict with existing port forwarding and stuff that I do use.
The order should be from most to least specific. You generally either need to:
1. DROP x, y, and z, then ACCEPT all others
or:
2. ACCEPT a, b, and c, then DROP all others

#1 is more family (and hacker) friendly, while #2 is more secure but things break much more easily.

_________________
# NAT/SFE/CTF: limited speed w/ DD # Repeater issues # DD-WRT info: FAQ, Builds, Types, Modes, Changes, Demo #
x64 OPNsense 19.7.7|FT2019.3: EA6900v1.1@1GHz, F7D8302|DD 41596: WNDR4500v2, WNDR4000@533, R6300v1,
E2500, E1500@353, WRT54*@250: GLv1.1 nsg, GSv6 µ, RT-N66U@663
|OEM: WGR614v10@400 -> WNR1000v3 mod
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 518

PostPosted: Tue Oct 08, 2019 1:57    Post subject: Reply with quote
Here is the format I have used before

Code:

#MAC Filter
insmod ipt_mac
iptables -N CMACFILTER
#drop link local without logging
iptables -A CMACFILTER -s 169.254.0.0/16 -j DROP
iptables -A CMACFILTER -m mac --mac-source (allowed mac) -j RETURN
iptables -A CMACFILTER -m limit --limit 2/min -j LOG --log-prefix " MAC DROP: "
iptables -A CMACFILTER -j DROP
iptables -I FORWARD 1 -i `nvram get lan_ifname` -j CMACFILTER
iptables -I INPUT 1 -i `nvram get lan_ifname` -j CMACFILTER


This goes by default deny and only allow the certain macs to access. Now this does not prevent the MACs from accessing other resources on the network (or if they set a static ip address)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4326
Location: Netherlands

PostPosted: Tue Oct 08, 2019 11:57    Post subject: Reply with quote
Do not use the GUI to set anything on the command line (you can but special characters have to be escaped)

You should telnet/Putty to your router do do these kind of things. If it works you can Save the commands as Firewall

You can try the following:
iptables -I FORWARD -o $(nvram get wan_ifname) -m mac --mac-source 94:6A:B0:11:47:22 -m state --state NEW -j REJECT

You should only need this rule.
As you want to block outgoing traffic from your WAN you should use the -o , you can not block incoming traffic from the WAN with a MAC address.

I use state new so that any port forwards to this address can still work, if you do not need this then you can skip using state new.

As you are only blocking outgoing traffic to the WAN/internet you can still see things on your network and router

I have not tested it so curious to see if it works Smile

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
RjG
DD-WRT User


Joined: 01 Jul 2007
Posts: 81

PostPosted: Tue Oct 08, 2019 21:18    Post subject: Reply with quote
Wildlion wrote:
Here is the format I have used before

Code:

#MAC Filter
insmod ipt_mac
iptables -N CMACFILTER
#drop link local without logging
iptables -A CMACFILTER -s 169.254.0.0/16 -j DROP
iptables -A CMACFILTER -m mac --mac-source (allowed mac) -j RETURN
iptables -A CMACFILTER -m limit --limit 2/min -j LOG --log-prefix " MAC DROP: "
iptables -A CMACFILTER -j DROP
iptables -I FORWARD 1 -i `nvram get lan_ifname` -j CMACFILTER
iptables -I INPUT 1 -i `nvram get lan_ifname` -j CMACFILTER


This goes by default deny and only allow the certain macs to access. Now this does not prevent the MACs from accessing other resources on the network (or if they set a static ip address)


Smile Thanks Smile

Code:
 BusyBox v1.30.1 (2019-04-03 20:01:01 CEST) built-in shell (ash)

root@Beast:~# insmod ipt_mac

insmod: ipt_mac.ko: module not found

root@Beast:~#


What does this mean, will it still work without it ?

_________________
Firmware: DD-WRT v3.0-r39345M kongac (04/03/19) Netgear R7000


Last edited by RjG on Tue Oct 08, 2019 21:32; edited 1 time in total
RjG
DD-WRT User


Joined: 01 Jul 2007
Posts: 81

PostPosted: Tue Oct 08, 2019 21:23    Post subject: Reply with quote
egc wrote:
..
You can try the following:
iptables -I FORWARD -o $(nvram get wan_ifname) -m mac --mac-source 94:6A:B0:11:47:22 -m state --state NEW -j REJECT
...
I have not tested it so curious to see if it works Smile


awesome, thank you Smile

_________________
Firmware: DD-WRT v3.0-r39345M kongac (04/03/19) Netgear R7000
RjG
DD-WRT User


Joined: 01 Jul 2007
Posts: 81

PostPosted: Tue Oct 08, 2019 21:27    Post subject: Reply with quote
I will try both these tonight and post back how it went. (without "insmod ipt_mac" ?)

Smile Smile Smile Smile Thank you Smile Smile Smile Smile

_________________
Firmware: DD-WRT v3.0-r39345M kongac (04/03/19) Netgear R7000
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 518

PostPosted: Wed Oct 09, 2019 0:23    Post subject: Reply with quote
Yes it should still work without it, because I think it is built in and the kernel module is not needed. Probably need to update my notes.

P.S. Good luck and report back if you need help
Goto page 1, 2  Next Display posts from previous:    Page 1 of 2
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum