DD-WRT :: View topic - Iptable to block routing between interfaces

Iptable to block routing between interfaces

DD-WRT Forum Index -> Advanced Networking

View previous topic :: View next topic

Author

Message

Fedex03
DD-WRT User

Joined: 18 Nov 2010
Posts: 89
Location: Italy

Posted: Thu Sep 07, 2023 14:41 Post subject: Iptable to block routing between interfaces

Hi there,

I have 3 LANs:

br0: trusted network

br1: IoT network

br2: Guest network

Every network has its DHCP server and its WiFi network.

I added these rules:

Quote:

# Forward between br0 toward br1
iptables -I FORWARD -i br0 -o br1 -j ACCEPT

Quote:

#Restrict br2 from accessing the router's local sockets (software running on the router)
iptables -I INPUT -i br2 -m state --state NEW -j DROP

I did some test using the Guest WiFi:

I cannot access br0

I cannot access DD WRT Web GUI

I CAN access br1

It seems that the second rule doesn't work.

Any suggestion?

Thank you in advance!

Sponsor

ho1Aetoo
DD-WRT Guru

Joined: 19 Feb 2019
Posts: 2607
Location: Germany

Posted: Thu Sep 07, 2023 15:31 Post subject:

the input chain is needed because the router provides services like DHCP or DNS forwarding.

The INPUT rule does NOT isolate br2 against br1

if you want to isolate br1 and br2 from each other then you have to use other rules.

for example

Code:

iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j REJECT

_________________
use Pi-Hole as simple DNS-Server with DD-WRT https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331414
VLAN configuration via GUI - 2 CPU ports (R7800, EA8500 etc) https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=334342

Wildlion
DD-WRT Guru

Joined: 24 May 2016
Posts: 1389

Posted: Thu Sep 07, 2023 21:31 Post subject:
You need to be careful of order of the rules... Did you check any of the boxes with isolate or bridged?

Fedex03
DD-WRT User

Joined: 18 Nov 2010
Posts: 89
Location: Italy

Posted: Fri Sep 08, 2023 6:26 Post subject:

Wildlion wrote:

You need to be careful of order of the rules... Did you check any of the boxes with isolate or bridged?

HI,

br2 has "Net Isolation" enabled, but from this bridge I can access br1.

ho1Aetoo
DD-WRT Guru

Joined: 19 Feb 2019
Posts: 2607
Location: Germany

Posted: Fri Sep 08, 2023 6:49 Post subject:
Network isolation only isolates against the main LAN i.e. br0 but not against other bridges with other subnets. _________________ use Pi-Hole as simple DNS-Server with DD-WRT https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331414 VLAN configuration via GUI - 2 CPU ports (R7800, EA8500 etc) https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=334342

Fedex03
DD-WRT User

Joined: 18 Nov 2010
Posts: 89
Location: Italy

Posted: Fri Sep 08, 2023 6:52 Post subject:

ho1Aetoo wrote:

Network isolation only isolates against the main LAN i.e. br0 but not against other bridges with other subnets.

Oh thanks!

Now I can respond to me previous question: br1 cannot access br0 (main bridge) thanks to network isolation. This not work between br2 and br1.

Thank you very much.

ho1Aetoo
DD-WRT Guru

Joined: 19 Feb 2019
Posts: 2607
Location: Germany

Posted: Fri Sep 08, 2023 7:14 Post subject:

I have already answered your question.

You can isolate the bridges as follows:

Code:

iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j REJECT

Display posts from previous:

Page 1 of 1

DD-WRT Forum Index -> Advanced Networking

All times are GMT

Navigation

Jump to:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum

Log in

Iptable to block routing between interfaces

Quick Links

Log in