Bloodred217
New Around Here
Hello!
I'm trying to configure my AC68U (running Merlin 380.57) in such a way that LAN port 4 is only allowed to initiate connections to a few specific services on my network, a few local IP : port combinations basically. In addition to this I'd like the device on port 4 to be able to respond to other LAN devices if the connection is initiated by some other machine, so device #4 can only initiate connections to a few specific services but it can reply freely if any other client establishes a connection first. Internet access should also be disabled.
After reading about ebtables, VLANs and how to configure the switch, I thought I could figure it out myself, and I've arrived at multiple different configurations that all get everything working except that I can't get replies from device #4 even if it does not initiate the connection, so for instance a web server running on it cannot respond to requests from my LAN, I assume because the router drops the response even though the request should reach it.
It's my first time working with VLANs and ebtables, so I'm a beginner and don't know if I'm doing anything fundamentally wrong. I've been using the diagram from the ebtables site in order to try to understand the frame/packet flow through ebtables and iptables rules.
This is what I've tried to do:
This configuration works in the sense that device #4 correctly receives a DHCP IP address, can access 10.23.45.2:80 and cannot access anything else. The problem is that I cannot connect to a service running on device #4 itself, I was hoping state tracking in iptables would help, but it doesn't and the rule that accepts RELATED,ESTABLISHED packets does nothing in this case. I believe I also know why, it's because the connection is established through the bridge and switch and is not routed, as such iptables does not know about it. Any response however DOES get routed, but the connection is unknown and as such gets dropped. Is there any proper solution to this?
I could route ALL the traffic moving through the bridge, then iptables would know about the connection, but I expect this would be horrendous for performance (I have a Gbit connection which seems to push the router to its limit by itself). I could also allow arbitrary traffic from the port device #4 is listening on, but this wouldn't be ideal since I'd have to allow any traffic, not just responses to connections initiated somewhere else.
Any help and input is appreciated, and thanks to anyone who bothers to read through the entire wall of text I've posted.
I'm trying to configure my AC68U (running Merlin 380.57) in such a way that LAN port 4 is only allowed to initiate connections to a few specific services on my network, a few local IP : port combinations basically. In addition to this I'd like the device on port 4 to be able to respond to other LAN devices if the connection is initiated by some other machine, so device #4 can only initiate connections to a few specific services but it can reply freely if any other client establishes a connection first. Internet access should also be disabled.
After reading about ebtables, VLANs and how to configure the switch, I thought I could figure it out myself, and I've arrived at multiple different configurations that all get everything working except that I can't get replies from device #4 even if it does not initiate the connection, so for instance a web server running on it cannot respond to requests from my LAN, I assume because the router drops the response even though the request should reach it.
It's my first time working with VLANs and ebtables, so I'm a beginner and don't know if I'm doing anything fundamentally wrong. I've been using the diagram from the ebtables site in order to try to understand the frame/packet flow through ebtables and iptables rules.
This is what I've tried to do:
- Move port 4 to its own vlan (vlan10) and add it to br0 - this works
- I've added the following rules to ebtables nat/PREROUTING (I suppose I should move a few rules to filter/INPUT, but this is what I have now):
Code:Bridge chain: PREROUTING, entries: 6, policy: ACCEPT #drop everything if the MAC is different than what it should be -s ! 0:1c:f0:e9:fa:2 -i vlan10 -j DROP #drop traffic going to the router itself -p IPv4 -i vlan10 --ip-dst 10.23.45.1 -j DROP #redirect LAN TCP traffic that would be forwarded, in order to filter it with iptables -p IPv4 -i vlan10 --ip-dst 10.23.45.0/24 --ip-proto tcp -j redirect #allow DHCP -p IPv4 -i vlan10 --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT #allow ARP -p ARP -j ACCEPT #drop everything else -i vlan10 -j DROP - Since all traffic going to the router itself is already filtered, I have added some rules to iptables filter/FORWARD:
Code:-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD ! -i br0 -o vlan2 -j DROP -A FORWARD -i vlan2 -m state --state INVALID -j DROP #####my rules#### #allow device #4 access to a web server on 10.23.45.2:80 - this works -A FORWARD -d 10.23.45.2/32 -i br0 -p tcp -m mac --mac-source 00:1C:F0:E9:FA:02 -m tcp --dport 80 -j ACCEPT #drop everything else coming from device #4 -A FORWARD -i br0 -m mac --mac-source 00:1C:F0:E9:FA:02 -j DROP ####the rest of the original rules#### -A FORWARD -i br0 -o br0 -j ACCEPT -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT -A FORWARD -i br0 -j ACCEPT
This configuration works in the sense that device #4 correctly receives a DHCP IP address, can access 10.23.45.2:80 and cannot access anything else. The problem is that I cannot connect to a service running on device #4 itself, I was hoping state tracking in iptables would help, but it doesn't and the rule that accepts RELATED,ESTABLISHED packets does nothing in this case. I believe I also know why, it's because the connection is established through the bridge and switch and is not routed, as such iptables does not know about it. Any response however DOES get routed, but the connection is unknown and as such gets dropped. Is there any proper solution to this?
I could route ALL the traffic moving through the bridge, then iptables would know about the connection, but I expect this would be horrendous for performance (I have a Gbit connection which seems to push the router to its limit by itself). I could also allow arbitrary traffic from the port device #4 is listening on, but this wouldn't be ideal since I'd have to allow any traffic, not just responses to connections initiated somewhere else.
Any help and input is appreciated, and thanks to anyone who bothers to read through the entire wall of text I've posted.
