
Enabling Virtual Server/Port Forwarding for guest LANs. (Or re-implementing guest lan intranet blocking with ebtables)


robca

Regular Contributor
I have a RT-AC68U, with Merlin 386.7.2.

I need to put a couple of crappy cameras on the network while traveling, and I need to open two port forwards for each one, for web access and RTSP. I don't trust those cameras, so I want to put them on a guest network and block intranet access. If they get hacked, they won't compromise the rest of the network. The problem is, when I block intranet access for the guest network from the web UI, port forwarding stops working.

I tried to look at iptables to understand if blocking local access changes something, but there is nothing obvious.

I see that the Guest network 3 I'm using is wl0.3, and I'm thinking of deleting the bridge between br0 and wl0.3, setting up a new bridge and then in firewall-start using iptables to route traffic as appropriate... but I'm sure it will be a long trial and error, so I'm hoping for suggestions.
 
Please disregard for now, it looks as if I might have found a solution using ebtables... more tomorrow. Will post here, as this is a question that was asked a few times in the past but never answered
 
I think I got it.

When guest network intranet access is disabled, entries are added to ebtables like this

Code:
admin@RT-AC68U-7BA8:/tmp/home/root# ebtables -t broute -L BROUTING
Bridge table: broute

Bridge chain: BROUTING, entries: 3, policy: ACCEPT
-p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

Since my cameras' IP addresses are 192.168.1.152 and 153, I leave intranet access enabled in the UI, then run:

Code:
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-src 192.168.1.153 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.153 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-src 192.168.1.152 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.152 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 80 -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 443 -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 22 -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT

That allows communication with the two cameras, while blocking the cameras from accessing the router administration ports. If a hacker tried to change the IP address of the cameras, nothing would work. I might use the MAC address for the cameras anyway, since it's harder to spoof from the camera UI at least. I also might want to limit traffic to the cameras only to the Web UI and RTSP.

Of course, to persist the setting this needs to be added to a script, probably firewall-start or services-start, not sure what's best.
 
Updated version of the script, now in firewall-start (in jffs). I'm also using -A to add rules instead of -I (which required inserting rules in reverse order)

Code:
# Delete built in rules to start with a known situation
ebtables -t broute -D BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT
ebtables -t broute -D BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
ebtables -t broute -D BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

# Prevent access to management ports on the router from devices on guest network
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 22 -j DROP
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 443 -j DROP
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 80 -j DROP

# Add rules for IP cameras, only ports 80 and 554
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-src 192.168.1.152 --ip-sport 80 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.152 --ip-dport 80 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-src 192.168.1.152 --ip-sport 554 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.152 --ip-dport 554 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-src 192.168.1.153 --ip-sport 80 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.153 --ip-dport 80 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-src 192.168.1.153 --ip-sport 554 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.153 --ip-dport 554 --ip-proto tcp -j ACCEPT

# Drop everything else
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
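
Added example (not part of the original posts): a small first-match evaluator in Python that replays the final firewall-start rule list against constructed sample packets and reports which rule, if any, decides each one. It models only the match options used in this thread; the LAN host 192.168.1.10 and the ports 40000, 51000, 445 and 53 are made-up sample values.

```python
import ipaddress

# Final rule list from the firewall-start post above, in -A (append) order.
RULES = """-p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 22 -j DROP
-p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 443 -j DROP
-p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 80 -j DROP
-p IPv4 -i wl0.3 --ip-src 192.168.1.152 --ip-sport 80 --ip-proto tcp -j ACCEPT
-p IPv4 -i wl0.3 --ip-dst 192.168.1.152 --ip-dport 80 --ip-proto tcp -j ACCEPT
-p IPv4 -i wl0.3 --ip-src 192.168.1.152 --ip-sport 554 --ip-proto tcp -j ACCEPT
-p IPv4 -i wl0.3 --ip-dst 192.168.1.152 --ip-dport 554 --ip-proto tcp -j ACCEPT
-p IPv4 -i wl0.3 --ip-src 192.168.1.153 --ip-sport 80 --ip-proto tcp -j ACCEPT
-p IPv4 -i wl0.3 --ip-dst 192.168.1.153 --ip-dport 80 --ip-proto tcp -j ACCEPT
-p IPv4 -i wl0.3 --ip-src 192.168.1.153 --ip-sport 554 --ip-proto tcp -j ACCEPT
-p IPv4 -i wl0.3 --ip-dst 192.168.1.153 --ip-dport 554 --ip-proto tcp -j ACCEPT
-p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP"""
FIELDS = {"-i": "iface", "--ip-proto": "proto", "--ip-sport": "sport", "--ip-dport": "dport"}

def matches(rule, pkt):
    """True if every modelled match option of the rule fits the (IPv4) packet."""
    for opt, val in rule.items():
        if opt in ("--ip-src", "--ip-dst"):
            if ipaddress.ip_address(pkt[opt[5:]]) not in ipaddress.ip_network(val):
                return False
        elif opt in FIELDS and str(pkt.get(FIELDS[opt])).lower() != val.lower():
            return False
    return True

def verdict(pkt, rules=RULES, policy="ACCEPT"):
    """First match wins, else chain policy. In broute, ACCEPT bridges the frame, DROP routes it."""
    for n, line in enumerate(rules.splitlines(), 1):
        tok = line.split()
        rule = dict(zip(tok[::2], tok[1::2]))  # every option here takes one value
        if matches(rule, pkt):
            return rule["-j"], n
    return policy, None

# Constructed sample packets entering on wl0.3 from camera 192.168.1.152.
CAM = {"iface": "wl0.3", "src": "192.168.1.152", "proto": "tcp"}
SAMPLES = {
    "router ssh": {**CAM, "dst": "192.168.1.1", "sport": 40000, "dport": 22},
    "web reply": {**CAM, "dst": "192.168.1.10", "sport": 80, "dport": 51000},
    "new tcp to LAN": {**CAM, "dst": "192.168.1.10", "sport": 40000, "dport": 445},
    "udp to LAN": {**CAM, "proto": "udp", "dst": "192.168.1.10", "sport": 40000, "dport": 53},
}
if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16} -> {verdict(pkt)}")
```

The UDP sample matches none of the 14 rules, so the chain policy decides it; the rule list only names icmp and tcp.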
 