Open firewall hole from iPhone to guest IOT

rdy2

I want to allow an iPhone on eth5 to access the HTTP server in an IoT device (ESP32) on the isolated wl0.1. Testing with a dedicated RT-AC86U (384.14_2), chained WAN to LAN to the house router.
This is my first time with firewall rules, so it is not surprising that I have problems... I have searched and seen:
https://www.snbforums.com/threads/ebtables-arp-and-wirleess-guest-network.29857/
https://www.snbforums.com/threads/limit-the-guest-network-ports-and-speed.13955/#post-92668
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
https://ebtables.netfilter.org/examples/basic.html#ex_brouter

I tried to drop ARP at BROUTING, but that did not seem to work for me, so I added two FORWARD rules and now it flows.
Next, I added BROUTING DROPs for the HTTP traffic, but the frame vanishes... From the packet flow diagram linked above, I expect the frame to traverse the iptables PREROUTING and FORWARD chains, but I see nothing there...

Here are the key tables. (I have added selective logging rules.)
Code:
Bridge chain: FORWARD, entries: 9, policy: ACCEPT
-p ARP -i eth5 --arp-ip-src 192.168.50.96 --arp-ip-dst 192.168.50.31 --log-level notice --log-prefix "ebf.FWD22" --log-ip --log-arp -j ACCEPT
-p ARP -i wl0.1 --arp-ip-src 192.168.50.31 --arp-ip-dst 192.168.50.96 --log-level notice --log-prefix "ebf.FWD21" --log-ip --log-arp -j ACCEPT
*** silent drop of annoying gratuitous self arping and IPv6 crap
-p ARP -s <IOT-MAC> -i wl0.1 --arp-ip-dst 192.168.50.31 -j DROP
-p IPv6 -o wl0.1 -j DROP
-p IPv6 -i wl0.1 -j DROP
*** original isolation with added logging
-i wl0.1 --log-level notice --log-prefix "-ebf.FWD11" --log-ip --log-arp -j DROP
-o wl0.1 --log-level notice --log-prefix "-ebf.FWD12" --log-ip --log-arp -j DROP
*** unhandled passers-by trace
-p ! IPv6 -s <IOT-MAC> --log-level notice --log-prefix "ebf.FWD1" --log-ip --log-arp -j CONTINUE
-p ! IPv6 -d <IOT-MAC> --log-level notice --log-prefix "ebf.FWD2" --log-ip --log-arp -j CONTINUE
Code:
Bridge chain: BROUTING, entries: 9, policy: ACCEPT
-p IPv4 -i eth5 --ip-src 192.168.50.96 --ip-dst 192.168.50.31 --ip-proto tcp --ip-dport 80 --log-level notice --log-prefix "-ebb.BRO21" --log-ip --log-arp -j DROP
-p IPv4 -i wl0.1 --ip-src 192.168.50.31 --ip-dst 192.168.50.96 --ip-proto tcp --ip-sport 80 --log-level notice --log-prefix "-ebb.BRO22" --log-ip --log-arp -j DROP
*** original isolation with added logging
-p IPv4 -i wl0.1 --ip-dst 192.168.50.1 --ip-proto icmp --log-level notice --log-prefix "+ebb.BRO11" --log-ip --log-arp -j ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.50.0/24 --ip-proto icmp --log-level notice --log-prefix "-ebb.BRO12" --log-ip --log-arp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.50.0/24 --ip-proto tcp --log-level notice --log-prefix "-ebb.BRO13" --log-ip --log-arp -j DROP
*** unhandled frames trace logging
-p ARP -i eth5 --arp-ip-src 192.168.50.96 --arp-ip-dst 192.168.50.31 --log-level notice --log-prefix "ebb.BRO1" --log-ip --log-arp -j CONTINUE
-p ARP -i wl0.1 --arp-ip-src 192.168.50.31 --arp-ip-dst 192.168.50.96 --log-level notice --log-prefix "ebb.BRO2" --log-ip --log-arp -j CONTINUE
-p IPv4 -i eth5 --ip-dst 192.168.50.31 --log-level notice --log-prefix "ebb.BRO3" --log-ip --log-arp -j CONTINUE
-p IPv4 -i wl0.1 --ip-dst 192.168.50.96 --log-level notice --log-prefix "ebb.BRO4" --log-ip --log-arp -j CONTINUE
Code:
iptables -t filter -S FORWARD

-P FORWARD DROP
-A FORWARD -s 192.168.50.96/32 -d 192.168.50.31/32 -p tcp -m tcp --dport 80 -j LOG --log-prefix "+ipf.FWD21 " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
-A FORWARD -s 192.168.50.96/32 -d 192.168.50.31/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.50.31/32 -d 192.168.50.96/32 -p tcp -m tcp --sport 80 -j LOG --log-prefix "+ipf.FWD22 " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
-A FORWARD -s 192.168.50.31/32 -d 192.168.50.96/32 -p tcp -m tcp --sport 80 -j ACCEPT
*** trace passers-by
-A FORWARD -d 192.168.50.31/32 -j LOG --log-prefix " ipf.FWD " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
-A FORWARD -s 192.168.50.31/32 -j LOG --log-prefix " ipf.FWD " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
-A FORWARD -m mac --mac-source <IOT-MAC> -j LOG --log-prefix " ipf.FWD20 " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
*** original rules
-A FORWARD -d 224.0.0.0/4 -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
-A FORWARD ! -i br0 -o eth0 -j other2wan
-A FORWARD -i br0 -o br0 -j logaccept
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -j NSFW
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j logaccept
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -j logdrop
This is what I see in the log:
Code:
*** ARP iPhone->IOT
kernel: ebb.BRO1  IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: ebf.FWD22 IN=eth5 OUT=wl0.1 MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: ebf.FWD22 IN=eth5 OUT=eth6 MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: +ebf.INP  IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: ebb.BRO2  IN=wl0.1 OUT= MAC source = <IOT-MAC> MAC dest = <iPhone-MAC> proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=<IOT-MAC> ARP IP SRC=192.168.50.31 ARP MAC DST=<iPhone-MAC> ARP IP DST=192.168.50.96
kernel: ebf.FWD21 IN=wl0.1 OUT=eth5 MAC source = <IOT-MAC> MAC dest = <iPhone-MAC> proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=<IOT-MAC> ARP IP SRC=192.168.50.31 ARP MAC DST=<iPhone-MAC> ARP IP DST=192.168.50.96
*** iPhone tcp:80 request (retried)
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
As you can guess, I have put some time into this... I also tried BROUTING redirect/target DROP, where, IIRC, I could see the frame traverse up to filter-INPUT and then disappear.

I would appreciate some hints to make this work.
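An added tracing script (not from the post or the poster; written here as an example) that turns LOG lines like the ones above into one path per flow, so the point at which a frame stops being logged is visible at a glance. It reads the prefix convention off the rules in the post: `ebb.`, `ebf.` and `ipf.` for the ebtables broute, ebtables filter and iptables filter tables, a leading `+` or `-` for LOG rules paired with ACCEPT or DROP, and no sign for CONTINUE (trace-only) rules. The sample input reuses the post's own log lines, `<...-MAC>` placeholders included, plus two constructed lines (a hypothetical `+ebf.FWD23` ebtables FORWARD ACCEPT and a hit on the post's `+ipf.FWD21` rule) to show what a fully bridged, accepted request would look like beside the one that disappears. One check is built in: in ebtables a DROP in the BROUTING chain means "route this frame" (hand it to the IP stack) rather than discard it, so a flow whose last logged hop is a BROUTING DROP with no later iptables hit is reported as exactly that. The function and prefix names other than those quoted from the post are my own.

```python
"""Trace each ARP/IP flow through ebtables and iptables LOG lines and report
where it was last seen.

Prefix convention, read off the rules in the post: "ebb." = ebtables broute
table, "ebf." = ebtables filter table, "ipf." = iptables filter table; the
letters after the dot name the chain (BRO/FWD/INP); leading "+" = LOG rule
paired with ACCEPT, "-" = paired with DROP, no sign = CONTINUE (trace only).
"""
import re

HEAD_RE = re.compile(r"kernel:\s+(?P<prefix>[+-]?\w{3}\.\w+)\s+IN=(?P<in>\S*)\s+OUT=(?P<out>\S*)")
ARP_RE = re.compile(r"OPCODE=(?P<op>\d+).*?ARP IP SRC=(?P<src>\S+).*?ARP IP DST=(?P<dst>\S+)")
EBT_IP_RE = re.compile(r"IP SRC=(?P<src>\S+) IP DST=(?P<dst>[^,\s]+).*?IP proto=(?P<proto>\d+)"
                       r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")
IPT_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\w+)"
                    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")
TABLES = {"ebb": "ebtables broute", "ebf": "ebtables filter", "ipf": "iptables filter"}
CHAINS = {"BRO": "BROUTING", "FWD": "FORWARD", "INP": "INPUT"}
VERDICTS = {"+": "ACCEPT", "-": "DROP", "": "CONTINUE"}
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}   # ebtables logs numbers, iptables names


def parse_line(line):
    """Return (flow_key, hop) for one LOG line, or None for any other syslog line.
    hop = (prefix, "table CHAIN", verdict, IN, OUT)."""
    head = HEAD_RE.search(line)
    if head is None:
        return None
    prefix = head.group("prefix")
    sign = prefix[0] if prefix[0] in "+-" else ""
    code, _, rest = prefix.lstrip("+-").partition(".")
    chain = re.match(r"[A-Za-z]+", rest).group(0)
    hop = (prefix, f"{TABLES.get(code, code)} {CHAINS.get(chain, chain)}",
           VERDICTS[sign], head.group("in"), head.group("out"))
    if "proto = 0x0806" in line:                      # ebtables --log-arp output
        m = ARP_RE.search(line)
        if m is None:
            return None
        kind = "ARP request" if m.group("op") == "1" else "ARP reply"
        return (kind, m.group("src"), m.group("dst")), hop
    # ebtables --log-ip output carries "proto = 0x0800"; anything else is iptables LOG
    m = EBT_IP_RE.search(line) if "proto = 0x0800" in line else IPT_RE.search(line)
    if m is None:
        return None
    proto = PROTO_NAMES.get(m.group("proto"), m.group("proto"))
    return (proto, m.group("src"), m.group("spt") or "", m.group("dst"), m.group("dpt") or ""), hop


def trace(lines):
    """Group hops by flow, keeping first-seen order of flows and log order of hops."""
    flows = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            key, hop = parsed
            flows.setdefault(key, []).append(hop)
    return flows


def diagnose(hops):
    """Say where a flow was last seen, given its ordered list of hops."""
    prefix, where, verdict, _in, _out = hops[-1]
    if where.endswith("BROUTING") and verdict == "DROP":
        # In ebtables, DROP in the BROUTING chain means "route this frame" (hand it to
        # the IP stack on the ingress port), not discard it, so iptables should see it next.
        if any(h[1].startswith("iptables") for h in hops):
            return f"routed by {prefix} (BROUTING DROP), then handled by iptables"
        return f"routed by {prefix} (BROUTING DROP = hand to IP stack); no later ebtables FORWARD or iptables LOG hit"
    if verdict == "DROP":
        return f"discarded by {prefix} ({where})"
    if verdict == "ACCEPT":
        return f"accepted by {prefix} ({where})"
    return f"last seen by trace rule {prefix} ({where}); fell through to the chain policy"


# Sample input: ARP and tcp:80 lines quoted from the post (its "<...-MAC>" placeholders kept),
# then two CONSTRUCTED lines (hypothetical "+ebf.FWD23" accept, then the post's "+ipf.FWD21"
# rule) showing what a bridged, accepted request from a second source port would log.
SAMPLE_LOG = [
    "kernel: ebb.BRO1  IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31",
    "kernel: ebf.FWD22 IN=eth5 OUT=wl0.1 MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31",
    "kernel: ebf.FWD22 IN=eth5 OUT=eth6 MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31",
    "kernel: +ebf.INP  IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31",
    "kernel: ebb.BRO2  IN=wl0.1 OUT= MAC source = <IOT-MAC> MAC dest = <iPhone-MAC> proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=<IOT-MAC> ARP IP SRC=192.168.50.31 ARP MAC DST=<iPhone-MAC> ARP IP DST=192.168.50.96",
    "kernel: ebf.FWD21 IN=wl0.1 OUT=eth5 MAC source = <IOT-MAC> MAC dest = <iPhone-MAC> proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=<IOT-MAC> ARP IP SRC=192.168.50.31 ARP MAC DST=<iPhone-MAC> ARP IP DST=192.168.50.96",
] + 5 * [   # the retried SYN from the post, five times
    "kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80",
] + [       # constructed contrast case
    "kernel: +ebf.FWD23 IN=eth5 OUT=wl0.1 MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59531 DPT=80",
    "kernel: +ipf.FWD21 IN=br0 OUT=br0 PHYSIN=eth5 PHYSOUT=wl0.1 SRC=192.168.50.96 DST=192.168.50.31 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=59531 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
]


def report(lines):
    """One line per flow: the LOG prefixes it hit in order, then the diagnosis."""
    return [f"{' '.join(key)}: {' -> '.join(h[0] for h in hops)} | {diagnose(hops)}"
            for key, hops in trace(lines).items()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

To use it on the real router, feed the kernel log lines to `report()` (for example `report(open("/tmp/syslog.log").read().splitlines())`); only lines carrying a recognised prefix are kept, so the rest of syslog can be passed through unfiltered. The two `ebf.FWD22` hops with different `OUT=` ports in the ARP path show the broadcast being flooded to both bridge ports, which is why an ebtables FORWARD ACCEPT fires once per egress port.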
 
