I want to allow an iPhone on eth5 to access an HTTP server on an IoT device (ESP32) on the isolated wl0.1. I am testing with a dedicated RT-AC86U (384.14_2), chained WAN to LAN to the house router.
This is my first time with firewall rules, so it is not surprising that I have problems... I have searched and seen:
https://www.snbforums.com/threads/ebtables-arp-and-wirleess-guest-network.29857/
https://www.snbforums.com/threads/limit-the-guest-network-ports-and-speed.13955/#post-92668
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
https://ebtables.netfilter.org/examples/basic.html#ex_brouter
I tried to drop ARP at BROUTING, but it did not seem to work for me, so I added two FORWARD rules and now it flows.
Next, I added BROUTING DROPs for the HTTP, but the frame vanishes... From the packet flow diagram linked above, I expect the frame to traverse the iptables PREROUTING and FORWARD chains, but I see nothing there...
Here are the key tables. (I have added selective logging rules)
This is what I see in the log:
As you can guess, I have put some time into this... I also tried BROUTING redirect/target DROP, where IIRC I could see the frame traverse up to filter INPUT and then disappear.
Code:
Bridge chain: FORWARD, entries: 9, policy: ACCEPT
-p ARP -i eth5 --arp-ip-src 192.168.50.96 --arp-ip-dst 192.168.50.31 --log-level notice --log-prefix "ebf.FWD22" --log-ip --log-arp -j ACCEPT
-p ARP -i wl0.1 --arp-ip-src 192.168.50.31 --arp-ip-dst 192.168.50.96 --log-level notice --log-prefix "ebf.FWD21" --log-ip --log-arp -j ACCEPT
*** silent drop of annoying gratuitous self arping and IPv6 crap
-p ARP -s <IOT-MAC> -i wl0.1 --arp-ip-dst 192.168.50.31 -j DROP
-p IPv6 -o wl0.1 -j DROP
-p IPv6 -i wl0.1 -j DROP
*** original isolation with added logging
-i wl0.1 --log-level notice --log-prefix "-ebf.FWD11" --log-ip --log-arp -j DROP
-o wl0.1 --log-level notice --log-prefix "-ebf.FWD12" --log-ip --log-arp -j DROP
*** unhandled passers-by trace
-p ! IPv6 -s <IOT-MAC> --log-level notice --log-prefix "ebf.FWD1" --log-ip --log-arp -j CONTINUE
-p ! IPv6 -d <IOT-MAC> --log-level notice --log-prefix "ebf.FWD2" --log-ip --log-arp -j CONTINUE
Code:
Bridge chain: BROUTING, entries: 9, policy: ACCEPT
-p IPv4 -i eth5 --ip-src 192.168.50.96 --ip-dst 192.168.50.31 --ip-proto tcp --ip-dport 80 --log-level notice --log-prefix "-ebb.BRO21" --log-ip --log-arp -j DROP
-p IPv4 -i wl0.1 --ip-src 192.168.50.31 --ip-dst 192.168.50.96 --ip-proto tcp --ip-sport 80 --log-level notice --log-prefix "-ebb.BRO22" --log-ip --log-arp -j DROP
*** original isolation with added logging
-p IPv4 -i wl0.1 --ip-dst 192.168.50.1 --ip-proto icmp --log-level notice --log-prefix "+ebb.BRO11" --log-ip --log-arp -j ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.50.0/24 --ip-proto icmp --log-level notice --log-prefix "-ebb.BRO12" --log-ip --log-arp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.50.0/24 --ip-proto tcp --log-level notice --log-prefix "-ebb.BRO13" --log-ip --log-arp -j DROP
*** unhandled frames trace logging
-p ARP -i eth5 --arp-ip-src 192.168.50.96 --arp-ip-dst 192.168.50.31 --log-level notice --log-prefix "ebb.BRO1" --log-ip --log-arp -j CONTINUE
-p ARP -i wl0.1 --arp-ip-src 192.168.50.31 --arp-ip-dst 192.168.50.96 --log-level notice --log-prefix "ebb.BRO2" --log-ip --log-arp -j CONTINUE
-p IPv4 -i eth5 --ip-dst 192.168.50.31 --log-level notice --log-prefix "ebb.BRO3" --log-ip --log-arp -j CONTINUE
-p IPv4 -i wl0.1 --ip-dst 192.168.50.96 --log-level notice --log-prefix "ebb.BRO4" --log-ip --log-arp -j CONTINUE
Code:
iptables -t filter -S FORWARD
-P FORWARD DROP
-A FORWARD -s 192.168.50.96/32 -d 192.168.50.31/32 -p tcp -m tcp --dport 80 -j LOG --log-prefix "+ipf.FWD21 " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
-A FORWARD -s 192.168.50.96/32 -d 192.168.50.31/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.50.31/32 -d 192.168.50.96/32 -p tcp -m tcp --sport 80 -j LOG --log-prefix "+ipf.FWD22 " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
-A FORWARD -s 192.168.50.31/32 -d 192.168.50.96/32 -p tcp -m tcp --sport 80 -j ACCEPT
*** trace passers-by
-A FORWARD -d 192.168.50.31/32 -j LOG --log-prefix " ipf.FWD " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
-A FORWARD -s 192.168.50.31/32 -j LOG --log-prefix " ipf.FWD " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
-A FORWARD -m mac --mac-source <IOT-MAC> -j LOG --log-prefix " ipf.FWD20 " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
*** original rules
-A FORWARD -d 224.0.0.0/4 -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
-A FORWARD ! -i br0 -o eth0 -j other2wan
-A FORWARD -i br0 -o br0 -j logaccept
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -j NSFW
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j logaccept
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -j logdrop
Code:
*** ARP iPhone->IOT
kernel: ebb.BRO1 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: ebf.FWD22 IN=eth5 OUT=wl0.1 MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: ebf.FWD22 IN=eth5 OUT=eth6 MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: +ebf.INP IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: ebb.BRO2 IN=wl0.1 OUT= MAC source = <IOT-MAC> MAC dest = <iPhone-MAC> proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=<IOT-MAC> ARP IP SRC=192.168.50.31 ARP MAC DST=<iPhone-MAC> ARP IP DST=192.168.50.96
kernel: ebf.FWD21 IN=wl0.1 OUT=eth5 MAC source = <IOT-MAC> MAC dest = <iPhone-MAC> proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=<IOT-MAC> ARP IP SRC=192.168.50.31 ARP MAC DST=<iPhone-MAC> ARP IP DST=192.168.50.96
*** iPhone tcp:80 request (retried)
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
I will appreciate some hints to make this work
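A small tracer for the kind of log shown above, added here as an example and not part of the original post. It reads kernel log lines in the two formats the router produces (ebtables --log-ip/--log-arp lines and iptables LOG lines), groups them per flow using the post's prefix convention (ebb. = ebtables broute, ebf. = ebtables filter, ipf. = iptables filter; a leading + for rules ending in ACCEPT, - for rules ending in DROP, no sign for CONTINUE traces) and reports where each flow was last seen. It takes into account that in the broute table DROP means "route" (hand the frame to the IP stack on its ingress port) rather than discard, so a flow whose last sighting is a BROUTING DROP and that never reaches an iptables prefix is reported as having left the bridge path. The sample lines are constructed, abridged from the post's format with made-up MAC addresses; the +ipf.FWD21 line with source port 59531 is a hypothetical iptables LOG hit showing what a brouted packet that did reach the FORWARD chain would look like.

```python
"""Trace each flow through the ebtables/iptables logging rules of the post.
Added example, not code from the post. Prefix convention as in the post:
'ebb.' = ebtables broute, 'ebf.' = ebtables filter, 'ipf.' = iptables filter;
leading '+' = rule ends in ACCEPT, '-' = rule ends in DROP, none = CONTINUE."""
import re
from collections import OrderedDict

HEAD_RE = re.compile(r"kernel:\s+(?P<prefix>[+-]?(?:ebb|ebf|ipf)\.\w+)\s+IN=(?P<inif>\S*)\s+OUT=(?P<outif>\S*)")
# ebtables --log-ip:  "IP SRC=a IP DST=b, IP tos=.., IP proto=6 SPT=.. DPT=.."
EB_IP_RE = re.compile(r"IP SRC=(?P<src>[\d.]+) IP DST=(?P<dst>[\d.]+),.*?IP proto=(?P<proto>\d+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")
# ebtables --log-arp: "... OPCODE=1 ... ARP IP SRC=a ... ARP IP DST=b"
EB_ARP_RE = re.compile(r"OPCODE=(?P<op>\d+) .*?ARP IP SRC=(?P<src>[\d.]+) .*?ARP IP DST=(?P<dst>[\d.]+)")
# iptables LOG:       "SRC=a DST=b ... PROTO=TCP SPT=.. DPT=.."
IPT_RE = re.compile(r"\bSRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")
TABLES = {"ebb": "ebtables broute", "ebf": "ebtables filter", "ipf": "iptables filter"}
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # ebtables logs numbers, iptables names


def parse_line(line):
    """One log line -> hop dict (prefix, table, verdict, in, out, flow), or None."""
    m = HEAD_RE.search(line)
    if not m:
        return None
    prefix = m.group("prefix")
    sign = prefix[0] if prefix[0] in "+-" else ""
    hop = {"prefix": prefix, "table": TABLES[prefix.lstrip("+-")[:3]],
           "verdict": {"+": "ACCEPT", "-": "DROP"}.get(sign, "CONTINUE"),
           "in": m.group("inif"), "out": m.group("outif")}
    a = EB_ARP_RE.search(line)
    if a:  # ARP is keyed per direction so request and reply show up separately
        kind = "request" if a.group("op") == "1" else "reply"
        hop["flow"] = "ARP %s %s -> %s" % (kind, a.group("src"), a.group("dst"))
        return hop
    i = EB_IP_RE.search(line) or IPT_RE.search(line)
    if not i:
        return None
    proto = PROTO_NAMES.get(i.group("proto"), i.group("proto"))
    src, dst = i.group("src"), i.group("dst")
    if i.group("spt"):
        src, dst = "%s:%s" % (src, i.group("spt")), "%s:%s" % (dst, i.group("dpt"))
    hop["flow"] = "%s %s -> %s" % (proto, src, dst)  # same key from both log formats
    return hop


def trace_flows(lines):
    """Group hops per flow in log order; consecutive hits on the same rule
    (retransmissions) are collapsed into one hop with a count."""
    flows = OrderedDict()
    for line in lines:
        hop = parse_line(line)
        if hop is None:
            continue
        hops = flows.setdefault(hop["flow"], [])
        sig = (hop["prefix"], hop["in"], hop["out"])
        if hops and (hops[-1]["prefix"], hops[-1]["in"], hops[-1]["out"]) == sig:
            hops[-1]["count"] += 1
        else:
            hop["count"] = 1
            hops.append(hop)
    return flows


def diagnose(flows):
    """Summarise where each flow ended up. In the broute table DROP means
    'route' (hand the frame to the IP stack on its ingress port), not discard,
    so a flow last seen at a BROUTING DROP that never hits an iptables prefix
    left the bridge path and was lost somewhere the posted rules do not log."""
    status = {}
    for flow, hops in flows.items():
        last = hops[-1]
        bridged_to = sorted({h["out"] for h in hops
                             if h["table"] == "ebtables filter" and h["out"] and h["verdict"] != "DROP"})
        routed = [h for h in hops if h["table"] == "iptables filter"]
        if bridged_to:
            status[flow] = "bridged to " + ",".join(bridged_to)
        elif routed:
            h = routed[-1]
            status[flow] = "routed via iptables (%s %s -> %s)" % (h["prefix"], h["in"], h["out"] or "-")
        elif last["table"] == "ebtables broute" and last["verdict"] == "DROP":
            status[flow] = "brouted by %s on %s, never seen in iptables" % (last["prefix"], last["in"])
        elif last["verdict"] == "DROP":
            status[flow] = "dropped by %s" % last["prefix"]
        else:
            status[flow] = "last seen at %s on %s" % (last["prefix"], last["in"])
    return status


# Constructed sample, abridged from the post's log format; MACs are made up.
# The +ipf.FWD21 line (sport 59531) is hypothetical: a brouted packet that did reach iptables.
SAMPLE_LOG = """\
kernel: ebb.BRO1 IN=eth5 OUT= MAC source = 02:00:00:00:00:96 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP OPCODE=1 ARP MAC SRC=02:00:00:00:00:96 ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: ebf.FWD22 IN=eth5 OUT=wl0.1 MAC source = 02:00:00:00:00:96 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP OPCODE=1 ARP MAC SRC=02:00:00:00:00:96 ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: ebf.FWD22 IN=eth5 OUT=eth6 MAC source = 02:00:00:00:00:96 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP OPCODE=1 ARP MAC SRC=02:00:00:00:00:96 ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: +ebf.INP IN=eth5 OUT= MAC source = 02:00:00:00:00:96 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP OPCODE=1 ARP MAC SRC=02:00:00:00:00:96 ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: ebb.BRO2 IN=wl0.1 OUT= MAC source = 02:00:00:00:00:31 MAC dest = 02:00:00:00:00:96 proto = 0x0806 ARP OPCODE=2 ARP MAC SRC=02:00:00:00:00:31 ARP IP SRC=192.168.50.31 ARP MAC DST=02:00:00:00:00:96 ARP IP DST=192.168.50.96
kernel: ebf.FWD21 IN=wl0.1 OUT=eth5 MAC source = 02:00:00:00:00:31 MAC dest = 02:00:00:00:00:96 proto = 0x0806 ARP OPCODE=2 ARP MAC SRC=02:00:00:00:00:31 ARP IP SRC=192.168.50.31 ARP MAC DST=02:00:00:00:00:96 ARP IP DST=192.168.50.96
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = 02:00:00:00:00:96 MAC dest = 02:00:00:00:00:31 proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = 02:00:00:00:00:96 MAC dest = 02:00:00:00:00:31 proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = 02:00:00:00:00:96 MAC dest = 02:00:00:00:00:31 proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = 02:00:00:00:00:96 MAC dest = 02:00:00:00:00:31 proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59531 DPT=80
kernel: +ipf.FWD21 IN=eth5 OUT=br0 MAC=02:00:00:00:00:31:02:00:00:00:00:96:08:00 SRC=192.168.50.96 DST=192.168.50.31 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=59531 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
kernel: br0: port 2(wl0.1) entered forwarding state
"""


def run(text=SAMPLE_LOG):
    """Convenience: {flow: status} for a block of log text."""
    return diagnose(trace_flows(text.splitlines()))


if __name__ == "__main__":
    flows = trace_flows(SAMPLE_LOG.splitlines())
    verdicts = diagnose(flows)
    for flow, hops in flows.items():
        path = " > ".join("%s(%s->%s)x%d" % (h["prefix"], h["in"], h["out"] or "-", h["count"]) for h in hops)
        print("%-45s %s\n    %s" % (flow, verdicts[flow], path))
```

Run as a script it prints each flow's chain path and status for the built-in sample; to use it on the router, pass the kernel lines from its syslog to trace_flows() instead. The ARP flows come out as "bridged to ...", the retried port-59530 connection as "brouted by -ebb.BRO21 on eth5, never seen in iptables", which is the gap described in the post, while the hypothetical port-59531 line shows what a successful hand-off to the iptables FORWARD chain would look like.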