What's new

Open firewall hole from iPhone to guest IOT

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

rdy2

Regular Contributor
I want to allow iPhone on eth5, to access http server in IOT(ESP32) on isolated wl0.1. Testing with dedicated RT-AC86U(384.14_2), chained WAN to LAN to house router.
This is my first time with firewall rules, so not surprising that I have problems... I have searched and seen
https://www.snbforums.com/threads/ebtables-arp-and-wirleess-guest-network.29857/
https://www.snbforums.com/threads/limit-the-guest-network-ports-and-speed.13955/#post-92668
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
https://ebtables.netfilter.org/examples/basic.html#ex_brouter

I tried to drop ARP at BROUTING, but did not seem to work for me, so I added two FORWARD rules and now it flows.
Next, I added BROUTING DROPs for the http, but the frame vanishes... From the above linked packet flow diagram, I expect the frame to traverse the iptables PREROUTING and FORWARD chains, but see nothing there...

Here are the key tables. (I have added selective logging rules)
Code:
Bridge chain: FORWARD, entries: 9, policy: ACCEPT
-p ARP -i eth5 --arp-ip-src 192.168.50.96 --arp-ip-dst 192.168.50.31 --log-level notice --log-prefix "ebf.FWD22" --log-ip --log-arp -j ACCEPT
-p ARP -i wl0.1 --arp-ip-src 192.168.50.31 --arp-ip-dst 192.168.50.96 --log-level notice --log-prefix "ebf.FWD21" --log-ip --log-arp -j ACCEPT
*** silent drop of annoying gratuitous self arping and IPv6 crap
-p ARP -s <IOT-MAC> -i wl0.1 --arp-ip-dst 192.168.50.31 -j DROP
-p IPv6 -o wl0.1 -j DROP
-p IPv6 -i wl0.1 -j DROP
*** original isolation with added logging
-i wl0.1 --log-level notice --log-prefix "-ebf.FWD11" --log-ip --log-arp -j DROP
-o wl0.1 --log-level notice --log-prefix "-ebf.FWD12" --log-ip --log-arp -j DROP
*** unhandled passer's by trace
-p ! IPv6 -s <IOT-MAC> --log-level notice --log-prefix "ebf.FWD1" --log-ip --log-arp -j CONTINUE
-p ! IPv6 -d <IOT-MAC> --log-level notice --log-prefix "ebf.FWD2" --log-ip --log-arp -j CONTINUE
Code:
Bridge chain: BROUTING, entries: 9, policy: ACCEPT
-p IPv4 -i eth5 --ip-src 192.168.50.96 --ip-dst 192.168.50.31 --ip-proto tcp --ip-dport 80 --log-level notice --log-prefix "-ebb.BRO21" --log-ip --log-arp -j DROP
-p IPv4 -i wl0.1 --ip-src 192.168.50.31 --ip-dst 192.168.50.96 --ip-proto tcp --ip-sport 80 --log-level notice --log-prefix "-ebb.BRO22" --log-ip --log-arp -j DROP
*** original isolation with added logging
-p IPv4 -i wl0.1 --ip-dst 192.168.50.1 --ip-proto icmp --log-level notice --log-prefix "+ebb.BRO11" --log-ip --log-arp -j ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.50.0/24 --ip-proto icmp --log-level notice --log-prefix "-ebb.BRO12" --log-ip --log-arp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.50.0/24 --ip-proto tcp --log-level notice --log-prefix "-ebb.BRO13" --log-ip --log-arp -j DROP
*** unhandled frames trace logging
-p ARP -i eth5 --arp-ip-src 192.168.50.96 --arp-ip-dst 192.168.50.31 --log-level notice --log-prefix "ebb.BRO1" --log-ip --log-arp -j CONTINUE
-p ARP -i wl0.1 --arp-ip-src 192.168.50.31 --arp-ip-dst 192.168.50.96 --log-level notice --log-prefix "ebb.BRO2" --log-ip --log-arp -j CONTINUE
-p IPv4 -i eth5 --ip-dst 192.168.50.31 --log-level notice --log-prefix "ebb.BRO3" --log-ip --log-arp -j CONTINUE
-p IPv4 -i wl0.1 --ip-dst 192.168.50.96 --log-level notice --log-prefix "ebb.BRO4" --log-ip --log-arp -j CONTINUE
Code:
iptables -t filter -S FORWARD

-P FORWARD DROP
-A FORWARD -s 192.168.50.96/32 -d 192.168.50.31/32 -p tcp -m tcp --dport 80 -j LOG --log-prefix "+ipf.FWD21 " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
-A FORWARD -s 192.168.50.96/32 -d 192.168.50.31/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.50.31/32 -d 192.168.50.96/32 -p tcp -m tcp --sport 80 -j LOG --log-prefix "+ipf.FWD22 " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
-A FORWARD -s 192.168.50.31/32 -d 192.168.50.96/32 -p tcp -m tcp --sport 80 -j ACCEPT
*** trace passer's by
-A FORWARD -d 192.168.50.31/32 -j LOG --log-prefix " ipf.FWD " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
-A FORWARD -s 192.168.50.31/32 -j LOG --log-prefix " ipf.FWD " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
-A FORWARD -m mac --mac-source <IOT-MAC> -j LOG --log-prefix " ipf.FWD20 " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
*** original rules
-A FORWARD -d 224.0.0.0/4 -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
-A FORWARD ! -i br0 -o eth0 -j other2wan
-A FORWARD -i br0 -o br0 -j logaccept
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -j NSFW
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j logaccept
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -j logdrop
This is what I see in the log
Code:
*** ARP iPhone->IOT
kernel: ebb.BRO1  IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: ebf.FWD22 IN=eth5 OUT=wl0.1 MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: ebf.FWD22 IN=eth5 OUT=eth6 MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: +ebf.INP  IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: ebb.BRO2  IN=wl0.1 OUT= MAC source = <IOT-MAC> MAC dest = <iPhone-MAC> proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=<IOT-MAC> ARP IP SRC=192.168.50.31 ARP MAC DST=<iPhone-MAC> ARP IP DST=192.168.50.96
kernel: ebf.FWD21 IN=wl0.1 OUT=eth5 MAC source = <IOT-MAC> MAC dest = <iPhone-MAC> proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=<IOT-MAC> ARP IP SRC=192.168.50.31 ARP MAC DST=<iPhone-MAC> ARP IP DST=192.168.50.96
*** iPhone tcp:80 request (retried)
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
As you can guess, I have put some time into this... I also tried BROUTING redirect/target DROP, which IIRC could see the frame traverse up to filter-INPUT and disappear.

I will appreciate some hints to make this work
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top