Enabling Virtual Server/Port Forwarding for guest LANs. (Or re-implementing guest lan intranet blocking with ebtables)

[robca]

I have a RT-AC68U, with Merlin 386.7.2.

I need to put a couple of crappy cameras on the network while traveling, and I need to open two port forwarding for each one, for web access and RTSP. I don't trust those cameras, so I want to put them on a guest network and block intranet access. If they get hacked, won't compromise the rest of the network. Problem is, when I block intranet access for the guest network from the WEB UI, port forwarding stops working.

I tried to look at iptables to understand if blocking local access changes something, but there is nothing obvious

I see that the Guest network 3 I'm using is wl0.3, and I'm thinking of deleting the bridge between br0 and wl10.3, set up a new bridge and then in firewall-start use iptables to route traffic as appropriate... but I'm sure it will be a long trial and error, so I'm hoping for suggestions

 

[robca]

Please disregard for now, it looks as if I might have found a solution using ebtables... more tomorrow. Will post here, as this is a question that was asked a few times in the past but never answered

 

[robca]

I think I got it.

When guest network intranet access is disabled, entries are added to ebtables like this

admin@RT-AC68U-7BA8:/tmp/home/root# ebtables -t broute -L BROUTING
Bridge table: broute

Bridge chain: BROUTING, entries: 3, policy: ACCEPT
-p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

Since my cameras IP addresses are 192.168.1.152 and 153, I leave intranet access enabled in the UI, then run

ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-src 192.168.1.153 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.153 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-src 192.168.1.152 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.152 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 80 -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 443 -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 22 -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT

That allows communication with the two cameras, while blocking the cameras from accessing the router administration ports. If an hacker tried to change the IP address of the cameras, nothing would work. I might use the MAC address for the cameras anyway, since it's harder to spoof from the camera UI at least. I also might want to limit traffic to the cameras only to the Web UI and RTSP

Of course to persist the setting this needs to be added to a script, probably firewall-start or services-start, not sure what's best

 

[robca]

Updated version of the script, now in firewall-start (in jffs). I'm also using -A to add rules instead of -I (which required inserting rules in reverse order)

# Delete built in rules to start with a known situation
ebtables -t broute -D BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT
ebtables -t broute -D BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
ebtables -t broute -D BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

# Prevent access to management ports on the router from devices on guest network
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 22 -j DROP
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 443 -j DROP
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 80 -j DROP

# Add rules for IP cameras, only ports 80 and 554
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-src 192.168.1.152 --ip-sport 80 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.152 --ip-dport 80 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-src 192.168.1.152 --ip-sport 554 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.152 --ip-dport 554 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-src 192.168.1.153 --ip-sport 80 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.153 --ip-dport 80 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-src 192.168.1.153 --ip-sport 554 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.153 --ip-dport 554 --ip-proto tcp -j ACCEPT

# Drop everything else
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP