RT-AC68U - Block IP Range from Accessing Another IP Range

cauddy

New Around Here
I am running the following:
Merlin WRT (384.7).

I have noticed that the 'Network Services Filter' doesn't work. I tried to block 10.0.0.52 from accessing 10.0.0.4 on all ports, but still connections got through.

I have tried to use jffs folder /jffs/scripts with the script name: run_firewall_rules.sh
I have done chmod 777 on run_firewall_rules.sh, rebooted router and still it doesn't block all traffic.

#!/bin/sh
iptables -I FORWARD 1 -p all -s 10.0.0.52 -d 10.0.0.4 -j DROP

What am I doing wrong?!?!

IPTables List:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID
PTCSRVWAN  all  --  anywhere             anywhere
PTCSRVLAN  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
OVPN       all  --  anywhere             anywhere             state NEW
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
INPUT_ICMP  icmp --  anywhere            anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  10.0.0.52            10.0.0.4
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
other2wan  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
NSFW       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
OVPN       all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ACCESS_RESTRICTION (0 references)
target     prot opt source               destination

Chain FUPNP (0 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             10.0.0.4             tcp dpt:6886

Chain INPUT_ICMP (1 references)
target     prot opt source               destination
RETURN     icmp --  anywhere             anywhere             icmp echo-request
RETURN     icmp --  anywhere             anywhere             icmp timestamp-request
ACCEPT     icmp --  anywhere             anywhere

Chain NSFW (1 references)
target     prot opt source               destination

Chain OVPN (2 references)
target     prot opt source               destination

Chain PControls (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PTCSRVLAN (1 references)
target     prot opt source               destination

Chain PTCSRVWAN (1 references)
target     prot opt source               destination

Chain SECURITY (0 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
DROP       icmp --  anywhere             anywhere             icmp echo-request
RETURN     all  --  anywhere             anywhere

Chain default_block (0 references)
target     prot opt source               destination

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP       all  --  anywhere             anywhere

Chain other2wan (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
 
NSF can only block traffic between the LAN and WAN, it can't block LAN to LAN traffic.
 
If 10.0.0.52 is on WiFi, and 10.0.0.4 is connected either via ethernet or WiFi, then you can block access using ebtables scripting.

e.g. I have several IP cameras (wired/WiFi), and I use WiFi tablet(s) to view them... but there are times when I don't want certain feeds to be available for viewing on the tablet(s), nor does the tablet need to access LAN resources such as a secure NAS etc.
Code:
#======================================================================================================= © 2016-2017 Martineau, v1.01
#
# Allow blocking of standard WiFi devices (non-Guest) from accessing LAN/WAN resources.
#
#     BlockWiFiClient   [help | -h] | [status [full] | ['from_ip' ['to_ip' | lan | wan] ] [accept] [del]
#                                     [ {'config_file'} [del] ]
#     BlockWiFiClient   10.88.8.155 10.88.8.197
#                       WiFi Client 10.88.8.155 will be BLOCKED from accessing 10.88.8.197
#     BlockWiFiClient   10.88.8.155 del
#                       All blocking rules for WiFi Client 10.88.8.155 will be deleted
#     BlockWiFiClient   10.88.8.155 lan
#                       WiFi Client 10.88.8.155 will be BLOCKED from accessing LAN (10.88.8.0/24)
#     BlockWiFiClient   10.88.8.155 wan
#                       WiFi Client 10.88.8.155 will be BLOCKED from accessing the (Internet) WAN
#     BlockWiFiClient   Nexus-7 DS-416
#                       WiFi Nexus-7 Client (10.88.8.155) will be BLOCKED from accessing DS-416 (NAS 10.88.8.197) - LAN or WiFi
#     BlockWiFiClient   Nexus-7 DS-416 accept
#                       WiFi Nexus-7 Client (10.88.8.155) ALL LAN access will be BLOCKED except for access to DS-416 (NAS 10.88.8.197)
#                            i.e. ALL previous BLOCK rules for this WiFi Client are deleted
#     BlockWiFiClient   Nexus-7 DS-416 accept del
#                       WiFi Nexus-7 Client (10.88.8.155) will be allowed access to DS-416 (NAS 10.88.8.197) unless the LAN BLOCK rule still exists.
#     BlockWiFiClient   Nexus-7 lan
#                       WiFi Nexus-7 Client (10.88.8.155) will be BLOCKED from accessing anything on the LAN
#     BlockWiFiClient   Nexus-7 del
#                       WiFi Nexus-7 Client (10.88.8.155) will be allowed access to LAN/WAN (all rules deleted for this WiFi Client)
#     BlockWiFiClient
#                       will show status of the 'logical' rules
#     BlockWiFiClient   status
#                       will show status of the relevant ebtables rules (use 'status full' for full ebtables -t broute BROUTING chain)
#     BlockWiFiClient /jffs/config/Nexus-7
#                       All Peer to Peer DROP/ACCEPT rules are to be read from the file and applied to WiFi Client Nexus-7
#     BlockWiFiClient /jffs/config/Nexus-7 del
#                       All blocking rules for WiFi Nexus-7 Client (10.88.8.155) will be deleted.
#
#                       NOTE: The name of the file is assumed to be the HOSTNAME of the WiFi Client.
#
#                             Format of config directives: (DROP/ACCEPT cannot be used concurrently - comment either out with #)
#
#                             e.g.  # Peer rules
#                                   DROP         DS-416
#                                   DROP         10.88.8.120-10.88.8.125,RaspberryPiB
#
#                                   or
#
#                                   ACCEPT       CAMERAS
#
#                             For the ACCEPT rule, a LAN subnet BLOCKING (DROP) rule is automatically added and the exception ACCEPT rules are then inserted,
#                                 and ALL BLOCK rules below the LAN Blocking rule are deleted!
#                             Custom IP Groups may be defined/referenced in '/jffs/configs/IPGroups'
#                                    e.g. 'CAMERAS' entry (Uppercase text!)
#                                         CAMERAS  10.88.8.10, 10.88.8.15-10.88.8.20, 10.88.8.50:10.88.8.55   #Comment
Hi,
Just wondering, where can I download the complete script for blocking WiFi to LAN resources?

That seems to achieve half of what I want; the other half is trying to block LAN to LAN... is there any way to do this?

Thanks!

Sorry, this is also my network setup:
1x RT-AC68U which acts as the primary router.
1x Router which has DHCP disabled and is extending the primary router (has a few ETH connections and a WiFi SSID coming from it).

I would like to block WiFi + LAN from another LAN address.
DHCP (on the RT-AC68U) only hands out addresses from 10.0.0.2-10.0.0.254.
 
That seems to achieve half of what i want....

Just wondering where can i download the complete script for block wifi to LAN resources?
I will PM you the scripts
...the other half is trying to block LAN to LAN...... is there any way to do this?
Well technically the WiFi is obviously part of your LAN so if my 'BlockWiFiClient.sh' script works for you then you will have implemented (limited) LAN to LAN blocking! ;)

NOTE: Devices physically attached to the router ports have visibility of each other at the hardware level and are therefore not subject to routing/iptables rules.

However, if you are able to segregate device 10.0.0.4 i.e. attach it to a physical switch port on its own VLAN subnet (say create bridge br10 VLAN111 subnet 10.0.111.4 using VLANSwitch.sh), then until you explicitly create appropriate access rules it will not be accessible from your main LAN 10.0.0.0.
Thanks for all your help.
Haha, that's actually a good way to think outside the box!
Gosh, it's been way too long since I've done hardcore networking...

EDIT: Was composing my reply and didn't see your post regarding your hardware configuration i.e. two routers.

My scripts may not be appropriate as LAN isolation/segregation may be better achieved by simply using the routers in the correct configuration.
 
Ahhh, I see. It would be interesting to see your scripts, as I will be fixing the entire topology up soon when I implement my cameras, so we don't have multiple routers around.
 
I am looking to block all traffic from inbound OpenVPN clients terminating on my Asus router, except traffic to one internal IP/port. Would your script be something that could help w/ this?
 
Two rules are required.
e.g. Allow any OpenVPN Server client access to LAN socket 192.168.1.123 via TCP port 4321:
Code:
iptables -I OVPN -d 192.168.1.0/24 -i tun2+ -o br0 -m comment --comment "ONE LAN RESOURCE ONLY" -j RETURN
iptables -I OVPN -i tun2+ -d 192.168.1.123/32 -o br0 -p tcp -m tcp --dport 4321 -m comment --comment "Allow VPN client access to socket" -j ACCEPT

However, you probably need to configure a 'VPN Client Connect' script (or one of the openvpn-event scripts) to ensure the appropriate iptables rules are enforced every time permitted (static IP nominated?) OpenVPN client(s) connect:
e.g. include the following in the Custom Configuration GUI
Code:
client-connect /jffs/scripts/VPNClientConnect.sh
then simply create /jffs/scripts/VPNClientConnect.sh to include the necessary socket access rules (ensuring no duplicate rules ;)) for your LAN device etc.

NOTE: If you want to restrict access to certain clients, then you need to assign static IP addresses from the OpenVPN server pool.
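The client-connect approach described above, as an added example that is not Martineau's script nor anything from this thread. It assumes LAN 192.168.1.0/24 on br0, server tunnel tun2+, the permitted socket 192.168.1.123 TCP/4321 and Merlin's OVPN chain; the `-m comment` matches from the post are left out so the rule strings stay word-splittable. DRY_RUN=1 keeps the chain in a shell variable so the ordering logic can be checked without iptables.

```shell
#!/bin/sh
# Added example, not a script from the thread: a client-connect style helper
# that confines OpenVPN server clients to one LAN socket and can be re-run on
# every connect without stacking duplicate rules (iptables -C / -D / -I).
# Assumed values: LAN 192.168.1.0/24 on br0, server tunnel tun2+, permitted
# socket 192.168.1.123 TCP/4321, Asuswrt-Merlin's OVPN chain in FORWARD.
set -uf                           # -f: rule strings are word-split, never globbed
LAN_NET="192.168.1.0/24"; LAN_IF="br0"; VPN_IF="tun2+"
DST_IP="192.168.1.123/32"; DST_PORT="4321"

# With DRY_RUN=1 the chain is kept in $RULESET (newest first, each rule wrapped
# in '|') instead of the kernel, so the ordering logic can be checked offline.
DRY_RUN="${DRY_RUN:-0}"
RULESET=""

ipt_has() {                       # 0 if an identical rule exists in the chain
    [ "$DRY_RUN" = 1 ] || { iptables -C "$@" 2>/dev/null; return; }
    case "$RULESET" in *"|$*|"*) return 0 ;; *) return 1 ;; esac
}
ipt_del() {                       # remove the rule if present, else no-op
    ipt_has "$@" || return 0
    [ "$DRY_RUN" = 1 ] || { iptables -D "$@"; return; }
    RULESET="${RULESET%%"|$*|"*}${RULESET#*"|$*|"}"
}
ipt_ins() {                       # insert at position 1 of the chain
    [ "$DRY_RUN" = 1 ] || { iptables -I "$@"; return; }
    RULESET="|$*|$RULESET"
}

# RETURN everything tunnel->LAN so Merlin's own ACCEPT rules below it in OVPN
# never see that traffic; the single permitted socket is ACCEPTed above it.
RET_RULE="OVPN -i $VPN_IF -o $LAN_IF -d $LAN_NET -j RETURN"
ACC_RULE="OVPN -i $VPN_IF -o $LAN_IF -d $DST_IP -p tcp -m tcp --dport $DST_PORT -j ACCEPT"

# Both rules go in at position 1, so RETURN is inserted before ACCEPT. If only
# one of them survives from an earlier run, a plain -I could leave RETURN above
# ACCEPT, so the pair is rebuilt. Returns 1 when nothing had to change.
apply_rules() {
    if ipt_has $RET_RULE && ipt_has $ACC_RULE; then
        return 1
    fi
    ipt_del $RET_RULE; ipt_del $ACC_RULE
    ipt_ins $RET_RULE
    ipt_ins $ACC_RULE
}

# Helpers for inspecting the dry-run chain.
first_rule() { r="${RULESET#|}"; printf '%s\n' "${r%%|*}"; }
rule_count() { n=0; r="$RULESET"; while [ -n "$r" ]; do r="${r#|*|}"; n=$((n+1)); done; echo "$n"; }

# OpenVPN rejects the client when client-connect exits non-zero, so exit 0
# whether or not rules were inserted:  sh VPNClientConnect.sh apply
if [ "${1:-}" = apply ]; then apply_rules || :; exit 0; fi
```

Because `-I` always prepends, the ACCEPT must be the last rule inserted; the rebuild step is what keeps that true when a previous run left only one of the two rules behind.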
 