securing internal network traffic against rogue apps / devices

[Doverton]

Hi,

I am trying to stop undesired behaviour on my internal network and this means I want to stop the following items:
- Unknown MAC addresses communicating
- HTTPS VPNs
- DNS redirection
- DNS over https (DoH)
- Quic

Here is what I've done so far:
- My network has 3 WiFi routers and I have created an "allow-list" of MACs on each router
- I've forced all DNS (not DoH) to go to the router
- I've blocked UDP traffic to port 80/443
- I've tried the following script to stop non-authorised MACs from working (I've created the file with all the MACs listed), but this doesn't appear to work on my RT-AX56U router.
for MAC in `cat mac_addresses_file`; do
iptables -A FORWARD -i eth0 -o eth1 -m mac --mac-source $MAC -j ACCEPT
done
iptables -P FORWARD DROP

What I am seeing is that the client with a blocked MAC is still able to connect to the network, I presume through another wifi spot, even though MAC filtering is enabled on them all.

Any thoughts on how I achieve the above? I'm using unbound, but that is it.

Thanks

David

 

[bbunge]

Do you have any iOS devices that change their MAC address? Might explain the unknown MAC address.

 

[KevTech]

WPS disabled?

 

[eibgrad]

First off, it's usually not a good idea to append (-A) rules unless you know for *sure* that any prior rules will not let the traffic through. Since we can't see those rules in context, we just have to assume they should work as intended. That's why most ppl suggest insertion (-I); it's just more likely to work, esp. when you have no further information about the state of the firewall.

Second, you're referencing the raw wireless network interfaces (eth0 and eth1), but usually those are bound to a bridge (e.g., br0) along w/ the switch's VLAN (e.g., vlan1). And once a network interface is bound to a bridge, it can't be referenced anymore in iptables! Any such rules are simply ignored. You can only reference the *bridge* to which they are assigned.

In short, without any further context than what you've described, it's just a guessing game.

 

[Jack Yaz]

Second, you're referencing the raw wireless network interfaces (eth0 and eth1), but usually those are bound to a bridge (e.g., br0) along w/ the switch's VLAN (e.g., vlan1). And once a network interface is bound to a bridge, it can't be referenced anymore in iptables! Any such rules are simply ignored. You can only reference the *bridge* to which they are assigned.

Incorrect. You can use ebtables to drop the bridged traffic from the interfaces, and use the interfaces directly in iptables. YazFi does this successfully.

 

[eibgrad]

Incorrect. You can use ebtables to drop the bridged traffic from the interfaces, and use the interfaces directly in iptables. YazFi does this successfully.

Well are you saying that dropping the bridged traffic from the interfaces via ebtables is a *prerequisite* for this to work from iptables? Because the OP never suggested this is what he's doing. And I'm only claiming that when dealing strictly w/ iptables (no other prerequisites), in my experience, you can't do it. But if you now change the conditions, and use something like ebtables to drop/manipulate the bridge, I would presume it's possible. But again, that was never part of the discussion from either the OP or me.

 

[mike37]

Hi,

I am trying to stop undesired behaviour on my internal network and this means I want to stop the following items:
- Unknown MAC addresses communicating
- HTTPS VPNs
- DNS redirection
- DNS over https (DoH)
- Quic

Here is what I've done so far:
- My network has 3 WiFi routers and I have created an "allow-list" of MACs on each router
- I've forced all DNS (not DoH) to go to the router
- I've blocked UDP traffic to port 80/443
- I've tried the following script to stop non-authorised MACs from working (I've created the file with all the MACs listed), but this doesn't appear to work on my RT-AX56U router.
for MAC in `cat mac_addresses_file`; do
iptables -A FORWARD -i eth0 -o eth1 -m mac --mac-source $MAC -j ACCEPT
done
iptables -P FORWARD DROP

What I am seeing is that the client with a blocked MAC is still able to connect to the network, I presume through another wifi spot, even though MAC filtering is enabled on them all.

Any thoughts on how I achieve the above? I'm using unbound, but that is it.

Thanks

David

You might be interested in:

Suricata - Suricata - IDS on AsusWRT Merlin

Suricata is a free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata inspects the network...

www.snbforums.com

and

[Experimental] Snort3 IDS/IPS on AsusMerlin [AC86/AX88 routers ONLY]

What is Snort? It is an open source intrusion prevention system (IPS) capable of real-time traffic analysis and packet logging. Snort is an open source project under Gnu Public License (GPL) 2.0, it is an open source alternative to some of the proprietary IDS/IPS such as TrendMicro's AiProtect...

www.snbforums.com

These come with rules that'l flag many of the actions you listed. In IDS mode you'll see these and perhaps additional undesirable activity. You'd then customize the rules to ignore actions you approve of, and flag other actions.

Switch over to IPS mode and the unwanted actions will be both flagged and blocked. If processes "evolve" to using other addresses or techniques, the IPS would likely detect and block it.

Well..... this is how the IDS/IPS apps are supposed to work - in fact for asus-merlin they are under development and appear to work on only a few of the routers at this time. But IDS mode (flagging) only would be informative even if you have to tweak iptables to block things

Your situation and ability seem ripe for an IPS, and I'm guessing either of these projects would be very happy to have you involved.