
Using iptables to control network access


leon

Regular Contributor
Hello,

I am thinking of preventing my wireless printer from accessing the internet but allowing access to my local home network. Can this be done via iptables? I tried the below, but it does not work...

Code:
iptables -A OUTPUT -s 192.168.1.157 -d 192.168.1.1/255.255.255.0 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.157  -j DROP

192.168.1.157 is the IP of a computer which I used for testing. After I SSH to the router and issued the above two commands, the computer can still ping sites such as google.com...

My next step is to allow some devices to access the internet only, and only via ports 80 and 443. These devices cannot access the local home network.

Any guidance is much appreciated. Thanks!
 
I think you need to add your rules to the beginning of the chain (-I) rather than the end (-A). Also, you need to use the FORWARD chain not the OUTPUT.
 
Thank you! Indeed, by issuing the command
Code:
iptables -I FORWARD -s 192.168.1.157  -j DROP

it stops the computer from accessing the external network. However, if I issue this command, it does not stop the computer from accessing the local internet...

Code:
iptables -I FORWARD  -s 192.168.1.157 -d 192.168.1.1/255.255.255.0 -j DROP

I read the iptables man page... and still cannot figure it out. :(
 
I think it's because all the LAN traffic is bridged on interface br0, so it never hits the iptables rules because it doesn't need to be forwarded anywhere.

From what I've read on here (but I've never tried this) the trick is to drop the packets from the bridge so that they are then able to be manipulated by iptables. So you would have something like this:
Code:
ebtables -I FORWARD -p IPv4 --ip-src 192.168.1.157 -j DROP
iptables -I FORWARD -s 192.168.1.157 -d 192.168.1.1/255.255.255.0 -j DROP

But this is just a wild guess!
 
Thanks... It does not work... I will need to dive deeper to know if iptables can control local-to-local access.
 
2. If you want to block LAN to LAN, it's impossible because switched packets can't reach the CPU, so you can't control them.
But it is possible to block WLAN to LAN using ebtables and iptables (that's how guest networks do it). It's also possible to block WLAN to WLAN using "Set AP Isolated".
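The rules this thread arrives at, pulled together as an added example (not code from any of the posters): one host kept off the internet but on the LAN, and one host given internet on TCP 80/443 only with no LAN access. It assumes br0 is the LAN bridge, eth0 is the WAN interface, and 192.168.1.200 is a hypothetical device; 192.168.1.157 is the thread's test host.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the LAN bridge is br0, the
# WAN interface is eth0 (on Asuswrt, `nvram get wan0_ifname` shows the real
# name) and the LAN is 192.168.1.0/24. DRY_RUN=1 (the default) prints each
# command instead of running it, so the rule set can be reviewed first.
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Case 1 (the printer): keep the host on the LAN but off the internet.
# Only LAN->WAN traffic crosses the FORWARD chain, so matching -i/-o keeps the
# rule from touching anything else; -I puts it ahead of the router's own ACCEPTs.
block_internet() {
  run iptables -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$1" -j DROP
}

# Case 2 (internet-only device): TCP 80/443 to the WAN, nothing else, no LAN.
# Each -I lands at the top, so the rules are emitted in reverse of the order
# they are evaluated in: the final chain reads ACCEPT 80/443, then DROP.
web_only() {
  run iptables -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$1" -j DROP
  run iptables -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$1" \
    -p tcp -m multiport --dports 80,443 -j ACCEPT
  # LAN-to-LAN frames stay on the bridge and never enter iptables FORWARD, so
  # the LAN block is an ebtables rule. It catches only frames the CPU bridges
  # (wireless to wired); frames switched in hardware between wired ports never
  # reach it. Frames addressed to the router itself take the INPUT path, so
  # DHCP and DNS served by the router keep working for the device.
  run ebtables -I FORWARD -p IPv4 --ip-src "$1" --ip-dst "$LAN_NET" -j DROP
}

# Dry-run usage: 192.168.1.157 is the thread's test host, .200 is hypothetical.
block_internet 192.168.1.157
web_only 192.168.1.200
```

Run with DRY_RUN=0 on the router to apply the rules, and `iptables -L FORWARD -v -n --line-numbers` afterwards to confirm the new rules sit above the existing ACCEPTs.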