Determination of the kind of a packet to block it with a Firewall

I tried many solutions but I am still open to another one if it does what I am looking for. I used OpenWRT because it can be run on an RSBPi, so I didn't have to buy a router. I am still open to suggestions for a router that can match what I am looking to do.
I already use Kubuntu on my laptop (no double boot). I am still learning, so this is why I wrote this thread.

I actually have a VLAN setup doing what you described. So, it is possible. I wouldn't suggest this for a normal LAN setup, though.

It's your responsibility to determine:

  • what traffic needs to be received by the router (e.g. DNS, DHCP, etc.)
  • Forwarding
  • and if you're that paranoid, what output from the device itself

You then make rules for them. Editing the output is risky, and an easy way to lock yourself out of the router.

1 Like

Maybe making a VLAN is a better idea, but can I do this with the RSBPi I use as a router?

I meant you will have to use the existing constructs to get anywhere....

Default POLICY

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

Excerpt 1

-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j **input_rule**
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j **forwarding_rule**
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject

See above.....

The INPUT chain input_rule is parsed prior to conntrack ACCEPT existing
The FORWARDING chain forwarding_rule likewise

For a beginner these are the ideal places for you to add custom rules.

Packets to the router in input_rule
Packets beyond the router in forwarding_rule

Next NOTE the default filter policy....

INPUT = ACCEPT so you will be DROPPING
FORWARD = REJECT so you will be ACCEPTING

These are overridden with the following;

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

Which inserts end of chain ACTIONS in each of the relative "zone" chains

-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT

You'll notice that the TARGETS are not just ACCEPT but more CHAINS that perform further logging or sanity checks

-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT

So that is a brief dissection of the rule flow.... and a good place to start for you with perhaps adding some rules in /etc/firewall.user .... i.e.

iptables -A input_rule -i br-lan -p udp -m udp --dport 53 -m comment --comment "onrouterdnsdrop" -j DROP
iptables -A forwarding_rule -i br-lan -p udp -m udp --dport 53 -m comment --comment "beyondrouterlandnsdrop" -j DROP

To which you could add source ip's to..... it's not efficient.... but is a clear way to get a foot in..... the other would be the gui.....

And a safer approach......

iptables -A input_rule -i br-lan -p udp -m udp --dport 53 -m comment --comment "testonrouterdnsdrop" -j LOG
iptables -A forwarding_rule -i br-lan -p udp -m udp --dport 53 -m comment --comment "testbeyondrouterlandnsdrop" -j LOG

And the last one;

iptables -N loglimit
iptables -A loglimit -m limit --limit 2/sec --limit-burst 12 -m comment --comment "loglimit-watchingdawabbit" -j LOG
iptables -A loglimit -m comment --comment "wabbit" -j RETURN
iptables -A input_rule -i br-lan -s watchip/32 -m comment --comment "testonrouterdnsdrop" -j loglimit
iptables -A forwarding_rule -i br-lan -s watchip/32 -m comment --comment "testbeyondrouterlandnsdrop" -j loglimit
1 Like
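The dissection above hinges on rule order: the jump to input_rule sits before the conntrack RELATED,ESTABLISHED ACCEPT, so a DROP placed there also catches packets of streams the router would otherwise let through. The following is an added Python model, not code from the thread or from OpenWrt: it parses a constructed iptables-save excerpt laid out like the one quoted (same chain, interface and comment names; the client addresses are made up), understands only the handful of match options used there, and walks a packet through INPUT, recording which chains it visits. The policy lines are parsed too, so the `[packets:bytes]` counters shown as `[0:0]` become plain numbers.

```python
"""Walk a packet through the fw3 INPUT chain layout quoted in the thread."""
import shlex
from collections import namedtuple
from ipaddress import ip_address, ip_network

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed iptables-save excerpt: policy lines and "!fw3" jumps follow the
# thread's excerpt, "onrouterdnsdrop" is the suggested custom rule. In a line
# ":NAME POLICY [packets:bytes]" the brackets hold that chain's traffic counters
# and "-" marks a user-defined chain, which has no policy of its own.
RULESET = """
:INPUT ACCEPT [0:0]
:input_rule - [0:0]
:zone_lan_input - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_input - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A input_rule -i br-lan -p udp -m udp --dport 53 -m comment --comment "onrouterdnsdrop" -j DROP
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j REJECT
"""
# The same DROP rule moved into the zone chain, i.e. after the conntrack ACCEPT.
RULESET_LATE = RULESET.replace("-A input_rule -i br-lan", "-A zone_lan_input -i br-lan")

# Matches the toy parser understands; other tokens ("-m udp", "-o ...") are skipped.
OPTS = {"-i": "iface", "-p": "proto", "--dport": "dport", "-s": "src",
        "--ctstate": "ctstate", "--comment": "comment", "-j": "target"}
CONV = {"dport": int, "src": lambda s: ip_network(s, strict=False),
        "ctstate": lambda s: set(s.split(","))}
# A packet as INPUT sees it: ingress interface, protocol, dest port, conntrack state, source IP.
Packet = namedtuple("Packet", "iface proto dport ctstate src")


def parse(text):
    """Return ({chain: {policy, packets, bytes}}, {chain: [rule, ...]})."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy, counters = line[1:].split()
            pkts, byts = counters.strip("[]").split(":")
            policies[name] = {"policy": policy, "packets": int(pkts), "bytes": int(byts)}
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            tok, rule, i = shlex.split(line), {"comment": ""}, 2
            while i < len(tok):
                if tok[i] in OPTS:
                    rule[OPTS[tok[i]]] = tok[i + 1]
                    i += 2
                else:
                    i += 1
            for key, conv in CONV.items():
                if key in rule:
                    rule[key] = conv(rule[key])
            chains.setdefault(tok[1], []).append(rule)
    return policies, chains


def matches(rule, pkt):
    return (rule.get("iface", pkt.iface) == pkt.iface
            and rule.get("proto", pkt.proto) == pkt.proto
            and rule.get("dport", pkt.dport) == pkt.dport
            and ("src" not in rule or ip_address(pkt.src) in rule["src"])
            and ("ctstate" not in rule or pkt.ctstate in rule["ctstate"]))


def walk(chain, pkt, chains, policies, path):
    """Evaluate one chain: a verdict, or None when a user chain falls through."""
    path.append(chain)
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            path.append(f"{target}[{rule['comment']}]")
            return target
        verdict = walk(target, pkt, chains, policies, path)   # jump into a user chain
        if verdict is not None:
            return verdict
    policy = policies.get(chain, {}).get("policy")
    if policy in TERMINAL:          # built-in chain: the default policy decides
        path.append(f"policy {policy}")
        return policy
    return None                     # user chain exhausted: back to the caller


def simulate(text, pkt, chain="INPUT"):
    policies, chains = parse(text)
    path = []
    return walk(chain, pkt, chains, policies, path), path


if __name__ == "__main__":
    dns = Packet("br-lan", "udp", 53, "ESTABLISHED", "192.168.1.50")   # constructed client
    for label, text in [("DROP in input_rule", RULESET), ("DROP after conntrack", RULESET_LATE)]:
        verdict, path = simulate(text, dns)
        print(f"{label:21} -> {verdict:6} via {' > '.join(path)}")
```

Running it shows the difference that matters for the thread: with the rule in input_rule, an ESTABLISHED DNS packet from the LAN client is dropped before the conntrack ACCEPT is ever reached, whereas the same rule placed in zone_lan_input only stops NEW flows.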

Does it mean that, since everything is blocked, it gives priority to the rules of "input_rule"?

it means that the next rule in the sequence ( after that chain is iterated )

lets established traffic through ... so you will not have access to those streams anymore.

fine for most practical uses.... not fine when you're learning.

This means we add a comment to a custom rule called "input_rule", or do the double stars have another meaning?
I imagine I have to create it first?

That is the EXISTING rule.

The * * is bold but I put it in code tags..... they are not part of the actual default "iptables-save" output.

Ahh, I didn't pay attention to the ** BOLD meaning in the forum.
So the name of the rule is only "input_rule".
I read a lot about what you wrote before trying to get more explanations. I am starting to understand but still need to organize it in my head.

INPUT ACCEPT means to me:
it filters the inputs by accepting all the connection ports from 0 to 0, which means it doesn't accept anything?

1 Like

practical application.... will help a lot.....

you can just enter those commands manually....
( examples i wrote after "perhaps adding some rules in /etc/firewall.user .... i.e." )

if something breaks or is not right.... just do a

/etc/init.d/firewall restart

easy! glad to hear you're making progress :slight_smile:

No idea what "[0:0]" means.... ignore it, or tell me and we'll both know :wink:

1 Like

So the extract below comes from your default iptables?

I tried this, but the device I want to isolate is still working :frowning:

I tried many of the iptables commands, but I still don't know how to do a "block everything by default except this and this".

I struggle so hard :frowning:

It's not hard:

  • BLOCK everything in the zone using BLOCK/BLOCK/BLOCK; you do this on the General Firewall page
  • Remove the rule permitting traffic from this zone to WAN
  • At this point stuff will stop working (for this reason, I suggest you do this to a 3rd, untrusted VLAN, leaving LAN intact)
  • Allow everything you want
  • Done

You need to mainly consider:

  • Allow DHCP requests
  • Allow DNS requests
  • Allow Forwarding of clients to WAN
  • Access to SSH and LuCI
1 Like

I think it's also better not to do it on the LAN.
So it will be like WAN --> LAN --> VLAN (virtual network on which my device is connected)
So how can I do that? Should I do it directly using LuCI?

I guess it's different from a ZONE?

No, it would be <name_of_network> --> WAN

Are you saying that this is a virtual router?

And yes, you'd create a new network Interface and Firewall zone, then add this VLAN to a switch port/attach a WiFi SSID. You will basically make a copy of the LAN configs from the network and dhcp files, and rename/renumber its IP and VLAN number (in most devices the next free VLAN ID is 3).

This is getting more complex and requiring more skills than just figuring out packets.
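The five-step procedure given earlier (block the zone, drop its WAN forwarding, then allow DHCP, DNS, forwarding to WAN and, if wanted, SSH/LuCI) and the interface/zone creation described in the reply above look like this in UCI syntax. This is an added, illustrative configuration, not a copy from the thread or from any OpenWrt release; it assumes the new network and zone are named `iot`, VLAN ID 3 on `eth0` (the `eth0.3` notation mentioned later in the thread), the subnet 192.168.3.0/24, and the fw3-era `option ifname` form of interface binding. Zone output is left at ACCEPT, in line with the earlier warning that editing output is an easy way to lock yourself out.

```
# /etc/config/network (fragment): the isolated VLAN, assumed name and subnet
config interface 'iot'
	option ifname 'eth0.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp (fragment): copy of the lan pool, renumbered for the new interface
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall (fragment)
# Step 1: the zone rejects everything reaching the router and everything forwarded
config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'iot'

# Step 4: only the forwarding you want, here iot -> wan (clients reach the Internet,
# but not lan, because there is no iot -> lan forwarding section)
config forwarding
	option src 'iot'
	option dest 'wan'

# Step 4: traffic the router itself must accept from the zone
config rule
	option name 'iot-allow-dhcp'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'iot-allow-dns'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Optional: drop this section if the isolated devices should not manage the router
config rule
	option name 'iot-allow-ssh-luci'
	option src 'iot'
	option proto 'tcp'
	option dest_port '22 80 443'
	option target 'ACCEPT'
```

After editing, `/etc/init.d/network restart` and `/etc/init.d/firewall restart` apply the change; because the lan zone is untouched, a mistake in the iot zone cannot lock you out of the router from the LAN side.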

<name_of_network> will be the name of my VLAN? I don't understand why it comes before the WAN interface.

It's a Raspberry Pi with OpenWRT, and I am not sure what you mean by "virtual router"?

This I can do.

This I am not sure how to do; I will have to use another USB port of the Raspberry Pi, I imagine?

This I should be able to do.

Exactly, but I see the VLAN as the best solution to make a "block by default except this and this" on my configuration.

Really? Just flip what I wrote. In your config, you permit traffic from a network to WAN. It doesn't matter to me how you note it, as long as you configure it properly in your router.

:man_facepalming:
If you only have one port available, you'll have to do this via WiFi only, or convert the port to a trunk (if you have a managed switch available).

I hope it works out. Personally, I found this much easier on a device with more ports that can be configured to have different SSIDs. I'm just saying...

I can't make a VLAN with the Raspberry Pi because the "Switch" option is not available and WiFi is not supported (if I'm not talking bullshit). :frowning:

Next actions: invest in a router :slight_smile:

It's possible to use VLAN tags if you connect the port to a managed switch or another device which supports VLAN tags. Refer to the interface page in luci:

You can also use VLAN notation INTERFACE.VLANNR (e.g.: eth0.1).