So, I work for a computer shop and we have been having issues with our VoIP system getting spammed/hacked/explored or otherwise tampered with at one of our locations. As this isn't the location that I am usually at, I haven't been able to observe the network traffic when it has happened.
After getting a $5,000 network security quote from a local IT company I was able to convince my boss to instead pick up a $250 WRT3200ACM router so that I could install OpenWRT on it instead -- we're a small business, so the enterprise-class equipment they were recommending really is overkill for our needs.
After spending the last few days after-hours at the shop setting things up, I noticed a couple of things about the VoIP system: on the old router, there were no UPnP mappings and no port forwards set. To me, this means that due to the PNAT setup, there really is no way for an attacker to compromise the phone system from the outside -- the box simply isn't accessible. Clearly, this means that the attack is coming from inside the network. I mean, I could simply re-install Windows on all the work machines, but I'm more interested in defeating this at the networking level, since if the computers were to get compromised again it wouldn't take down that shop due to constant and incessant spam calls.
So, with our new WRT3200ACM I set up a couple of things that are helpful in our line of business: the router has 3 VLANs and 3 firewall zones: WAN, LAN, and Customer (for potentially compromised customer devices). I have three of the four ethernet ports on the router assigned to VLAN 1 (lan) and one port to VLAN 3 (customer). I also set up two wireless networks, one for store use, one with WLAN isolation for customer devices.
Just for the sake of clarity, I have the following logical setup:
- br-lan, composed of eth0.1 and 3 separate radio interfaces (the non-guest WLAN); this is tied to the 'lan' firewall zone, as usual.
- br-customer, composed of eth0.3 and 3 other radio interfaces (the guest WLAN interfaces); tied to a 'customer' firewall zone.
- Inter-zone forwarding is denied by all zones except guest->wan and lan->wan.
Just to be safe (and this is probably overkill), I also added firewall rules to tag legitimate connections between the WAN and the phone device (i.e., originating from or destined for the networks of our IP phone provider) and to deny all untagged packets/connections to the IP phone box. So far, so good.
But, this is where I hit a snag: a device connected via Ethernet to the router on a port on the same VLAN can still, for example, access the web interface of the IP phone box even though it's not a firewall "authorized" connection. I've done all kinds of firewall logging and can never seem to capture packets going from the "unauthorized" lan device to the IP phone box. After mulling it over, I think I know why this is: it's the internal switch doing its job: relaying the packet directly to the destination and thereby bypassing any routing the firewall might do -- from a layer 3 perspective, no routing needs to be done so FORWARD, PREROUTING, POSTROUTING tables are never hit and from a layer 2 perspective, the devices are adjacent so the ethernet frame can be relayed via layer 2 without ever having to consult layer 3, bypassing iptables.
So, the situation is this: I need to block all intra-LAN communication with this box (it does not need to talk to any other device than our IP phone provider) while allowing it to still continue talking via the WAN. This must be done at layer 2, since the packet never really has to be routed.
I've checked out a couple of iptables kernel modules such as ebtables and I think this might be the solution to my problem; I just can't figure out exactly where/how to use it. If my understanding is correct (and it should be), any IP packet that cannot be mapped via ARP in the ethernet frame sets its destination MAC to that of the default gateway, and traffic from the WAN should always have the ethernet source MAC set to that of the default router. This means that I should, theoretically, be able to DROP or REJECT all ethernet packets destined to the known MAC of the IP phone box if the packet's source MAC is not that of the default gateway.
Is this the correct way to go about this?
(Sorry, I really didn't mean to post the question before trying it on my own LAN but here it is -- can't delete it)
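An added example, not part of the question above or of any OpenWrt project code: the ebtables rules I would put in `/etc/firewall.user` on an OpenWrt router to do what the question describes, i.e. drop every bridged frame to or from the phone box's MAC while leaving its path to the router (and so to the WAN) untouched. It assumes the `ebtables` package is installed, that the phone box hangs off `br-lan`, and that its MAC is known (the value below is a constructed placeholder). It relies on the fact that frames the bridge relays from one member port to another traverse the ebtables FORWARD chain, while frames the router itself originates on `br-lan` (replies it routed in from the WAN) traverse OUTPUT, and frames addressed to the router traverse INPUT. The chain name `phone_isolate` and the function names are this script's own inventions.

```shell
#!/bin/sh
# Added example for OpenWrt's /etc/firewall.user (not the original poster's code).
# Assumes the ebtables package is installed and the phone box sits behind br-lan.
# PHONE_MAC below is a constructed placeholder; replace it with the phone box's MAC.

PHONE_MAC="${PHONE_MAC:-02:00:5e:00:00:01}"

# Accept only a well-formed colon-separated MAC address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the ebtables commands that isolate the phone at layer 2.
# Frames the bridge relays from one member port to another (wired ports whose
# frames reach the CPU, and wired <-> wireless) traverse the ebtables FORWARD
# chain. Frames the router itself sends onto br-lan, such as packets it routed
# in from the WAN, traverse OUTPUT instead, and frames addressed to the router
# (the phone's ARP for its gateway, DHCP) traverse INPUT, so matching the
# phone's MAC in FORWARD only cuts off the other LAN devices.
build_rules() {
    mac="$1"
    valid_mac "$mac" || { echo "build_rules: invalid MAC '$mac'" >&2; return 1; }
    cat <<EOF
ebtables -N phone_isolate 2>/dev/null || true
ebtables -F phone_isolate
ebtables -A phone_isolate --log-level notice --log-prefix "phone-isolate: " -j DROP
ebtables -D FORWARD -d $mac -j phone_isolate 2>/dev/null || true
ebtables -D FORWARD -s $mac -j phone_isolate 2>/dev/null || true
ebtables -A FORWARD -d $mac -j phone_isolate
ebtables -A FORWARD -s $mac -j phone_isolate
EOF
}

# Apply the generated rules on the router; firewall.user runs as root on every
# firewall reload, so the delete-then-add above keeps the rules from duplicating.
apply_rules() {
    build_rules "$1" | sh -e
}

# From /etc/firewall.user:  . /etc/phone-isolate.sh && apply_rules "$PHONE_MAC"
```

Two things worth checking after applying it. First, a workstation's broadcast ARP request still reaches the phone (destination ff:ff:ff:ff:ff:ff matches neither rule), but the phone's unicast reply is dropped by the `-s` rule, so the workstation never resolves the phone and the web interface becomes unreachable; the logged drops with the `phone-isolate:` prefix in `logread` are the evidence that was missing from the iptables logs. Second, ebtables only sees frames that reach the CPU: two devices on wired ports of the same switch VLAN are forwarded by the switch chip without the CPU ever seeing the frame, so for this to work the phone box should sit on a port in its own VLAN (or on the wireless side) so its traffic is bridged or routed through the kernel rather than switched in silicon.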