I have a device on the network that doesn't appear to be going through iptables, from what I can tell when logging, and I 100% don't understand how this is happening.
The device itself is connected over a wireless AP, which is plugged into the network. The AP, as expected, just passes the traffic like a switch. I want this one device to not be able to communicate with other devices on the network (without setting up a VLAN in this case). The issue I'm having is that this device CAN communicate with certain devices even though I've explicitly put in rules to keep it from being allowed to.
I have a firewall chain called "mac_check_pre_forward", where I basically only allow specific MAC addresses on the network to talk to certain devices on the network. So for example, I have the following two lines in there (MAC address changed):
```
ACCEPT  all  --  *  *  0.0.0.0/0       192.168.1.0/24  MAC aa:aa:aa:aa:aa:aa
DROP    all  --  *  *  192.168.1.0/24  192.168.1.0/24
```
This is inserted into FORWARD at the very beginning:
```
mac_check_pre_forward  all  --  *  *  0.0.0.0/0  0.0.0.0/0
```
When, from this device (with an example MAC of bb:bb:bb:bb:bb:bb), I run a ping to a device in the 192.168.1.0/24 subnet with `ping 192.168.1.55`, and add `iptables -I FORWARD -j LOG`, I see logs for only the ICMP response, but no logs for the echo request from bb:bb...:
```
Oct 10 12:21:20 192.168.1.1 kernel: [213670.920538] IN=br-lan OUT=br-lan MAC=xx...aa:aa:aa:aa:aa:aa... SRC=192.168.1.55 DST=192.168.1.30 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=11099 PROTO=ICMP TYPE=0 CODE=0 ID=55626 SEQ=113
```
When the ICMP is coming from my device that shouldn't be able to communicate to the rest of the network, iptables appears to be logging as if the source is actually the destination. I see zero logs related to this actual device I'm trying to block from accessing the rest of the network.
What am I missing here? Outside of setting up a VLAN, how would I get this device to only be allowed to communicate with the Internet and not the local network (by means of filtering it by MAC address)?
NOTE: It's not just ICMP. It can reach out to all open ports on the network; ICMP is just the example above.
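Added example, not code from the post: a small Python script that parses an iptables LOG line in the format quoted above, decoding the `MAC=` field (which iptables writes as destination MAC, then source MAC, then ethertype, 14 colon-separated bytes), models the two rules of the `mac_check_pre_forward` chain to show which verdict each packet should receive, and reads the bridge-netfilter sysctl that decides whether frames bridged between ports of the same bridge (`IN=br-lan OUT=br-lan`) reach the iptables `FORWARD` chain at all. The sample log line, the full MAC field and the assumption that the blocked device is 192.168.1.30 (taken from the `DST` of the logged reply) are constructed for this example.

```python
import ipaddress
import re
from pathlib import Path

# Constructed sample LOG line in the same format as the one in the post,
# with a full 14-byte MAC field (the post's line was truncated).
SAMPLE_LOG = (
    "Oct 10 12:21:20 192.168.1.1 kernel: [213670.920538] IN=br-lan OUT=br-lan "
    "MAC=bb:bb:bb:bb:bb:bb:aa:aa:aa:aa:aa:aa:08:00 SRC=192.168.1.55 DST=192.168.1.30 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=11099 PROTO=ICMP TYPE=0 CODE=0 ID=55626 SEQ=113"
)

ALLOWED_MAC = "aa:aa:aa:aa:aa:aa"                 # the MAC the post's first rule accepts
LAN = ipaddress.ip_network("192.168.1.0/24")
BRIDGE_NF_SYSCTL = Path("/proc/sys/net/bridge/bridge-nf-call-iptables")


def parse_log_line(line):
    """Turn an iptables LOG line into a dict of KEY=value fields.

    The IP header ID= and the ICMP echo ID= share a key name, so the second
    occurrence is stored as ICMP_ID. The MAC= field is split into
    DST_MAC / SRC_MAC / ETHERTYPE when all 14 bytes are present.
    """
    fields = {}
    for key, value in re.findall(r"(\w+)=(\S*)", line):
        if key == "ID" and "ID" in fields:
            key = "ICMP_ID"
        fields[key] = value
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["DST_MAC"] = ":".join(octets[0:6])
        fields["SRC_MAC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = "".join(octets[12:14])   # "0800" = IPv4
    return fields


def mac_check_pre_forward(src_mac, src_ip, dst_ip):
    """Model of the chain in the post: two rules, then RETURN to FORWARD."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    # Rule 1: ACCEPT all from MAC aa:aa:aa:aa:aa:aa to 192.168.1.0/24
    if src_mac.lower() == ALLOWED_MAC and dst in LAN:
        return "ACCEPT"
    # Rule 2: DROP all 192.168.1.0/24 -> 192.168.1.0/24
    if src in LAN and dst in LAN:
        return "DROP"
    return "RETURN"   # nothing matched: continue with the rest of FORWARD


def bridged_traffic_hits_iptables():
    """Return True/False from the sysctl, or None if br_netfilter is not loaded.

    Frames forwarded between ports of one Linux bridge only traverse the
    iptables FORWARD chain when net.bridge.bridge-nf-call-iptables is 1;
    otherwise they are switched below netfilter and no FORWARD rule sees them.
    """
    try:
        return BRIDGE_NF_SYSCTL.read_text().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    reply = parse_log_line(SAMPLE_LOG)
    print("logged reply:", reply["SRC_MAC"], reply["SRC"], "->", reply["DST"],
          "ICMP type", reply["TYPE"])
    # The echo request that never appeared in the log: blocked device -> .55
    print("verdict for bb -> .55 request:",
          mac_check_pre_forward("bb:bb:bb:bb:bb:bb", "192.168.1.30", "192.168.1.55"))
    print("verdict for aa -> .30 reply:",
          mac_check_pre_forward(reply["SRC_MAC"], reply["SRC"], reply["DST"]))
    print("bridged frames reach iptables:", bridged_traffic_hits_iptables())
```

Run it on the router as a quick check: if `bridged_traffic_hits_iptables()` returns `None` or `False`, frames that stay inside `br-lan` are switched by the bridge without ever entering the `FORWARD` chain, which would match seeing no log entries for the device's own packets regardless of the rules in `mac_check_pre_forward`.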