
I have a Raspberry Pi set up to control a number of local IoT devices, and needed them connected to the Internet to set them up initially, but want to prevent them from "phoning home" to a cloud server more regularly. I have connected the smart devices to a hostapd-powered access point using the Raspberry Pi, bridged them using a bridge br0 to my eth0 interface, but now I'm having trouble restricting devices on the wireless network from communicating outside the local network.

Relevant bits of my ifconfig output are as follows:

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.18  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::ba27:ebff:fe8f:6637  prefixlen 64  scopeid 0x20<link>
        inet6 2a0e:cb01:22:4200:ba27:ebff:fe8f:6637  prefixlen 64  scopeid 0x0<global>
        inet6 fdaa:bbcc:ddee:0:ba27:ebff:fe8f:6637  prefixlen 64  scopeid 0x0<global>
        ether b8:27:eb:8f:66:37  txqueuelen 1000  (Ethernet)
        RX packets 1030237  bytes 662509131 (631.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 872280  bytes 115521631 (110.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.18  netmask 255.255.255.0  broadcast 192.168.1.255
        ether b8:27:eb:8f:66:37  txqueuelen 1000  (Ethernet)
        RX packets 1302889  bytes 707488434 (674.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 868337  bytes 119710458 (114.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 169.254.16.101  netmask 255.255.0.0  broadcast 169.254.255.255
        ether b8:27:eb:da:33:62  txqueuelen 1000  (Ethernet)
        RX packets 206395  bytes 24701387 (23.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 259922  bytes 56512014 (53.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I've currently tried using ebtables - this is my current config:

Bridge table: filter

Bridge chain: INPUT, entries: 1, policy: ACCEPT
-p IPv4 -i wlan0 --ip-dst ! 192.168.1.0/24 -j DROP

Bridge chain: FORWARD, entries: 3, policy: ACCEPT
-p IPv4 -i wlan0 -o wlan0 --ip-src 192.168.1.0/24 -j ACCEPT
-p IPv4 -i wlan0 -o wlan0 --ip-dst 192.168.1.0/24 -j ACCEPT
-i wlan0 -o wlan0 -j DROP

Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-p IPv4 -o wlan0 --ip-src ! 192.168.1.0/24 -j DROP

However, this ruleset definitely isn't working - connecting my phone to it to test, I can access everything as normal. I'll admit I'm thrashing around a bit trying to find how some of these things work, so it's more than possible I'm missing something huge!

Help appreciated :)

  • If eth0 is bridged then it should not have an IP address or this can disrupt routing. And then wlan0 (the only visible Wifi here) has only an IPv4LL address which is non-routable. So in the end, is there actual bridging involved or needed? That should be addressed before trying to do actual filtering. Adding a schematic of your setup would help. This would also help: `ip -br link; ip -4 -br addr; /sbin/bridge link; ip -4 route` – A.B Aug 12 '23 at 14:23
  • Then this will likely not work by default: `-i wlan0 -o wlan0 ...`. See my answer to this Q/A about how to filter wireless: https://superuser.com/questions/1661060/hostapd-how-to-block-only-netbios-broadcasts-to-clients-in-same-wlan-by-applyin – A.B Aug 12 '23 at 14:27
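The ruleset in the question never touches the path that matters. In ebtables the INPUT and OUTPUT chains only see frames addressed to or originated by the bridge's own IP stack; a frame from an IoT device that enters on wlan0 and leaves on eth0 goes through FORWARD only, and the three FORWARD rules all require `-o wlan0`, so that frame matches nothing and falls through to the ACCEPT policy. The rules are also `-p IPv4` only, while br0 carries a global IPv6 address, so IPv6 traffic is never examined at all. The script below is an added example, not code from the question or the comments: it generates a FORWARD ruleset keyed on the ingress port alone (ARP, the local prefix, multicast and the DHCP broadcast are accepted, everything else including IPv6 is dropped) and, following A.B's comment, checks whether a bridge member still has its own IPv4 address. The names wlan0, eth0, br0 and the prefix 192.168.1.0/24 are taken from the question; that DHCP and DNS live on the 192.168.1.0/24 side is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Generates (and, with --apply, runs)
# an ebtables ruleset that keeps hostapd clients on the Wi-Fi bridge port from
# reaching anything outside the local IPv4 prefix. Interface names and prefix
# are assumptions taken from the question; change them to match your setup.
set -u

# Print the ebtables commands for one bridge port, one per line, without
# running them. Order matters: every ACCEPT must precede the catch-all DROP,
# and the DROP has no -p, so IPv6 and anything else non-IPv4 is dropped too.
# Note that -F FORWARD discards whatever FORWARD rules are already loaded.
iot_ebtables_rules() {
    wifi_if=$1      # bridge port the IoT devices arrive on, e.g. wlan0
    lan_prefix=$2   # the only IPv4 destinations they may talk to
    cat <<EOF
ebtables -F FORWARD
ebtables -P FORWARD ACCEPT
ebtables -A FORWARD -i $wifi_if -p ARP -j ACCEPT
ebtables -A FORWARD -i $wifi_if -p IPv4 --ip-dst $lan_prefix -j ACCEPT
ebtables -A FORWARD -i $wifi_if -p IPv4 --ip-dst 224.0.0.0/4 -j ACCEPT
ebtables -A FORWARD -i $wifi_if -p IPv4 --ip-dst 255.255.255.255 -j ACCEPT
ebtables -A FORWARD -i $wifi_if -j DROP
EOF
}

# Return 0 if device $1 carries an IPv4 address in the "ip -4 -br addr" output
# passed as $2. A bridge member (eth0, wlan0) should not: the address belongs on
# br0 only, as A.B's comment points out.
member_has_ipv4() {
    printf '%s\n' "$2" |
        awk -v dev="$1" '$1 == dev && NF >= 3 { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample (not real captured output) mirroring the question's
# ifconfig: eth0 still carries the same address as br0.
EXAMPLE_ADDR_OUTPUT='lo               UNKNOWN        127.0.0.1/8
eth0             UP             192.168.1.18/24
br0              UP             192.168.1.18/24
wlan0            UP             169.254.16.101/16'

if [ "${1:-}" = "--apply" ]; then
    # Live mode: inspect the real system, then push the rules (needs root).
    addrs=$(ip -4 -br addr)
    for dev in eth0 wlan0; do
        if member_has_ipv4 "$dev" "$addrs"; then
            echo "warning: bridge member $dev has an IPv4 address; move it to br0" >&2
        fi
    done
    iot_ebtables_rules wlan0 192.168.1.0/24 | sh -e
else
    # Dry run: show what would be applied and flag the sample misconfiguration.
    iot_ebtables_rules wlan0 192.168.1.0/24
    if member_has_ipv4 eth0 "$EXAMPLE_ADDR_OUTPUT"; then
        echo "sample: eth0 still has an address; fix that before filtering" >&2
    fi
fi
```

Run it without arguments to see the rules and the check on the constructed sample, or `sudo ./iot-bridge-filter.sh --apply` on the Pi. Matching on the destination IP rather than on `-o eth0` is deliberate: a packet for a cloud host is addressed to the router's MAC but still carries the public IP as `--ip-dst`, which is exactly what the prefix test rejects. If `br_netfilter` is loaded, bridged IPv4 frames additionally traverse the iptables FORWARD chain, and the nftables `bridge` family can express the same rules on newer kernels; either way, verify with a phone on the Wi-Fi that LAN hosts answer and external addresses time out.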

0 Answers