
I'm on a local 192.168.1.0/24 network with an OpenWrt router at 192.168.1.1 and I want to block any TCP connection to an IoT device that has an open port, let's say 192.168.1.12:5001. I don't have access to the device's Linux, so I can't enforce the rule there.

Is that even possible from the router without any complex segmentation? Maybe I need a special router/switch?

I have tried these on the router, but none of them work:

root@OpenWrt:~# iptables  -I INPUT  -p tcp --destination-port 5001 -j DROP
root@OpenWrt:~# iptables  -I OUTPUT  -p tcp --destination-port 5001 -j DROP
root@OpenWrt:~# iptables  -I FORWARD  -p tcp --destination-port 5001 -j DROP

(I'm fine dropping any packets to port 5001 just for testing)

2 Answers


You can't do this directly, as traffic from your client will go straight to another device on the LAN without bothering the router.


Because it is on the same sub-net. It does not go through the router.

The routing tables will say something like "route local stuff yourself" (this is usually almost hard coded). Then (for most devices) send the rest to your default router.

The device will broadcast "ARP: who is 192.168.1.12?" Then 192.168.1.12 will respond "ARP: I am 192.168.1.12". Any device hearing this can extract the MAC address, put it in its own ARP table, and then send IP packets directly to the device.

Therefore you would have to set up two sub-nets and have the router route between them. They can be on the same physical network; however, if you want the security to be worth anything, then you will need to put them on separate physical networks (otherwise it would be trivial to get around the security if you can gain control of any machine on the network).
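To make the forwarding decision both answers describe concrete, here is an added example (not from either answer) that simulates a LAN host's longest-prefix-match route lookup: a connected route for 192.168.1.0/24 and a default route via the OpenWrt router at 192.168.1.1. It shows why a FORWARD rule on the router never sees 192.168.1.12:5001 traffic from a host on the same subnet, and why it would after moving the device to a second subnet (192.168.2.0/24 is an assumed, constructed address for that case).

```python
import ipaddress

# Constructed routing table for a host on the 192.168.1.0/24 LAN, as the
# answer describes: "route local stuff yourself, send the rest to the router".
HOST_ROUTES = [
    ("192.168.1.0/24", None),      # on-link: ARP for the MAC and deliver directly
    ("0.0.0.0/0", "192.168.1.1"),  # default route: hand everything else to the router
]
ROUTER_IP = "192.168.1.1"
# Ports the router's FORWARD chain would drop (the question's test rule).
ROUTER_DROPS_TCP = {5001}


def next_hop(routes, dst):
    """Longest-prefix match. Returns the gateway IP, or None if dst is on-link."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def router_sees_traffic(routes, dst, router_ip=ROUTER_IP):
    """True only if the host's own routing decision sends the packet to the router."""
    return next_hop(routes, dst) == router_ip


def outcome(routes, dst, port, router_ip=ROUTER_IP, dropped=ROUTER_DROPS_TCP):
    """Where a TCP SYN to dst:port ends up, given the host routes and router rule."""
    if not router_sees_traffic(routes, dst, router_ip):
        return "delivered directly (router FORWARD rule never consulted)"
    if port in dropped:
        return "dropped by router FORWARD rule"
    return "forwarded by router"


if __name__ == "__main__":
    # Same subnet: the drop rule is bypassed, exactly as the question observed.
    print("192.168.1.12:5001 ->", outcome(HOST_ROUTES, "192.168.1.12", 5001))
    # Device moved to a second subnet (assumed 192.168.2.0/24): router now in path.
    print("192.168.2.12:5001 ->", outcome(HOST_ROUTES, "192.168.2.12", 5001))
```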
