Blocking two IPs / MACs on the same LAN from communicating - ebtables how?

Discussion in 'Tomato Firmware' started by Livin, Feb 6, 2013.

  1. Livin

    Livin Serious Server Member

    I have 2 devices that do not like each other. Someone suggested using EBTABLES to block the communications. I looked at the EBTABLES usage info but not sure how to get it working... hoping someone could provide some specific lines I can learn from and save me 3 hours of trying/testing/failing.

    thanks!
     
  2. lancethepants

    lancethepants Network Guru Member

    These were a ton of ebtables entries I used to block dhcp, natpmp, upnp, teredo, and ipv6 between two routers with a layer 2 vpn. You'll want to modify interface, protocol, and port depending on what you're blocking.
    What exactly are you wanting to block? Depending on what it is, iptables may be the way to go.

    Code:
    ebtables -A INPUT --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A INPUT --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
    ebtables -A FORWARD --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A FORWARD --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
    ebtables -A FORWARD --out-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A FORWARD --out-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
    ebtables -A OUTPUT --out-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A OUTPUT --out-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
     
    ebtables -A INPUT --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 1900 -j DROP
    ebtables -A INPUT --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 1900 -j DROP
    ebtables -A FORWARD --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 1900 -j DROP
    ebtables -A FORWARD --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 1900 -j DROP
    ebtables -A FORWARD --out-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 1900 -j DROP
    ebtables -A FORWARD --out-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 1900 -j DROP
    ebtables -A OUTPUT --out-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 1900 -j DROP
    ebtables -A OUTPUT --out-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 1900 -j DROP
     
    ebtables -A INPUT --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 5351 -j DROP
    ebtables -A INPUT --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 5351 -j DROP
    ebtables -A FORWARD --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 5351 -j DROP
    ebtables -A FORWARD --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 5351 -j DROP
    ebtables -A FORWARD --out-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 5351 -j DROP
    ebtables -A FORWARD --out-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 5351 -j DROP
    ebtables -A OUTPUT --out-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 5351 -j DROP
    ebtables -A OUTPUT --out-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 5351 -j DROP
     
    ebtables -A INPUT --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 3544 -j DROP
    ebtables -A INPUT --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 3544 -j DROP
    ebtables -A FORWARD --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 3544 -j DROP
    ebtables -A FORWARD --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 3544 -j DROP
    ebtables -A FORWARD --out-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 3544 -j DROP
    ebtables -A FORWARD --out-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 3544 -j DROP
    ebtables -A OUTPUT --out-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 3544 -j DROP
    ebtables -A OUTPUT --out-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 3544 -j DROP
     
    ebtables -A INPUT --in-interface tap21 --protocol ipv6  -j DROP
    ebtables -A FORWARD --in-interface tap21 --protocol ipv6 -j DROP
    ebtables -A FORWARD --out-interface tap21 --protocol ipv6 -j DROP
    ebtables -A OUTPUT --out-interface tap21 --protocol ipv6 -j DROP
     
  3. jerrm

    jerrm Network Guru Member

    Are both devices wired, both wireless, or a combination? If both wired, I'd be surprised if ebtables will do anything if you're not using vlans. I think the same would hold if both are wireless, but wouldn't be too surprised if it worked for wireless.

    If both are on the default wired vlan1, I don't think the kernel can intercept the packets - all the traffic should be passed at the hardware level in the switch. I think you'd have to have the ports on different vlans to get the kernel/ebtables involved.

    With vlans, you could still have the units on the same IP network without subnetting, but I don't think that could be done in the gui. Thinking out loud, you could probably use the gui to setup "vlan3" assigned to bridge br1 as if it were a separate ip range then script moving vlan3 to br0, something like:
    Code:
    brctl delif br1 vlan3
    brctl addif br0 vlan3
    ebtables -A rule1...
    ebtables -A rule2...
    ebtables -A rule3...
    
    That is obviously not complete code.

    Someone correct me if I'm way off base - it wouldn't be the first time.
     
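    Putting the two replies above together, here is an added example (not code from the thread or from Tomato) of a small POSIX sh script that isolates two hosts on the bridge from each other while leaving every other path untouched. It assumes the two devices actually meet in the kernel bridge, as jerrm describes (different switch VLANs joined into br0, or one of them on wireless); the MAC addresses below are constructed placeholders, and the function and variable names are my own. The script only prints the rules unless DRY_RUN=0 is set, so it can be checked before anything is applied.

```shell
#!/bin/sh
# Added example, not from the thread. Generates ebtables rules that stop two
# LAN hosts from exchanging frames. Hypothetical values: the two MACs are
# constructed placeholders; replace them with the real Vera and Onkyo MACs.
VERA_MAC="00:11:22:33:44:55"     # constructed placeholder
ONKYO_MAC="66:77:88:99:aa:bb"    # constructed placeholder

# valid_mac: accept only aa:bb:cc:dd:ee:ff so a typo cannot turn into a rule
# that matches nothing (or everything) while looking applied.
valid_mac() {
    echo "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# isolation_rules MAC_A MAC_B: print one ebtables command per line.
# Frames the kernel bridges from one port to another pass the FORWARD chain,
# so a DROP per direction there is enough for unicast between the two hosts.
# Frames addressed to the router itself take INPUT instead, and two ports in
# the same hardware-switch VLAN never reach the kernel at all (jerrm's point),
# so these rules only bite once the devices are on separate bridge members.
isolation_rules() {
    a="$1"; b="$2"
    valid_mac "$a" && valid_mac "$b" || return 1
    printf 'ebtables -A FORWARD -s %s -d %s -j DROP\n' "$a" "$b"
    printf 'ebtables -A FORWARD -s %s -d %s -j DROP\n' "$b" "$a"
}

# broadcast_rules MAC: stop DHCP (67:68) and SSDP/UPnP (1900) datagrams from
# this host being relayed across the bridge. These are broadcasts, so the
# MAC-pair rules above do not catch them; the ports mirror lancethepants' list.
broadcast_rules() {
    m="$1"
    valid_mac "$m" || return 1
    for p in 67:68 1900; do
        printf 'ebtables -A FORWARD -s %s --protocol ipv4 --ip-protocol udp --ip-destination-port %s -j DROP\n' "$m" "$p"
    done
}

# apply_rules: read generated lines on stdin; print them (DRY_RUN=1, the
# default) or execute them (DRY_RUN=0).
apply_rules() {
    while IFS= read -r line; do
        if [ "${DRY_RUN:-1}" = "1" ]; then echo "$line"; else sh -c "$line"; fi
    done
}

{
    isolation_rules "$VERA_MAC" "$ONKYO_MAC"
    broadcast_rules "$VERA_MAC"
} | apply_rules
```

    Run it once as-is to see the four rules, then with DRY_RUN=0 from the Tomato firewall script once you are satisfied; `ebtables -L` afterwards shows whether the counters on the DROP rules are moving, which is the quickest way to confirm the frames are really passing through the kernel bridge rather than the switch.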
  4. Livin

    Livin Serious Server Member

    I prefer to keep the Vera wired if I can, just makes it a lot faster and more reliable BUT I can make the Vera wireless in 2 seconds so if that is needed. I want to do the easiest thing I can to block comms from it to my Onkyo receiver while still allowing both devices to talk to all other devices.

    DHCP must be blocked from each other and we think uPnP has problems between the Vera & Onkyo but we are not positive as no one has figured it out exactly yet.

    what's the easiest way?
     
  5. jerrm

    jerrm Network Guru Member

    A gui configured vlan is probably simplest, unless there is a real need to keep the offending device in the same address space - like if it uses broadcasts to find related devices.

    Even if you let both nets see each other, your issues will probably go away without adding any manual rules.
     
  6. Livin

    Livin Serious Server Member

    jerrm,
    I've never setup a VLAN before... how should I set it up?

    Do I create a new VLAN (say VLAN 3), assign a Port, place the Vera in that VLAN (give it a static IP addr), then Bridge it to VLAN 1?
    - does this automatically stop uPnP and DHCP broadcasts from going to/from VLAN 1 <-> VLAN 3?

    thx for the help!
     
  7. SteveF

    SteveF Serious Server Member

    Look at thread 'How to set up a VLAN on Tomato'. I started that thread, I did not know how to set up a VLAN before, now I have one and it works real well. Many thanks to the people on this forum, they helped me a great deal.

    Here is the thread:

    http://www.linksysinfo.org/index.php?threads/how-to-set-up-a-vlan-on-tomato.65405/

    Steve
     