I have a similar challenge: I have an IoT device with several vulnerabilities that I want to isolate on my LAN, but it is connected through a switch together with other devices that I do NOT want isolated.
I tried creating a separate chain and putting a reference to it at the start of the INPUT chain for anything with the IoT device as source or the IoT device as destination, and then, in the new chain, if the source is LAN and the destination is IoT, DROP, or if the source is IoT and the destination is LAN, DROP. But I can't get it to work; the packets can still ping and access the device. I even tried adding my rules to the start of several other chains to see whether that made a difference, but no luck. Any ideas?
b1tphr34k@RT-AC87U-C598:/tmp/home/root# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
TIVOFILTER all -- 192.168.10.8 anywhere
TIVOFILTER all -- anywhere 192.168.10.8
logdrop icmp -- anywhere anywhere icmp echo-request
logaccept all -- anywhere anywhere state RELATED,ESTABLISHED
logdrop all -- anywhere anywhere state INVALID
PTCSRVWAN all -- anywhere anywhere
PTCSRVLAN all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
logaccept udp -- anywhere anywhere udp spt:bootps dpt:bootpc
INPUT_ICMP icmp -- anywhere anywhere
logdrop all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 192.168.10.8 192.168.10.0/24
DROP all -- 192.168.10.0/24 192.168.10.8
logaccept all -- anywhere anywhere state RELATED,ESTABLISHED
logdrop all -- anywhere anywhere
logdrop all -- anywhere anywhere state INVALID
logaccept all -- anywhere anywhere
SECURITY all -- anywhere anywhere
NSFW all -- anywhere anywhere
logaccept all -- anywhere anywhere ctstate DNAT
logaccept all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 192.168.10.0/24 192.168.10.8
DROP all -- 192.168.10.8 192.168.10.0/24
Chain ACCESS_RESTRICTION (0 references)
target prot opt source destination
Chain FUPNP (0 references)
target prot opt source destination
ACCEPT udp -- anywhere 192.168.10.5 udp dpt:54927
ACCEPT tcp -- anywhere 192.168.10.7 tcp dpt:32400
Chain INPUT_ICMP (1 references)
target prot opt source destination
RETURN icmp -- anywhere anywhere icmp echo-request
RETURN icmp -- anywhere anywhere icmp timestamp-request
logaccept icmp -- anywhere anywhere
Chain NSFW (1 references)
target prot opt source destination
logdrop udp -- anywhere anywhere udp spt:https
logdrop udp -- anywhere anywhere udp dpt:https
logdrop udp -- anywhere anywhere udp spt:www
logdrop udp -- anywhere anywhere udp dpt:www
logdrop icmp -- anywhere anywhere icmp timestamp-request
logdrop icmp -- anywhere anywhere icmp timestamp-reply
RETURN all -- anywhere anywhere
Chain PControls (0 references)
target prot opt source destination
logaccept all -- anywhere anywhere
Chain PTCSRVLAN (1 references)
target prot opt source destination
Chain PTCSRVWAN (1 references)
target prot opt source destination
Chain SECURITY (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
logdrop tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
logdrop tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
logdrop icmp -- anywhere anywhere icmp echo-request
RETURN all -- anywhere anywhere
Chain TIVOFILTER (2 references)
target prot opt source destination
DROP all -- 192.168.10.0/24 192.168.10.8
DROP all -- 192.168.10.8 192.168.10.0/24
Chain logaccept (8 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT all -- anywhere anywhere
Chain logdrop (14 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP all -- anywhere anywhere
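As an added example (not code from the post or the router firmware), a small POSIX shell script that works out which netfilter chain on the router, if any, would evaluate a packet between two addresses from the listing above. It assumes the router's LAN address is 192.168.10.1 (not shown in the listing) and that the LAN hosts share one switch, so frames between two 192.168.10.0/24 hosts are switched at layer 2 and never reach the router's INPUT, FORWARD or OUTPUT chains.

```shell
#!/bin/sh
# Added example, not from the original post. ROUTER_IP is an assumption;
# the LAN prefix comes from the iptables listing (192.168.10.0/24).
ROUTER_IP="192.168.10.1"
LAN_NET="192.168.10.0"
LAN_PREFIX=24

# ip_to_int 192.168.10.8 -> 3232238088 (dotted quad to 32-bit integer)
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET PREFIX -> exit status 0 when IP lies inside NET/PREFIX
in_subnet() {
  mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# netfilter_path SRC DST -> prints the router chain that sees the packet:
#   INPUT   (destined to the router itself)
#   OUTPUT  (generated by the router itself)
#   FORWARD (routed between the LAN and another network, e.g. the WAN)
#   NONE    (both hosts on the same switched LAN segment; the router never
#            sees the frame, so no iptables rule on it can match)
netfilter_path() {
  src=$1; dst=$2
  if [ "$dst" = "$ROUTER_IP" ]; then
    echo INPUT
  elif [ "$src" = "$ROUTER_IP" ]; then
    echo OUTPUT
  elif in_subnet "$src" "$LAN_NET" "$LAN_PREFIX" \
       && in_subnet "$dst" "$LAN_NET" "$LAN_PREFIX"; then
    echo NONE
  else
    echo FORWARD
  fi
}

# Walk the flows the poster is trying to block (LAN host <-> IoT device at
# 192.168.10.8) plus two routed flows for comparison. 192.168.10.5 is a
# constructed LAN host address taken from the FUPNP chain.
for pair in "192.168.10.5 192.168.10.8" "192.168.10.8 192.168.10.5" \
            "192.168.10.8 8.8.8.8" "192.168.10.8 $ROUTER_IP"; do
  set -- $pair
  printf '%-15s -> %-15s evaluated in: %s\n' "$1" "$2" "$(netfilter_path "$1" "$2")"
done
```

The two LAN-to-IoT flows come back as NONE, which is why the TIVOFILTER and FORWARD DROP rules above never match a LAN host pinging 192.168.10.8; traffic on one switched segment has to be separated at layer 2 (a separate VLAN or port isolation on the switch) rather than by the router's iptables.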