0 votes
160 views 1 comments
by anonymous

Hi all,
I’m going to install a RUT955 at an unmonitored remote location with low security and access restrictions.
The remote site and my home site LAN will permanently be connected via a mobile data based IPsec VPN connection.

I figured out that the available firewall rules and options don’t provide the required functionality.
Therefore my focus moved to protecting my home site LAN via iptables rules, using a combination of MAC and hostname restrictions against unauthorized access.

My objectives

  • Accessibility of up to 6 devices at remote site from my home location
  • Prevent any unauthorized access from remote site

From my limited perspective a combination of MAC and hostname restriction would be the best protection against unauthorized access of my home LAN from the remote site.
As I’m not an expert in iptables rules, I would be grateful for any kind of support or ideas.

Kind regards,
HW

4 Answers

0 votes
by anonymous

Hi,

There are loads of instructions on how to use the iptables.

You should find most of the information in this Linux man page: https://linux.die.net/man/8/iptables

As I understood, you want to keep the limit of 6 connected devices from your home location? In this case, you would need to make a script that would count how many connected addresses there are and on the 6th stop the incrementation. This will be hard, as you will need to find a way to identify when the device connects and what the device is, so I guess you will also need to check with the iptables rules that you've created.

An example for accepting one MAC address and dropping everything else would look like this:

  # Rule order matters: iptables stops at the first match, so the ACCEPT
  # for the allowed MAC must come before the catch-all DROP.
  -A FORWARD -i eth1.10 -p tcp -m tcp --dport 80 -m mac --mac-source 00:60:DD:44:85:43 -j ACCEPT
  -A FORWARD -i eth1.10 -o eth0 -j DROP
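The pattern from the answer above (allow listed MACs, drop the rest) carried through for several devices, as an added example that is not from the thread or from Teltonika: a script that generates a dedicated FORWARD chain in iptables-restore syntax, keeps every ACCEPT ahead of the final DROP, and lets replies to connections started from the home LAN pass. The LAN interface name br-lan, the home subnet 192.168.1.0/24 and the chain name are assumptions you adjust to your setup.

```shell
#!/bin/sh
# Added example: generate iptables rules that allow only listed MAC addresses on the
# remote-site LAN to forward traffic toward the home LAN, and drop everything else.
LAN_IF="${LAN_IF:-br-lan}"               # remote router LAN bridge (assumed name)
HOME_NET="${HOME_NET:-192.168.1.0/24}"   # home LAN behind the IPsec tunnel (constructed)
CHAIN="SITE_TO_HOME"

# Return 0 for a well-formed MAC (aa:bb:cc:dd:ee:ff, any case), 1 otherwise.
valid_mac() {
  printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the rule set for the given allowed MACs in iptables-restore syntax.
# Fails (return 1) if any argument is not a valid MAC, so a typo never
# silently turns into a rule that matches nothing.
gen_rules() {
  for mac in "$@"; do
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
  done
  echo "*filter"
  echo ":$CHAIN - [0:0]"
  # Replies to sessions opened from home toward the remote devices.
  echo "-A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # One ACCEPT per authorised device; these must precede the DROP.
  for mac in "$@"; do
    echo "-A $CHAIN -m mac --mac-source $mac -j ACCEPT"
  done
  # Anything else from the site LAN toward home is rate-limited to the log, then dropped.
  echo "-A $CHAIN -m limit --limit 5/min -j LOG --log-prefix \"site-to-home drop: \""
  echo "-A $CHAIN -j DROP"
  # Hook the chain in front of the existing FORWARD rules.
  echo "-I FORWARD -i $LAN_IF -d $HOME_NET -j $CHAIN"
  echo "COMMIT"
}

# Usage: ./site-to-home.sh MAC [MAC ...]          prints the rules
#        ./site-to-home.sh --apply MAC [MAC ...]  loads them without flushing (root)
if [ "${1:-}" = "--apply" ]; then
  shift; gen_rules "$@" | iptables-restore -n
elif [ $# -gt 0 ]; then
  gen_rules "$@"
fi
```

A MAC address is trivially changed by whoever plugs into the site and a hostname is never visible to iptables, so this is a filter, not authentication; keep the allowed traffic to the specific home hosts and ports that are needed and watch the "site-to-home drop" log lines for unexpected devices. On the RUT955, put the rules in the firewall's custom rules so a firewall reload does not discard them.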
0 votes
by anonymous
ErnestasB, thank you for your response.

First question: I don't use VLAN10 (eth1.10), so why drop/accept that?

What does eth1.10 mean in this context?

To limit it to certain amount of allowed connected devices is just a subordinate goal.

More important would be to restrict according to hostnames in addition if possible.

Accessing the devices at the remote site through VPN from the home LAN should always be possible.

I'm a greenhorn regarding iptables but trying to learn.

Thank you in advance.
by anonymous
I used that command as an example, it wasn't for you to copy and paste. Please take what is needed in that command and use it in your solution.

Restricting the hostnames? Why exactly hostnames in this case? Are the hostnames you're trying to filter somehow similar to each other, or is there another reason?

EB.
0 votes
by anonymous
Hi ErnestasB,

It’s an unrestricted, unmonitored site where inverter systems are located outside.

There are very limited physical protection options. Without any access protection anybody could connect with his equipment, e.g. a PC, and would be able to access the office LAN via VPN.

Therefore my idea is to restrict the access at the remote site by use of a combination of the device-specific MAC address and individual hostnames.

What would be the interface identifier for an IPsec connection? Similar to eth0 as the LAN identifier.

HW
0 votes
by anonymous
I got it working.

Thank you for your support.

HW