
I'm trying to set up my Raspberry Pi as an access point for guests to connect to, which should allow them internet access but not access to the rest of my network. The Pi is also my DHCP and DNS server, for which I am using hostapd, dnsmasq & iptables, all running on Alpine Linux.

My network interfaces file creates a bridge, assigns the ethernet port to it, and gives it a static IP:

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    bridge_ports eth0
    gateway 192.168.1.1
    address 192.168.1.32
    netmask 255.255.255.0

hostapd then sets up an access point using the USB Wi-Fi adapter and adds it to the bridge:

interface=wlan0
driver=nl80211
ssid=myssid

bridge=br0
channel=6
hw_mode=g
macaddr_acl=0

dnsmasq assigns DHCP IP addresses in the 100-200 range:

dhcp-range=192.168.1.100,192.168.1.200,24h

Up to here everything works OK: I can connect to the AP and have full internet access. However, I also have full private network access. What I want to achieve is to still have internet access but block internal network access, except for DHCP/DNS. For that I have tried the following iptables rules:

--append INPUT --protocol tcp -m physdev --physdev-in wlan0 --sport 22 --dst 192.168.1.32 --jump DROP
--append INPUT --protocol tcp -m physdev --physdev-in wlan0 --sport 22 --dst 192.168.1.1 --jump DROP
--append INPUT --protocol all -m physdev --physdev-in wlan0 --dst 192.168.1.32 --jump ACCEPT
--append INPUT --protocol all -m physdev --physdev-in wlan0 --dst 192.168.1.1 --jump ACCEPT
--append INPUT --protocol all -m physdev --physdev-in wlan0 --dst 192.168.1.0 --jump DROP
--append INPUT --protocol all -m physdev --physdev-in wlan0 --dst 0.0.0.0 --jump ACCEPT

I have also tried using IP address ranges:

--append INPUT --protocol tcp -m iprange --src-range 192.168.1.100-192.168.1.200 --sport 22 --dst 192.168.1.32 --jump DROP
--append INPUT --protocol tcp -m iprange --src-range 192.168.1.100-192.168.1.200 --sport 22 --dst 192.168.1.1 --jump DROP
--append INPUT --protocol all -m iprange --src-range 192.168.1.100-192.168.1.200 --dst 192.168.1.32 --jump ACCEPT
--append INPUT --protocol all -m iprange --src-range 192.168.1.100-192.168.1.200 --dst 192.168.1.1 --jump ACCEPT
--append INPUT --protocol all -m iprange --src-range 192.168.1.100-192.168.1.200 --dst 192.168.1.0 --jump DROP
--append INPUT --protocol all -m iprange --src-range 192.168.1.100-192.168.1.200 --dst 0.0.0.0 --jump ACCEPT

The idea being that I drop SSH, allow all other connections to the gateway and the DNS/DHCP server, and drop any other internal connections, while allowing all other network connections.

But with all of this I am still able to access internal services, so I am kind of stumped now as to how else to proceed.

I have enabled br_netfilter and have run echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables.

RichyHBM

1 Answer


I think the thing that's throwing you off here is the bridge interface.

Once you create a bridge interface and bridge 2 ports together, iptables has no way of restricting the traffic going between those ports.

A bridge interface is essentially a layer 2 connection, meaning your Wi-Fi hosts on wlan0 are effectively connected to a switch, together with all the hosts on your eth0 interface. No routing happens here; the IP packet headers are not even checked -- traffic is forwarded solely based on MAC-layer frame headers.

iptables would be able to block SSH connections to the Pi itself, since, as it is the destination, it would look at the IP packet headers and thus see that it has a rule to block this type of traffic. It would also be able to block anything trying to leave the network, as it is the gateway and has to do routing there. For any traffic that doesn't fall into one of these 2 categories, though, it can't do anything.

Some normal home Wi-Fi routers have this feature where you can block Wi-Fi clients from accessing the wired network even though they share the same address range, but I don't know the details of how they implement that.
If it is doable with the setup you have, though, I suspect it's some configuration of the bridge itself that would be how you get it done, not iptables.

Take a look at this question and see if any of those responses have what you want. I myself am not familiar with ebtables/nftables, but it seems like it might be what you're looking for.
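The bridge-level filtering the answer points at, written out as an added example that is not part of the question or the answer: a POSIX shell script that emits an nftables ruleset in the bridge family (the nft successor to ebtables) and loads it with nft -f -. It assumes the layout from the question (br0 bridging eth0 and wlan0, the Pi at 192.168.1.32 serving DHCP/DNS, the gateway at 192.168.1.1, the wired LAN 192.168.1.0/24); the variable names, chain names and the apply/print switch are my own choices, and nftables must be installed (apk add nftables on Alpine). Frames from guests to the Pi itself (DHCP, DNS) are delivered locally through the bridge input hook rather than the forward hook, so the forward rules never touch them; only SSH from the guest side is dropped in the input chain.

```sh
#!/bin/sh
# Added example, not from the question or the answer: guest isolation on a
# Linux bridge using the nftables "bridge" family, which filters frames as they
# are forwarded between bridge ports, i.e. at the layer the answer says the
# bridge operates on.
#
# Assumed layout (taken from the question): br0 bridges eth0 (wired LAN) and
# wlan0 (guest AP); the Pi is 192.168.1.32 and serves DHCP/DNS; the internet
# gateway is 192.168.1.1; the wired LAN is 192.168.1.0/24.

GUEST_PORT="${GUEST_PORT:-wlan0}"
LAN_PORT="${LAN_PORT:-eth0}"
GATEWAY="${GATEWAY:-192.168.1.1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset on stdout. Table and chain names are my own.
guest_ruleset() {
    cat <<EOF
table bridge guest_isolation {
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "$GUEST_PORT" oifname "$LAN_PORT" jump guest_to_lan
        iifname "$LAN_PORT" oifname "$GUEST_PORT" jump lan_to_guest
    }

    chain guest_to_lan {
        # ARP: guests may resolve the gateway, nothing else on the wire
        arp daddr ip $GATEWAY accept
        ether type arp drop
        # IPv4: no SSH to the gateway, any other traffic to the gateway is fine;
        # everything else addressed inside the LAN (unicast, broadcast,
        # multicast) is not. Internet-bound packets carry a public destination
        # address and the gateway's MAC, so they fall through to the accept.
        ip daddr $GATEWAY tcp dport 22 drop
        ip daddr $GATEWAY accept
        ip daddr $LAN_NET drop
        ip daddr 255.255.255.255 drop
        ip daddr 224.0.0.0/4 drop
        ether type ip accept
        # anything that is neither ARP nor IPv4 (IPv6, LLDP, ...) stays off the LAN
        drop
    }

    chain lan_to_guest {
        # mirror image: only the gateway may reach guests from the wired side;
        # replies from the internet carry a public source address and pass
        arp saddr ip $GATEWAY accept
        ether type arp drop
        ip saddr $GATEWAY accept
        ip saddr $LAN_NET drop
        ether type ip accept
        drop
    }

    chain input {
        # frames for the Pi itself: block SSH from the guest side, keep DHCP/DNS
        type filter hook input priority 0; policy accept;
        iifname "$GUEST_PORT" tcp dport 22 drop
    }
}
EOF
}

# Load the ruleset in one transaction, replacing any previous copy of the
# table (declare, delete, re-create is the usual nft idiom for this).
apply_ruleset() {
    {
        printf 'table bridge guest_isolation\n'
        printf 'delete table bridge guest_isolation\n'
        guest_ruleset
    } | nft -f -
}

case "${1:-}" in
    apply) apply_ruleset ;;
    *)     guest_ruleset ;;   # default: print the ruleset for review
esac
```

Run it without arguments to review the generated ruleset, and as root with the argument apply to load it; nft list table bridge guest_isolation shows what the kernel holds afterwards. Guest-to-guest traffic on the same radio never crosses the bridge, so these rules do not see it; hostapd's ap_isolate=1 option is the knob for that.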