0

I'm trying to block access to the internet for certain devices on my network. DD-WRT has a way to do it but only for those that are on WAN. The device is connected on LAN. What would be the iptables rules for blocking the internet but allowing the local network? Somewhere along these lines?

iptables FORWARD ????? -j DROP
PH.
  • 131

2 Answers

4

Answering the question in the title, you can block forwarding by interface. If your internal interface is eth1, and your external is eth0, try

iptables -A FORWARD -i eth1 -o eth0 -j REJECT

Getting the rule in the right place in your FORWARD chain is up to you. And I tend to prefer REJECT to DROP, for internal clients, as it gives them an actual response, and one that makes it clear that they're not going to succeed.

Dealing with the issue in the question body (which says certain devices, instead of just devices), as Ron Maupin points out there is no simple way to do this, as reliably identifying devices on a network requires an intermediate step.

Assuming your switchgear doesn't support 802.1x, running an internal VPN allows you to give qualified devices credentials which they can use to secure their egress from the network. I use OpenVPN for this. The issue is addressed in detail in my technote, though in the context of traffic shaping and exemption therefrom, rather than traffic banning and exemption, but the latter is simpler. In broad outline you set up an OpenVPN server on the firewall device, issue keys and certificates to the qualified devices, then allow traffic on the router between the OpenVPN plaintext interface and the internet, with e.g.

iptables -A FORWARD -i tun+ -o eth0 -j ACCEPT

Don't forget to permit the return-half traffic as well.

MadHatter
  • 81,580
0

To answer the specific question: "How do I block a specific MAC address on my LAN from accessing the internet, but still keep it accessible over the LAN itself":

iptables -I FORWARD 1 -m mac --mac-source be:be:fe:fe:ca:12 -o eth0 -j REJECT

(assuming eth0 is your internet)

This inserts the rule at the top of the FORWARD chain, which worked for me.

I use this to keep my printer from phoning home without sacrificing wifi printing.

Source: iptables, allow access from certain MAC addresses

Important caveat:

But this only works on the same network, as MAC addressing is link-layer specific and won't get forwarded when using routing. So, as long as the devices are on different networks that need routing, this won't work.

hraban
  • 101
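Both answers hinge on rule ordering in the FORWARD chain (the first leaves it "up to you", the second uses -I FORWARD 1). The script below is an added example, not code from either answer: it validates the MAC address, prints the block rule from the second answer, and checks an `iptables -S FORWARD` listing to confirm the REJECT sits above any ACCEPT that would otherwise let the device out. It assumes eth0 is the internet-facing interface; the listings in the test are constructed.

```shell
#!/bin/sh
# Added example (not from either answer). Builds the per-MAC block rule,
# validates the address, and audits an `iptables -S FORWARD` listing for the
# ordering mistake that makes such a rule ineffective.
# Assumption: eth0 is the WAN interface (override with WAN_IF=...).

WAN_IF="${WAN_IF:-eth0}"

# valid_mac MAC -> succeeds if MAC is six colon-separated hex octets
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# block_rule MAC -> prints (does not run) the command blocking MAC -> WAN.
# LAN-to-LAN traffic never leaves via $WAN_IF, so it is unaffected.
block_rule() {
    valid_mac "$1" || return 1
    printf 'iptables -I FORWARD 1 -m mac --mac-source %s -o %s -j REJECT\n' "$1" "$WAN_IF"
}

# rule_position LISTING MAC -> prints the 1-based position of the REJECT rule
# for MAC (case-insensitive) in `iptables -S FORWARD` output; fails if absent
rule_position() {
    printf '%s\n' "$1" | grep '^-A FORWARD' |
        awk -v mac="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v wan="$WAN_IF" '
            { line = tolower($0) }
            line ~ ("--mac-source " mac) && line ~ ("-o " wan "( |$)") && line ~ /-j reject/ {
                print NR; found = 1; exit
            }
            END { if (!found) exit 1 }'
}

# accept_precedes LISTING MAC -> succeeds if an ACCEPT rule sits above the
# block; that earlier rule wins, which is why the answer inserts at position 1
accept_precedes() {
    pos=$(rule_position "$1" "$2") || return 1
    [ "$pos" -gt 1 ] || return 1
    printf '%s\n' "$1" | grep '^-A FORWARD' | head -n "$((pos - 1))" | grep -qi -- '-j ACCEPT'
}

# Usage: sh block_mac.sh be:be:fe:fe:ca:12   (prints the rule; pipe to sh to apply)
if [ -n "$1" ]; then
    block_rule "$1" || { echo "invalid MAC: $1" >&2; exit 1; }
fi
```

To audit a live router, pass the real listing: `accept_precedes "$(iptables -S FORWARD)" be:be:fe:fe:ca:12 && echo "block is shadowed"`.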