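# BYOD VLAN (ID 30) on gateway
# Interfaces as used on this page: eth0 = upstream/internet, eth1 = internal LAN,
# eth1.30 = 802.1Q sub-interface of eth1 carrying VLAN 30 (BYOD).
ip link add link eth1 name eth1.30 type vlan id 30
ip addr add 192.168.30.1/24 dev eth1.30
ip link set eth1.30 up

# Allow BYOD internet access: new flows out of eth0, and only reply traffic back in.
# NOTE(review): these rules forward 192.168.30.0/24 unchanged; source NAT toward
# eth0 is not shown on this page -- confirm it is configured elsewhere.
iptables -A FORWARD -i eth1.30 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1.30 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block BYOD from reaching internal LAN by default.
# -I puts this DROP at the head of FORWARD, ahead of the two ACCEPTs above and of
# anything appended later. iptables is first-match, so any per-host exception for
# eth1.30 -> eth1 (e.g. an internal web application) must itself be inserted (-I)
# ahead of this rule; an appended (-A) exception is shadowed and never matches.
# Scope: "-o eth1" matches the untagged LAN only. If other VLAN sub-interfaces
# exist on eth1 they need their own DROP (or "-o eth1+", which also matches
# eth1.30 itself). Traffic addressed to the gateway's own 192.168.30.1 is handled
# by the INPUT chain, not FORWARD, and is not restricted here.
iptables -I FORWARD -i eth1.30 -o eth1 -j DROP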
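# BYOD VLAN (ID 30) on gateway
# Interfaces as used on this page: eth0 = upstream/internet, eth1 = internal LAN,
# eth1.30 = 802.1Q sub-interface of eth1 carrying VLAN 30 (BYOD).
ip link add link eth1 name eth1.30 type vlan id 30
ip addr add 192.168.30.1/24 dev eth1.30
ip link set eth1.30 up

# Allow BYOD internet access: new flows out of eth0, and only reply traffic back in.
# NOTE(review): these rules forward 192.168.30.0/24 unchanged; source NAT toward
# eth0 is not shown on this page -- confirm it is configured elsewhere.
iptables -A FORWARD -i eth1.30 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1.30 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block BYOD from reaching internal LAN by default.
# -I puts this DROP at the head of FORWARD, ahead of the two ACCEPTs above and of
# anything appended later. iptables is first-match, so any per-host exception for
# eth1.30 -> eth1 (e.g. an internal web application) must itself be inserted (-I)
# ahead of this rule; an appended (-A) exception is shadowed and never matches.
# Scope: "-o eth1" matches the untagged LAN only. If other VLAN sub-interfaces
# exist on eth1 they need their own DROP (or "-o eth1+", which also matches
# eth1.30 itself). Traffic addressed to the gateway's own 192.168.30.1 is handled
# by the INPUT chain, not FORWARD, and is not restricted here.
iptables -I FORWARD -i eth1.30 -o eth1 -j DROP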
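# BYOD VLAN (ID 30) on gateway
# Interfaces as used on this page: eth0 = upstream/internet, eth1 = internal LAN,
# eth1.30 = 802.1Q sub-interface of eth1 carrying VLAN 30 (BYOD).
ip link add link eth1 name eth1.30 type vlan id 30
ip addr add 192.168.30.1/24 dev eth1.30
ip link set eth1.30 up

# Allow BYOD internet access: new flows out of eth0, and only reply traffic back in.
# NOTE(review): these rules forward 192.168.30.0/24 unchanged; source NAT toward
# eth0 is not shown on this page -- confirm it is configured elsewhere.
iptables -A FORWARD -i eth1.30 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1.30 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block BYOD from reaching internal LAN by default.
# -I puts this DROP at the head of FORWARD, ahead of the two ACCEPTs above and of
# anything appended later. iptables is first-match, so any per-host exception for
# eth1.30 -> eth1 (e.g. an internal web application) must itself be inserted (-I)
# ahead of this rule; an appended (-A) exception is shadowed and never matches.
# Scope: "-o eth1" matches the untagged LAN only. If other VLAN sub-interfaces
# exist on eth1 they need their own DROP (or "-o eth1+", which also matches
# eth1.30 itself). Traffic addressed to the gateway's own 192.168.30.1 is handled
# by the INPUT chain, not FORWARD, and is not restricted here.
iptables -I FORWARD -i eth1.30 -o eth1 -j DROP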
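# Allow BYOD to reach internal web application only (192.168.1.50:443)
# Inserted (-I) at the head of FORWARD so it is evaluated ahead of the blanket
# "eth1.30 -> eth1 DROP" that the VLAN setup inserts there; appended (-A) it sat
# behind that DROP and, iptables being first-match, never matched (assuming
# 192.168.1.50 lives on the internal LAN behind eth1 -- confirm).
iptables -I FORWARD -i eth1.30 -d 192.168.1.50 -p tcp --dport 443 -j ACCEPT
# Return path: replies from the web application back into the BYOD VLAN.
# The original second rule repeated the client->server direction (-i eth1.30
# -d 192.168.1.50) and left server->client unhandled; only eth0 -> eth1.30
# replies are allowed elsewhere, so the handshake could not complete unless the
# FORWARD policy happens to be ACCEPT.
iptables -I FORWARD -o eth1.30 -s 192.168.1.50 -p tcp --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT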
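# Allow BYOD to reach internal web application only (192.168.1.50:443)
# Inserted (-I) at the head of FORWARD so it is evaluated ahead of the blanket
# "eth1.30 -> eth1 DROP" that the VLAN setup inserts there; appended (-A) it sat
# behind that DROP and, iptables being first-match, never matched (assuming
# 192.168.1.50 lives on the internal LAN behind eth1 -- confirm).
iptables -I FORWARD -i eth1.30 -d 192.168.1.50 -p tcp --dport 443 -j ACCEPT
# Return path: replies from the web application back into the BYOD VLAN.
# The original second rule repeated the client->server direction (-i eth1.30
# -d 192.168.1.50) and left server->client unhandled; only eth0 -> eth1.30
# replies are allowed elsewhere, so the handshake could not complete unless the
# FORWARD policy happens to be ACCEPT.
iptables -I FORWARD -o eth1.30 -s 192.168.1.50 -p tcp --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT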
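# Allow BYOD to reach internal web application only (192.168.1.50:443)
# Inserted (-I) at the head of FORWARD so it is evaluated ahead of the blanket
# "eth1.30 -> eth1 DROP" that the VLAN setup inserts there; appended (-A) it sat
# behind that DROP and, iptables being first-match, never matched (assuming
# 192.168.1.50 lives on the internal LAN behind eth1 -- confirm).
iptables -I FORWARD -i eth1.30 -d 192.168.1.50 -p tcp --dport 443 -j ACCEPT
# Return path: replies from the web application back into the BYOD VLAN.
# The original second rule repeated the client->server direction (-i eth1.30
# -d 192.168.1.50) and left server->client unhandled; only eth0 -> eth1.30
# replies are allowed elsewhere, so the handshake could not complete unless the
# FORWARD policy happens to be ACCEPT.
iptables -I FORWARD -o eth1.30 -s 192.168.1.50 -p tcp --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT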
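# Redirect BYOD HTTP to transparent proxy
# REDIRECT rewrites the destination to the gateway's own address on the ingress
# interface, so the flow is then delivered locally and evaluated by INPUT, not
# FORWARD: INPUT must accept tcp/3128 from eth1.30, and the proxy must listen on
# 3128 in intercept mode (Squid: "http_port 3128 intercept"). None of the
# FORWARD rules (DROP, ACCEPT, LOG) see this traffic.
iptables -t nat -A PREROUTING -i eth1.30 -p tcp --dport 80 -j REDIRECT --to-port 3128
# For HTTPS: require explicit proxy configuration or ssl-bump for transparent interception.
# Only tcp/80 is redirected; the FORWARD rules still pass eth1.30 -> eth0 on any
# port, so HTTP on other ports and direct HTTPS are not inspected by the proxy.
# If proxy enforcement is the goal, narrow the eth1.30 -> eth0 ACCEPT to the
# services that must be reachable directly.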
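# Redirect BYOD HTTP to transparent proxy
# REDIRECT rewrites the destination to the gateway's own address on the ingress
# interface, so the flow is then delivered locally and evaluated by INPUT, not
# FORWARD: INPUT must accept tcp/3128 from eth1.30, and the proxy must listen on
# 3128 in intercept mode (Squid: "http_port 3128 intercept"). None of the
# FORWARD rules (DROP, ACCEPT, LOG) see this traffic.
iptables -t nat -A PREROUTING -i eth1.30 -p tcp --dport 80 -j REDIRECT --to-port 3128
# For HTTPS: require explicit proxy configuration or ssl-bump for transparent interception.
# Only tcp/80 is redirected; the FORWARD rules still pass eth1.30 -> eth0 on any
# port, so HTTP on other ports and direct HTTPS are not inspected by the proxy.
# If proxy enforcement is the goal, narrow the eth1.30 -> eth0 ACCEPT to the
# services that must be reachable directly.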
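# Redirect BYOD HTTP to transparent proxy
# REDIRECT rewrites the destination to the gateway's own address on the ingress
# interface, so the flow is then delivered locally and evaluated by INPUT, not
# FORWARD: INPUT must accept tcp/3128 from eth1.30, and the proxy must listen on
# 3128 in intercept mode (Squid: "http_port 3128 intercept"). None of the
# FORWARD rules (DROP, ACCEPT, LOG) see this traffic.
iptables -t nat -A PREROUTING -i eth1.30 -p tcp --dport 80 -j REDIRECT --to-port 3128
# For HTTPS: require explicit proxy configuration or ssl-bump for transparent interception.
# Only tcp/80 is redirected; the FORWARD rules still pass eth1.30 -> eth0 on any
# port, so HTTP on other ports and direct HTTPS are not inspected by the proxy.
# If proxy enforcement is the goal, narrow the eth1.30 -> eth0 ACCEPT to the
# services that must be reachable directly.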
# Block malware and phishing categories for BYOD VLAN
# Source ACL: the subnet assigned to the BYOD VLAN interface (192.168.30.0/24).
acl byod_vlan src 192.168.30.0/24
# Destination ACL: one regex per line read from the quoted file, matched
# case-insensitively (-i) against the request's destination host name.
# NOTE(review): dstdom_regex patterns are unanchored, so a bare domain in the
# file also matches unrelated longer names that contain it. If the file holds
# plain domain names rather than regexes, "dstdomain" (exact + subdomain match)
# is cheaper and more predictable -- confirm the file's format.
acl blocked_categories dstdom_regex -i "/etc/squid/malware_domains.txt"
# http_access is evaluated top-down, first match wins: the deny must stay
# ahead of the allow, otherwise the allow would match first and nothing is blocked.
http_access deny byod_vlan blocked_categories
http_access allow byod_vlan
# Requests from outside byod_vlan match neither line; Squid then applies the
# opposite of the last line (here: deny). Re-check this if rules are added below.
# Block malware and phishing categories for BYOD VLAN
# Source ACL: the subnet assigned to the BYOD VLAN interface (192.168.30.0/24).
acl byod_vlan src 192.168.30.0/24
# Destination ACL: one regex per line read from the quoted file, matched
# case-insensitively (-i) against the request's destination host name.
# NOTE(review): dstdom_regex patterns are unanchored, so a bare domain in the
# file also matches unrelated longer names that contain it. If the file holds
# plain domain names rather than regexes, "dstdomain" (exact + subdomain match)
# is cheaper and more predictable -- confirm the file's format.
acl blocked_categories dstdom_regex -i "/etc/squid/malware_domains.txt"
# http_access is evaluated top-down, first match wins: the deny must stay
# ahead of the allow, otherwise the allow would match first and nothing is blocked.
http_access deny byod_vlan blocked_categories
http_access allow byod_vlan
# Requests from outside byod_vlan match neither line; Squid then applies the
# opposite of the last line (here: deny). Re-check this if rules are added below.
# Block malware and phishing categories for BYOD VLAN
# Source ACL: the subnet assigned to the BYOD VLAN interface (192.168.30.0/24).
acl byod_vlan src 192.168.30.0/24
# Destination ACL: one regex per line read from the quoted file, matched
# case-insensitively (-i) against the request's destination host name.
# NOTE(review): dstdom_regex patterns are unanchored, so a bare domain in the
# file also matches unrelated longer names that contain it. If the file holds
# plain domain names rather than regexes, "dstdomain" (exact + subdomain match)
# is cheaper and more predictable -- confirm the file's format.
acl blocked_categories dstdom_regex -i "/etc/squid/malware_domains.txt"
# http_access is evaluated top-down, first match wins: the deny must stay
# ahead of the allow, otherwise the allow would match first and nothing is blocked.
http_access deny byod_vlan blocked_categories
http_access allow byod_vlan
# Requests from outside byod_vlan match neither line; Squid then applies the
# opposite of the last line (here: deny). Re-check this if rules are added below.
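# Log forwarded BYOD traffic (single rule; the duplicate append that logged every
# packet twice is removed).
# Appended at the tail of FORWARD, this rule only sees packets that no earlier
# ACCEPT/DROP matched, so it never records what the "eth1.30 -> eth1 DROP"
# discards; to log blocked flows, insert a LOG rule directly before that DROP
# (LOG is non-terminating, so the DROP still applies).
# Rate-limited so a chatty or misbehaving client cannot flood the kernel log.
iptables -A FORWARD -i eth1.30 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "BYOD-FORWARD: " --log-level 4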
iptables -A FORWARD -i eth1.30 -j LOG --log-prefix "BYOD-FORWARD: "

- Certificate-based Wi-Fi authentication (802.1X/EAP-TLS)
- Remote wipe on lost/stolen devices
- App installation restrictions and containerization
- OS version compliance enforcement
- VPN profile distribution and always-on enforcement
- Full-disk encryption verification