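# Internal LAN lives on eth1 (untagged, 192.168.1.0/24); IoT devices get a
# tagged 802.1Q VLAN (ID 20, 192.168.20.0/24) terminated on eth1.20.
# The gateway only terminates the VLAN: keeping IoT hosts on VLAN 20 (and off
# the untagged LAN) is enforced by the switch port configuration, not by
# anything on this box.
# Written to be idempotent so a re-run does not fail with
# "RTNETLINK answers: File exists" on the link add.
ip link show eth1.20 >/dev/null 2>&1 \
  || ip link add link eth1 name eth1.20 type vlan id 20
ip addr replace 192.168.20.1/24 dev eth1.20
ip link set eth1.20 up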
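# IoT VLAN (eth1.20) -> internal LAN (eth1): default-deny, stateful replies only.
# Rule order matters in iptables: -I puts a rule at the head of FORWARD, -A at
# the tail. The DROP is inserted first and the ESTABLISHED,RELATED ACCEPT is
# inserted afterwards so it ends up ABOVE the DROP; otherwise replies to
# connections the LAN itself opened towards IoT (e.g. the printer rule later in
# this setup) would be swallowed by the DROP.
# (-m conntrack --ctstate is the current spelling of the deprecated -m state.)
iptables -I FORWARD -i eth1.20 -o eth1 -j DROP
iptables -I FORWARD -i eth1.20 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# IoT -> internet via the external interface eth0, and replies back in.
# Assumes a POSTROUTING MASQUERADE/SNAT rule for eth0 exists elsewhere (not shown).
iptables -A FORWARD -i eth1.20 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1.20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): these are IPv4 rules only. If IoT hosts obtain IPv6 addresses
# (RA/DHCPv6) and IPv6 forwarding is enabled on the gateway, ip6tables needs
# equivalent rules or the isolation does not apply to v6 traffic at all.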
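# Internal LAN -> IoT: only the printer (192.168.20.10), only raw-print TCP/9100.
# The reply rule is inserted (-I, head of chain) rather than appended: the
# IoT -> LAN DROP earlier in this setup is itself inserted at the head, so an
# appended reply rule would sit below it and printer responses would never
# reach the LAN.
iptables -A FORWARD -i eth1 -o eth1.20 -d 192.168.20.10 -p tcp --dport 9100 -j ACCEPT
iptables -I FORWARD -i eth1.20 -o eth1 -s 192.168.20.10 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT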
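# Smart TV (192.168.20.5): allow-list of destination ranges, everything else dropped.
# All three rules are inserted at the head of FORWARD (-I). An appended (-A)
# DROP would never be reached, because the generic "IoT -> eth0 ACCEPT" rule
# earlier in this setup is also appended and matches first. Insert the DROP
# first, then the ACCEPTs, so the ACCEPTs end up above it.
iptables -I FORWARD -i eth1.20 -s 192.168.20.5 -j DROP
iptables -I FORWARD -i eth1.20 -s 192.168.20.5 -d 52.0.0.0/8 -j ACCEPT   # AWS (streaming CDNs)
iptables -I FORWARD -i eth1.20 -s 192.168.20.5 -d 17.0.0.0/8 -j ACCEPT   # Apple
# Caveats: 52.0.0.0/8 is all of AWS, i.e. any EC2 tenant can be reached, so
# this is a coarse allow-list rather than a CDN pin. If the TV uses an
# off-box DNS resolver that resolver must be allowed here too (or DNS served
# by the gateway). Plain HTTP on TCP/80 that is REDIRECTed to a local proxy
# never traverses FORWARD, so these rules do not constrain it.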
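# squid.conf — transparent (intercepted) HTTP proxy for the IoT VLAN.
# Traffic arrives here via the iptables REDIRECT of TCP/80 from eth1.20.
http_port 3128 intercept

# Squid fetches on the client's behalf from the gateway's own address, so a
# request for an internal-LAN host would bypass the FORWARD-chain isolation.
# Deny it at the proxy as well as in the REDIRECT rule.
acl iot_clients src 192.168.20.0/24
acl internal_lan dst 192.168.1.0/24
http_access deny iot_clients internal_lan

# ICAP antivirus (c-icap + squidclamav on localhost).
icap_enable on
# bypass=1 is fail-OPEN: if the ICAP service is down or errors, requests are
# served unscanned. Set bypass=0 if an outage should block rather than bypass.
icap_service av_service reqmod_precache bypass=1 icap://127.0.0.1:1344/squid_clamav
# NOTE(review): a reqmod service inspects client requests (uploads/URLs); a
# respmod_precache service is what scans downloaded content, and none is
# configured here — confirm this matches the intended AV coverage.
adaptation_service_set av_service_set av_service
adaptation_access av_service_set allow all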
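# Redirect plain HTTP (TCP/80) from the IoT VLAN into the local Squid intercept port.
# Exclude the internal LAN: a REDIRECTed packet is delivered to INPUT (Squid),
# and Squid then fetches from the LAN host using the gateway's own address,
# which never traverses FORWARD — without the exclusion the IoT -> LAN DROP is
# bypassed for HTTP.
iptables -t nat -A PREROUTING -i eth1.20 -p tcp --dport 80 ! -d 192.168.1.0/24 -j REDIRECT --to-port 3128
# Only port 80 is intercepted: HTTPS and HTTP on other ports go through FORWARD
# unscanned. The INPUT chain must also accept TCP/3128 from eth1.20 for the
# redirect to work (not shown here).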
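# Catch-all for IoT traffic nothing above accepted: log, then drop (the DROP
# follows on the next line). Appended last, so anything reaching here was not
# matched by an explicit ACCEPT. The LOG is rate-limited so a noisy or hostile
# device cannot flood the kernel log; the DROP itself is unlimited.
iptables -A FORWARD -i eth1.20 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IoT-FORWARD-DROP: " --log-level 4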
iptables -A FORWARD -i eth1.20 -j DROP

- Botnet participation (DDoS, port scanning, spam relay)
- Lateral movement to other devices on the same network segment
- Data exfiltration if the device has access to sensitive internal resources
- Persistent backdoor installation for long-term access