Re: IPTABLES rule for separating users



erikmccaskey64 wrote:
> I have an OpenWrt 10.03 router [ IP: 192.168.1.1 ], and it has a DHCP
> server pool: 192.168.1.0/24 - clients are using it through
> wireless/wired connection. Ok!
>
> Here's the catch: I need to separate the users from each other.
>
> How I need to do it: by IPTABLES rule [ /etc/firewall.user ]. Ok!
>
> "Loud thinking": So I need a rule something like this [on the OpenWrt
> router]:
>
> - DROP where SOURCE: 192.168.1.2-192.168.1.255 and DESTINATION is
> 192.168.1.2-192.168.1.255
>
> The idea is this. Ok!
>
> Questions!
> - Will I lock out myself if I apply this firewall rule?
> - Is this a secure method? [ is it easy to do this?: hello, I'm a
> client, and I say, my IP address is 192.168.1.1! - now it can sniff the
> unencrypted traffic! :( - because all the clients are in the same subnet! ]

Why? Is your DHCP handing out a big subnet mask instead of /32 mask to make them
go through the router? Or drop anything but the VPN port and make them encrypt,
which helps. But people will set up clients badly, and you probably can't keep
the wireless clients apart.

> - Are there any good methods to find/audit for duplicated IP addresses?

arpwatch may help, will tell you if two MACs share an IP.

> - Are there any good methods to find/audit for duplicated MAC addresses?

I don't know any which fit my idea of "good," no.

> - Are there any good methods to do this IPTABLES rule on Layer2?:
> `$ wget -q "http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/" -O - | grep -i ebtables`

You have one approach there; use of "ip route" may allow some methods.

If you are using encryption on the wifi, I think some of the problems are
addressed; there should be a session key so nothing should be "in the clear."
Forcing VPN takes that a step farther; only accepting packets from known MACs will
eliminate some attacks, but wireless in general isn't secure without VPN.

--
Bill Davidsen <davidsen@xxxxxxx>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
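A worked /etc/firewall.user fragment for the rule erikmccaskey64 sketches, added here as an illustration and not taken from the thread above. It assumes the Backfire defaults of a br-lan bridge for the LAN and 192.168.1.1 as the router (neither is stated in the post). The forward_rule_drops function is a pure-shell model of what the FORWARD chain would match, so the "will I lock myself out?" question can be checked without touching a live router: packets addressed to the router itself go through INPUT, not FORWARD, and packets bound for the WAN have a non-LAN destination, so only client-to-client traffic that the router actually forwards is dropped.

```shell
#!/bin/sh
# Added example (not from the original thread): LAN client isolation for
# /etc/firewall.user on OpenWrt 10.03, plus a shell model of the FORWARD
# chain's matching logic.
#
# Assumed names, not given on the page: LAN bridge br-lan, router 192.168.1.1
# on 192.168.1.0/24. Adjust to /etc/config/network.

LAN_IF=br-lan
LAN_PREFIX=192.168.1
ROUTER_IP=192.168.1.1

# Emit the firewall.user lines. The rule lives in FORWARD, which only sees
# packets the router routes. With a /24 on a flat LAN, two clients reach each
# other directly and the router never forwards a thing; the rule only bites
# when clients are made to route through it (the /32 netmask trick from the
# reply) or when bridged frames are pushed through iptables via bridge-nf.
# Without bridge-nf the bridged-frame equivalent is an ebtables FORWARD rule,
# which is the package the quoted wget is searching the feed for.
isolation_rules() {
    cat <<EOF
iptables -I FORWARD -i $LAN_IF -o $LAN_IF -s $LAN_PREFIX.0/24 -d $LAN_PREFIX.0/24 -j DROP
# Only if the kernel provides bridge netfilter (path absent otherwise):
[ -f /proc/sys/net/bridge/bridge-nf-call-iptables ] && echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
EOF
}

# Model of the rule above for one packet coming from a LAN client.
# Returns 0 when the rule would DROP it, 1 when it passes or is never
# seen by FORWARD. This is local logic, not a call to iptables.
forward_rule_drops() {
    src=$1
    dst=$2
    # Destination is the router itself: that is the INPUT chain, never
    # FORWARD, so ssh/LuCI from a client keeps working.
    [ "$dst" = "$ROUTER_IP" ] && return 1
    # Off-subnet destination: forwarded towards the WAN, -d does not match.
    case "$dst" in
        "$LAN_PREFIX".*) ;;
        *) return 1 ;;
    esac
    # LAN source to LAN destination: matched and dropped.
    case "$src" in
        "$LAN_PREFIX".*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration: print the rules, then the three cases from the question.
isolation_rules
for pair in "192.168.1.10 192.168.1.20" "192.168.1.10 $ROUTER_IP" "192.168.1.10 8.8.8.8"; do
    set -- $pair
    if forward_rule_drops "$1" "$2"; then verdict=DROP; else verdict=pass; fi
    echo "$1 -> $2: $verdict"
done
```

What the model does not cover is exactly the gap the reply points at: a client spoofing 192.168.1.1 or a second MAC is a Layer 2 problem on a shared segment, and neither an iptables FORWARD rule nor this check sees it. arpwatch (for duplicate IPs) and per-client encryption or a forced VPN are the controls for that, as the reply says.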