Re: IPTABLES rule for separating users

On 03/05/2011 03:58 AM, erikmccaskey64 wrote:
I have an OpenWrt 10.03 router [ IP: ], and it has a DHCP server pool: - clients are using it through wireless/wired connection. Ok!

Here's the catch: I need to separate the users from each other.

How I need to do it: by IPTABLES rule [ /etc/firewall.user ]. Ok!

"Loud thinking": So I need a rule something like this [on the OpenWrt router]:


The idea is this. Ok!

- Will I lock out myself if I apply this firewall rule?
- Is this a secure method? [ is it easy to do this?: hello, I'm a client, and I say, my IP address is! - now it can sniff the unencrypted traffic! :( - because all the clients are in the same subnet! ]
- Are there any good methods to find/audit for duplicated IP addresses?
- Are there any good methods to find/audit for duplicated MAC addresses?
- Are there any good methods to do this IPTABLES rule on Layer2?:
`$ wget -q ""; -O - | grep -i ebtables`

p.s.: The rule would be [is it on a good chain?]:
iptables -A FORWARD -m iprange --src-range --dst-range -j DROP

Thank you!

On the face of it, it sounds like you want something like this on your router:

-A INPUT -s -d -j REJECT --reject-with icmp-host-prohibited
-I INPUT 1 -s -d -j ACCEPT

This assumes you have a static IP of, and the router is That way you won't lock yourself out of the router's configuration gui or ssh. You can try and test it out anyway. I prefer REJECT rather than drop, it causes fewer problems. Leave DROP for the bad guys you want to slow down with time-outs.

I haven't tried this, so YMMV, and I might be all wet.

Chris Kloiber
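An added example, not from either poster, showing the two halves of what the thread asks for: the rules for /etc/firewall.user (FORWARD for client-to-client isolation, an admin ACCEPT first in INPUT so the administrator is not locked out) and a small audit that flags duplicated IP or MAC addresses in neighbour-table snapshots. The subnet 192.168.1.0/24, router 192.168.1.1, admin host 192.168.1.10 and the sample `ip neigh` lines are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed, constructed addressing:
LAN_NET="192.168.1.0/24"   # the DHCP pool's subnet
ROUTER="192.168.1.1"       # the OpenWrt box itself
ADMIN="192.168.1.10"       # administrator's static IP, must keep router access

# Rules for /etc/firewall.user. Routed client-to-client traffic crosses FORWARD,
# so that is the chain for isolation; INPUT only guards the router, and the
# admin ACCEPT is inserted first so the admin host is never locked out.
# Caveat: wired and wireless clients on the same bridge (br-lan) reach each
# other at layer 2 without ever entering FORWARD; that path needs ebtables
# or the wireless "isolate" option, not an iptables rule.
client_isolation_rules() {
    cat <<EOF
iptables -I INPUT 1 -s $ADMIN -d $ROUTER -j ACCEPT
iptables -I FORWARD 1 -s $LAN_NET -d $LAN_NET -j REJECT --reject-with icmp-host-prohibited
EOF
}

# Duplicate-address audit over "ip neigh" style lines (ideally several
# snapshots collected over time): an IP seen with more than one MAC, or a MAC
# claiming more than one IP, is what an address-spoofing client looks like.
audit_neigh_duplicates() {
    printf '%s\n' "$1" | awk '
    $4 == "lladdr" {
        ip = $1; mac = $5
        if ((ip, mac) in seen) next
        seen[ip, mac] = 1
        ipmacs[ip] = ipmacs[ip] " " mac; nip[ip]++
        macips[mac] = macips[mac] " " ip; nmac[mac]++
    }
    END {
        for (ip in nip)   if (nip[ip] > 1)   printf "DUP-IP %s ->%s\n", ip, ipmacs[ip]
        for (mac in nmac) if (nmac[mac] > 1) printf "DUP-MAC %s ->%s\n", mac, macips[mac]
    }'
}

# Constructed sample: two snapshots merged; .20 flips between two MACs and
# ee:03 answers for two addresses.
SAMPLE_NEIGH='192.168.1.20 dev br-lan lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.30 dev br-lan lladdr aa:bb:cc:dd:ee:03 STALE
192.168.1.20 dev br-lan lladdr aa:bb:cc:dd:ee:02 REACHABLE
192.168.1.40 dev br-lan lladdr aa:bb:cc:dd:ee:03 REACHABLE
192.168.1.50 dev br-lan FAILED'

client_isolation_rules
audit_neigh_duplicates "$SAMPLE_NEIGH"
```

On the router, feed real data with `audit_neigh_duplicates "$(ip neigh)"` appended across several runs; a single snapshot holds only one MAC per IP, so the duplicates only show up over time.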

