Re: IPTABLES rule for separating users



On 03/05/2011 03:58 AM, erikmccaskey64 wrote:
I have an OpenWrt 10.03 router [ IP: 192.168.1.1 ], and it has a DHCP server pool: 192.168.1.0/24 - clients are using it through wireless/wired connection. Ok!

Here's the catch: I need to separate the users from each other.

How I need to do it: by IPTABLES rule [ /etc/firewall.user ]. Ok!

"Loud thinking": So I need a rule something like this [on the OpenWrt router]:

- DROP where SOURCE: 192.168.1.2-192.168.1.255 and DESTINATION is 192.168.1.2-192.168.1.255

The idea is this. Ok!

Questions!
- Will I lock myself out if I apply this firewall rule?
- Is this a secure method? [ is it easy to do this?: hello, I'm a client, and I say, my IP address is 192.168.1.1! - now it can sniff the unencrypted traffic! :( - because all the clients are in the same subnet! ]
- Are there any good methods to find/audit for duplicated IP addresses?
- Are there any good methods to find/audit for duplicated MAC addresses?
- Are there any good methods to do this IPTABLES rule on Layer2?:
`$ wget -q "http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/" -O - | grep -i ebtables`
`$ `



p.s.: The rule would be [is it on a good chain?]:
iptables -A FORWARD -m iprange --src-range 192.168.1.2-192.168.1.255 --dst-range 192.168.1.2-192.168.1.255 -j DROP

Thank you!

On the face of it, it sounds like you want something like this on your router:

-A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j REJECT --reject-with icmp-host-prohibited
-I INPUT 1 -s 192.168.1.2/32 -d 192.168.1.1/32 -j ACCEPT

This assumes you have a static IP of 192.168.1.2, and the router is 192.168.1.1. That way you won't lock yourself out of the router's configuration gui or ssh. You can try and test it out anyway. I prefer REJECT rather than DROP, it causes fewer problems. Leave DROP for the bad guys you want to slow down with time-outs.

I haven't tried this, so YMMV, and I might be all wet.

--
Chris Kloiber


--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

