Re: IPTABLES rule for separating users



On 03/05/2011 03:58 AM, erikmccaskey64 wrote:
I have an OpenWrt 10.03 router [ IP: 192.168.1.1 ], and it has a DHCP server pool: 192.168.1.0/24 - clients are using it through wireless/wired connection. Ok!

Here's the catch: I need to separate the users from each other.

How i need to do it: by IPTABLES rule [ /etc/firewall.user ]. Ok!

"Loud thinking": So i need a rule something like this [on the OpenWrt router]:

- DROP where SOURCE: 192.168.1.2-192.168.1.255 and DESTINATION is 192.168.1.2-192.168.1.255

The idea is this. Ok!

Questions!
- Will i lock out myself if i apply this firewall rule?
- Is this a secure method? [ is it easy to do this?: hello, i'm a client, and i say, my IP address is 192.168.1.1! - now it can sniff the unencrypted traffic! :( - because all the clients are in the same subnet! ]
- Are there any good methods to find/audit for duplicated IP addresses?
- Are the any good methods to find/audit for duplicated MAC addresses?
- Are there any good methods to do this IPTALBES rule on Layer2?:
`$ wget -q "http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/"; -O - | grep -i ebtables`
`$ `



p.s.: The rule would be [is it on a good chain?]:
iptables -A FORWARD -m iprange --src-range 192.168.1.2-192.168.1.255 --dst-range 192.168.1.2-192.168.1.255 -j DROP

Thank you!

On the face of it, it sounds like you want something this on your router:

-A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j REJECT --reject-with icmp-host-prohibited
-I INPUT 1 -s 192.168.1.2/32 -d 192.168.1.1/32 -j ACCEPT

This assumes you have a static IP of 192.168.1.2, and the router is 192.168.1.1. That way you won't lock yourself out of the router's configuration gui or ssh. You can try and test it out anyway. I perfer REJECT rather than drop, it causes less problems. Leave DROP for the bad guys you want to slow down with time-outs.

I haven't tried this, so YMMV, and I might be all wet.

--
Chris Kloiber

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines