IPTABLES rule for separating users

Nataraj incoming-ubuntu at rjl.com
Sat Mar 5 21:07:49 UTC 2011


On 03/05/2011 12:58 AM, erikmccaskey64 wrote:
> I have an OpenWrt 10.03 router [ IP: 192.168.1.1 ], and it has a DHCP
> server pool: 192.168.1.0/24 - clients are using it through
> wireless/wired connection. Ok!
>
> Here's the catch: I need to separate the users from each other.
>
> How I need to do it: by IPTABLES rule [ /etc/firewall.user ]. Ok!
>
> "Loud thinking": So i need a rule something like this [on the OpenWrt
> router]: 
>
> - DROP where SOURCE: 192.168.1.2-192.168.1.255 and DESTINATION is
> 192.168.1.2-192.168.1.255
>
> The idea is this. Ok!
>
> Questions! 
> - Will I lock myself out if I apply this firewall rule?
> - Is this a secure method? [ is it easy to do this?: hello, i'm a
> client, and i say, my IP address is 192.168.1.1! - now it can sniff
> the unencrypted traffic! :( - because all the clients are in the same
> subnet! ]
If you're using bridged devices for your wired and wireless then they
should not be able to sniff other traffic.  This would likely cause a
duplicate IP address error on the bridging device and I think how that
gets handled is probably vendor specific. If the clients are talking to
192.168.1.1 as their router (or other server), then you need to permit
it in one direction.

> - Are there any good methods to find/audit for duplicated IP addresses?
> - Are the any good methods to find/audit for duplicated MAC addresses?
> - Are there any good methods to do this IPTABLES rule on Layer2?:
> `$ wget -q
> "http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/" -O - |
> grep -i ebtables`
> `$ `
>
>
>
> p.s.: The rule would be [is it on a good chain?]: 
> iptables -A FORWARD  -m iprange --src-range 192.168.1.2-192.168.1.255
> --dst-range 192.168.1.2-192.168.1.255 -j DROP
>
> Thank you!

If you want your router to route traffic, then you can't block
forwarding from all the clients.  Perhaps you want something like:

iptables -A FORWARD -i CLIENTINTERFACENAME -s 192.168.1.1 -j DROP
iptables -A INPUT -i CLIENTINTERFACENAME -s 192.168.1.1 -j DROP

When I need a higher level of security in a situation like this, I
require the clients to run openvpn and authenticate to a vpn server and
then each client has an encrypted connection to the server.  The
security of most wireless products on the market today is known to be
weak anyway.

Nataraj
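An added example for /etc/firewall.user, not a script from either poster, showing where client isolation actually has to happen on a stock OpenWrt layout. It assumes the LAN bridge is br-lan, the router address is 192.168.1.1, and the ebtables and kmod-ebtables packages are installed. The point the thread circles around: frames switched between ports of br-lan (wired to wireless, or between two bridged interfaces) never enter the iptables FORWARD chain, so the iprange rule from the original question would not stop anything on a single bridged subnet; the drop has to go into the ebtables FORWARD chain (or wireless clients get `option isolate 1` on the wifi-iface in /etc/config/wireless, which stops only wireless-to-wireless traffic). The iptables rule that drops packets arriving from the LAN with the router's own source address protects the router itself, not the other clients, because a client that announces 192.168.1.1 via ARP poisons their tables without any packet reaching the router's netfilter.

```shell
#!/bin/sh
# Added example for /etc/firewall.user on OpenWrt (not the thread's own code).
# Dry-run by default: prints the commands. Run with APPLY=1 as root to install.
# Assumed names: br-lan is the LAN bridge, 192.168.1.1 the router address.
# Requires the ebtables + kmod-ebtables packages for the layer-2 rule.

LAN_IF="${LAN_IF:-br-lan}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"

# Execute the command when APPLY=1, otherwise just echo it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$@"
    fi
}

# Layer 2: frames switched between ports of the bridge go through the
# ebtables FORWARD chain, not iptables FORWARD. Dropping them there isolates
# every bridged client from every other one. Frames to and from the router
# itself traverse ebtables INPUT/OUTPUT and are untouched, so DHCP, ARP to
# the gateway and routed traffic towards the WAN keep working.
isolate_bridge() {
    run ebtables -A FORWARD --logical-in "$1" -j DROP
}

# Layer 3: refuse packets that arrive from the LAN side claiming the router's
# own address (the rule Nataraj suggested, target name in upper case as
# iptables requires). This protects the router only; it does not stop a
# client from impersonating the gateway towards other clients via ARP.
drop_router_spoof() {
    run iptables -A INPUT   -i "$1" -s "$2" -j DROP
    run iptables -A FORWARD -i "$1" -s "$2" -j DROP
}

# Hairpin traffic in iptables FORWARD only appears when bridge netfilter is
# enabled (net.bridge.bridge-nf-call-iptables=1), in which case bridged
# frames show up with both -i and -o set to the bridge. Cheap to add so the
# isolation survives that configuration too.
drop_hairpin() {
    run iptables -A FORWARD -i "$1" -o "$1" -j DROP
}

isolate_bridge "$LAN_IF"
drop_router_spoof "$LAN_IF" "$ROUTER_IP"
drop_hairpin "$LAN_IF"
```

Run it once without APPLY to read the rules it would add, then `APPLY=1 sh /etc/firewall.user` (or simply let the firewall init include the file) to install them. The ebtables rule removes the need for any per-address range: it does not matter which address a client claims if its frames cannot reach the other bridge ports at all.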


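The original question also asked how to audit for duplicated IP and MAC addresses, which the reply did not cover. The following is an added example, not from the thread, that works from the router's own ARP table (/proc/net/arp, available on a Backfire busybox without extra packages). One caveat it is built around: the kernel keeps a single MAC per IP, so a single snapshot can never show a duplicated IP; you have to collect snapshots over time (a cron job appending `cat /proc/net/arp` to a log is enough) and look for an IP whose MAC changed, or a MAC that appears behind several IPs. The sample table below is constructed for the example; for an active check from a client, `arping -D -I br-lan 192.168.1.1` (duplicate address detection mode in both busybox and iputils arping) reports whether anyone else answers for the gateway address.

```shell
#!/bin/sh
# Added example (not from the thread): find ARP conflicts across snapshots of
# /proc/net/arp concatenated over time. Prints
#   DUP-IP  <ip>  <mac> <mac> ...   one address seen with several MACs
#   DUP-MAC <mac> <ip> <ip> ...     one MAC seen behind several addresses
# A MAC with several IPs is normal for a host with aliases; an IP that moves
# between MACs is the pattern to chase (spoofed gateway, duplicate static IP).

arp_conflicts() {
    awk '
        # Data lines start with a dotted address; skip the header and
        # incomplete entries (flags 0x0 carry an all-zero MAC).
        $1 ~ /^[0-9]+\./ && $3 != "0x0" {
            ip = $1; mac = tolower($4)
            if (!((ip, mac) in seen)) {
                seen[ip, mac] = 1
                ipmacs[ip] = ipmacs[ip] " " mac;   ipcnt[ip]++
                macips[mac] = macips[mac] " " ip;  maccnt[mac]++
            }
        }
        END {
            for (ip in ipcnt)   if (ipcnt[ip]   > 1) print "DUP-IP " ip ipmacs[ip]
            for (mac in maccnt) if (maccnt[mac] > 1) print "DUP-MAC " mac macips[mac]
        }' | LC_ALL=C sort
}

# Constructed sample: two snapshots of /proc/net/arp taken some minutes apart.
# In the second one 192.168.1.20 has moved to the MAC of the .21 host, which
# also shows up behind a new address 192.168.1.30.
SAMPLE_ARP='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.20     0x1         0x2         00:11:22:33:44:55     *        br-lan
192.168.1.21     0x1         0x2         00:11:22:33:44:66     *        br-lan
192.168.1.22     0x1         0x0         00:00:00:00:00:00     *        br-lan
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.20     0x1         0x2         00:11:22:33:44:66     *        br-lan
192.168.1.21     0x1         0x2         00:11:22:33:44:66     *        br-lan
192.168.1.30     0x1         0x2         00:11:22:33:44:66     *        br-lan'

# Run the audit over the constructed sample. For real use:
#   cat /var/log/arp-snapshots | arp_conflicts
audit_sample() {
    printf '%s\n' "$SAMPLE_ARP" | arp_conflicts
}

audit_sample
```

The output lists the .20 address with both MACs it was seen at, and the 44:66 MAC with all three addresses it answered for. Correlating that with the DHCP lease file (/tmp/dhcp.leases on OpenWrt) tells you whether the second address was handed out or self-assigned.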