<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 03/05/2011 12:58 AM, erikmccaskey64 wrote:
<blockquote
cite="mid:12e853d5560.5342897047913634965.-6987763735586305430@zoho.com"
type="cite">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">I have an OpenWrt 10.03 router [
IP: 192.168.1.1 ], and it has a DHCP server pool:
192.168.1.0/24 - clients are using it through wireless/wired
connection. Ok!</span></font></div>
</blockquote>
<blockquote
cite="mid:12e853d5560.5342897047913634965.-6987763735586305430@zoho.com"
type="cite">
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">Here's the catch: I need to
separate the users from each other.</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">How i need to do it: by IPTABLES
rule [ /etc/firewall.user ]. Ok!</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
"Loud thinking": So i need a rule something like this [on
the OpenWrt router]: </span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">- DROP where SOURCE:
192.168.1.2-192.168.1.255 and DESTINATION is
192.168.1.2-192.168.1.255</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">The idea is this. Ok!</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">Questions! </span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">- Will i lock out myself if i apply
this firewall rule?</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">- Is this a secure method? [ is it
easy to do this?: hello, i'm a client, and i say, my IP
address is 192.168.1.1! - now it can sniff the unencrypted
traffic! :( - because all the clients are in the same
subnet! ]</span></font></div>
</blockquote>
If your using bridged devices for your wired and wireless then they
should not be able to sniff other traffic. This would likely cause
a duplicate IP address error on the bridging device and I think how
that gets handled is probably vendor specific. If the clients are
talking to 192.168.1.1 as their router (or other server), then you
need to permit it in one direction.<br>
<br>
<blockquote
cite="mid:12e853d5560.5342897047913634965.-6987763735586305430@zoho.com"
type="cite">
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">- Are there any good methods to
find/audit for duplicated IP addresses?</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">- Are the any good methods to
find/audit for duplicated MAC addresses?</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">- Are there any good methods to do
this IPTALBES rule on Layer2?:</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">`$ wget -q
<a class="moz-txt-link-rfc2396E" href="http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/">"http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/"</a>
-O - | grep -i ebtables`</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">`$ `</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">p.s.: The rule would be [is it on a
good chain?]: </span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">iptables -A FORWARD -m iprange
--src-range 192.168.1.2-192.168.1.255 --dst-range
192.168.1.2-192.168.1.255 -j DROP</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">Thank you!</span></font></div>
</blockquote>
<br>
If you want your router to route traffic, then you can't block
forwarding from all the clients. Perhaps you want something like:<br>
<br>
iptables -A FORWARD -i CLIENTINTERFACENAME -s 192.168.1.1 -j drop<br>
iptables -A INPUT -i CLIENTINTERFACENAME -s 192.168.1.1 -j drop<br>
<br>
When I need a higher level of security in a situation like this, I
require the clients to run openvpn and authenticate to a vpn server
and then each client has an encrypted connection to the server. The
security of most wireless products on the market today is known to
be weak anyway.<br>
<br>
Nataraj<br>
<br>
<br>
</body>
</html>