<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 03/05/2011 03:58 AM, erikmccaskey64 wrote:
<blockquote
cite="mid:12e853d5a13.5372973170338458244.-4204704850561573200@zoho.com"
type="cite">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">I have an OpenWrt 10.03 router [
IP: 192.168.1.1 ], and it has a DHCP server pool:
192.168.1.0/24 - clients are using it through wireless/wired
connection. Ok!</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">Here's the catch: I need to
separate the users from each other.</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">How I need to do it: by IPTABLES
rule [ /etc/firewall.user ]. Ok!</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">"Loud thinking": So I need a rule
something like this [on the OpenWrt router]: </span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">- DROP where SOURCE:
192.168.1.2-192.168.1.255 and DESTINATION is
192.168.1.2-192.168.1.255</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">The idea is this. Ok!</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">Questions! </span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">- Will I lock myself out if I apply
this firewall rule?</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">- Is this a secure method? [ is it
easy to do this?: hello, I'm a client, and I say, my IP
address is 192.168.1.1! - now it can sniff the unencrypted
traffic! :( - because all the clients are in the same
subnet! ]</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">- Are there any good methods to
find/audit for duplicated IP addresses?</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">- Are there any good methods to
find/audit for duplicated MAC addresses?</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">- Are there any good methods to do
this IPTABLES rule on Layer2?:</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">`$ wget -q
<a class="moz-txt-link-rfc2396E" href="http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/">"http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/"</a>
-O - | grep -i ebtables`</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">`$ `</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">p.s.: The rule would be [is it on a
good chain?]: </span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">iptables -A FORWARD -m iprange
--src-range 192.168.1.2-192.168.1.255 --dst-range
192.168.1.2-192.168.1.255 -j DROP</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;"><br>
</span></font></div>
<div><font class="Apple-style-span" face="Verdana, arial,
Helvetica, sans-serif"><span class="Apple-style-span"
style="font-size: 12px;">Thank you!</span></font></div>
</blockquote>
<br>
On the face of it, it sounds like you want something like this on your
router:<br>
<br>
-A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j REJECT --reject-with
icmp-host-prohibited<br>
-I INPUT 1 -s 192.168.1.2/32 -d 192.168.1.1/32 -j ACCEPT<br>
<br>
This assumes you have a static IP of 192.168.1.2, and the router is
192.168.1.1. That way you won't lock yourself out of the router's
configuration gui or ssh. You can try and test it out anyway. I
prefer REJECT rather than DROP; it causes fewer problems. Leave DROP
for the bad guys you want to slow down with time-outs.<br>
<br>
I haven't tried this, so YMMV, and I might be all wet.<br>
<br>
<pre class="moz-signature" cols="72">--
Chris Kloiber</pre>
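<p>The lockout question raised above is worth settling on paper before any rule reaches a live router. The POSIX shell script below is an added example written for this page, not code from either poster. It simulates first-match evaluation of a short INPUT rule list on source and destination addresses only (no interface, protocol or state matching), assumes the chain policy is ACCEPT (an assumption, not something the thread states), and checks whether the admin host 192.168.1.2 keeps its path to the router at 192.168.1.1. It runs the check for the order the reply produces (the ACCEPT inserted at position 1 ahead of the appended REJECT) and for the order you would get by appending both rules with -A.</p>

```shell
#!/bin/sh
# Added example, not the reply's own code: a first-match simulator for a
# short INPUT rule list, so "will I lock myself out?" can be answered
# before the rules are loaded on the router. Only -s/-d address matching
# is modelled; a chain policy of ACCEPT is assumed.

ip2int() {
    # dotted quad -> 32-bit integer; the subshell keeps the IFS change local
    (
        IFS=.
        set -- $1
        echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    )
}

in_cidr() {
    # in_cidr ADDR PREFIX : succeeds when ADDR lies inside PREFIX
    # (a bare address is treated as /32, as iptables does)
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# verdict RULES SRC DST : prints the target of the first rule whose source
# and destination both match, or ACCEPT (the assumed chain policy).
# RULES holds one "TARGET SRC DST" per line, in kernel evaluation order.
verdict() {
    match=$(printf '%s\n' "$1" | while read -r target rsrc rdst; do
        [ -z "$target" ] && continue
        if in_cidr "$2" "$rsrc" && in_cidr "$3" "$rdst"; then
            echo "$target"
            break
        fi
    done)
    echo "${match:-ACCEPT}"
}

# The two commands from the reply, in the order the kernel sees them once
# both have run: "-I INPUT 1" puts the ACCEPT ahead of the appended REJECT.
REPLY_RULES='ACCEPT 192.168.1.2/32 192.168.1.1/32
REJECT 192.168.1.0/24 192.168.1.0/24'

# The same two rules as they would end up if both were added with -A.
WRONG_ORDER='REJECT 192.168.1.0/24 192.168.1.0/24
ACCEPT 192.168.1.2/32 192.168.1.1/32'

# lockout_check RULES ADMIN_IP ROUTER_IP : succeeds when the admin host
# can still reach the router under RULES
lockout_check() {
    [ "$(verdict "$1" "$2" "$3")" = ACCEPT ]
}

# Stand-alone demonstration: verdicts for the admin host and for another client
for ip in 192.168.1.2 192.168.1.50; do
    echo "reply order: $ip -> 192.168.1.1 : $(verdict "$REPLY_RULES" "$ip" 192.168.1.1)"
    echo "wrong order: $ip -> 192.168.1.1 : $(verdict "$WRONG_ORDER" "$ip" 192.168.1.1)"
done
```

<p>Two things the simulator makes visible. With the reply's rules in place every client other than 192.168.1.2 is rejected when it talks to the router itself, DNS queries to the router included, so the ACCEPT for the admin host is doing a lot of work. And neither rule set says anything about client-to-client traffic: hosts on the same bridged LAN (br-lan on OpenWrt) exchange frames at layer 2 without passing through the INPUT or FORWARD chain unless bridge netfilter is enabled (net.bridge.bridge-nf-call-iptables), which is why a plain FORWARD rule between two ranges in the same /24 has nothing to match. On the wireless side, the wifi-iface option <code>isolate</code> in OpenWrt's wireless config is the layer 2 control that keeps associated clients from reaching each other.</p>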
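<p>For the duplicate IP and MAC audit questions in the quoted message, the router already holds the two tables that need comparing: the dnsmasq lease file (/tmp/dhcp.leases on OpenWrt) records which MAC was handed which address, and /proc/net/arp records which MAC is actually answering for each address on the LAN. The script below is an added example, not code from the thread. It cross-checks the two files and reports a MAC holding several leases, an address answered by a MAC other than the one it was leased to, and an address in use with no lease at all. The file layouts are the real ones; the sample data is constructed. On a router, call <code>audit_leases /tmp/dhcp.leases /proc/net/arp</code> instead of the demo.</p>

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenWrt router's dnsmasq
# lease file against its ARP table. Findings, one per line:
#   MULTILEASE <mac> <ip,ip,...>   one MAC holds several leases
#   MISMATCH   <ip> ...            IP answered by a MAC it was not leased to
#   NOLEASE    <ip> ...            IP in use on the LAN with no lease at all
# Layouts are the real /tmp/dhcp.leases and /proc/net/arp formats;
# the sample data in run_demo is constructed.

# audit_leases LEASEFILE ARPFILE
audit_leases() {
    awk '
        # first file, dnsmasq leases: "<expiry> <mac> <ip> <hostname> <client-id>"
        FNR == NR {
            lease_mac[$3] = $2
            ips_of[$2] = ($2 in ips_of) ? ips_of[$2] "," $3 : $3
            lease_count[$2]++
            next
        }
        # second file, /proc/net/arp: "IP HWtype Flags HWaddress Mask Device";
        # skip the header line and incomplete entries (flags 0x0)
        FNR > 1 && $3 != "0x0" {
            ip = $1; mac = $4
            if (!(ip in lease_mac))
                print "NOLEASE", ip, "seen-from", mac
            else if (lease_mac[ip] != mac)
                print "MISMATCH", ip, "leased-to", lease_mac[ip], "seen-from", mac
        }
        END {
            for (m in lease_count)
                if (lease_count[m] > 1)
                    print "MULTILEASE", m, ips_of[m]
        }
    ' "$1" "$2"
}

# run_demo : writes constructed sample tables to temporary files, audits
# them, and cleans up. Expected findings: a MISMATCH for 192.168.1.20,
# a NOLEASE for 192.168.1.77 and a MULTILEASE for 00:11:22:33:44:55.
run_demo() {
    leases=$(mktemp)
    arp=$(mktemp)
    cat > "$leases" <<'EOF'
1299300000 00:11:22:33:44:55 192.168.1.10 alice-laptop 01:00:11:22:33:44:55
1299300100 00:11:22:33:44:55 192.168.1.11 alice-laptop *
1299300200 66:77:88:99:aa:bb 192.168.1.20 bob-pc *
EOF
    cat > "$arp" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:11:22:33:44:55     *        br-lan
192.168.1.20     0x1         0x2         cc:dd:ee:ff:00:11     *        br-lan
192.168.1.77     0x1         0x2         de:ad:be:ef:00:01     *        br-lan
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        br-lan
EOF
    audit_leases "$leases" "$arp"
    rm -f "$leases" "$arp"
}

# Stand-alone demonstration on the constructed data
run_demo
```

<p>A MULTILEASE line is the usual sign of a client whose MAC address changed or of two clients sharing one address, which is what the duplicate MAC question is getting at; a MISMATCH or NOLEASE line shows a host using an address the DHCP server never gave it, the "my IP address is ..." case from the quoted message. A single ARP snapshot only shows who is answering right now, so on a busy network it is worth running the audit periodically and keeping the output for comparison.</p>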
</body>
</html>