IPTABLES rule for separating users
Chris Kloiber
ckloiber at ckloiber.com
Mon Mar 21 00:39:37 UTC 2011
On 03/05/2011 03:58 AM, erikmccaskey64 wrote:
> I have an OpenWrt 10.03 router [ IP: 192.168.1.1 ], and it has a DHCP
> server pool: 192.168.1.0/24 - clients are using it through
> wireless/wired connection. Ok!
>
> Here's the catch: I need to separate the users from each other.
>
> How i need to do it: by IPTABLES rule [ /etc/firewall.user ]. Ok!
>
> "Loud thinking": So i need a rule something like this [on the OpenWrt
> router]:
>
> - DROP where SOURCE: 192.168.1.2-192.168.1.255 and DESTINATION is
> 192.168.1.2-192.168.1.255
>
> The idea is this. Ok!
>
> Questions!
> - Will i lock out myself if i apply this firewall rule?
> - Is this a secure method? [ is it easy to do this?: hello, i'm a
> client, and i say, my IP address is 192.168.1.1! - now it can sniff
> the unencrypted traffic! :( - because all the clients are in the same
> subnet! ]
> - Are there any good methods to find/audit for duplicated IP addresses?
> - Are the any good methods to find/audit for duplicated MAC addresses?
> - Are there any good methods to do this IPTALBES rule on Layer2?:
> `$ wget -q
> "http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/" -O - |
> grep -i ebtables`
> `$ `
>
>
>
> p.s.: The rule would be [is it on a good chain?]:
> iptables -A FORWARD -m iprange --src-range 192.168.1.2-192.168.1.255
> --dst-range 192.168.1.2-192.168.1.255 -j DROP
>
> Thank you!
On the face of it, it sounds like you want something this on your router:
-A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j REJECT --reject-with
icmp-host-prohibited
-I INPUT 1 -s 192.168.1.2/32 -d 192.168.1.1/32 -j ACCEPT
This assumes you have a static IP of 192.168.1.2, and the router is
192.168.1.1. That way you won't lock yourself out of the router's
configuration gui or ssh. You can try and test it out anyway. I perfer
REJECT rather than drop, it causes less problems. Leave DROP for the bad
guys you want to slow down with time-outs.
I haven't tried this, so YMMV, and I might be all wet.
--
Chris Kloiber
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/users/attachments/20110320/7bd6060c/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6223 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20110320/7bd6060c/attachment-0001.bin
More information about the users
mailing list