IPTABLES rule for separating users

Chris Kloiber ckloiber at ckloiber.com
Mon Mar 21 00:39:37 UTC 2011


On 03/05/2011 03:58 AM, erikmccaskey64 wrote:
> I have an OpenWrt 10.03 router [ IP: 192.168.1.1 ], and it has a DHCP 
> server pool: 192.168.1.0/24 - clients are using it through 
> wireless/wired connection. Ok!
>
> Here's the catch: I need to separate the users from each other.
>
> How I need to do it: by IPTABLES rule [ /etc/firewall.user ]. Ok!
>
> "Loud thinking": So I need a rule something like this [on the OpenWrt 
> router]:
>
> - DROP where SOURCE: 192.168.1.2-192.168.1.255 and DESTINATION is 
> 192.168.1.2-192.168.1.255
>
> The idea is this. Ok!
>
> Questions!
> - Will I lock myself out if I apply this firewall rule?
> - Is this a secure method? [ is it easy to do this?: hello, I'm a 
> client, and i say, my IP address is 192.168.1.1! - now it can sniff 
> the unencrypted traffic! :( - because all the clients are in the same 
> subnet! ]
> - Are there any good methods to find/audit for duplicated IP addresses?
> - Are there any good methods to find/audit for duplicated MAC addresses?
> - Are there any good methods to do this IPTABLES rule on Layer 2?:
> `$ wget -q 
> "http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/" -O - | 
> grep -i ebtables`
> `$ `
>
> p.s.: The rule would be [is it on a good chain?]:
> iptables -A FORWARD  -m iprange --src-range 192.168.1.2-192.168.1.255 
> --dst-range 192.168.1.2-192.168.1.255 -j DROP
>
> Thank you!

On the face of it, it sounds like you want something like this on your router:

-A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j REJECT --reject-with 
icmp-host-prohibited
-I INPUT 1 -s 192.168.1.2/32 -d 192.168.1.1/32 -j ACCEPT

This assumes you have a static IP of 192.168.1.2, and the router is 
192.168.1.1. That way you won't lock yourself out of the router's 
configuration GUI or SSH. You can try and test it out anyway. I prefer 
REJECT rather than DROP, it causes fewer problems. Leave DROP for the bad 
guys you want to slow down with time-outs.

I haven't tried this, so YMMV, and I might be all wet.

-- 
Chris Kloiber
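
The thread proposes two rule sets (the original poster's FORWARD rule with an iprange match, and the reply's INPUT rules with an ACCEPT for the admin host inserted first). As an added example, not code from either poster, the Python below models first-match chain traversal for both rule sets and reports which chain on the router a given flow reaches and what verdict it gets. The one modelling assumption, stated in the code, is that traffic between two hosts on the same IP subnet is delivered at layer 2 and is never routed, so no iptables chain on the router inspects it (which is why the original poster asks about ebtables). The sample flows and the external address 198.51.100.7 are constructed for the example.

```python
"""Model netfilter chain traversal for the rules discussed in this thread.

Constructed example (not from the thread): a tiny first-match rule engine
with -s/-d prefix matches and -m iprange matches, plus a classifier that
decides which chain on the router a packet reaches.
"""
import ipaddress

ROUTER_IP = ipaddress.ip_address("192.168.1.1")  # from the thread
LAN = ipaddress.ip_network("192.168.1.0/24")     # from the thread


def in_prefix(ip, prefix):
    """-s / -d style match against a CIDR prefix."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)


def in_range(ip, lo, hi):
    """-m iprange style match: lo <= ip <= hi, inclusive."""
    a = int(ipaddress.ip_address(ip))
    return int(ipaddress.ip_address(lo)) <= a <= int(ipaddress.ip_address(hi))


def rule(target, src=None, dst=None, src_range=None, dst_range=None):
    """One iptables rule as (predicate, target). Ranges are (lo, hi) tuples."""
    def matches(pkt):
        s, d = pkt["src"], pkt["dst"]
        if src and not in_prefix(s, src):
            return False
        if dst and not in_prefix(d, dst):
            return False
        if src_range and not in_range(s, *src_range):
            return False
        if dst_range and not in_range(d, *dst_range):
            return False
        return True
    return (matches, target)


def run_chain(rules, pkt, policy="ACCEPT"):
    """First matching rule's target wins; otherwise the chain policy applies."""
    for matches, target in rules:
        if matches(pkt):
            return target
    return policy


def chain_for(pkt):
    """Which chain on the router inspects this packet.

    Assumption (modelled, not from the thread): the LAN is one IP subnet,
    so client-to-client traffic is delivered at layer 2 and never routed;
    the router's FORWARD chain only sees traffic it actually forwards
    (here: anything leaving the subnet).
    """
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if dst == ROUTER_IP:
        return "INPUT"
    if src == ROUTER_IP:
        return "OUTPUT"
    if src in LAN and dst in LAN:
        return None          # switched/bridged, no iptables chain involved
    return "FORWARD"


# The reply's proposal (INPUT chain), with the admin host's ACCEPT inserted at position 1.
INPUT_RULES = [
    rule("ACCEPT", src="192.168.1.2/32", dst="192.168.1.1/32"),
    rule("REJECT", src="192.168.1.0/24", dst="192.168.1.0/24"),
]
# The original poster's proposal (FORWARD chain, iprange match).
FORWARD_RULES = [
    rule("DROP", src_range=("192.168.1.2", "192.168.1.255"),
                 dst_range=("192.168.1.2", "192.168.1.255")),
]
CHAINS = {"INPUT": INPUT_RULES, "FORWARD": FORWARD_RULES, "OUTPUT": []}


def verdict(src, dst):
    """Return (chain, verdict) for a packet from src to dst as seen by the router."""
    pkt = {"src": src, "dst": dst}
    chain = chain_for(pkt)
    if chain is None:
        return (None, "NOT_SEEN")
    return (chain, run_chain(CHAINS[chain], pkt))


if __name__ == "__main__":
    # Constructed sample flows.
    for s, d in [("192.168.1.2", "192.168.1.1"),     # admin -> router
                 ("192.168.1.50", "192.168.1.1"),    # other client -> router (DNS, web UI)
                 ("192.168.1.50", "192.168.1.60"),   # client -> client, same subnet
                 ("192.168.1.50", "198.51.100.7")]:  # client -> outside (constructed address)
        print(f"{s:>14} -> {d:<14} {verdict(s, d)}")
```

Running it shows the check a practitioner wants before applying either rule set: the admin host still reaches the router, every other LAN host gets REJECT on the INPUT chain (so services the router itself provides, such as DNS, are affected too), Internet-bound traffic passes FORWARD untouched, and under the layer-2 delivery assumption a client-to-client flow inside 192.168.1.0/24 returns NOT_SEEN, meaning neither rule set fires for the traffic the original poster wants to separate.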
