* denying local traffic
@ 2003-02-11 15:06 Doug Yeager
2003-02-11 19:28 ` Arnt Karlsen
0 siblings, 1 reply; 6+ messages in thread
From: Doug Yeager @ 2003-02-11 15:06 UTC (permalink / raw)
To: netfilter
I'm using nocat as a wireless gateway w/ the hostap driver. This is
great because I should be able to use iptables firewall rules to
administer things. I've had some success w/ these rules as I'm new to
iptables.
What I can't figure out is how to block local traffic between clients
on the LAN. Basically, I want them to be invisible to each other but
be able to get to the internet through the gateway.
Right now they can get to the internet but can see each other's shares
and so forth.
What should be the iptables commands for doing this?
My LAN is 192.168.19.0/255.255.255.0.
Help would be great as I've attempted many things w/o success.
Thx,
doug
* denying local traffic
2003-02-11 15:13 strange log entries Willi Mann
@ 2003-02-11 16:06 ` Doug Yeager
0 siblings, 0 replies; 6+ messages in thread
From: Doug Yeager @ 2003-02-11 16:06 UTC (permalink / raw)
To: netfilter
I'm using nocat as a wireless gateway w/ the hostap driver. This is
great because I should be able to use iptables firewall rules to
administer things. I've had some success w/ these rules as I'm new to
iptables.
What I can't figure out is how to block local traffic between clients
on the LAN. Basically, I want them to be invisible to each other but
be able to get to the internet through the gateway.
Right now they can get to the internet but can see each other's shares
and so forth.
What should be the iptables commands for doing this?
My LAN is 192.168.19.0/255.255.255.0.
Help would be great as I've attempted many things w/o success.
Thx,
doug
* Re: denying local traffic
2003-02-11 15:06 denying local traffic Doug Yeager
@ 2003-02-11 19:28 ` Arnt Karlsen
2003-02-11 20:20 ` Doug Yeager
0 siblings, 1 reply; 6+ messages in thread
From: Arnt Karlsen @ 2003-02-11 19:28 UTC (permalink / raw)
To: netfilter
On Tue, 11 Feb 2003 10:06:40 -0500,
"Doug Yeager" <doug@aircomwireless.net> wrote in message
<000101c2d1df$3166fb60$bb00a8c0@DOUG1>:
> I'm using nocat as a wireless gateway w/ the hostap driver. This is
> great because I should be able to use iptables firewall rules to
> administer things. I've had some success w/ these rules as I'm new to
> iptables.
>
> What I can't figure out is how to block local traffic between clients
> on the LAN. Basically, I want them to be invisible to each other but
> be able to get to the internet through the gateway.
> Right now they can get to the internet but can see each other's shares
> and so forth.
> What should be the iptables commands for doing this?
>
> My LAN is 192.168.19.0/255.255.255.0.
..ascii art figure? We use vpn (poptop) tunnels, but your net
is likely different from ours.
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* RE: denying local traffic
2003-02-11 19:28 ` Arnt Karlsen
@ 2003-02-11 20:20 ` Doug Yeager
2003-02-11 21:26 ` Arnt Karlsen
0 siblings, 1 reply; 6+ messages in thread
From: Doug Yeager @ 2003-02-11 20:20 UTC (permalink / raw)
To: netfilter
Cool,
This is my first ascii art attempt:
/--------------------\
|      INTERNET      |
\--------------------/
          |
          |
/----linux server---------------------\
| no cat gateway on eth0              |
| iptables                            |
| dhcp 192.168.19.0/255.255.255.0     |
| hostap on wlan0 192.168.19.1        |
\-------------------------------------/
    |           |           |
    |           |           |
/-------\   /-------\   /-----------\
|client1|   |client2|   |client3    |
\-------/   \-------/   \-----------/
Clients are of all flavors of OS, and the users are not too smart
either.
It is in a coffee shop and users frequently leave shared drives open.
I want to be able to shut down all communications between clients so
they get to surf the net but not each other.
Here are the firewall rules that set NoCat up. I just need the iptables
commands to shut down client-to-client traffic to add to these:
Localnet is 192.168.19.0/255.255.255.0 on wlan0
External device is eth0
#!/bin/sh
##
#
# initialize.fw: setup the default firewall rules
#
# *** NOTE ***
#
# If you want to have local firewall rules in addition to what NoCat
# provides, add them at the bottom of this file. They will be recreated
# each time gateway is restarted.
#
##

# The current service classes by fwmark are:
#
# 1: Owner
# 2: Co-op
# 3: Public
# 4: Free

PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
export PATH

# Enable IP forwarding and rp_filter (to kill IP spoof attempts).
#
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

# Load alllll the kernel modules we need.
#
rmmod ipchains > /dev/null 2>&1 # for RH 7.1 users.

for module in ip_tables ipt_REDIRECT ipt_MASQUERADE ipt_MARK ipt_REJECT \
    ipt_TOS ipt_LOG iptable_mangle iptable_filter iptable_nat ip_nat_ftp \
    ip_conntrack ipt_mac ipt_state ipt_mark; do
    modprobe $module
done

# Flush all user-defined chains
#
iptables -t filter -N NoCat 2>/dev/null
iptables -t filter -F NoCat
iptables -t filter -D FORWARD -j NoCat 2>/dev/null
iptables -t filter -A FORWARD -j NoCat

iptables -t filter -N NoCat_Ports 2>/dev/null
iptables -t filter -F NoCat_Ports
iptables -t filter -D NoCat -j NoCat_Ports 2>/dev/null
iptables -t filter -A NoCat -j NoCat_Ports

iptables -t filter -N NoCat_Inbound 2>/dev/null
iptables -t filter -F NoCat_Inbound
iptables -t filter -D NoCat -j NoCat_Inbound 2>/dev/null
iptables -t filter -A NoCat -j NoCat_Inbound

iptables -t nat -N NoCat_Capture 2>/dev/null
iptables -t nat -F NoCat_Capture
iptables -t nat -D PREROUTING -j NoCat_Capture 2>/dev/null
iptables -t nat -A PREROUTING -j NoCat_Capture

iptables -t nat -N NoCat_NAT 2>/dev/null
iptables -t nat -F NoCat_NAT

#
# Only nat if we're not routing
#
iptables -t nat -D POSTROUTING -j NoCat_NAT 2>/dev/null
[ "$RouteOnly" ] || iptables -t nat -A POSTROUTING -j NoCat_NAT

iptables -t mangle -N NoCat 2>/dev/null
iptables -t mangle -F NoCat
iptables -t mangle -D PREROUTING -j NoCat 2>/dev/null
iptables -t mangle -A PREROUTING -j NoCat

fwd="iptables -t filter -A NoCat"
ports="iptables -t filter -A NoCat_Ports"
nat="iptables -t nat -A NoCat_NAT"
redirect="iptables -t nat -A NoCat_Capture"
mangle="iptables -t mangle -A NoCat"

if [ "$MembersOnly" ]; then
    classes="1 2"
else
    classes="1 2 3"
fi

# Handle tagged traffic.
#
for iface in $InternalDevice; do
    for net in $LocalNetwork; do
        for fwmark in $classes; do
            # Only forward tagged traffic per class
            $fwd -i $iface -s $net -m mark --mark $fwmark -j ACCEPT
            # $fwd -o $iface -d $net -m mark --mark $fwmark -j ACCEPT

            # Masquerade permitted connections.
            $nat -o $ExternalDevice -s $net -m mark --mark $fwmark -j MASQUERADE
        done

        # Allow web traffic to the specified hosts, and don't capture
        # connections intended for them.
        #
        if [ "$AuthServiceAddr" -o "$AllowedWebHosts" ]; then
            for host in $AuthServiceAddr $AllowedWebHosts; do
                for port in 80 443; do
                    $nat -s $net -d $host -p tcp --dport $port -j MASQUERADE
                    $redirect -s $net -d $host -p tcp --dport $port -j RETURN
                    $fwd -s $net -d $host -p tcp --dport $port -j ACCEPT
                    $fwd -d $net -s $host -p tcp --sport $port -j ACCEPT
                done
            done
        fi

        # Accept forward and back traffic to/from DNSAddr
        if [ "$DNSAddr" ]; then
            $fwd -i $iface -s $net -d $DNSAddr -p tcp --dport 53 -j ACCEPT
            $fwd -i $iface -s $net -d $DNSAddr -p udp --dport 53 -j ACCEPT
            $fwd -o $iface -d $net -s $DNSAddr -j ACCEPT

            $nat -p tcp -o $ExternalDevice -s $net -d $DNSAddr --dport 53 -j MASQUERADE
            $nat -p udp -o $ExternalDevice -s $net -d $DNSAddr --dport 53 -j MASQUERADE
        fi
    done

    # Set packets from internal devices to fw mark 4, or 'denied', by default.
    $mangle -i $iface -j MARK --set-mark 4
done

# Redirect outbound non-auth web traffic to the local gateway process
#
# If MembersOnly is active, then redirect public class as well
#
for port in 80 443; do
    $redirect -m mark --mark 4 -p tcp --dport $port -j REDIRECT --to-port $GatewayPort
    if [ "$MembersOnly" ]; then
        $redirect -m mark --mark 3 -p tcp --dport $port -j REDIRECT --to-port $GatewayPort
    fi
done

# Lock down more ports for public users, if specified. Port restrictions
# are not applied to co-op and owner class users.
#
# There are two philosophies in restricting access: That Which Is Not
# Specifically Permitted Is Denied, and That Which Is Not Specifically
# Denied Is Permitted.
#
# If "IncludePorts" is defined, the default policy will be to deny all
# traffic, and only allow the ports mentioned.
#
# If "ExcludePorts" is defined, the default policy will be to allow all
# traffic, except to the ports mentioned.
#
# If both are defined, ExcludePorts will be ignored, and the default policy
# will be to deny all traffic, allowing everything in IncludePorts, and
# issue a warning.
#
if [ "$IncludePorts" ]; then
    if [ "$ExcludePorts" ]; then
        echo "Warning: ExcludePorts and IncludePorts are both defined."
        echo "Ignoring 'ExcludePorts'. Please check your nocat.conf."
    fi

    # Enable all ports in IncludePorts
    for iface in $InternalDevice; do
        for port in $IncludePorts; do
            $ports -p tcp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
            $ports -p udp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
        done

        # Always permit access to the GatewayPort (or we can't logout)
        $ports -p tcp -i $iface --dport $GatewayPort -j ACCEPT
        $ports -p udp -i $iface --dport $GatewayPort -j ACCEPT

        # ...and disable access to the rest.
        $ports -p tcp -i $iface -m mark --mark 3 -j DROP
        $ports -p udp -i $iface -m mark --mark 3 -j DROP
    done

elif [ "$ExcludePorts" ]; then
    # If ExcludePorts has entries, simply deny access to them.
    for iface in $InternalDevice; do
        for port in $ExcludePorts; do
            $ports -p tcp -i $iface --dport $port -m mark --mark 3 -j DROP
            $ports -p udp -i $iface --dport $port -m mark --mark 3 -j DROP
        done
    done
fi

#
# Disable access on the external to GatewayPort from anything but the AuthServiceAddr
#
if [ "$AuthServiceAddr" ]; then
    $fwd -i $ExternalDevice -s ! $AuthServiceAddr -p tcp --dport $GatewayPort -j DROP
fi

# Filter policy.
$fwd -j DROP
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Arnt Karlsen
Sent: Tuesday, February 11, 2003 2:29 PM
To: netfilter@lists.netfilter.org
Subject: Re: denying local traffic
On Tue, 11 Feb 2003 10:06:40 -0500,
"Doug Yeager" <doug@aircomwireless.net> wrote in message
<000101c2d1df$3166fb60$bb00a8c0@DOUG1>:
> I'm using nocat as a wireless gateway w/ the hostap driver. This is
> great because I should be able to use iptables firewall rules to
> administer things. I've had some success w/ these rules as I'm new to
> iptables.
>
> What I can't figure out is how to block local traffic between clients
> on the LAN. Basically, I want them to be invisible to each other but
> be able to get to the internet through the gateway.
> Right now they can get to the internet but can see each other's shares
> and so forth.
> What should be the iptables commands for doing this?
>
> My LAN is 192.168.19.0/255.255.255.0.
..ascii art figure? We use vpn (poptop) tunnels, but your net
is likely different from ours.
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* Re: denying local traffic
2003-02-11 20:20 ` Doug Yeager
@ 2003-02-11 21:26 ` Arnt Karlsen
[not found] ` <000701c2d226$24f56f50$bb00a8c0@DOUG1>
0 siblings, 1 reply; 6+ messages in thread
From: Arnt Karlsen @ 2003-02-11 21:26 UTC (permalink / raw)
To: netfilter
On Tue, 11 Feb 2003 15:20:19 -0500,
"Doug Yeager" <doug@aircomwireless.net> top-posted in message
<000601c2d20b$035c2980$bb00a8c0@DOUG1>:
> Cool,
>
> This is my first ascii art attempt:
>
> /--------------------\
> |      INTERNET      |
> \--------------------/
>           |
>           |
> /----linux server---------------------\
> | no cat gateway on eth0              |
> | iptables                            |
> | dhcp 192.168.19.0/255.255.255.0     |
> | hostap on wlan0 192.168.19.1        |
> \-------------------------------------/
>     |           |           |
>     |           |           |
> /-------\   /-------\   /-----------\
> |client1|   |client2|   |client3    |
> \-------/   \-------/   \-----------/
..not at all bad. :-)
> Clients are of all flavors of OS, and the users are not too smart
> either.
> It is in a coffee shop and users frequently leave shared drives open.
>
> I want to be able to shut down all communications between clients so
> they get to surf the net but not each other.
..first, _plug_ all wintendo ports, 137 thru 139. _Plug_ goes anywhere
between the humanistic "reject" thru "drop" to less so "mirror", "same",
and "tarpit". On the other hand, if these coffee shop boxes are to
generate profits for the coffee shop, junk the wintendos and install
Mandrake-9.0 or later, and set up game servers.
..if people bring their own boxes, and you have a 802.11 service,
_plug_ the wintendo ports and wrap _all_ wifi traffic in throttled
vpn tunnels, or you will have someone yanking _all_ the bandwidth
to copy someone else's stolen music or whatever.
..a wifi ap is essentially "a hub", and you want "a switch",
so wrap and throttle.
..to economize on the link out, consider a proxy server. An easy
one to use is ipcop-1.2 over at ipcop.org; it's really a firewall
distro, with dhcp and proxy. 1.3 and 1.4 etc (still alpha) will
use 2.4 and iptables, the previous ones use 2.2 and ipchains.
It can be put outside your current firewall.
> Here are the firewall rules that set NoCat up. I just need the
> iptables commands to shut down client-to-client traffic to add to
> these:
>
> Localnet is 192.168.19.0/255.255.255.0 on wlan0
> External device is eth0
>
>
>
>
> #!/bin/sh
> ##
> #
> # initialize.fw: setup the default firewall rules
> #
> # *** NOTE ***
> #
> # If you want to have local firewall rules in addition to what NoCat
> # provides, add them at the bottom of this file. They will be
> # recreated each time gateway is restarted.
> #
> ##
>
> # The current service classes by fwmark are:
> #
> # 1: Owner
> # 2: Co-op
> # 3: Public
> # 4: Free
>
> PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
> export PATH
>
> # Enable IP forwarding and rp_filter (to kill IP spoof attempts).
> #
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
>
> # Load alllll the kernel modules we need.
> #
> rmmod ipchains > /dev/null 2>&1 # for RH 7.1 users.
...and 'rpm -e ipchains'... ;-)
>
> for module in ip_tables ipt_REDIRECT ipt_MASQUERADE ipt_MARK ipt_REJECT \
>     ipt_TOS ipt_LOG iptable_mangle iptable_filter iptable_nat ip_nat_ftp \
>     ip_conntrack ipt_mac ipt_state ipt_mark; do
>
> modprobe $module
> done
>
> # Flush all user-defined chains
> #
> iptables -t filter -N NoCat 2>/dev/null
> iptables -t filter -F NoCat
> iptables -t filter -D FORWARD -j NoCat 2>/dev/null
> iptables -t filter -A FORWARD -j NoCat
>
> iptables -t filter -N NoCat_Ports 2>/dev/null
> iptables -t filter -F NoCat_Ports
> iptables -t filter -D NoCat -j NoCat_Ports 2>/dev/null
> iptables -t filter -A NoCat -j NoCat_Ports
>
> iptables -t filter -N NoCat_Inbound 2>/dev/null
> iptables -t filter -F NoCat_Inbound
> iptables -t filter -D NoCat -j NoCat_Inbound 2>/dev/null
> iptables -t filter -A NoCat -j NoCat_Inbound
>
> iptables -t nat -N NoCat_Capture 2>/dev/null
> iptables -t nat -F NoCat_Capture
> iptables -t nat -D PREROUTING -j NoCat_Capture 2>/dev/null
> iptables -t nat -A PREROUTING -j NoCat_Capture
>
> iptables -t nat -N NoCat_NAT 2>/dev/null
> iptables -t nat -F NoCat_NAT
>
> #
> # Only nat if we're not routing
> #
> iptables -t nat -D POSTROUTING -j NoCat_NAT 2>/dev/null
> [ "$RouteOnly" ] || iptables -t nat -A POSTROUTING -j NoCat_NAT
>
> iptables -t mangle -N NoCat 2>/dev/null
> iptables -t mangle -F NoCat
> iptables -t mangle -D PREROUTING -j NoCat 2>/dev/null
> iptables -t mangle -A PREROUTING -j NoCat
>
>
> fwd="iptables -t filter -A NoCat"
> ports="iptables -t filter -A NoCat_Ports"
> nat="iptables -t nat -A NoCat_NAT"
> redirect="iptables -t nat -A NoCat_Capture"
> mangle="iptables -t mangle -A NoCat"
>
> if [ "$MembersOnly" ]; then
> classes="1 2"
> else
> classes="1 2 3"
> fi
>
> # Handle tagged traffic.
> #
> for iface in $InternalDevice; do
> for net in $LocalNetwork; do
> for fwmark in $classes; do
> # Only forward tagged traffic per class
> $fwd -i $iface -s $net -m mark --mark $fwmark -j ACCEPT
> # $fwd -o $iface -d $net -m mark --mark $fwmark -j ACCEPT
>
> # Masquerade permitted connections.
> $nat -o $ExternalDevice -s $net -m mark --mark $fwmark -j MASQUERADE
> done
>
> # Allow web traffic to the specified hosts, and don't capture
> # connections intended for them.
> #
> if [ "$AuthServiceAddr" -o "$AllowedWebHosts" ]; then
> for host in $AuthServiceAddr $AllowedWebHosts; do
> for port in 80 443; do
> $nat -s $net -d $host -p tcp --dport $port -j MASQUERADE
> $redirect -s $net -d $host -p tcp --dport $port -j RETURN
> $fwd -s $net -d $host -p tcp --dport $port -j ACCEPT
> $fwd -d $net -s $host -p tcp --sport $port -j ACCEPT
> done
> done
> fi
>
> # Accept forward and back traffic to/from DNSAddr
> if [ "$DNSAddr" ]; then
> $fwd -i $iface -s $net -d $DNSAddr -p tcp --dport 53 -j ACCEPT
> $fwd -i $iface -s $net -d $DNSAddr -p udp --dport 53 -j ACCEPT
> $fwd -o $iface -d $net -s $DNSAddr -j ACCEPT
>
> $nat -p tcp -o $ExternalDevice -s $net -d $DNSAddr --dport 53 -j MASQUERADE
> $nat -p udp -o $ExternalDevice -s $net -d $DNSAddr --dport 53 -j MASQUERADE
> fi
> done
>
> # Set packets from internal devices to fw mark 4, or 'denied', by default.
> $mangle -i $iface -j MARK --set-mark 4
> done
>
> # Redirect outbound non-auth web traffic to the local gateway process
> #
> # If MembersOnly is active, then redirect public class as well
> #
> for port in 80 443; do
> $redirect -m mark --mark 4 -p tcp --dport $port -j REDIRECT --to-port $GatewayPort
> if [ "$MembersOnly" ]; then
> $redirect -m mark --mark 3 -p tcp --dport $port -j REDIRECT --to-port $GatewayPort
> fi
> done
>
>
>
> # Lock down more ports for public users, if specified. Port
> # restrictions are not applied to co-op and owner class users.
> #
> # There are two philosophies in restricting access: That Which Is Not
> # Specifically Permitted Is Denied, and That Which Is Not Specifically
> # Denied Is Permitted.
> #
> # If "IncludePorts" is defined, the default policy will be to deny all
> # traffic, and only allow the ports mentioned.
> #
> # If "ExcludePorts" is defined, the default policy will be to allow
> # all traffic, except to the ports mentioned.
> #
> # If both are defined, ExcludePorts will be ignored, and the default policy
> # will be to deny all traffic, allowing everything in IncludePorts,
> # and issue a warning.
> #
> if [ "$IncludePorts" ]; then
> if [ "$ExcludePorts" ]; then
> echo "Warning: ExcludePorts and IncludePorts are both defined."
> echo "Ignoring 'ExcludePorts'. Please check your nocat.conf."
> fi
>
> # Enable all ports in IncludePorts
> for iface in $InternalDevice; do
> for port in $IncludePorts; do
> $ports -p tcp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
> $ports -p udp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
> done
>
> # Always permit access to the GatewayPort (or we can't logout)
> $ports -p tcp -i $iface --dport $GatewayPort -j ACCEPT
> $ports -p udp -i $iface --dport $GatewayPort -j ACCEPT
>
> # ...and disable access to the rest.
> $ports -p tcp -i $iface -m mark --mark 3 -j DROP
> $ports -p udp -i $iface -m mark --mark 3 -j DROP
> done
>
> elif [ "$ExcludePorts" ]; then
> # If ExcludePorts has entries, simply deny access to them.
> for iface in $InternalDevice; do
> for port in $ExcludePorts; do
> $ports -p tcp -i $iface --dport $port -m mark --mark 3 -j DROP
> $ports -p udp -i $iface --dport $port -m mark --mark 3 -j DROP
> done
> done
> fi
>
> #
> # Disable access on the external to GatewayPort from anything but the AuthServiceAddr
> #
> if [ "$AuthServiceAddr" ]; then
> $fwd -i $ExternalDevice -s ! $AuthServiceAddr -p tcp --dport $GatewayPort -j DROP
> fi
>
> # Filter policy.
> $fwd -j DROP
>
>
>
>
>
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Arnt Karlsen
> Sent: Tuesday, February 11, 2003 2:29 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: denying local traffic
>
> On Tue, 11 Feb 2003 10:06:40 -0500,
> "Doug Yeager" <doug@aircomwireless.net> wrote in message
> <000101c2d1df$3166fb60$bb00a8c0@DOUG1>:
>
> > I'm using nocat as a wireless gateway w/ the hostap driver. This is
> > great because I should be able to use iptables firewall rules to
> > administer things. I've had some success w/ these rules as I'm new
> > to iptables.
> >
> > What I can't figure out is how to block local traffic between
> > clients on the LAN. Basically, I want them to be invisible to each
> > other but be able to get to the internet through the gateway.
> > Right now they can get to the internet but can see each other's
> > shares and so forth.
>
> > What should be the iptables commands for doing this?
> >
> > My LAN is 192.168.19.0/255.255.255.0.
>
> ..ascii art figure? We use vpn (poptop) tunnels, but your net
> is likely different from ours.
>
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* Re: denying local traffic --SOLUTION
[not found] ` <20030212031133.6cef010e.arnt@c2i.net>
@ 2003-02-12 12:05 ` Doug Yeager
0 siblings, 0 replies; 6+ messages in thread
From: Doug Yeager @ 2003-02-12 12:05 UTC (permalink / raw)
To: netfilter
I'm an idiot. Found out that wi-fi acts on layer 3 and netfilter code
can't do much about it.
It acts as a "hub" just like Arnt has pointed out. So the hostap guys said
there is a configuration for this if you are using the hostap code to run
the access point. It is pretty handy code for a situation like this. Here
was the solution:
> is there a way to not allow this using hostap? any settings at compile
> time to only allow traffic from client to AP? but not client to client
> through ap?
Yes, you can disable this internal driver bridge code by setting
ap_bridge_packets to 0: 'prism2_param wlan0 ap_bridge_packets 0'.
This does not require any compile time configuration.
At 03:11 AM 02/12/2003 +0100, Arnt Karlsen wrote:
>On Tue, 11 Feb 2003 18:34:32 -0500,
>"Doug Yeager" <doug@aircomwireless.net> top posted, err,
>top mailed in message <000701c2d226$24f56f50$bb00a8c0@DOUG1>:
> >
> > Arnt,
> > Thank you very much.
> > I think I understand what you are saying. Just wanted to clear a few
> > things up:
> >
> > This is the case:
> > >..if people bring their own boxes
> >
> > >plug_ all wintendo ports, 137 tru 139. _Plug_ goes anywhere
> > >between the humanistic "reject" thru "drop" to less so "mirror",
> > "same",
> > >and "tarpit".
> >
> > What are the wintendo ports? What purpose do they serve on windows
> > machines? I'm hoping you are referring to the ports that show the
> > shared folders and such, so that I can prevent open file sharing by
> > blocking them. That is really what I want.
>
>..yup. 137 thru 139, there may be more, I don't know wintendo
>that well, I dropped wintendo95 in 1997, 23 reinstalls in my last
>5 weeks... I took the hint. ;-)
>
>..the wise way is block _everything_ below 1024, and then
>pop open _only_ the ports you need.
>
> > If hostap acts like a hub, how can I manage any of these ports w/
> > iptables?
>
>..you can't, ip address or not, _all_ antennas hear the same packets.
>You're left with vpn tunnels, ok, you _can_ use WEP etc too, it might
>not hurt too much, overheadwise. Ok, iptables _can_ help deny and award
>a wifi card ip traffic access, and iptables can match on mac addresses.
>
>..in patch-o-matic, a few more modules can be thrown in to help
>troubleshoot your coffeeshop site, conn'track'ers etc.
>
>..once you're done, anonymize ip's where needed and post your solution
>on the list, there are more people around who need this knowledge.
>
> > Something like this does not work unless I'm trying to do it wrong:
> > Is this because of the HUB issue?
> >
> > iptables -A INPUT -d 192.168.19.1 -i wlan0 -j ACCEPT               # allow packets to AP
> > iptables -A INPUT -d 192.168.19.0/255.255.255.0 -i wlan0 -j DENY   # deny lan
> >
> > of course, it would be a similar command for the port blocking right?
> >
> > thx again,
> > doug
> >
>
>
>--
>..med vennlig hilsen = with Kind Regards from Arnt... ;-)
>...with a number of polar bear hunters in his ancestry...
> Scenarios always come in sets of three:
> best case, worst case, and just in case.
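Putting the thread's two pieces together, as an added example (this is not code from the thread, from NoCat or from hostap): first turn off the driver's station-to-station bridging with the ap_bridge_packets setting from the hostap answer above, then let netfilter enforce the isolation. Once the driver stops bridging, a frame from one client addressed to another is handed to the gateway's IP stack, which routes it back out wlan0; that path traverses the FORWARD chain, not INPUT, which only ever sees packets addressed to the gateway itself (which is why the INPUT rules quoted above could not match this traffic whatever the chain policy), so a rule matching -i wlan0 -o wlan0 catches it. The script also plugs the Windows sharing ports Arnt named (137 thru 139) plus 445, the direct-hosted SMB port on Windows 2000 and later, which this page does not mention. Assumed values: the interface and network from Doug's diagram (wlan0, 192.168.19.0/24), hostap-utils' prism2_param command, and a chain name, ClientIsolation, chosen here. The chain is inserted at the head of FORWARD because NoCat's own chain ACCEPTs any marked traffic from the LAN regardless of the outgoing interface and would otherwise pass client-to-client packets before these rules are reached. By default the script only prints the commands it would run; set ISOLATE_APPLY=1 and run it as root to apply them.

```shell
#!/bin/sh
# isolate-clients.sh: added example, not part of the thread, NoCat or hostap.
# Assumed values (taken from Doug's diagram): wlan0 and 192.168.19.0/24.
# Assumed tools: hostap-utils' prism2_param and iptables, both run as root.

WLAN_IF="${WLAN_IF:-wlan0}"
LAN_NET="${LAN_NET:-192.168.19.0/24}"
CHAIN="ClientIsolation"          # chain name chosen for this example
# Windows file/print sharing: 137-139 from the thread; 445 (direct-hosted
# SMB on Windows 2000 and later) added here.
SHARE_PORTS="137 138 139 445"

# Print, one per line, the commands that build the isolation policy.
isolation_rules() {
    # 1. Stop the driver bridging station-to-station frames itself, so they
    #    reach the host IP stack where netfilter can see them.
    echo "prism2_param $WLAN_IF ap_bridge_packets 0"
    # 2. A private chain hooked at the head of FORWARD, ahead of NoCat's
    #    chain, which would otherwise ACCEPT marked LAN traffic first.
    echo "iptables -N $CHAIN"
    echo "iptables -F $CHAIN"
    echo "iptables -D FORWARD -j $CHAIN"
    echo "iptables -I FORWARD 1 -j $CHAIN"
    # 3. In on the WLAN and out on the WLAN means one client talking to
    #    another: drop it.
    echo "iptables -A $CHAIN -i $WLAN_IF -o $WLAN_IF -j DROP"
    # 4. Belt and braces: never forward the sharing ports out of the LAN,
    #    whichever interface they would leave on.
    for p in $SHARE_PORTS; do
        echo "iptables -A $CHAIN -p tcp -s $LAN_NET --dport $p -j DROP"
        echo "iptables -A $CHAIN -p udp -s $LAN_NET --dport $p -j DROP"
    done
    # 5. Everything else continues to NoCat's rules.
    echo "iptables -A $CHAIN -j RETURN"
}

# Number of commands the policy consists of (sanity check for dry runs).
rule_count() {
    isolation_rules | wc -l | tr -d ' '
}

# Execute the policy. -N fails when the chain already exists and -D fails
# when the hook is not there yet; both are harmless on a re-run. Any other
# failure prints the offending command and returns status 1.
apply_isolation() {
    isolation_rules | while read -r cmd; do
        if ! eval "$cmd" 2>/dev/null; then
            case "$cmd" in
                *" -N "*|*" -D "*) ;;
                *) echo "failed: $cmd" >&2; exit 1 ;;
            esac
        fi
    done
}

if [ "${ISOLATE_APPLY:-0}" = 1 ]; then
    apply_isolation
else
    isolation_rules
fi
```

The DROP on the wlan0-to-wlan0 rule is deliberate: a REJECT would send ICMP errors back out over the shared medium for every probe, while DROP costs nothing and tells the probing host nothing. Run the script without ISOLATE_APPLY first and read the printed rules; after applying, iptables -L ClientIsolation -v -n shows per-rule packet counters, so client-to-client attempts become visible in the counters of the first DROP rule.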