* denying local traffic
From: Doug Yeager @ 2003-02-11 15:06 UTC
To: netfilter

I'm using nocat as a wireless gateway w/ the hostap driver. This is great because I should be able to use iptables firewall rules to administer things. I've had some success w/ these rules as I'm new to iptables.

What I can't figure out is how to block local traffic between clients on the LAN. Basically, I want them to be invisible to each other but be able to get to the internet through the gateway. Right now they can get to the internet but can see each other's shares and so forth. What should be the iptables commands for doing this?

My lan is 192.168.19.0/255.255.255.0

Help would be great as I've attempted many things w/o success.

Thx,
doug
* Re: denying local traffic
From: Arnt Karlsen @ 2003-02-11 19:28 UTC
To: netfilter

On Tue, 11 Feb 2003 10:06:40 -0500, "Doug Yeager" <doug@aircomwireless.net> wrote in message <000101c2d1df$3166fb60$bb00a8c0@DOUG1>:

> I'm using nocat as a wireless gateway w/ the hostap driver. This is
> great because I should be able to use iptables firewall rules to
> administer things. I've had some success w/ these rules as I'm new to
> iptables.
>
> What I can't figure out is how to block local traffic between clients
> on the LAN. Basically, I want them to be invisible to each other but
> be able to get to the internet through the gateway.
> Right now they can get to the internet but can see each other's shares
> and so forth.
> What should be the iptables commands for doing this?
>
> My lan is 192.168.19.0/255.255.255.0

..ascii art figure? We use vpn (poptop) tunnels, but your net is likely different from ours.

--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: best case, worst case, and just in case.
* RE: denying local traffic
From: Doug Yeager @ 2003-02-11 20:20 UTC
To: netfilter

Cool,

This is my first ascii art attempt:

          /--------------------\
          |      INTERNET      |
          \--------------------/
                    |
                    |
 /----linux server---------------------\
 | no cat gateway on eth0              |
 | iptables                            |
 | dhcp 192.168.19.0/255.255.255.0     |
 | hostap on wlan0 192.168.19.1        |
 \-------------------------------------/
     |            |            |
     |            |            |
 /-------\    /-------\    /-----------\
 |client1|    |client2|    |client3    |
 \-------/    \-------/    \-----------/

clients are of all flavors of OS. And the users are not too smart either. It is in a coffee shop and users frequently leave shared drives open.

I want to be able to shut down all communications between clients so they get to surf the net but not each other.

Here are the firewall rules that set NOCAT up. I just need the iptables commands to shut down client to client traffic to add to these:

Localnet is 192.168.19.0/255.255.255.0 on wlan0
External device is eth0

#!/bin/sh
##
#
# initialize.fw: setup the default firewall rules
#
# *** NOTE ***
#
# If you want to have local firewall rules in addition to what NoCat
# provides, add them at the bottom of this file. They will be recreated
# each time gateway is restarted.
#
##

# The current service classes by fwmark are:
#
# 1: Owner
# 2: Co-op
# 3: Public
# 4: Free

PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
export PATH

# Enable IP forwarding and rp_filter (to kill IP spoof attempts).
#
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

# Load alllll the kernel modules we need.
#
rmmod ipchains > /dev/null 2>&1 # for RH 7.1 users.

for module in ip_tables ipt_REDIRECT ipt_MASQUERADE ipt_MARK ipt_REJECT \
    ipt_TOS ipt_LOG iptable_mangle iptable_filter iptable_nat ip_nat_ftp \
    ip_conntrack ipt_mac ipt_state ipt_mark; do

    modprobe $module
done

# Flush all user-defined chains
#
iptables -t filter -N NoCat 2>/dev/null
iptables -t filter -F NoCat
iptables -t filter -D FORWARD -j NoCat 2>/dev/null
iptables -t filter -A FORWARD -j NoCat

iptables -t filter -N NoCat_Ports 2>/dev/null
iptables -t filter -F NoCat_Ports
iptables -t filter -D NoCat -j NoCat_Ports 2>/dev/null
iptables -t filter -A NoCat -j NoCat_Ports

iptables -t filter -N NoCat_Inbound 2>/dev/null
iptables -t filter -F NoCat_Inbound
iptables -t filter -D NoCat -j NoCat_Inbound 2>/dev/null
iptables -t filter -A NoCat -j NoCat_Inbound

iptables -t nat -N NoCat_Capture 2>/dev/null
iptables -t nat -F NoCat_Capture
iptables -t nat -D PREROUTING -j NoCat_Capture 2>/dev/null
iptables -t nat -A PREROUTING -j NoCat_Capture

iptables -t nat -N NoCat_NAT 2>/dev/null
iptables -t nat -F NoCat_NAT

#
# Only nat if we're not routing
#
iptables -t nat -D POSTROUTING -j NoCat_NAT 2>/dev/null
[ "$RouteOnly" ] || iptables -t nat -A POSTROUTING -j NoCat_NAT

iptables -t mangle -N NoCat 2>/dev/null
iptables -t mangle -F NoCat
iptables -t mangle -D PREROUTING -j NoCat 2>/dev/null
iptables -t mangle -A PREROUTING -j NoCat

fwd="iptables -t filter -A NoCat"
ports="iptables -t filter -A NoCat_Ports"
nat="iptables -t nat -A NoCat_NAT"
redirect="iptables -t nat -A NoCat_Capture"
mangle="iptables -t mangle -A NoCat"

if [ "$MembersOnly" ]; then
    classes="1 2"
else
    classes="1 2 3"
fi

# Handle tagged traffic.
#
for iface in $InternalDevice; do
    for net in $LocalNetwork; do
        for fwmark in $classes; do
            # Only forward tagged traffic per class
            $fwd -i $iface -s $net -m mark --mark $fwmark -j ACCEPT
            # $fwd -o $iface -d $net -m mark --mark $fwmark -j ACCEPT

            # Masquerade permitted connections.
            $nat -o $ExternalDevice -s $net -m mark --mark $fwmark -j MASQUERADE
        done

        # Allow web traffic to the specified hosts, and don't capture
        # connections intended for them.
        #
        if [ "$AuthServiceAddr" -o "$AllowedWebHosts" ]; then
            for host in $AuthServiceAddr $AllowedWebHosts; do
                for port in 80 443; do
                    $nat -s $net -d $host -p tcp --dport $port -j MASQUERADE
                    $redirect -s $net -d $host -p tcp --dport $port -j RETURN
                    $fwd -s $net -d $host -p tcp --dport $port -j ACCEPT
                    $fwd -d $net -s $host -p tcp --sport $port -j ACCEPT
                done
            done
        fi

        # Accept forward and back traffic to/from DNSAddr
        if [ "$DNSAddr" ]; then
            $fwd -i $iface -s $net -d $DNSAddr -p tcp --dport 53 -j ACCEPT
            $fwd -i $iface -s $net -d $DNSAddr -p udp --dport 53 -j ACCEPT
            $fwd -o $iface -d $net -s $DNSAddr -j ACCEPT

            $nat -p tcp -o $ExternalDevice -s $net -d $DNSAddr --dport 53 -j MASQUERADE
            $nat -p udp -o $ExternalDevice -s $net -d $DNSAddr --dport 53 -j MASQUERADE
        fi
    done

    # Set packets from internal devices to fw mark 4, or 'denied', by default.
    $mangle -i $iface -j MARK --set-mark 4
done

# Redirect outbound non-auth web traffic to the local gateway process
#
# If MembersOnly is active, then redirect public class as well
#
for port in 80 443; do
    $redirect -m mark --mark 4 -p tcp --dport $port -j REDIRECT --to-port $GatewayPort
    if [ "$MembersOnly" ]; then
        $redirect -m mark --mark 3 -p tcp --dport $port -j REDIRECT --to-port $GatewayPort
    fi
done

# Lock down more ports for public users, if specified. Port restrictions
# are not applied to co-op and owner class users.
#
# There are two philosophies in restricting access: That Which Is Not
# Specifically Permitted Is Denied, and That Which Is Not Specifically
# Denied Is Permitted.
#
# If "IncludePorts" is defined, the default policy will be to deny all
# traffic, and only allow the ports mentioned.
#
# If "ExcludePorts" is defined, the default policy will be to allow all
# traffic, except to the ports mentioned.
#
# If both are defined, ExcludePorts will be ignored, and the default policy
# will be to deny all traffic, allowing everything in IncludePorts, and
# issue a warning.
#
if [ "$IncludePorts" ]; then
    if [ "$ExcludePorts" ]; then
        echo "Warning: ExcludePorts and IncludePorts are both defined."
        echo "Ignoring 'ExcludePorts'. Please check your nocat.conf."
    fi

    # Enable all ports in IncludePorts
    for iface in $InternalDevice; do
        for port in $IncludePorts; do
            $ports -p tcp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
            $ports -p udp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
        done

        # Always permit access to the GatewayPort (or we can't logout)
        $ports -p tcp -i $iface --dport $GatewayPort -j ACCEPT
        $ports -p udp -i $iface --dport $GatewayPort -j ACCEPT

        # ...and disable access to the rest.
        $ports -p tcp -i $iface -m mark --mark 3 -j DROP
        $ports -p udp -i $iface -m mark --mark 3 -j DROP
    done

elif [ "$ExcludePorts" ]; then
    # If ExcludePorts has entries, simply deny access to them.
    for iface in $InternalDevice; do
        for port in $ExcludePorts; do
            $ports -p tcp -i $iface --dport $port -m mark --mark 3 -j DROP
            $ports -p udp -i $iface --dport $port -m mark --mark 3 -j DROP
        done
    done
fi

#
# Disable access on the external to GatewayPort from anything but the AuthServiceAddr
#
if [ "$AuthServiceAddr" ]; then
    $fwd -i $ExternalDevice -s ! $AuthServiceAddr -p tcp --dport $GatewayPort -j DROP
fi

# Filter policy.
$fwd -j DROP
* Re: denying local traffic
From: Arnt Karlsen @ 2003-02-11 21:26 UTC
To: netfilter

On Tue, 11 Feb 2003 15:20:19 -0500, "Doug Yeager" <doug@aircomwireless.net> top-posted in message <000601c2d20b$035c2980$bb00a8c0@DOUG1>:

> Cool,
>
> This is my first ascii art attempt:
>
>           /--------------------\
>           |      INTERNET      |
>           \--------------------/
>                     |
>                     |
>  /----linux server---------------------\
>  | no cat gateway on eth0              |
>  | iptables                            |
>  | dhcp 192.168.19.0/255.255.255.0     |
>  | hostap on wlan0 192.168.19.1        |
>  \-------------------------------------/
>      |            |            |
>      |            |            |
>  /-------\    /-------\    /-----------\
>  |client1|    |client2|    |client3    |
>  \-------/    \-------/    \-----------/

..not at all bad. :-)

> clients are of all flavors of OS. And the users are not too smart
> either.
> It is in a coffee shop and users frequently leave shared drives open.
>
> I want to be able to shut down all communications between clients so
> they get to surf the net but not each other.

..first, _plug_ all wintendo ports, 137 thru 139. _Plug_ goes anywhere between the humanistic "reject" thru "drop" to less so "mirror", "same", and "tarpit". On the other hand, if these coffee shop boxes are to generate profits for the coffee shop, junk the wintendos and install Mandrake-9.0 or later, and set up game servers.

..if people bring their own boxes, and you have an 802.11 service, _plug_ the wintendo ports and wrap _all_ wifi traffic in throttled vpn tunnels, or you will have someone yanking _all_ the bandwidth to copy someone else's stolen music or whatever.

..a wifi ap is essentially "a hub", and you want "a switch", so wrap and throttle.

..to economize on the link out, consider a proxy server. An easy one to use is ipcop-1.2 over at ipcop.org, it's really a firewall distro, with dhcp and proxy. 1.3 and 1.4 etc (still alpha) will use 2.4 and iptables, the previous ones use 2.2 and ipchains. Can be put outside your current firewall.

> Here are the firewall rules that set NOCAT up. I just need the
> iptables commands to shut down client to client traffic to add to
> these:
>
> Localnet is 192.168.19.0/255.255.255.0 on wlan0
> External device is eth0
>
> #!/bin/sh
> ##
> #
> # initialize.fw: setup the default firewall rules
> #
> # *** NOTE ***
> #
> # If you want to have local firewall rules in addition to what NoCat
> # provides, add them at the bottom of this file. They will be
> # recreated each time gateway is restarted.
> #
> ##
>
> # The current service classes by fwmark are:
> #
> # 1: Owner
> # 2: Co-op
> # 3: Public
> # 4: Free
>
> PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
> export PATH
>
> # Enable IP forwarding and rp_filter (to kill IP spoof attempts).
> #
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
>
> # Load alllll the kernel modules we need.
> #
> rmmod ipchains > /dev/null 2>&1 # for RH 7.1 users.

...and 'rpm -e ipchains'... ;-)
* Re: denying local traffic --SOLUTION
From: Doug Yeager @ 2003-02-12 12:05 UTC
To: netfilter

I'm an idiot. Found out that wi-fi acts on layer 3 and netfilter code can't do much about it. It acts as a "hub" just like Arnt has pointed out. So the hostap guys said there is a configuration for this if you are using the hostap code to run the access point. It is pretty handy code for a situation like this. Here was the solution:

> is there a way to not allow this using hostap? any settings at compile
> time to only allow traffic from client to AP? but not client to client
> through ap?

Yes, you can disable this internal driver bridge code by setting ap_bridge_packets to 0: 'prism2_param wlan0 ap_bridge_packets 0'. This does not require any compile time configuration.

At 03:11 AM 02/12/2003 +0100, Arnt Karlsen wrote:
> On Tue, 11 Feb 2003 18:34:32 -0500,
> "Doug Yeager" <doug@aircomwireless.net> top posted, err,
> top mailed in message <000701c2d226$24f56f50$bb00a8c0@DOUG1>:
>
> > Arnt,
> > Thank you very much.
> > I think I understand what you are saying. Just wanted to clear a few
> > things up:
> >
> > This is the case:
> > > ..if people bring their own boxes
> >
> > > plug_ all wintendo ports, 137 thru 139. _Plug_ goes anywhere
> > > between the humanistic "reject" thru "drop" to less so "mirror",
> > > "same", and "tarpit".
> >
> > What are the wintendo ports? What purpose do they serve on windows
> > machines? I'm hoping you are referring to the ports that show the
> > shared folders and such, so that I can prevent open file sharing by
> > blocking them. That is really what I want.
>
> ..yup. 137 thru 139, there may be more, I don't know wintendo
> that well, I dropped wintendo95 in 1997, 23 reinstalls in my last
> 5 weeks... I took the hint. ;-)
>
> ..the wise way is block _everything_ below 1024, and then
> pop open _only_ the ports you need.
>
> > If hostap acts like a hub, how can I manage any of these ports w/
> > iptables?
>
> ..you can't, ip address or not, _all_ antennas hear the same packets.
> You're left with vpn tunnels, ok, you _can_ use WEP etc too, it might
> not hurt too much, overheadwise. Ok, iptables _can_ help deny and award
> a wifi card ip traffic access, and iptables can match on mac addresses.
>
> ..in patch-o-matic, a few more modules can be thrown in to help
> troubleshoot your coffeeshop site, conn'track'ers etc.
>
> ..once you're done, anonymize ip's where needed and post your solution
> on the list, there are more people around who need this knowledge.
>
> > Something like this does not work unless I'm trying to do it wrong:
> > Is this because of the HUB issue?
> >
> > iptables -A INPUT -d 192.168.19.1 -i wlan0 -j ACCEPT #allow packets to AP
> > iptables -A INPUT -d 192.168.19.0/255.255.255.0 -i wlan0 -j DENY #deny lan
> >
> > of course, it would be a similar command for the port blocking right?
> >
> > thx again,
> > doug
* strange log entries
From: Willi Mann @ 2003-02-11 15:13 UTC
To: netfilter

Hi!

I'm fighting with some strange log entries in my firewall. The machine is a proxy server and these entries appear only while the proxy (squid) is heavily used (about 200 hits/minute, so I don't think it's caused by ip_conntrack_max=16376).

I allow all ESTABLISHED,RELATED connections and of course some ports (8080) in the INPUT chain, and all connections in the OUTPUT chain. The rest of the INPUT chain is logged with a stateNEW or stateINVALID prefix, e.g.:

stateNEW: IN=eth1 OUT= MAC=xxx SRC=131.131.131.131 DST=193.193.193.193 LEN=1500 TOS=0x00 PREC=0x00 TTL=47 ID=10226 DF PROTO=TCP SPT=80 DPT=37678 WINDOW=33304 RES=0x00 ACK URGP=0

The flags vary: ACK; ACK,FIN; ACK,PSH,FIN.

Does anybody know the reason for this? Bug in netfilter, bug in remote system?

Willi Mann
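A triage script for LOG lines of the shape quoted above, as an added example that is not from the thread: a TCP segment that carries no SYN yet lands in the stateNEW/stateINVALID log matched no connection conntrack was still tracking, which is what a late FIN/ACK or retransmission of an already closed or timed-out connection looks like, whereas an entry with SYN is a genuine connection attempt and deserves a different look. The sample lines are constructed for this example (the first copies the shape of the quoted entry); classify_log, stray_count and nth_class are this script's own names.

```shell
#!/bin/sh
# Classify netfilter LOG lines into genuine connection attempts (SYN), stray
# TCP segments of connections conntrack no longer knows (no SYN), and
# everything else. Added example, not code from the thread.

# Constructed sample, not from a real host. Line 3 carries a syslog prefix to
# show the parser copes with it; line 4 is an INVALID-logged RST.
LOG_SAMPLE='stateNEW: IN=eth1 OUT= MAC=xxx SRC=131.131.131.131 DST=193.193.193.193 LEN=1500 TOS=0x00 PREC=0x00 TTL=47 ID=10226 DF PROTO=TCP SPT=80 DPT=37678 WINDOW=33304 RES=0x00 ACK URGP=0
stateNEW: IN=eth1 OUT= MAC=xxx SRC=131.131.131.131 DST=193.193.193.193 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=10227 DF PROTO=TCP SPT=80 DPT=37678 WINDOW=33304 RES=0x00 ACK FIN URGP=0
Feb 11 15:02:11 proxy kernel: stateNEW: IN=eth1 OUT= MAC=xxx SRC=10.9.8.7 DST=193.193.193.193 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
stateINVALID: IN=eth1 OUT= MAC=xxx SRC=131.131.131.131 DST=193.193.193.193 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=10228 PROTO=TCP SPT=80 DPT=37678 WINDOW=0 RES=0x00 RST URGP=0
stateNEW: IN=eth1 OUT= MAC=xxx SRC=10.9.8.8 DST=193.193.193.193 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=UDP SPT=1234 DPT=8080 LEN=58'

# classify_log: reads LOG lines on stdin and prints one line per input:
#     <prefix> <src>:<sport> -> <dst>:<dport> <class>
# class is genuine-new (TCP with SYN), stray-tcp (TCP without SYN) or non-tcp.
# The log prefix is taken as the token directly before the first IN= field,
# so bare lines and syslog lines both work. Flag names (SYN, ACK, FIN, ...)
# appear as bare tokens without "=", which is how they are told apart.
classify_log() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i ~ /^IN=/) break
        prefix = (i > 1) ? $(i - 1) : "?"
        sub(/:$/, "", prefix)
        src = dst = spt = dpt = proto = ""; syn = 0
        for (; i <= NF; i++) {
            n = index($i, "=")
            k = n ? substr($i, 1, n - 1) : $i
            v = n ? substr($i, n + 1) : ""
            if (k == "SRC") src = v
            else if (k == "DST") dst = v
            else if (k == "SPT") spt = v
            else if (k == "DPT") dpt = v
            else if (k == "PROTO") proto = v
            else if (k == "SYN") syn = 1
        }
        if (proto != "TCP") cls = "non-tcp"
        else if (syn) cls = "genuine-new"
        else cls = "stray-tcp"
        printf "%s %s:%s -> %s:%s %s\n", prefix, src, spt, dst, dpt, cls
    }'
}

# stray_count: number of sample entries that are stray TCP segments, the kind
# of entry the question describes (server port 80, ACK/FIN, no SYN).
stray_count() {
    printf '%s\n' "$LOG_SAMPLE" | classify_log | grep -c ' stray-tcp$'
}

# nth_class: the classification line for sample entry N.
nth_class() {
    printf '%s\n' "$LOG_SAMPLE" | classify_log | sed -n "${1}p"
}
```

On a live box, `grep stateNEW /var/log/messages | classify_log | sort | uniq -c` gives a quick count of stray versus genuine entries per peer.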
* denying local traffic
From: Doug Yeager @ 2003-02-11 16:06 UTC
To: netfilter

I'm using nocat as a wireless gateway w/ the hostap driver. This is great because I should be able to use iptables firewall rules to administer things. I've had some success w/ these rules as I'm new to iptables.

What I can't figure out is how to block local traffic between clients on the LAN. Basically, I want them to be invisible to each other but be able to get to the internet through the gateway. Right now they can get to the internet but can see each other's shares and so forth. What should be the iptables commands for doing this?

My lan is 192.168.19.0/255.255.255.0

Help would be great as I've attempted many things w/o success.

Thx,
doug