Re: IPTABLES rule for separating users

erikmccaskey64 wrote:
> I have an OpenWrt 10.03 router [ IP: 192.168.1.1 ], and it has a DHCP
> server pool: 192.168.1.0/24 - clients are using it through
> wireless/wired connection. Ok!
>
> Here's the catch: I need to separate the users from each other.
>
> How I need to do it: by IPTABLES rule [ /etc/firewall.user ]. Ok!
>
> "Loud thinking": So I need a rule something like this [on the OpenWrt
> router]:
>
> - DROP where SOURCE: 192.168.1.2-192.168.1.255 and DESTINATION is
> 192.168.1.2-192.168.1.255
>
> The idea is this. Ok!
>
> Questions!
> - Will I lock myself out if I apply this firewall rule?
> - Is this a secure method? [ is it easy to do this?: hello, I'm a
> client, and I say, my IP address is 192.168.1.1! - now it can sniff the
> unencrypted traffic! :( - because all the clients are in the same subnet! ]

Why? Is your DHCP handing out a big subnet mask instead of /32 mask to make them 
go through the router? Or drop anything but the VPN port and make them encrypt, 
which helps. But people will set up clients badly, and you probably can't keep 
the wireless clients apart.

> - Are there any good methods to find/audit for duplicated IP addresses?

arpwatch may help; it will tell you if two MACs share an IP.

> - Are there any good methods to find/audit for duplicated MAC addresses?

I don't know any which fit my idea of "good," no.

> - Are there any good methods to do this IPTABLES rule on Layer2?:
> `$ wget -q
> "http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/" -O - |
> grep -i ebtables`
> `$ `
>
You have one approach there; use of "ip route" may allow some methods.

If you are using encryption on the wifi, I think some of the problems are 
addressed; there should be a session key so nothing should be "in the clear." 
Forcing VPN takes that a step farther; only accepting packets from known MACs will 
eliminate some attacks, but wireless in general isn't secure without VPN.

-- 
Bill Davidsen <davidsen@xxxxxxx>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
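As an added example (not code from Bill or the original poster), here is a firewall.user fragment that drops client-to-client traffic at both layers and answers the lock-out question by leaving the router's own address out of the range. It assumes the LAN bridge is br-lan, the iptables-mod-iprange and ebtables packages are installed on the router, and the wifi-iface has `option isolate 1` so the AP itself stops forwarding between its own stations.

```shell
#!/bin/sh
# Added example for /etc/firewall.user on OpenWrt, not code from the thread.
# Assumes: LAN bridge br-lan, subnet 192.168.1.0/24, router at 192.168.1.1,
# clients at .2-.254, packages iptables-mod-iprange and ebtables installed.
LAN_IF="${LAN_IF:-br-lan}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
CLIENTS="${CLIENTS:-192.168.1.2-192.168.1.254}"

# With DRY_RUN set, print each command instead of running it (review/tests).
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Create (or flush) a user chain and hook it at the top of FORWARD exactly
# once, so reloading firewall.user does not stack duplicate hooks.
# $1 = iptables|ebtables, $2 = chain, remaining args = match for the hook.
hook_chain() {
  tool=$1; chain=$2; shift 2
  run "$tool" -N "$chain" 2>/dev/null || true
  run "$tool" -F "$chain"
  run "$tool" -D FORWARD "$@" -j "$chain" 2>/dev/null || true
  run "$tool" -I FORWARD "$@" -j "$chain"
}

# Layer 3: only packets routed through the router are seen here. The range
# starts at .2, so flows to or from 192.168.1.1 never match and an SSH
# session to the router survives loading these rules remotely.
client_isolation_l3() {
  hook_chain iptables client_isolation -i "$LAN_IF" -o "$LAN_IF"
  run iptables -A client_isolation -m iprange --src-range "$CLIENTS" \
      -m iprange --dst-range "$CLIENTS" -j DROP
}

# Layer 2: frames bridged between wired ports and wifi never reach iptables,
# so ebtables drops bridged IPv4 between LAN hosts and bridged ARP. Frames
# to or from the router itself use INPUT/OUTPUT, not FORWARD, so DHCP and
# ARP with 192.168.1.1 keep working while a client's ARP claims for the
# router's address no longer reach the other clients.
client_isolation_l2() {
  hook_chain ebtables client_isolation
  run ebtables -A client_isolation -p IPv4 --ip-src "$LAN_NET" \
      --ip-dst "$LAN_NET" -j DROP
  run ebtables -A client_isolation -p ARP -j DROP
}

apply_all() { client_isolation_l3; client_isolation_l2; }

# Review with: DRY_RUN=1 sh firewall.user apply   (prints, loads nothing)
# Load with:   sh firewall.user apply
if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Hosts plugged into the same switch ports of the router still talk directly without the CPU seeing a frame, so wired isolation additionally needs each port in its own VLAN.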
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx