A little iptables help for Guest Access


Login or Register for Dates, Times and to Reply

 
Thread Tools Search this Thread
# 1  
A little iptables help for Guest Access

Hey folks,

I've setup a wifi guest network on an E2500 router running TomatoUSB, that I only want to have internet access provided for.

Did this by creating a separate bridge (br1), then putting it in it's own VLAN, created a virtual wifi interface, then set some firewall rules to isolate that network from the primary wifi network.

However, this router isn't directly connected to a modem on the WAN, it connects to another router on my local LAN (192.168.0.1) first. I've gotten ambituous and want to isolate out the local lan the other router is part of as well by keeping guests from seeing any of the devices there (except the router and the dns server), but it's not working and I can't figure out why…

here's the details:

br0 (full access wifi, 192.168.22.0)
br1 (guest access wifi, 192.168.23.0)
eth0 (E2500 WAN ip is 192.168.0.245, using 192.168.0.1 as gateway to router on local lan that is connected to modem)

I also use my own custom local dns server which is at 192.168.0.121

(ok, so here's the bit I wrote that isolates the two bridges from seeing each other which works fine)
Code:
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o br0 -j ACCEPT
iptables -A FORWARD -i br0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -o eth0 -j ACCEPT

(now here's the bit that I hoped would keep the guests out of the 192.168.0.0 subnet, except for the gateway and DNS ips, but it doesn't work)
Code:
iptables -A FORWARD -s 192.168.0.0/24 -o br1 -j DROP
iptables -A FORWARD -i br1 -s 192.168.0.0/24 -j DROP
iptables -A FORWARD -s 192.168.0.1 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -s 192.168.0.1 -j ACCEPT
iptables -A FORWARD -s 192.168.0.121 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -s 192.168.0.121 -j ACCEPT

I can still ping and access 192.168.0.0 devices from the guest network Smilie

I thought maybe the ordering was the issue, so i tried this as well:
Code:
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o br0 -j ACCEPT
iptables -A FORWARD -i br0 -o eth0 -j ACCEPT
iptables -A FORWARD -s 192.168.0.1 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -s 192.168.0.1 -j ACCEPT
iptables -A FORWARD -s 192.168.0.121 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -s 192.168.0.121 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -o br1 -j DROP
iptables -A FORWARD -i br1 -s 192.168.0.0/24 -j DROP
iptables -A FORWARD -i eth0 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -o eth0 -j ACCEPT

Still no dice...

Any ideas?
Thanks
Mike

Moderator's Comments:
Mod Comment Please use code tags for your code and data, thanks


---------- Post updated at 11:00 AM ---------- Previous update was at 09:35 AM ----------

Nevermind! I figured it out. Also, the way it was written, communication was still happening between the bridges. Replaced all the code with this and now it's correctly blocking all traffic on both between the bridges as well as the local downstream lan..

Code:
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to 192.168.22.1
iptables -I FORWARD -i br1 -m iprange --dst-range 192.168.22.2-192.168.22.254 -j REJECT
iptables -I FORWARD -i br1 -m iprange --dst-range 192.168.0.2-192.168.22.254 -j REJECT


Last edited by vbe; 09-14-2015 at 12:09 PM..
Login or Register for Dates, Times and to Reply

Previous Thread | Next Thread
Thread Tools Search this Thread
Search this Thread:
Advanced Search

8 More Discussions You Might Find Interesting

1. Red Hat

KVM - VM Guest

Background : - Need to create addition 40G storage for VM guest. 1. I have created new KVM - VM guest on RHEL 5.8 server hosting server. 2. Hosting server has occupied all size with LV and there is not space to create new LV. 3. I tried to achieve this requirement by creating 40G file size and... (1 Reply)
Discussion started by: Nats
1 Replies

2. IP Networking

iptables allow access to one site

Hi all I need help with a set of iptables rules that would allow a portion of a bank of ipaddresses acces to only one or two named wbsites. Please advise Thank You Ed (3 Replies)
Discussion started by: wa1ed
3 Replies

3. UNIX for Dummies Questions & Answers

iptables rule to block access from VM Browser to Firewall Login Page

(1 Reply)
Discussion started by: senrabdet
1 Replies

4. Solaris

Why I cannot access internet from Solaris guest using url?

Hi all, I'm using virtualbox bridged adapter Host:Windows 7 Guest: Solaris 11 while I can ping between the host and guess, I cannot access the Internet from the solaris guest. here's my settings: while I can ping 173.194.38.128 (which is actually google.com), I cannot ping... (3 Replies)
Discussion started by: jediwannabe
3 Replies

5. IP Networking

Squid vs iptables = no Squid access.log?

Hello, I have a pretty useless satellite link at home (far from any civilization), so I wanted to set up caching in order to speed things up. My Squid 2.6 runs "3128 transparent" and is set up quite well on a separate machine. I also have my dd-wrt router to move all port 80 traffic through... (0 Replies)
Discussion started by: theWojtek
0 Replies

6. Red Hat

Could not see virtual fc in KVM guest OS

Hi All, I have RHEL 5u4 physical system with 2 Qlogic fc cards. It hosts 2 KVM virtual machines which are also running RHEL 5u4 OS. After all these I have created a virutal HBA (refered in google) successfully on the base OS. But the same is not visible to guest OS. My question here is, ... (1 Reply)
Discussion started by: Vichu
1 Replies

7. Ubuntu

How to set guest static IP

Hi folks, Ubuntu 8.04 server amd64 - host Ubuntu 6.06 server amd64 - guest KVM I referred; The Kernel Virtual Machine https://help.ubuntu.com/community/KVM and couldn't figure out how to set guest static IP address Host; /etc/network/interfaces # This file describes the... (3 Replies)
Discussion started by: satimis
3 Replies

8. IP Networking

cant access certain pages through iptables fw/router

hey, i have a problem with my routing setup i cant figure out. there is a unix router using iptables, and behind that a small lan. everything works when requesting directly from the router, but the machines behind that router cant access certain webpages, ie drupal.org (waits forever to establish... (1 Reply)
Discussion started by: sonicx
1 Replies

Featured Tech Videos