[Chilli] IPTABLES

Dennehy, Liam Liam.Dennehy at paperlinx.com
Thu Jun 5 08:04:52 UTC 2014


Has anyone got back to you on this?

Simply:
iptables -I FORWARD 1 -s 10.1.0.0/24 -d 192.168.1.0/24 -j DROP

To prevent people on your LAN talking to your guests:
iptables -I FORWARD 1 -d 10.1.0.0/24 -s 192.168.1.0/24 -j DROP

This inserts a rule on the first line of the FORWARD (routing) iptable dropping packets from and then to the subnets in question (-s for "source" and -d for "destination").

The best starting point is a decent understanding of how IP does routing, and from there take a look at the diagram here that explains how packets flow through the kernel's various tables:
http://l7-filter.sourceforge.net/PacketFlow.png

Without any parameters, the iptables command acts on the "filter" table, as with the two commands above. The NAT table is the one that does your address translation and is specified using "-t nat".

Liam Dennehy
Technical Design Authority
PaperlinX Europe
M: +31 621 877 185
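As an added worked example (this is not code from the thread or from the coova-chilli project), the two rules above wrapped in a small POSIX sh script that applies them idempotently, with the subnets from Steve's mail as defaults. The function names, the DRY_RUN switch and the idea of checking with "iptables -C" before inserting are my additions, as is the assumption that chilli's own FORWARD rules come later in the chain and must not be allowed to match first.

```sh
#!/bin/sh
# Guest/LAN isolation for a CoovaChilli hotspot (example script, not part of the
# thread or of coova-chilli). Subnets default to the ones in the thread:
# HS_LANIF side 10.1.0.0/24 (guests), HS_WANIF side 192.168.1.0/24 (wired LAN).
# Set DRY_RUN=1 to print the iptables commands instead of running them.
GUEST_NET="${GUEST_NET:-10.1.0.0/24}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPTABLES="${IPTABLES:-iptables}"

# One rule specification per line, without chain or position, so the same text
# serves for -C (check), -I (insert) and -D (delete).
isolation_rule_specs() {
    printf '%s\n' "-s $GUEST_NET -d $LAN_NET -j DROP"   # guests -> LAN
    printf '%s\n' "-s $LAN_NET -d $GUEST_NET -j DROP"   # LAN -> guests
}

# Run iptables, or just print the command when DRY_RUN is set.
run_iptables() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
        return 0
    fi
    "$IPTABLES" "$@"
}

# Exit 0 if an identical rule is already in FORWARD (-C needs iptables >= 1.4.11).
# A dry run always reports "absent" so that the insert commands get printed.
rule_present() {
    if [ -n "${DRY_RUN:-}" ]; then
        return 1
    fi
    "$IPTABLES" -C FORWARD "$@" 2>/dev/null
}

# Insert each rule at position 1 of FORWARD unless it is already there. Position 1
# matters: the DROP must be evaluated before any ACCEPT that chilli installs itself.
apply_isolation() {
    isolation_rule_specs | while IFS= read -r spec; do
        # shellcheck disable=SC2086  # splitting $spec into arguments is intended
        set -- $spec
        if ! rule_present "$@"; then
            run_iptables -I FORWARD 1 "$@"
        fi
    done
}

# Delete the rules again, e.g. when the hotspot is taken down.
remove_isolation() {
    isolation_rule_specs | while IFS= read -r spec; do
        # shellcheck disable=SC2086
        set -- $spec
        if rule_present "$@"; then
            run_iptables -D FORWARD "$@"
        fi
    done
}

# Print how many of the isolation rules are currently present (0, 1 or 2).
count_isolation_rules() {
    isolation_rule_specs | {
        n=0
        while IFS= read -r spec; do
            # shellcheck disable=SC2086
            set -- $spec
            if rule_present "$@"; then n=$((n + 1)); fi
        done
        echo "$n"
    }
}

# No verb: only define the functions (useful when the file is sourced).
case "${1:-}" in
    apply)  apply_isolation ;;
    remove) remove_isolation ;;
    status) echo "$(count_isolation_rules) of 2 isolation rules present" ;;
    "")     ;;
    *)      echo "usage: $0 apply|remove|status" >&2; exit 2 ;;
esac
```

Run it as root with "apply" after chilli is up, so that its rules end up below yours; re-running is harmless because of the -C check, and "iptables -L FORWARD -n -v --line-numbers" shows the resulting order and the packet counters. Two caveats: dropping in both directions also stops LAN hosts reaching guest devices, which may or may not be what you want; and FORWARD only sees traffic routed between the two interfaces, so guests can still reach services listening on the hotspot box itself (its 192.168.1.x address included) unless you also filter in the INPUT chain.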

-----Original Message-----
From: chilli-bounces at coova.org [mailto:chilli-bounces at coova.org] On Behalf Of Stephen Davies
Sent: 28 May 2014 20:55
To: chilli at coova.org
Subject: [Chilli] IPTABLES

Hello all,

Does anyone have any experience with IPTABLES and setting up rules to
prevent access from the captive portal clients to the local LAN. My
wireless Coovachilli access point is plugged into my LAN and is assigned
(HS_WANIF) an IP in the range of 192.168.1.x. The wireless captive
portal side (HS_LANIF) is running a subnet of 10.1.0.x.

When a client is authenticated and granted internet access, the client
can access services or ping any device in the private LAN of
192.168.1.x. I want to prevent this for security reasons. I have tried
and tried with various settings in IPTABLES but I am not getting very
far. Does anyone have any pointers or rule examples? I am guessing this
is a very important subject for public access Coovachilli installations.

Thanks
Steve

_______________________________________________
Chilli mailing list
Chilli at coova.org
http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
