Hi,

On 6/18/20 2:01 AM, Thomas Pedersen wrote:
> On 2020-06-17 23:00, Thomas Pedersen wrote:
>> On 2020-06-14 13:10, Hooman wrote:
>>> I have created a WiFi hotspot using Ubuntu 20.04. Under the hood it
>>> uses wpa_supplicant to create the AP. I'm trying to enable client
>>> isolation, so that devices on the hotspot network cannot send packets
>>> to each other. So once the hotspot is set up, I do the following:
>>>
>>> #sudo wpa_cli -i wlan0
>>>> set ap_isolate 1
>>> OK
>>>> get ap_isolate
>>> 1
>>>
>>> So I see that AP isolate is enabled. However, I still can send packets
>>> from one device to another on the hotspot network. Why is that? Am I
>>> missing something?
>>
>> Are the AP and STA interfaces on a bridge with hairpinning enabled?
>
> Sorry, obviously meant just the AP interface.
>

Thank you for your response. I don't see any bridge information when I
run the brctl command:

> root@myuser:~# brctl show
> bridge name     bridge id               STP enabled     interfaces

The list is empty. Can you tell me how I can check if there's a bridge
with hairpinning on the interface?

Also, to give you some background and info about my setup: I am using
the Ubuntu 18.04 default hotspot feature. The hotspot creates a network
on a subnet on my wifi interface:

> root@myuser:~# ifconfig
> eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 25.02.224.105  netmask 255.255.252.0  broadcast 25.02.227.255
>         inet6 fe80::3521:18e2:11d9:7c70  prefixlen 64  scopeid 0x20<link>
>         ether 2e:61:a5:b2:3d:88  txqueuelen 1000  (Ethernet)
>         RX packets 1144162  bytes 508133990 (508.1 MB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 89831  bytes 7271961 (7.2 MB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>         device interrupt 17  memory 0xb1200000-b1220000
>
> wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 10.42.0.1  netmask 255.255.255.0  broadcast 10.42.0.255
>         inet6 fe80::c112:bd92:d15:ea96  prefixlen 64  scopeid 0x20<link>
>         ether ac:6f:d2:2a:1b:9a  txqueuelen 1000  (Ethernet)
>         RX packets 0  bytes 0 (0.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 92  bytes 11830 (11.8 KB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Some other info about the setup:

> root@myuser:~# ip link show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> 2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
>     link/ether 2e:61:a5:b2:3d:88 brd ff:ff:ff:ff:ff:ff
> 3: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000
>     link/ether ac:6f:d2:2a:1b:9a brd ff:ff:ff:ff:ff:ff
> root@myuser:~# ip rule show
> 0:      from all lookup local
> 32766:  from all lookup main
> 32767:  from all lookup default
> root@myuser:~# ip route show
> default via 25.02.224.1 dev eth1 proto dhcp metric 100
> 10.42.0.0/24 dev wlan1 proto kernel scope link src 10.42.0.1 metric 600
> 25.02.224.0/22 dev eth1 proto kernel scope link src 25.02.224.105 metric 100
> 169.254.0.0/16 dev eth1 scope link metric 1000
> root@myuser:~# ip netconf
> ipv4 dev lo forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
> ipv4 dev eth1 forwarding on rp_filter loose mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
> ipv4 dev wlan1 forwarding on rp_filter strict mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
> ipv4 all forwarding on rp_filter strict mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
> ipv4 default forwarding on rp_filter strict mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
> ipv6 dev lo forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
> ipv6 dev eth1 forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
> ipv6 dev wlan1 forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
> ipv6 all forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
> ipv6 default forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
> root@myuser:~# brctl show
> bridge name     bridge id               STP enabled     interfaces
> root@myuser:~# arp -a
> ? (25.02.224.104) at 2e:61:a5:b2:3e:25 [ether] on eth1
> ? (10.42.0.57) at f6:2e:23:4b:72:ae [ether] on wlan1
> ? (25.02.224.1) at 00:00:0c:9f:f0:e0 [ether] on eth1

The hotspot feature creates some iptables rules:

> root@myuser:~# iptables -vL -t filter
> Chain INPUT (policy ACCEPT 284K packets, 89M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     udp  --  wlan1  any     anywhere             anywhere             udp dpt:bootps
>     0     0 ACCEPT     tcp  --  wlan1  any     anywhere             anywhere             tcp dpt:bootps
>     0     0 ACCEPT     udp  --  wlan1  any     anywhere             anywhere             udp dpt:domain
>     0     0 ACCEPT     tcp  --  wlan1  any     anywhere             anywhere             tcp dpt:domain
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  any    wlan1   anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  wlan1  any     10.42.0.0/24         anywhere
>     0     0 ACCEPT     all  --  wlan1  wlan1   anywhere             anywhere
>     0     0 REJECT     all  --  any    wlan1   anywhere             anywhere             reject-with icmp-port-unreachable
>     0     0 REJECT     all  --  wlan1  any     anywhere             anywhere             reject-with icmp-port-unreachable
>
> Chain OUTPUT (policy ACCEPT 13186 packets, 1539K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
>
> root@myuser:~# iptables -vL -t nat
> Chain PREROUTING (policy ACCEPT 110K packets, 27M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain INPUT (policy ACCEPT 110K packets, 27M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 1309 packets, 99285 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 1276 packets, 96891 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    33  2394 MASQUERADE  all  --  any    any     10.42.0.0/24        !10.42.0.0/24
>
>
> root@myuser:~# iptables -vL -t mangle
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
>
> root@myuser:~# iptables -vL -t raw
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
>
> root@myuser:~# iptables -vL -t security
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination

There are no ebtables:

> root@myuser:~# ebtables -t broute -L
> Bridge table: broute
>
> Bridge chain: BROUTING, entries: 0, policy: ACCEPT
>
>
> root@myuser:~# ebtables -t filter -L
> Bridge table: filter
>
> Bridge chain: INPUT, entries: 0, policy: ACCEPT
>
> Bridge chain: FORWARD, entries: 0, policy: ACCEPT
>
> Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
>
>
> root@myuser:~# ebtables -t nat -L
> Bridge table: nat
>
> Bridge chain: PREROUTING, entries: 0, policy: ACCEPT
>
> Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
>
> Bridge chain: POSTROUTING, entries: 0, policy: ACCEPT

Now Machine A is on 10.42.0.34 and Machine B is on 10.42.0.57. Machine A
(10.42.0.34) can ping Machine B (10.42.0.57) and can also ping 8.8.8.8
(external: Google).

These ebtables rules don't have any effect:

> sudo ebtables -t broute -F
> sudo ebtables -t broute -P BROUTING DROP
>
>
> sudo ebtables -t nat -F
> sudo ebtables -t nat -P PREROUTING DROP
> sudo ebtables -t nat -P OUTPUT DROP
> sudo ebtables -t nat -P POSTROUTING DROP
>
>
> sudo ebtables -t filter -F
> sudo ebtables -t filter -P INPUT DROP
> sudo ebtables -t filter -P OUTPUT DROP
> sudo ebtables -t filter -P FORWARD DROP

The following iptables rules stop packets from Machine A to Google but
not from Machine A to B:

> sudo iptables -t mangle -I PREROUTING -j DROP
> sudo iptables -t filter -I FORWARD -j DROP
> sudo iptables -t raw -I PREROUTING -j DROP

The only way I can stop packets from Machine A to B for a few seconds is
to flush the arp cache by running:

> sudo ip -s -s neigh flush all

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
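Two checks that the message above leaves a practitioner wanting, as an added example that is not code from the hostap thread or from hostapd/wpa_supplicant: how to read hairpin mode off a bridge port (the question Hooman asks Thomas), and how to tell from the FORWARD counters whether client-to-client traffic is traversing the host's IP layer at all. In the output shown, the `wlan1 -> wlan1` FORWARD rule stays at 0 packets and an unconditional `FORWARD -j DROP` does not stop A from reaching B, which is exactly the pattern these helpers flag as "below-ip-layer": the frames are being relayed between stations without ever hitting netfilter, so neither iptables nor (with no bridge present) ebtables can see them, and AP-side isolation is the only control that can act on them. The sample outputs are constructed, and the interface names wlan1, eth1 and br0 are assumed for the example.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the hostap thread). They parse the text
# of `bridge -d link show` and `iptables -vxL -t filter` so the checks can be
# exercised offline on the constructed samples below; on a live host, pipe
# the real command output into the functions instead. -x keeps counters as
# plain integers, so abbreviations such as 284K never reach the arithmetic.

# Constructed sample of `bridge -d link show`: wlan1 is a port of br0 with
# hairpin mode on, eth1 is a port of the same bridge with hairpin off.
SAMPLE_BRIDGE_LINK='3: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 100 hairpin on guard off
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 100 hairpin off guard off'

# Constructed sample of `iptables -vxL -t filter`, shaped like the FORWARD
# chain in the thread, captured before a client-to-client ping test.
SAMPLE_FILTER_BEFORE='Chain INPUT (policy ACCEPT 284000 packets, 89000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      17       1200 ACCEPT     udp  --  wlan1  any     anywhere             anywhere             udp dpt:bootps

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  any    wlan1   anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
       0          0 ACCEPT     all  --  wlan1  any     10.42.0.0/24         anywhere
       0          0 ACCEPT     all  --  wlan1  wlan1   anywhere             anywhere
       0          0 REJECT     all  --  any    wlan1   anywhere             anywhere             reject-with icmp-port-unreachable'

# Constructed "after" capture for the case where the host really did route
# the pings between the two clients (counter moved from 0 to 4).
SAMPLE_FILTER_AFTER_HOSTPATH='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  any    wlan1   anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
       4        336 ACCEPT     all  --  wlan1  wlan1   anywhere             anywhere'

# port_hairpin IFACE  (reads `bridge -d link show` or `ip -d link show` on stdin)
# Prints not-a-bridge-port, hairpin-on or hairpin-off for IFACE.
port_hairpin() {
    awk -v ifc="$1" '
        $2 == (ifc ":") {
            found = 1
            # Only bridge ports carry a "master <bridge>" token.
            if (index($0, " master ") == 0) { print "not-a-bridge-port"; exit }
            if (index($0, " hairpin on") > 0) print "hairpin-on"; else print "hairpin-off"
            exit
        }
        END { if (!found) print "not-a-bridge-port" }'
}

# forward_pkts IN OUT  (reads `iptables -vxL -t filter` on stdin)
# Sums the pkts column of FORWARD rules whose in/out interfaces match.
forward_pkts() {
    awk -v in_if="$1" -v out_if="$2" '
        /^Chain / { chain = $2; next }   # remember which chain we are in
        chain == "FORWARD" && $6 == in_if && $7 == out_if { total += $1 }
        END { print total + 0 }'
}

# classify_path BEFORE AFTER
# If the wlan1->wlan1 FORWARD counter grew during a client-to-client test,
# the traffic is routed by the host and netfilter rules apply; if it did not
# move while the test succeeded, the relay happens below the IP layer.
classify_path() {
    if [ "$2" -gt "$1" ]; then
        echo "host-forwarded"
    else
        echo "below-ip-layer"
    fi
}

# Walk-through on the constructed samples.
state=$(printf '%s\n' "$SAMPLE_BRIDGE_LINK" | port_hairpin wlan1)
before=$(printf '%s\n' "$SAMPLE_FILTER_BEFORE" | forward_pkts wlan1 wlan1)
after=$(printf '%s\n' "$SAMPLE_FILTER_AFTER_HOSTPATH" | forward_pkts wlan1 wlan1)
echo "wlan1 as bridge port: $state"
echo "FORWARD wlan1->wlan1 pkts $before -> $after: $(classify_path "$before" "$after")"
echo "no counter movement would classify as: $(classify_path "$before" "$before")"
```

On the host from the thread, `bridge -d link show dev wlan1` prints nothing (no bridge exists, as the empty `brctl show` already indicates), so `port_hairpin` answers not-a-bridge-port and hairpinning is ruled out; the useful next reading is `iptables -vxL -t filter` before and after a ping from Machine A to Machine B, which on the evidence in the message will show the wlan1-to-wlan1 counter unchanged and therefore a relay the host's netfilter cannot influence.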