Re: denying local traffic


On Tue, 11 Feb 2003 15:20:19 -0500, 
"Doug Yeager" <doug@aircomwireless.net> top-posted in message 
<000601c2d20b$035c2980$bb00a8c0@DOUG1>:

> Cool,
> 
> This is my first ascii art attempt:
> 
> /--------------------\
> |  INTERNET          |
> \--------------------/
>        |
>        |
> /----linux server---------------------\
> |  no cat gateway on eth0             |
> |  iptables                           |
> |  dhcp  192.168.19.0/255.255.255.0   |
> |  hostap on wlan0 192.168.19.1       |
> \-------------------------------------/
>    |             |            |
>    |             |            |
> /-------\       /-------\     /-----------\
> |client1|       |client2|     |client3    |
> \-------/       \-------/     \-----------/

..not at all bad.  :-)

> clients are of all flavors of OS.  And the users are not too smart
> either.
> It is in a coffee shop and users frequently leave shared drives open.
> 
> I want to be able to shut down all communications between clients so
> they get to surf the net but not each other.  

..first, _plug_ all wintendo ports, 137 thru 139.  _Plug_ goes anywhere 
between the humanistic "reject" thru "drop" to less so "mirror", "same",
and "tarpit".  On the other hand, if these coffee shop boxes are to
generate profits for the coffee shop, junk the wintendos and install 
Mandrake-9.0 or later, and set up game servers.  

..if people bring their own boxes, and you have a 802.11 service,
_plug_ the wintendo ports and wrap _all_ wifi traffic in throttled 
vpn tunnels, or you will have someone yanking _all_ the bandwidth 
to copy someone else's stolen music or whatever.  

..a wifi ap is essentially "a hub", and you want "a switch", 
so wrap and throttle.  

..to economize on the link out, consider a proxy server.  An easy 
one to use, is ipcop-1.2 over at ipcop.org, it's really a firewall
distro, with dhcp and proxy.  1.3 and 1.4 etc (still alpha) will 
use 2.4 and iptables, the previous ones use 2.2 and ipchains. 
Can be put outside your current firewall.

> Here is the firewall rules that set NOCAT up.   I just need the
> iptables commands to shut down client to client traffic to add to
> these:
> 
> Localnet is 192.168.19.0/255.255.255.0  on wlan0
> External device is eth0
> 
> 
> 
> 
> #!/bin/sh
> ##
> #
> # initialize.fw: setup the default firewall rules
> #
> # *** NOTE ***
> #
> # If you want to have local firewall rules in addition to what NoCat
> # provides, add them at the bottom of this file.  They will be
> # recreated each time gateway is restarted.
> #
> ##
> 
> # The current service classes by fwmark are:
> #
> #  1: Owner
> #  2: Co-op
> #  3: Public
> #  4: Free
> 
> PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
> export PATH
> 
> # Enable IP forwarding and rp_filter (to kill IP spoof attempts).
> #
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
> 
> # Load alllll the kernel modules we need.
> #
> rmmod ipchains > /dev/null 2>&1 # for RH 7.1 users.

...and 'rpm -e ipchains'... ;-)

> 
> for module in ip_tables ipt_REDIRECT ipt_MASQUERADE ipt_MARK ipt_REJECT \
>     ipt_TOS ipt_LOG iptable_mangle iptable_filter iptable_nat ip_nat_ftp \
>     ip_conntrack ipt_mac ipt_state ipt_mark; do
> 
>     modprobe $module
> done
> 
> # Flush all user-defined chains
> #
> iptables -t filter -N NoCat 2>/dev/null
> iptables -t filter -F NoCat
> iptables -t filter -D FORWARD -j NoCat 2>/dev/null
> iptables -t filter -A FORWARD -j NoCat
> 
> iptables -t filter -N NoCat_Ports 2>/dev/null
> iptables -t filter -F NoCat_Ports
> iptables -t filter -D NoCat -j NoCat_Ports 2>/dev/null
> iptables -t filter -A NoCat -j NoCat_Ports
> 
> iptables -t filter -N NoCat_Inbound 2>/dev/null
> iptables -t filter -F NoCat_Inbound
> iptables -t filter -D NoCat -j NoCat_Inbound 2>/dev/null
> iptables -t filter -A NoCat -j NoCat_Inbound
> 
> iptables -t nat -N NoCat_Capture 2>/dev/null
> iptables -t nat -F NoCat_Capture
> iptables -t nat -D PREROUTING -j NoCat_Capture 2>/dev/null
> iptables -t nat -A PREROUTING -j NoCat_Capture
> 
> iptables -t nat -N NoCat_NAT 2>/dev/null
> iptables -t nat -F NoCat_NAT
> 
> #
> # Only nat if we're not routing
> #
> iptables -t nat -D POSTROUTING -j NoCat_NAT 2>/dev/null
> [ "$RouteOnly" ] || iptables -t nat -A POSTROUTING -j NoCat_NAT
> 
> iptables -t mangle -N NoCat 2>/dev/null
> iptables -t mangle -F NoCat
> iptables -t mangle -D PREROUTING -j NoCat 2>/dev/null
> iptables -t mangle -A PREROUTING -j NoCat
> 
> 
> fwd="iptables       -t filter -A NoCat"
> ports="iptables     -t filter -A NoCat_Ports"
> nat="iptables       -t nat    -A NoCat_NAT"
> redirect="iptables  -t nat    -A NoCat_Capture"
> mangle="iptables    -t mangle -A NoCat"
> 
> if [ "$MembersOnly" ]; then
>   classes="1 2"
> else
>   classes="1 2 3"
> fi
> 
> # Handle tagged traffic.
> #
> for iface in $InternalDevice; do
>     for net in $LocalNetwork; do
>         for fwmark in $classes; do
>             # Only forward tagged traffic per class
>             $fwd -i $iface -s $net -m mark --mark $fwmark -j ACCEPT
> #           $fwd -o $iface -d $net -m mark --mark $fwmark -j ACCEPT
> 
>             # Masquerade permitted connections.
>             $nat -o $ExternalDevice -s $net -m mark --mark $fwmark -j MASQUERADE
>         done
> 
>         # Allow web traffic to the specified hosts, and don't capture
>         # connections intended for them.
>         #
>         if [ "$AuthServiceAddr" -o "$AllowedWebHosts" ]; then
>             for host in $AuthServiceAddr $AllowedWebHosts; do
>                 for port in 80 443; do
>                     $nat      -s $net -d $host -p tcp --dport $port -j MASQUERADE
>                     $redirect -s $net -d $host -p tcp --dport $port -j RETURN
>                     $fwd -s $net -d $host -p tcp --dport $port -j ACCEPT
>                     $fwd -d $net -s $host -p tcp --sport $port -j ACCEPT
>                 done
>             done
>         fi
> 
>         # Accept forward and back traffic to/from DNSAddr
>         if [ "$DNSAddr" ]; then
>             $fwd -i $iface -s $net -d $DNSAddr -p tcp --dport 53 -j ACCEPT
>             $fwd -i $iface -s $net -d $DNSAddr -p udp --dport 53 -j ACCEPT
>             $fwd -o $iface -d $net -s $DNSAddr -j ACCEPT
> 
>             $nat -p tcp -o $ExternalDevice -s $net -d $DNSAddr --dport 53 -j MASQUERADE
>             $nat -p udp -o $ExternalDevice -s $net -d $DNSAddr --dport 53 -j MASQUERADE
>         fi
>     done
> 
>     # Set packets from internal devices to fw mark 4, or 'denied', by default.
>     $mangle -i $iface -j MARK --set-mark 4
> done
> 
> # Redirect outbound non-auth web traffic to the local gateway process
> #
> # If MembersOnly is active, then redirect public class as well
> #
> for port in 80 443; do
>     $redirect -m mark --mark 4 -p tcp --dport $port -j REDIRECT --to-port $GatewayPort
>     if [ "$MembersOnly" ]; then
>         $redirect -m mark --mark 3 -p tcp --dport $port -j REDIRECT --to-port $GatewayPort
>     fi
> done
> 
> 
> 
> # Lock down more ports for public users, if specified. Port
> # restrictions are not applied to co-op and owner class users.
> #
> # There are two philosophies in restricting access:  That Which Is Not
> # Specifically Permitted Is Denied, and That Which Is Not Specifically
> # Denied Is Permitted.
> #
> # If "IncludePorts" is defined, the default policy will be to deny all
> # traffic, and only allow the ports mentioned.
> #
> # If "ExcludePorts" is defined, the default policy will be to allow
> # all traffic, except to the ports mentioned.
> #
> # If both are defined, ExcludePorts will be ignored, and the default policy
> # will be to deny all traffic, allowing everything in IncludePorts,
> # and issue a warning.
> #
> if [ "$IncludePorts" ]; then
>   if [ "$ExcludePorts" ]; then
>     echo "Warning: ExcludePorts and IncludePorts are both defined."
>     echo "Ignoring 'ExcludePorts'.  Please check your nocat.conf."
>   fi
> 
>   # Enable all ports in IncludePorts
>   for iface in $InternalDevice; do
>     for port in $IncludePorts; do
>       $ports -p tcp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
>       $ports -p udp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
>     done
> 
>     # Always permit access to the GatewayPort (or we can't logout)
>     $ports -p tcp -i $iface --dport $GatewayPort -j ACCEPT
>     $ports -p udp -i $iface --dport $GatewayPort -j ACCEPT
> 
>     # ...and disable access to the rest.
>     $ports -p tcp -i $iface -m mark --mark 3 -j DROP
>     $ports -p udp -i $iface -m mark --mark 3 -j DROP
>   done
> 
> elif [ "$ExcludePorts" ]; then
>   # If ExcludePorts has entries, simply deny access to them.
>   for iface in $InternalDevice; do
>     for port in $ExcludePorts; do
>         $ports -p tcp -i $iface --dport $port -m mark --mark 3 -j DROP
>         $ports -p udp -i $iface --dport $port -m mark --mark 3 -j DROP
>     done
>   done
> fi
> 
> #
> # Disable access on the external to GatewayPort from anything but the AuthServiceAddr
> #
> if [ "$AuthServiceAddr" ]; then
>     $fwd -i $ExternalDevice -s ! $AuthServiceAddr -p tcp --dport $GatewayPort -j DROP
> fi
> 
> # Filter policy.
> $fwd -j DROP
> 
> 
> 
> 
> 
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Arnt Karlsen
> Sent: Tuesday, February 11, 2003 2:29 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: denying local traffic
> 
> On Tue, 11 Feb 2003 10:06:40 -0500, 
> "Doug Yeager" <doug@aircomwireless.net> wrote in message 
> <000101c2d1df$3166fb60$bb00a8c0@DOUG1>:
> 
> > I'm using nocat as a wireless gateway w/ the hostap driver. This is 
> > great because I should be able to use iptables firewall rules to 
> > administer things. I've had some success w/ these rules as I'm new
> > to iptables.
> >  
> > What I can't figure out is how to block local traffic between
> > clients on the LAN. Basically, I want them to be invisible to each
> > other but be able to get to the internet through the gateway.
> > Right now they can get to the internet but can see each other's
> > shares and so forth.
>   
> > What should be the iptables commands for doing this?
> >  
> > My lan is 192.168.19.0/255.255.255.0
> 
> ..ascii art figure?  We use vpn (poptop) tunnels, but your net 
> is likely different from ours.  
> 


-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.
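One way to put Arnt's advice (plug 137 thru 139, keep the clients from reaching each other) at the bottom of initialize.fw, where its header says local rules belong, as an added example that is neither NoCat's code nor anything posted in this thread. It assumes wlan0 and the NoCat chain naming from the script above, that hostap's station-to-station relaying is switched off with the iwpriv parameter `ap_bridge_packets` (assumed name; check that `iwpriv wlan0` lists it), and adds port 445 (direct-hosted SMB) on my own account.

```shell
#!/bin/sh
# Added example, not NoCat's initialize.fw and not code from the thread:
# client isolation rules to append at the bottom of initialize.fw, using the
# script's own chain idiom (create, flush, re-hook) so restarts don't stack
# duplicates. Interface assumed from Doug's diagram; DRY_RUN=1 (default)
# prints the commands instead of applying them.
InternalDevice=${InternalDevice:-wlan0}
IPT=iptables; IWPRIV=iwpriv
if [ "${DRY_RUN:-1}" = 1 ]; then IPT=echo; IWPRIV=echo; fi

# hostap relays frames between associated stations inside the driver, so
# FORWARD never sees client-to-client traffic unless that relaying is off
# (assumed hostap parameter name; verify with "iwpriv wlan0").
disable_ap_bridging() {
    $IWPRIV "$1" ap_bridge_packets 0
}

# Own chain hooked in front of NoCat's FORWARD jump, flushed on every run.
setup_local_chain() {
    $IPT -t filter -N NoCat_Local 2>/dev/null
    $IPT -t filter -F NoCat_Local
    $IPT -t filter -D FORWARD -j NoCat_Local 2>/dev/null
    $IPT -t filter -I FORWARD 1 -j NoCat_Local
}

# Plug the "wintendo" ports 137-139 (plus 445, my addition: direct-hosted
# SMB) in both directions on the wireless side, whatever class the client is.
plug_netbios() {
    iface=$1
    for proto in tcp udp; do
        for range in 137:139 445; do
            $IPT -t filter -A NoCat_Local -i "$iface" -p "$proto" --dport "$range" -j DROP
            $IPT -t filter -A NoCat_Local -o "$iface" -p "$proto" --dport "$range" -j DROP
        done
    done
}

# Anything that enters and leaves on the same wireless interface is
# client-to-client, never Internet traffic: drop it before NoCat's
# per-class ACCEPT rules can match it.
isolate_clients() {
    $IPT -t filter -A NoCat_Local -i "$1" -o "$1" -j DROP
}

disable_ap_bridging "$InternalDevice"
setup_local_chain
plug_netbios "$InternalDevice"
isolate_clients "$InternalDevice"
```

Run it once with the default dry run to review the generated commands, then with `DRY_RUN=0` as root; the per-client VPN tunnels and throttling Arnt mentions are a separate layer on top of this.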
