A Linux router/bridge/access point filtering question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello!

At home I have a network topology like this:

Internet
 |
[D-Link router] 192.168.0.254
 |             | | |
eth0      [Machine 1,2,3] 192.168.0.1-3
 |
[Linux-box] 192.168.0.4
 |             |
eth1       ra0
 |             |
LAN       WLAN - (my notebook) 192.168.1.x
(friends
machines)
192.168.0.5-x

So I have a wired router having four computers on it (it's a 4
ethernet port type DLink model). One of these machines is a simple
Linux server which has 3 interfaces: eth0 through it connects to the
wired router, eth1 on which it provides connectivity for my friends
computers and ra0 an rt2500 based wireless card.

eth0 and eth1 are bridged actually with brctl (br0). This way
computers connected to eth1 get DHCP, firewalling and NAT services
directly from the DLink router.

Unfortunately current rt2500 code doesn't support AP mode so I run my
ra0 card in Ad-Hoc mode. I set up a DHCP server on the Linux box to
the wireless connection which also provides masquerading for the wlan
network.
(Note: I've tried to include ra0 in the br0 bridge but that way
wireless performance was unacceptable - maybe my rt2500 card didn't
have proper promisc mode support)

I managed to configure this entire setup successfully but I'd like to
achieve one more thing. I'd like to forbid anything except my notebook
to be able to connect to my wlan network. I'd like to do this by
restricting access through mac address filtering. Here's is what I
have now:

As I previously said I run a dhcp3 server on the linux box which
provides 192.168.1.x/24 addresses on the wlan interface. I also set up
SNAT masquerading and ip forwarding (the chain is iptables -t nat -A
POSTROUTING -o br0 -j MASQUERADE).

After experimenting and reading manuals for a few days I managed to
restrict internet access on the wifi net by using the following rules:
iptables -t nat -P PREROUTING DROP #default policy DROP
iptables -t nat -A PREROUTING -s br0 -j ACCEPT #allow connections from
the wired LAN
iptables -t nat -A PREROUTING -s ra0 -m mac --mac-source
00:11:33:e7:52:1a -j ACCEPT # allow only my notebook's NIC to connect
to my wifi network

However I realized that other notebooks with other NICs can still get
DHCP parameters from the dhcp3 server running on the Linux box. I
could configure the server to only serve addresses for my notebook
only but I would prefer if other laptops wouldn't be able to connect
at any level at all - I'd like some rule that drops every packets
coming from other wireless clients with unknown mac addresses. Also I
wouldn't like to restrict my wired LANs in any way.

I have also tried
iptables -A INPUT -i ra0 -m mac --mac-source ! xx:xx:xx:xx:xx:xx -j DROP
iptables -A FORWARD -i ra0 -m mac --mac-source ! xx:xx:xx:xx:xx:xx -j DROP
which didn't do what I liked. Maybe because masquerading, maybe
because of the bridged eth0/1 interfaces.



[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux