RE: How to isolate wireless clients from each other

----------------------------------------
> Date: Tue, 7 May 2013 07:17:20 -0500
> From: rob0@xxxxxxxxx
> To: netfilter@xxxxxxxxxxxxxxx
> Subject: Re: How to isolate wireless clients from each other
>
> On Mon, May 06, 2013 at 06:36:52PM +0000, jack seth wrote:
> > Does anyone know how to totally isolate wireless clients from
> > each other that are on a hotspot/guest WLAN?  I thought ebtables
> > might be the way but I can't figure it out.  Thanks!
>
> If CONFIG_BRIDGE_NETFILTER=y you should be able to filter this in
> your FORWARD chain, e.g., for an unbridged wlan0:
>
> -A FORWARD -i wlan0 -o wlan0 -j DROP
>
> (You might want to use a user chain with appropriate REJECT rules for
> the protocol in question.)
>
> If CONFIG_BRIDGE_NETFILTER=y and wlan0 is part of a bridge, you would
> need the physdev match:
>
> -A FORWARD -i br0 -o br0 -m physdev --physdev-in wlan0 --physdev-out wlan0 -j DROP
>
> However, do note that 802.11, being radio traffic, can be sniffed by
> any receiver. You cannot prevent that.
> --
> http://rob0.nodns4.us/ -- system administration and consulting
> Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

First, thanks for the response.  I'm not sure what 'CONFIG_BRIDGE_NETFILTER=y' is.  Is this 'setting' and the rules you posted for iptables or ebtables?  Let me provide some additional information.  This is on my router.  The clients are on the 'wl0.1' interface.  This interface is inside the 'br1' bridge.  Another question I have is what interface is the router on in this scenario?  The 2.4 GHz wireless interface is 'eth1' for this router but 'brctl show' doesn't show that interface in the bridge.  Is the router somehow on 'wl0.1' also?  I am wondering what interface the router is on because I want to block the clients from the router also except what is necessary for internet to work.
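
Added example, not part of the original thread: a shell function that chooses between the two iptables rule forms quoted above by checking whether the interface is a bridge port and whether bridged frames are handed to iptables. It assumes the Linux sysfs `brport/bridge` link and the `bridge-nf-call-iptables` sysctl are the indicators to read; the function names and the `SYSFS`/`PROCFS` overrides are hypothetical.

```shell
#!/bin/sh
# Added example: prints the FORWARD rule that drops client-to-client traffic
# on one interface, in the unbridged or the physdev form quoted in the thread.
# SYSFS and PROCFS can be overridden (assumed names) so the logic can be run
# against a constructed directory tree instead of a live router.
SYSFS="${SYSFS:-/sys}"
PROCFS="${PROCFS:-/proc}"

# Print the bridge the interface is a port of; fail if it is unbridged.
bridge_of() {
    link="$SYSFS/class/net/$1/brport/bridge"
    [ -L "$link" ] || return 1
    basename "$(readlink "$link")"
}

# Succeed only if bridged frames are passed to iptables (bridge netfilter on).
bridge_nf_enabled() {
    f="$PROCFS/sys/net/bridge/bridge-nf-call-iptables"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Return codes: 0 rule printed, 2 unknown interface, 3 bridge netfilter off.
isolation_rule() {
    ifc="$1"
    if [ ! -d "$SYSFS/class/net/$ifc" ]; then
        echo "no such interface: $ifc" >&2
        return 2
    fi
    if br="$(bridge_of "$ifc")"; then
        if ! bridge_nf_enabled; then
            # Without bridge netfilter the FORWARD chain never sees frames
            # switched inside the bridge, so the rule would silently do nothing.
            echo "$ifc is a port of $br, but bridge netfilter is off" >&2
            return 3
        fi
        echo "-A FORWARD -i $br -o $br -m physdev --physdev-in $ifc --physdev-out $ifc -j DROP"
    else
        echo "-A FORWARD -i $ifc -o $ifc -j DROP"
    fi
}

# Stand-alone use: sh script.sh wl0.1
if [ "$#" -gt 0 ]; then
    isolation_rule "$1"
fi
```

The output is in the same `-A FORWARD ...` form as the rules in the thread, so it can be reviewed before being passed to `iptables`.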



