Limiting access of a wireless client
So for my parents' home network... I've got a WRT54G running OpenWrt/Xwrt.
However, my 17-year-old brother likes to have his friends over, who bring their laptops and iPods and everything else.
One of them ended up downloading a virus while they were staying over. I'm able to limit their internet access with iptables.
I would like to limit their access to other machines on the network to prevent the virus from spreading to others. Is this possible? Or will all wireless traffic just hit the internal switch on the router and get switched without ever being seen by Linux?
Thanks a bunch for any help :)
The easiest way that I know of would be to use the physdev module for iptables; however, I do not know if that will be compiled into OpenWrt.
This will be a good starting point...
iptables -A FORWARD -m physdev --physdev-in wlan0 ! --physdev-out eth0 -j DROP
Replace wlan0 with your wireless interface and eth0 with the interface used for your WAN. Run ifconfig to find that info out.
If you need further help run these commands and give us the output:
iptables -m physdev -h
That looks like it would block all wireless clients from accessing the internet. I just want to prevent them (or, more preferably, just a single MAC or IP) from accessing other LAN/WLAN clients.
When worst comes to worst, change the SSID :) Just kidding. The computer surely would change everything to the point where they can't access the internet anymore, but this gives me an idea.
Q: What are all of the computers' operating systems? (If most are Windows, then this will be easy.)
Q: What are the Linux distros that everyone uses (if any)?
Q: What is the brand of your router?
Here's my idea. You have an Ethernet cord, right? If so, you can get access to the router and change the SSID. After you have done that, enter all of the stuff in the computers that you want to have access all the time (Windows and some Linux distros are set to connect to a wireless AP automatically if they know all of the security settings), so you should have two wireless profiles in every computer (except for the ones the kids bring over). Be sure to write down your alternate SSID somewhere, along with the WEP codes (for now, until all of the computers are set with the same profile; I'll tell you how to recover it). So now, whenever you feel as if your brother's friends are getting a little too destructive with it, just go and change the router's SSID to the alternate one you just assigned all of the computers to recognize (if you forgot it, I'll explain it later in the statement). After you do this, all of the other computers in the house should connect to the internet just fine after they disconnect from the network and recognize the alternate profile, all except for the strange house guests' computers; because they do not recognize the profile, they will be cut off until you decide to change it back to the original SSID.
It would be smarter for you to secure the AP in the first place. If you haven't done so, you should secure your network using WEP or WPA encryption. To do this you need to access the router hardwired (I'm assuming you haven't secured it, seeing as though you made it sound like people can easily connect to it). So if you decide to secure it (probably a good idea that you do; for all you know, someone could be stealing your network and using it to download something illegal, which is not as rare as you think: I've met someone who was victim to this kind of thing before. It turns out someone in the neighborhood downloaded a game or something and he took the fall for everything. HE WAS FRAMED!!), very bad, so allow me to explain how to secure your router, but first tell me what brand it is.
Netgear: Go into your favorite browser after you have connected to the router through an Ethernet cable.
Type 192.168.1.1 in the address bar and a login window should come up. Here is the default profile:
Go over to Wireless Settings and you should see the security sections to the left or the top. Change the security type to WPA (harder to intercept and crack if one of them happens to know that kind of stuff). Apply, and all the computers should disconnect from it; this is normal. Go around and set all of the computers to the new password you just set. You should now have a secured network; nobody can get on unless you give them the encryption code (pretty sweet, huh?). If you have secured it already and people are still getting in, then go through with my other plan, and make sure the profiles you assign are secure too.
Linksys by Cisco:
The same first procedure as last time (all routers work this way): open up your favorite browser and type 192.168.1.1 in the address bar, and the profile will be as follows:
Now you should be in the router settings. At the top you will see a tab that says Wireless; click on it and you should see another tab underneath it that says Wireless Security. You should now see a drop-down menu; click the arrow and select either WEP or WPA (I suggest WPA; it's harder to intercept and crack if one of the strange house guests just happens to be a professional wireless hacker). Now that you have it set to something, enter a wireless encryption code (recommended that you click Generate). Write it down for now, until you have configured all of the preferred computers to recognize it, then burn it or just throw it away when you're done (guard it with your life, depending on how badly you don't want anyone to access the router :D). Now your brother's friends should have a hard time connecting to the wireless internet unless you give them the code. If they start doing something funny, change the wireless settings to the alternate wireless settings you set earlier. Again, write the other profile down to set the encryption on the computers, then throw it away; don't worry if you forget what the settings were.
Don't worry if you forget the WPA or WEP key. Just go to wirelessdefense.org and download the latest version of aircrack-ng from the Windows section, and there should be an app titled wzcook inside of the bin folder of the aircrack file. Execute it and it should bring up all of the wireless profiles entered in your registry. Pretty sweet :D
PS: You need to be an administrator to do this, but you can do it with any profile in Windows XP sometimes. Forget about doing it with Vista. I don't know if they have one for Linux yet; I'll keep an eye out.
Up to now, you should be able to change all of the wireless settings in the router wirelessly (seeing as though your computers now recognize the alternate profile, they should disconnect and reconnect automatically after you apply the changes). But make sure that all of the settings are correct, or else you'll have to configure it through hardwire again. It gets the job done, but it's very inconvenient; what if one of the friends decides to keep you from physically accessing it?
Never set wireless settings with an alternate program; chances are it won't work well. Just set it as I explained.
PS: I'm an expert at making people mad and I'm just getting started.
iptables -A FORWARD -m physdev --physdev-in wlan0 ! --physdev-out eth0 -j DROP

iptables -A FORWARD
This part adds the rule to the FORWARD chain; this is where all packets go, unless they are to/from the router itself.

-m physdev
This loads the 'physdev' module, which is used to find the physical device a packet comes from when it is part of a bridge.

--physdev-in wlan0
This says: "any traffic coming in from the wireless interface."

! --physdev-out eth0
This says: "all traffic going out all interfaces EXCEPT for the eth0 interface (your internet)."

-j DROP
This says: "DROP all traffic that matches the criteria above."

The end result is...
If a packet is not from/going to me (the router)
AND if it is coming from the wireless interface
AND if it is not going to the internet
So if you send a packet from the wireless to the Ethernet LAN, it will be dropped.
If you send a packet from the wireless to another computer on the wireless, it will be dropped.
If you send a packet from the wireless out through the internet, then it will go through.
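An added example that is not part of any post in this thread. It takes SuperJedi's rule one step toward what the original poster actually asked for (cutting off a single guest, picked out by MAC, rather than every wireless client) and adds the check a practitioner wants first: whether bridged wireless-to-LAN frames reach iptables at all (the bridge-nf-call-iptables sysctl), which is precisely the "switched without Linux seeing it" case in the question. The interface names wlan0 and eth0, the chain names and the MAC 00:11:22:33:44:55 are assumptions; take the real names from ifconfig and brctl show on the router. One caveat the rules cannot fix: frames that the access point relays directly between two of its own wireless clients typically never enter the bridge, so wireless-to-wireless isolation depends on the wireless driver's own client-isolation setting, where it offers one.

```shell
#!/bin/sh
# Added example (not from the thread): isolate ONE wireless guest, picked out by
# MAC address, from the other LAN/WLAN hosts while still letting it reach the
# internet.  Interface names, chain names and the sample MAC are assumptions;
# take the real names from `ifconfig` and `brctl show` on the router.
WLAN_IF="${WLAN_IF:-wlan0}"      # assumed: wireless interface, a port of the LAN bridge
WAN_IF="${WAN_IF:-eth0}"         # assumed: WAN interface, NOT part of the bridge
FWD_CHAIN="guest_fwd"            # our rules for guest -> other hosts
IN_CHAIN="guest_in"              # our rules for guest -> the router itself
DRY_RUN="${DRY_RUN:-0}"          # DRY_RUN=1 prints the commands instead of running them

# run: execute a command, or echo it when previewing.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# bridge_nf_enabled [path]: bridged frames (wireless -> wired LAN ports) only
# pass through iptables when this sysctl is 1.  Without it the rules below
# never see LAN-bound traffic and the guest is isolated from nothing.
bridge_nf_enabled() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# guest_isolation_clear: remove everything guest_isolation_rules added,
# so the script can be re-run without piling up duplicate jumps.
guest_isolation_clear() {
    for pair in "FORWARD $FWD_CHAIN" "INPUT $IN_CHAIN"; do
        set -- $pair
        run iptables -D "$1" -j "$2" 2>/dev/null
        run iptables -F "$2" 2>/dev/null
        run iptables -X "$2" 2>/dev/null
    done
}

# guest_isolation_rules <mac>
# Because wlan0 is a bridge port, "-i wlan0" never matches; the physdev match
# recovers the real ingress port.  "-m mac" is a convenience, not security:
# a guest who knows the trick can change their MAC address.
guest_isolation_rules() {
    mac="$1"
    g="-m physdev --physdev-in $WLAN_IF -m mac --mac-source $mac"

    run iptables -N "$FWD_CHAIN"
    run iptables -N "$IN_CHAIN"
    # Hook our chains in FIRST so the distribution's own ACCEPT rules don't win.
    run iptables -I FORWARD -j "$FWD_CHAIN"
    run iptables -I INPUT -j "$IN_CHAIN"

    # Guest -> internet: the packet is routed out of the bridge to the WAN.  Fine.
    run iptables -A "$FWD_CHAIN" $g -o "$WAN_IF" -j ACCEPT
    # Guest -> anything else forwarded (i.e. bridged to a wired LAN host): dropped.
    # Order matters: the ACCEPT above must come before this catch-all.
    run iptables -A "$FWD_CHAIN" $g -j DROP

    # Guest -> the router itself: DHCP and DNS only; no web UI, ssh or telnet.
    run iptables -A "$IN_CHAIN" $g -p udp --dport 67 -j ACCEPT
    run iptables -A "$IN_CHAIN" $g -p udp --dport 53 -j ACCEPT
    run iptables -A "$IN_CHAIN" $g -j DROP
}

# Usage on the router:
#   DRY_RUN=1 sh guest_isolate.sh 00:11:22:33:44:55   # preview the rules
#   sh guest_isolate.sh 00:11:22:33:44:55             # apply them
if [ $# -ge 1 ]; then
    bridge_nf_enabled || echo "warning: bridge-nf-call-iptables is not 1; bridged frames will bypass these rules" >&2
    guest_isolation_clear
    guest_isolation_rules "$1"
fi
```

After applying, have the guest ping a wired host and watch iptables -L guest_fwd -v -n: if the DROP counter does not move, the frames are being switched below iptables (bridge-nf off, or traffic relayed inside the wireless driver) and the rule set is not actually in the path.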
Thanks a ton, SuperJedi. I won't have a chance to test it right now, but I thank you for the breakdown. I'll let you know if it works and any problems I run into :)
No problem, looking forward to hearing about it.