Ahoy.
So i've got this small home network (172.16.16.0/255.255.0.0). I recently was given a hand-me-down Linksys WRT54G2 wifi router, and as a weekend project I decided to employ as a free public "hotspot"-type wireless AP. The network as it stands originally consists of the following:
- 1 Arch Linux PC as an iptables NAT'ing gateway, containing 2 NICs; 1 called "external" going to cable modem, another called "internal" w/static address of 172.16.16.1
- 1 internal Arch machine as a local BIND/DHCP/SMB/OpenVPN server w/static address of 172.16.16.2 (we'll call it "Server1")
- WPA2 wireless N access point for internal network. It's own address is 172.16.16.254
- Numerous connected clients (my gaming box, 2 laptops, media center pc, PS3, smartphones) most with static DHCP reservs.
All this is connected through a gigabit switch. I had a spare 10/100 switch lying around as well. My idea was to use this second switch as the basis for the new public network, 192.168.68.0/255.255.255.0 . Server1 has 2 network jacks on the mobo, so I enabled the second one & set to 192.168.68.2, named "wifi". I added a PCI NIC to the gateway and set it as 192.168.68.1 also named "wifi", making that the 3rd interface in the gateway. I disabled DHCP and all wireless security on the Linksys and set it to a static IP of 192.168.68.254. All these are plugged into that 10/100 switch.
I then set about configuring the existing ISC DHCP server on Server1 adding parameters for the new subnet. I had been doing dynamic local DNS updates for my internal 172.16. network but disabled this for the public one. I'm giving out IP's from 192.168.68.50-100 all with a default router of 192.168.68.1 and DNS of OpenDNS' servers. BIND is configured to only accept requests from 172.16.16.0/16, as is Samba, so no access from the public.
Then I configured iptables on the gateway, adding in what I believe to be the requisite entries to direct traffic from the "wifi" interface to the "external" one, and to allow all input traffic from "wifi". Additionally, I added a rule barring the public wireless clients from accessing any 172.16. clients via the gateway (rejects with icmp-host-prohibited).
The bulk of this setup works; clients are able to connect to the open wifi, pull IP settings from Server1, and be routed through the gateway to the internet with no problem. Here are my issues:
- Public clients are still able to ping/discover the 172.16.16.1 "internal" interface on the gateway, even though I've made the iptables rejection rule for this network (pinging all other 172.16.16.2-254 addresses results in proper rejection)
- From inside the "internal" 172.16.16.x network, I am able to ping clients on the public 192.168.68.x. This is somewhat desirable, as I can quickly see who/what exactly is using the open wifi. However, crazily enough I am NOT able to ping/access the little Linksys WAP (192.168.68.254). Go figure?? Everything else is accessible.
I'm personally more concerned with the fact that public clients can ping/portscan my gateway, although it would be nice to be able to access the Linksys HTTP config from my main internal machines without having to go down to my basement, swap cables, go up, config, go down again, reswap... etc.
Suggestions for these 2 snags would be appreciated, but also any general pointers on my layout, bearing in mind that my networking & Linux knowledge is entirely self-taught. Relevant configs below, and I've attatched a crude graphic of the network layout as well.
============ GATEWAY 172.16.16.1,192.168.68.1
/etc/iptables/iptables.rules
Code:
# Generated by iptables-save v1.4.12.1 on Fri Dec 16 23:02:51 2011
*nat
:PREROUTING ACCEPT [281:34682]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [36:2520]
:POSTROUTING ACCEPT [54:3432]
-A PREROUTING -i external -p udp -m udp --dport 1194 -j DNAT --to-destination 172.16.16.2
-A PREROUTING -i external -p tcp -m tcp --dport 12345 -j DNAT --to-destination 172.16.16.10
-A PREROUTING -i external -p tcp -m tcp --dport 12346 -j DNAT --to-destination 172.16.16.11
-A PREROUTING -i external -p tcp -m tcp --dport 12347 -j DNAT --to-destination 172.16.16.12
-A PREROUTING -i external -p tcp -m tcp --dport 12348 -j DNAT --to-destination 172.16.16.13
-A PREROUTING -i external -p tcp -m tcp --dport 12349 -j DNAT --to-destination 172.16.16.15
-A POSTROUTING -s 172.16.0.0/16 -o external -j MASQUERADE
-A POSTROUTING -s 192.168.68.0/24 -o external -j MASQUERADE
COMMIT
# Completed on Fri Dec 16 23:02:51 2011
# Generated by iptables-save v1.4.12.1 on Fri Dec 16 23:02:51 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2486:1827440]
:LOGDROP - [0:0]
:TCP - [0:0]
:UDP - [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i internal -j ACCEPT
-A INPUT -i wifi -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP
-A INPUT -i external -d 255.255.255.255 -j DROP
-A INPUT -j LOGDROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.68.0/24 -d 172.16.16.0/16 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m iprange --src-range 192.168.68.3-192.168.68.252 -d 172.16.16.1 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
# -A LOGDROP -j LOG
-A LOGDROP -j DROP
-A fw-interfaces -i internal -j ACCEPT
-A fw-interfaces -i wifi -j ACCEPT
-A fw-open -d 172.16.16.2/32 -p udp -m udp --dport 1194 -j ACCEPT
-A fw-open -d 172.16.16.10/32 -p tcp -m tcp --dport 12345 -j ACCEPT
-A fw-open -d 172.16.16.11/32 -p tcp -m tcp --dport 12346 -j ACCEPT
-A fw-open -d 172.16.16.12/32 -p tcp -m tcp --dport 12347 -j ACCEPT
-A fw-open -d 172.16.16.13/32 -p tcp -m tcp --dport 12348 -j ACCEPT
-A fw-open -d 172.16.16.15/32 -p tcp -m tcp --dport 12349 -j ACCEPT
COMMIT
# Completed on Fri Dec 16 23:02:51 2011
ifconfig
Code:
external: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 76.22.129.200 netmask 255.255.254.0 broadcast 255.255.255.255
ether 00:1b:21:c8:3d:34 txqueuelen 1000 (Ethernet)
RX packets 74632844 bytes 81437420902 (75.8 GiB)
RX errors 0 dropped 14 overruns 0 frame 0
TX packets 46827110 bytes 24718141441 (23.0 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 18 memory 0xdffe0000-e0000000
internal: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.16.1 netmask 255.255.0.0 broadcast 172.16.255.255
ether bc:ae:c5:c9:89:35 txqueuelen 1000 (Ethernet)
RX packets 46412639 bytes 24537896845 (22.8 GiB)
RX errors 4 dropped 0 overruns 4 frame 1019
TX packets 65897399 bytes 79666471431 (74.1 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 16436
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 0 (Local Loopback)
RX packets 9 bytes 612 (612.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9 bytes 612 (612.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wifi: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.68.1 netmask 255.255.255.0 broadcast 192.168.68.255
ether c4:3d:c7:80:51:56 txqueuelen 1000 (Ethernet)
RX packets 480208 bytes 44247161 (42.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 866158 bytes 965450608 (920.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
================= SERVER1 172.16.16.2,192.168.68.2
/etc/dhcpd.conf
Code:
option domain-name "pLAN9.site";
option domain-name-servers 172.16.16.2,208.67.222.222,208.67.220.220;
option routers 172.16.16.1;
default-lease-time 604800;
min-lease-time 604800;
max-lease-time 604800;
authoritative;
ddns-update-style interim;
#ddns-updates on;
ddns-domainname "pLAN9.site.";
ddns-rev-domainname "in-addr.arpa.";
#update-static-leases on;
key dhcpupdate {
algorithm HMAC-MD5;
secret "QQulgwgPf7wMy1sFSZuc/A==";
}
log-facility local7;
zone pLAN9.site. {
primary 172.16.16.2;
key dhcpupdate;
}
zone 16.16.172.in-addr.arpa. {
key dhcpupdate;
primary 172.16.16.2;
}
subnet 172.16.0.0 netmask 255.255.0.0 {
range 172.16.16.20 172.16.16.250;
}
subnet 192.168.68.0 netmask 255.255.255.0 {
range 192.168.68.50 192.168.68.100;
option domain-name "";
default-lease-time 1800;
min-lease-time 1800;
max-lease-time 1800;
option domain-name-servers 208.67.222.222,208.67.220.220;
ddns-updates off;
option routers 192.168.68.1;
}
# ====================== STATIC LEASES ========================
(omitted)
ifconfig
Code:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.16.2 netmask 255.255.0.0 broadcast 172.16.255.255
ether 00:17:31:ce:e4:85 txqueuelen 1000 (Ethernet)
RX packets 16649959 bytes 11648420576 (10.8 GiB)
RX errors 13398509 dropped 0 overruns 13398509 frame 1248
TX packets 9660417 bytes 37822424020 (35.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 16436
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 0 (Local Loopback)
RX packets 11102 bytes 1355566 (1.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11102 bytes 1355566 (1.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.11.12.1 netmask 255.255.255.255 destination 10.11.12.2
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 735490 bytes 39715469 (37.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1735079 bytes 2287547456 (2.1 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wifi: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.68.2 netmask 255.255.255.0 broadcast 192.168.68.255
ether 00:17:31:ce:dc:85 txqueuelen 1000 (Ethernet)
RX packets 23795 bytes 1784358 (1.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5902 bytes 468703 (457.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
