LinuxQuestions.org
07-10-2014, 06:14 AM   #1
matty234
LQ Newbie, registered Jul 2014, Distribution: Debian \ Ubuntu
IPTables Hotspot Setup


Hi,

I'm trying to set up iptables for a hotspot. I only want the hotspot users to be able to access a certain IP for HTTP traffic (in this case, 10.0.0.1). They also need to be able to access DNS and DHCP from this same IP. Finally, the clients must be able to access another IP (say 192.168.0.44) from inside the hotspot.

So to sum up:
  • HTTP (to 10.0.0.1 and 192.168.0.44), DNS and DHCP from inside the Hotspot
  • Everything else blocked

I'm trying to run this on a Raspberry Pi running Raspbian.

Thanks for any help,

Matt
 
07-15-2014, 10:45 PM   #2
dkm999
Member, registered Nov 2006, Seattle, WA, Distribution: Fedora
The "everything else blocked" part is easy; iptables allows you to set the policy for both input and output packets; you will eventually want DROP as the policy for both.

But first, I recommend setting up the other rules and making sure they are functioning; otherwise, frustration is bound to ensue.

HTTP uses TCP port 80
DNS uses UDP port 53
DHCP uses UDP ports 67 (to server) & 68 (to client)

Further, I will assume your Raspberry Pi has two ethernet interfaces: one for the hotspot, and one to connect to the outside world. I have randomly chosen eth1 as the hotspot interface for this server.

So the rules you will need are

Code:
# traffic to and from 192.168.0.44 on the hotspot side (any protocol, any port)
iptables -A INPUT -i eth1 -d 192.168.0.44 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 192.168.0.44 -j ACCEPT
# HTTP requests in, HTTP replies out
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 80 -j ACCEPT
# DNS queries in, DNS answers out
iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --sport 53 -j ACCEPT
# DHCP: client -> server arrives on port 67, server -> client leaves for port 68
iptables -A INPUT -i eth1 -p udp --dport 67 -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --dport 68 -j ACCEPT
With these rules, run the server for a bit, using it as a hotspot, and check that all the rules are getting used (iptables has a list command, iptables -nvL, which will display the number of packets processed by each rule).

Note that DHCP does not work the same way as either HTTP or DNS; it uses one port for traffic directed to the server, and a different port for traffic directed to the requesting client.

Once everything seems to be working correctly, add these rules at the beginning of your configuration:
Code:
# the loopback interface: local processes talking to each other
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# the external interface: unrestricted
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
# default policy: anything not matched above is dropped
iptables -P INPUT DROP
iptables -P OUTPUT DROP
These will implement the "everything else blocked" part of your requirements. Note that your server still needs to talk to the external interface, and to internal processes via the loopback interface; therefore, you need the 4 rules at the beginning of this block.

Good luck
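A complete version of the procedure above as a single script, added here as an example; it is not from the thread and not dkm999's rules. It assumes names the thread does not give: eth1 is the hotspot interface and eth0 the uplink, the Pi itself holds 10.0.0.1 and runs the web, DNS and DHCP servers, the client subnet is 10.0.0.0/24, and 192.168.0.44 is a separate host reached through the Pi, so that traffic passes the FORWARD chain rather than INPUT/OUTPUT. The rules are emitted in iptables-restore format so they can be reviewed before they are loaded.

```shell
#!/bin/sh
# Hotspot firewall for the Raspberry Pi described in the thread (added example).
# Assumed values; none of these names are given in the thread:
HOTSPOT_IF=${HOTSPOT_IF:-eth1}            # interface facing the hotspot clients
UPLINK_IF=${UPLINK_IF:-eth0}              # interface facing the rest of the network
PI_IP=${PI_IP:-10.0.0.1}                  # the Pi's own address on the hotspot side
HOTSPOT_NET=${HOTSPOT_NET:-10.0.0.0/24}   # hotspot client subnet
OTHER_HTTP=${OTHER_HTTP:-192.168.0.44}    # separate host clients may reach over HTTP

# Emit the whole ruleset in iptables-restore format. Nothing is applied here,
# so the output can be read, diffed and tested without root.
hotspot_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and the uplink side stay open, as in the thread
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $UPLINK_IF -j ACCEPT
-A OUTPUT -o $UPLINK_IF -j ACCEPT
# replies to traffic already accepted below; this is what lets the
# HTTP and DNS answers out without per-port OUTPUT rules
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# hotspot clients -> services on the Pi itself, only at the Pi's address
-A INPUT -i $HOTSPOT_IF -s $HOTSPOT_NET -d $PI_IP -p tcp --dport 80 -j ACCEPT
-A INPUT -i $HOTSPOT_IF -s $HOTSPOT_NET -d $PI_IP -p udp --dport 53 -j ACCEPT
-A INPUT -i $HOTSPOT_IF -s $HOTSPOT_NET -d $PI_IP -p tcp --dport 53 -j ACCEPT
# DHCP DISCOVER/REQUEST come from 0.0.0.0 to 255.255.255.255, so no -s/-d match
-A INPUT -i $HOTSPOT_IF -p udp --sport 68 --dport 67 -j ACCEPT
# DHCP OFFER/ACK may be broadcast, which conntrack does not pair with the
# request, so the server -> client direction needs its own rule
-A OUTPUT -o $HOTSPOT_IF -p udp --sport 67 --dport 68 -j ACCEPT
# hotspot clients -> HTTP on the other host, routed through the Pi
-A FORWARD -i $HOTSPOT_IF -o $UPLINK_IF -s $HOTSPOT_NET -d $OTHER_HTTP -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Load the ruleset atomically (needs root). iptables-restore replaces the
# filter table in one step, so there is no window with a half-built policy.
hotspot_apply() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null   # needed for the FORWARD rule
    hotspot_ruleset | iptables-restore
}

case "${1:-}" in
    show)  hotspot_ruleset ;;
    apply) hotspot_apply ;;
esac
```

Run `sh hotspot-fw.sh show` to read the generated rules, then `sudo sh hotspot-fw.sh apply` to load them. Because the uplink interface is accepted unconditionally, an SSH session over eth0 survives the cutover; after clients have used the hotspot for a while, `iptables -nvL` shows per-rule packet counters exactly as dkm999 suggests, and a rule that stays at zero is the first thing to look at. This is tighter than the rules posted above in two ways: HTTP and DNS are accepted only when addressed to the Pi's own IP, and the reply direction is handled by conntrack state rather than by separate OUTPUT rules per port.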