mgnut57 Guru
Joined: 12 Jan 2008 Posts: 309
Posted: Mon Mar 11, 2019 2:09 am Post subject: Any iptables/netfilter experts?
Is it possible to identify (and filter) packets that arrive from a specific last hop?
Currently, I have 2 LANs, one of which is wireless. I have an Ethernet card that is connected to a WiFi router which is configured not as a router, but as a switch/access point.
Instead of using a separate NIC to connect to the access point, I wonder if it is possible to apply netfilter rules for packets that arrive at my server from the access point. Obviously, it's really the packets from the wireless devices that I want to filter, but all of these packets go via the access point.
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Mon Mar 11, 2019 2:34 am
Sounds like you want to filter on MAC address, which (iirc) is done using arptables, not the regular iptables.
mgnut57 Guru
Joined: 12 Jan 2008 Posts: 309
Posted: Mon Mar 11, 2019 3:24 am
Ant P. wrote:
    Sounds like you want to filter on MAC address, which (iirc) is done using arptables, not the regular iptables.
Not really, because the MAC addresses that the server sees are those of the wireless devices. While I could filter based on these, I would have to reconfigure for every new device.
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Mon Mar 11, 2019 3:38 am
Wouldn't your last hop always be the ISP's router that your edge router is hooked to? Do you mean second to last?
And in any case it seems to me that unless your specific router is thought to be compromised, what you're really after is filter by geolocation?
Maybe you could be more specific about what you want? Can you give us some background story on this?
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Mon Mar 11, 2019 3:40 am
Can you match by the IP range the wifi traffic comes from? I'm looking at tcpdump output from my own router and there doesn't seem to be any way to differentiate besides that, or MAC (which you said doesn't work).
mgnut57 Guru
Joined: 12 Jan 2008 Posts: 309
Posted: Mon Mar 11, 2019 3:45 am
1clue wrote:
    Wouldn't your last hop always be the ISP's router that your edge router is hooked to? Do you mean second to last?
    And in any case it seems to me that unless your specific router is thought to be compromised, what you're really after is filter by geolocation?
    Maybe you could be more specific about what you want? Can you give us some background story on this?
It's not the Internet side that I want to filter like this.
My architecture is that I have a server/router/firewall which connects to the Internet. This server/router has two additional NICs, one of which is connected to a switch on which other Ethernet devices are connected, the other one connects to my wireless access point.
I don't want to trust WiFi connected devices as much as the Ethernet connected devices. While I have a solution that works today, I was wondering if it is possible to do something similar with only one NIC instead of two NICs serving the LAN side of my network.
mgnut57 Guru
Joined: 12 Jan 2008 Posts: 309
Posted: Mon Mar 11, 2019 3:49 am
Ant P. wrote:
    Can you match by the IP range the wifi traffic comes from? I'm looking at tcpdump output from my own router and there doesn't seem to be any way to differentiate besides that, or MAC (which you said doesn't work).
I could ... if I could make the DHCP server hand out different IP addresses based on the last hop.
The other solution would be to convert my access point into a NAT router, but that would bring many other problems.
Hu Administrator
Joined: 06 Mar 2007 Posts: 23064
Posted: Mon Mar 11, 2019 4:02 am
mgnut57 wrote:
    This server/router has two additional NICs, one of which is connected to a switch on which other Ethernet devices are connected, the other one connects to my wireless access point.
If I understand your network topology, then the answer is simple. You have three NICs. NIC #0 connects to the Internet. NIC #1 connects to a trusted switch. NIC #2 connects to a wireless access point, which is untrusted. You want to treat all traffic from the wireless access point as untrusted, since most such traffic is relayed from wireless clients. The solution is interface-based filtering. You can write a rule that matches depending on which NIC was used to receive the traffic. Look at the --in-interface option on iptables.
mgnut57 Guru
Joined: 12 Jan 2008 Posts: 309
Posted: Mon Mar 11, 2019 4:06 am
Hu wrote:
    mgnut57 wrote:
        This server/router has two additional NICs, one of which is connected to a switch on which other Ethernet devices are connected, the other one connects to my wireless access point.
    If I understand your network topology, then the answer is simple. You have three NICs. NIC #0 connects to the Internet. NIC #1 connects to a trusted switch. NIC #2 connects to a wireless access point, which is untrusted. You want to treat all traffic from the wireless access point as untrusted, since most such traffic is relayed from wireless clients. The solution is interface-based filtering. You can write a rule that matches depending on which NIC was used to receive the traffic. Look at the --in-interface option on iptables.
You understand my current setup perfectly.
My question is, can I eliminate NIC #2, connect the wireless access point to a switch that connects to NIC #1 and still do the same filtering on the devices that connect via the wireless access point?
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Mon Mar 11, 2019 4:10 am
mgnut57 wrote:
    1clue wrote:
        Wouldn't your last hop always be the ISP's router that your edge router is hooked to? Do you mean second to last?
        And in any case it seems to me that unless your specific router is thought to be compromised, what you're really after is filter by geolocation?
        Maybe you could be more specific about what you want? Can you give us some background story on this?
    It's not the Internet side that I want to filter like this.
    My architecture is that I have a server/router/firewall which connects to the Internet. This server/router has two additional NICs, one of which is connected to a switch on which other Ethernet devices are connected, the other one connects to my wireless access point.
    I don't want to trust WiFi connected devices as much as the Ethernet connected devices. While I have a solution that works today, I was wondering if it is possible to do something similar with only one NIC instead of two NICs serving the LAN side of my network.
Are you using a typical WIFI router?
Usually those things hand out their own range of addresses, in the nonroutable ipv4 address range and possibly ipv6. So you would be using NAT on ipv4.
If your setup works like this, you could always make rules based on the network number right? Surely you will assign the wireless router its own static upstream ip address for your own sanity.
IMO if you have an extra NIC on your router, I can't think of a better use for it than to keep the peasants out of the castle.
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Mon Mar 11, 2019 4:15 am
mgnut57 wrote:
    Hu wrote:
        mgnut57 wrote:
            This server/router has two additional NICs, one of which is connected to a switch on which other Ethernet devices are connected, the other one connects to my wireless access point.
        If I understand your network topology, then the answer is simple. You have three NICs. NIC #0 connects to the Internet. NIC #1 connects to a trusted switch. NIC #2 connects to a wireless access point, which is untrusted. You want to treat all traffic from the wireless access point as untrusted, since most such traffic is relayed from wireless clients. The solution is interface-based filtering. You can write a rule that matches depending on which NIC was used to receive the traffic. Look at the --in-interface option on iptables.
    You understand my current setup perfectly.
    My question is, can I eliminate NIC #2, connect the wireless access point to a switch that connects to NIC #1 and still do the same filtering on the devices that connect via the wireless access point?
Does your networking hardware support VLANs? Your switch could assign a single vlan to the port your wifi is on and everything else to another one, and you could filter on that? In that case the wifi router need not know VLANs.
What sort of switch do you have? Is it unmanaged, smart or managed? And how fast is it? Is the firewall/router a higher speed connection than the wifi supports? Or is your bandwidth small enough that it doesn't matter?
mgnut57 Guru
Joined: 12 Jan 2008 Posts: 309
Posted: Mon Mar 11, 2019 4:37 am
Thanks for all the comments.
I don't think it's possible to eliminate one of the NICs without a much more expensive switch, or configuring my wireless access point as a NAT router instead of a switch.
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Mon Mar 11, 2019 4:50 am
You could configure it as a plain router, if it'll allow it. That'll require all routers on your network to know about non-default routes, but it should make the netfilter part much simpler.
mgnut57 Guru
Joined: 12 Jan 2008 Posts: 309
Posted: Mon Mar 11, 2019 5:55 pm
Ant P. wrote:
    You could configure it as a plain router, if it'll allow it. That'll require all routers on your network to know about non-default routes, but it should make the netfilter part much simpler.
A router, but no NAT.
I hadn't thought of that. I'll have to see if it's possible.
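The two workable layouts from this thread in one runnable script, added here as an example and not written by any of the posters: Hu's --in-interface filtering applied to the 802.1Q sub-interface that 1clue's VLAN idea would give you on a single LAN NIC, and Ant P.'s "plain router, no NAT" access point. Every name in it is an assumption: eth0 as WAN, eth1 as the one LAN NIC, VLAN 20 for the AP's switch port, 192.168.1.0/24 wired and 192.168.20.0/24 wireless, and 192.168.1.2 / 00:11:22:33:44:55 as the AP's wired address and MAC in the routed layout. Run without arguments it only prints both rulesets; it touches the system only with apply-vlan or apply-routed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout (every name is an assumption):
#   eth0             WAN
#   eth1             the single LAN NIC, uplink to a VLAN-capable switch
#   eth1.20          802.1Q sub-interface: the switch puts the AP's port in VLAN 20
#                    (untagged) and carries VLAN 20 tagged on the uplink to eth1
#   192.168.1.0/24   trusted wired LAN, untagged on eth1
#   192.168.20.0/24  wifi clients, on eth1.20 (VLAN variant) or behind the AP
#                    acting as a plain router at 192.168.1.2 (routed variant)
set -eu

WAN=eth0
LAN=eth1
WIFI_VID=20
WIFI_IF="$LAN.$WIFI_VID"
WIFI_NET=192.168.20.0/24
AP_IP=192.168.1.2                      # routed variant: AP's wired address (assumed)
AP_MAC=${AP_MAC:-00:11:22:33:44:55}    # routed variant: AP's wired MAC (assumed)

# VLAN variant: give wifi frames their own netfilter input interface.
setup_vlan() {
    ip link add link "$LAN" name "$WIFI_IF" type vlan id "$WIFI_VID"
    ip addr add 192.168.20.1/24 dev "$WIFI_IF"
    ip link set "$WIFI_IF" up
}

# iptables-restore ruleset for the VLAN variant. Rule order matters: the
# wifi->LAN DROP must sit before the wifi->WAN ACCEPT.
gen_rules_vlan() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN -j ACCEPT
-A INPUT -i $WIFI_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $WIFI_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $WIFI_IF -p tcp --dport 53 -j ACCEPT
-A INPUT -i $WIFI_IF -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WIFI_IF -o $LAN -j DROP
-A FORWARD -i $WIFI_IF -o $WAN -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $LAN -o $WIFI_IF -j ACCEPT
COMMIT
EOF
}

# Routed variant: the AP routes 192.168.20.0/24 itself (no NAT) and is wired into
# the same switch as the trusted hosts. Everything it forwards reaches eth1 with the
# AP's own MAC as the last hop, whatever source IP a client claims, so that MAC is
# the trust boundary. This box only sees wifi->server and wifi->Internet traffic;
# wifi->wired goes AP->switch->host and never crosses it.
setup_routed() {
    ip route add "$WIFI_NET" via "$AP_IP" dev "$LAN"
}

gen_rules_routed() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:WIFI_IN - [0:0]
:WIFI_FWD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN -m mac --mac-source $AP_MAC -j WIFI_IN
-A INPUT -i $LAN -j ACCEPT
-A WIFI_IN -p udp --dport 53 -j ACCEPT
-A WIFI_IN -p tcp --dport 53 -j ACCEPT
-A WIFI_IN -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -m mac --mac-source $AP_MAC -j WIFI_FWD
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $LAN -o $LAN -d $WIFI_NET -j ACCEPT
-A WIFI_FWD -o $WAN -j ACCEPT
-A WIFI_FWD -j DROP
COMMIT
EOF
}

case "${1:-show}" in
    show)         gen_rules_vlan; echo; gen_rules_routed ;;
    apply-vlan)   setup_vlan;   gen_rules_vlan   | iptables-restore ;;
    apply-routed) setup_routed; gen_rules_routed | iptables-restore ;;
    *)            echo "usage: $0 [show|apply-vlan|apply-routed]" >&2; exit 2 ;;
esac
```

Two caveats worth keeping in mind. With an unmanaged switch in front of eth1 both layouts collapse onto one interface and -i cannot tell wired from wireless, which is where the thread ends up. In the routed layout the MAC match does what Ant P. first suggested, because a routing AP replaces each client's MAC with its own on the wired side; in access-point (bridge) mode the client MACs show through, as mgnut57 observed, and a MAC rule would have to list every device. The routed layout also cannot isolate wifi from the wired hosts from this box at all, since the AP forwards that traffic straight onto the switch; any wifi-to-wired restriction then has to live on the AP or on a managed switch, which is the VLAN layout again.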