Cheesefoam Tux's lil' helper
Joined: 02 Jan 2003 Posts: 89
Posted: Fri Dec 03, 2004 6:11 pm Post subject: Arptables script
I know this isn't as elegant as the way the iptables script works, but I couldn't figure how to parse and save the rules like iptables does. So I came up with this instead.
Can anyone see any problems with this particular arptables configuration?
Code:
#!/sbin/runscript
# Set up initial network configuration. Set EXTERNAL_IFACE to the external
# interface; its IP address is detected automatically from ifconfig output.
EXTERNAL_IFACE="eth1"
EXTERNAL_IP=`ifconfig | grep -A 1 ${EXTERNAL_IFACE} | awk '/inet/{print $2}' | sed -e 's:addr\:::'`
ARPTABLES=`which arptables`
# Space-separated list of additional interfaces to filter, and the MAC
# addresses that are always allowed to send ARP to this host.
HIGH_SECURITY_IFACE="<interfaces other than the WAN you want to filter, e.g. wlan0>"
ALLOWED_MACS="<put MACS of interfaces you want to pass here>"

depend() {
	need net
}

start() {
	ebegin "Starting arptables"
	# Flush old rules.
	${ARPTABLES} -F INPUT
	${ARPTABLES} -F OUTPUT
	${ARPTABLES} -F FORWARD
	# Set up the arptables rules. Configure as needed.
	# Trusted MACs are accepted first, on any interface.
	for a in ${ALLOWED_MACS}
	do
		${ARPTABLES} -A INPUT --source-mac ${a} -j ACCEPT
	done
	# Everything else arriving on the high-security interfaces is dropped.
	for a in ${HIGH_SECURITY_IFACE}
	do
		${ARPTABLES} -A INPUT -i ${a} -j DROP
	done
	# Accept ARP from every interface other than the external one; on the
	# external interface accept only ARP addressed to our own IP.
	${ARPTABLES} -A INPUT -i ! ${EXTERNAL_IFACE} -j ACCEPT
	${ARPTABLES} -A INPUT -i ${EXTERNAL_IFACE} -d ${EXTERNAL_IP} -j ACCEPT
	${ARPTABLES} -A INPUT -i ${EXTERNAL_IFACE} -j DROP
	# Outbound: only send ARP on the external interface from our own IP.
	${ARPTABLES} -A OUTPUT -o ${EXTERNAL_IFACE} -s ${EXTERNAL_IP} -j ACCEPT
	${ARPTABLES} -A OUTPUT -o ${EXTERNAL_IFACE} -j DROP
	eend $?
}

stop() {
	ebegin "Stopping arptables"
	# Flush all rules.
	${ARPTABLES} -F INPUT
	${ARPTABLES} -F OUTPUT
	${ARPTABLES} -F FORWARD
	eend $?
}
In my case, this gives the following:
Quote:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
-j ACCEPT -i * -o * --src-mac XX.XX.XX.XX.XX.XX , pcnt=0 -- bcnt=0
-j ACCEPT -i * -o * --src-mac XX.XX.XX.XX.XX.XX , pcnt=0 -- bcnt=0
-j ACCEPT -i * -o * --src-mac XX.XX.XX.XX.XX.XX , pcnt=0 -- bcnt=0
-j DROP -i wlan0 -o * , pcnt=0 -- bcnt=0
-j ACCEPT -i eth1 -o !* , pcnt=0 -- bcnt=0
-j ACCEPT -i eth1 -o * -d xxx.xxx.xxx.xxx , pcnt=8 -- bcnt=224
-j DROP -i eth1 -o * , pcnt=12623 -- bcnt=353K
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
-j ACCEPT -i * -o eth1 -s xxx.xxx.xxx.xxx , pcnt=8 -- bcnt=224
-j DROP -i * -o eth1 , pcnt=0 -- bcnt=0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Does this seem like a reasonable starting ruleset for arptables?
jkt Retired Dev
Joined: 06 Feb 2004 Posts: 1250 Location: Prague, Czech republic, EU
Posted: Fri Dec 03, 2004 7:08 pm
It seems that you're using arptables only to block unauthorised wifi clients from using your network; however, a better solution is to ban them from the AP. I think iwconfig has some option for it (definitely for hostap).
Cheesefoam Tux's lil' helper
Joined: 02 Jan 2003 Posts: 89
Posted: Mon Dec 06, 2004 5:10 pm
No - I am using arptables to block arp packets from eth1 (my cable modem connection) and wifi0. I've already locked down wifi0 via iptables MAC filtering and requiring users to log in via a PPTP vpn before getting access to the local network.
Besides which, I am unfortunately stuck with using ndiswrapper for my wireless nic.
I was just adding the wifi0 stuff to block extra arp packets which don't belong in the first place. The last line of the chain is the catch-all which kills all inbound arp packets which don't belong on eth1. I know it looks weird, but the fifth line is to accept packets from all interfaces that are NOT eth1. Which is why wifi0 is filtered first. I wonder if it is a bug in arptables?
This is the line that produces that rule:
Quote:
${ARPTABLES} -A INPUT -i ! ${EXTERNAL_IFACE} -j ACCEPT
...Though now that I look at result of that rule, it basically says, "All arp packets inbound in eth1 which do not come from anywhere, pass" ?!?
Weird. I'll look into this.
Since my last reboot (2 days ago), I've blocked 296 Megs of arp traffic.
Code:
-j DROP -i eth1 -o * , pcnt=11M -- bcnt=296M
Which means the filter is working, since it is blocking erroneous ARP packets.
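As an added example that is not part of this thread, here is a small Python audit over a listing in the format both posts quote: it expands the K/M counter suffixes, totals the bytes each chain has dropped, and flags the `-o !*` rule that the `-i ! eth1` line produced. The listing, MAC and chain contents below are constructed for the example, not copied from the poster's host.

```python
import re

# Constructed sample in the format of the arptables listings quoted in this thread.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
-j ACCEPT -i * -o * --src-mac 00:11:22:33:44:55 , pcnt=0 -- bcnt=0
-j DROP -i wlan0 -o * , pcnt=0 -- bcnt=0
-j ACCEPT -i eth1 -o !* , pcnt=0 -- bcnt=0
-j DROP -i eth1 -o * , pcnt=11M -- bcnt=296M
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
-j ACCEPT -i * -o eth1 -s 192.0.2.10 , pcnt=8 -- bcnt=224
"""

SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
RULE_RE = re.compile(r"^-j (?P<target>\S+) -i (?P<iif>\S+) -o (?P<oif>\S+)(?P<match>.*?) , "
                     r"pcnt=(?P<pcnt>\d+[KMG]?) -- bcnt=(?P<bcnt>\d+[KMG]?)$")

def to_int(value):
    """Expand the K/M/G suffixes arptables prints for large counters (353K, 296M)."""
    if value[-1] in SUFFIX:
        return int(value[:-1]) * SUFFIX[value[-1]]
    return int(value)

def parse_listing(text):
    """Return {chain: [rule dicts]} from a verbose arptables listing."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif (m := RULE_RE.match(line)) and current is not None:
            rule = m.groupdict()
            rule["match"] = rule["match"].strip()
            rule["pcnt"], rule["bcnt"] = to_int(rule["pcnt"]), to_int(rule["bcnt"])
            chains[current].append(rule)
    return chains

def audit(chains):
    """Total the bytes each chain dropped and flag negated-wildcard interfaces."""
    findings = []
    for chain, rules in chains.items():
        dropped = sum(r["bcnt"] for r in rules if r["target"] == "DROP")
        findings.append((chain, "dropped_bytes", dropped))
        for pos, r in enumerate(rules, 1):
            # "-o !*" is what the thread's "-i ! eth1" line turned into: the negation
            # landed on the output interface, and the quoted listing shows pcnt=0 for it.
            if r["iif"] == "!*" or r["oif"] == "!*":
                findings.append((chain, "misplaced_negation", pos))
    return findings
```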