From the dd-wrt wiki:
Creating A Firewall
There's one optional, but HIGHLY recommended thing you should do before advertising the hotspot. As it stands, anyone connected to the hotspot SSID has full access to the whole 192.168.X.X network, including your router's web admin page. To stop this you need to add the code below to the firewall. Do this by pasting it into the box on the Admin > Commands page and clicking Save Firewall.
The main lines controlling which addresses are reachable are the "iptables -t nat -I PREROUTING -i tun0 -d xxx.xxx.xxx.xxx/xx -j DROP" lines. The first (with the nvram get commands) automatically obtains your router's local address and blocks access to it and all its clients. The others can be removed if you wish, but as they stand they block access to all privately used IP address ranges. You must keep the ...192.168.182.1/32 -j ACCEPT rule in place to allow the hotspot clients to reach the Chillispot server.
PPPoE users should add the MTU bugfix line directly below the first "##" line; see the PPPoE section below.
The script also contains a commented-out part that limits the upload and download speed of the whole hotspot SSID. The limits can be altered by changing the numbers after DOWNLINK and UPLINK, currently set to 1 Mbps down and 256 Kbps up.
Note that bandwidth is controlled per user in the worldspot access profile, which is why I commented this part out. If you still want an overall bandwidth limit, uncomment the last part.
#!/bin/sh
##
# let hotspot clients (tun0) talk to the router and open new connections to the WAN,
# and keep LAN (br0) clients from reaching the hotspot tunnel
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i tun0 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j logdrop
# secure access to local addresses other than chillispot
iptables -A FORWARD -i tun0 -j DROP
# -I inserts each rule at the head of the chain, so the last rule issued here
# (the Chillispot ACCEPT) is the first one matched
iptables -t nat -I PREROUTING -i tun0 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -j DROP
iptables -t nat -I PREROUTING -i tun0 -d 192.168.0.0/16 -j DROP
iptables -t nat -I PREROUTING -i tun0 -d 169.254.0.0/16 -j DROP
iptables -t nat -I PREROUTING -i tun0 -d 172.16.0.0/12 -j DROP
iptables -t nat -I PREROUTING -i tun0 -d 10.0.0.0/8 -j DROP
iptables -t nat -I PREROUTING -i tun0 -d 192.168.182.1/32 -j ACCEPT
## bandwidth limitation for all hotspot users.
## uncomment below to activate
#DEV="tun0"
#DOWNLINK="1024"   # kbit/s towards the clients
#UPLINK="256"      # kbit/s from the clients
#
## clear any existing queueing discipline on the hotspot interface
#tc qdisc del dev $DEV root
#tc qdisc del dev $DEV ingress
#
## limit download: one HTB class for all traffic destined to the hotspot subnet
#tc qdisc add dev $DEV root handle 1: htb
#tc class add dev $DEV parent 1: classid 1:1 htb rate ${DOWNLINK}kbit burst 6k
#tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst 192.168.182.1/24 flowid 1:1
#
## limit upload: police everything arriving from the clients
#tc qdisc add dev $DEV ingress handle ffff:
#tc filter add dev $DEV parent ffff: protocol ip u32 match ip src 0.0.0.0/0 police rate ${UPLINK}kbit burst 10k drop flowid :1
For PPPoE users:
There is a bug in Chillispot that causes connection problems to websites (specifically https and larger domains) when using a PPPoE connection from the DD-WRT router with an MTU other than the default Ethernet value of 1500. PPPoE users can find their current MTU setting on the Setup > Basic Setup tab of the DD-WRT web config pages, under Optional Settings then MTU. PPPoE users therefore MUST use the following fix to enable Chillispot to function correctly. This does not apply if you have a separate modem that connects to the net using PPPoE but then connects to the rest of your network (e.g. your dd-wrt router) using a regular local IP address.
In the web config pages, go to Administration > Commands and paste the following code into the Command Shell box, then click Save Firewall. If there is already a Firewall box with text present, click Edit under the Firewall box and add the code to the top of the Command Shell box, replacing only any #!/bin/sh text already present and leaving the rest intact.
#!/bin/sh
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1452:65535 -j TCPMSS --clamp-mss-to-pmtu
NOTE: If your MTU is different from 1492, you must replace the 1452 in the above code with your current MTU value minus 40. E.g. if your MTU is 1362, replace the 1452 in the code with 1322 (that's 1362 - 40).
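The following script is an added example, not part of the DD-WRT wiki page. It simulates first-match evaluation of the nat PREROUTING rules from the hotspot firewall script above for a given destination address, which is a cheap way to check before deploying that a hotspot client can still reach the Chillispot server while the LAN and the other private ranges stay blocked; it also computes the MSS value the PPPoE note asks for. The LAN address and netmask are constructed stand-ins for the nvram values.

```sh
# Added example, not from the DD-WRT wiki. Each PREROUTING rule in the hotspot
# script is added with "-I" (insert at the head of the chain), so the chain
# holds them in REVERSE order of the script lines: that is what places the
# 192.168.182.1/32 ACCEPT ahead of the 192.168.0.0/16 DROP.
LAN_IPADDR="192.168.1.1"      # constructed stand-in for `nvram get lan_ipaddr`
LAN_NETMASK="255.255.255.0"   # constructed stand-in for `nvram get lan_netmask`

# Dotted quad -> 32-bit integer (192.168.1.1 -> 3232235777).
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask -> prefix length (255.255.255.0 -> 24), for the LAN rule.
netmask_to_prefix() {
    m=$(ip_to_int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$((n + 1)); m=$(( (m << 1) & 0xffffffff )); done
    echo "$n"
}

# in_cidr IP CIDR -> succeeds when IP lies inside CIDR.
in_cidr() {
    ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); bits=${2#*/}
    mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# The "-d ... -j ..." rules in the order the script issues them.
script_rules() {
    printf '%s\n' \
        "$LAN_IPADDR/$(netmask_to_prefix "$LAN_NETMASK") DROP" \
        "192.168.0.0/16 DROP" "169.254.0.0/16 DROP" \
        "172.16.0.0/12 DROP" "10.0.0.0/8 DROP" "192.168.182.1/32 ACCEPT"
}

# prerouting_verdict DEST -> target of the first matching rule in chain order
# (script order reversed by sed), or POLICY when no rule matches.
prerouting_verdict() {
    v=$(script_rules | sed '1!G;h;$!d' | while read -r cidr target; do
            if in_cidr "$1" "$cidr"; then echo "$target"; break; fi
        done)
    echo "${v:-POLICY}"
}

# MSS to clamp to for a given PPPoE MTU (MTU minus 40, as the note above states).
mss_for_mtu() { echo $(( $1 - 40 )); }

for d in 192.168.182.1 192.168.182.2 192.168.1.1 10.0.0.5 8.8.8.8; do
    echo "$d -> $(prerouting_verdict "$d")"
done
```

Only 192.168.182.1 comes back ACCEPT; every other private destination, including the LAN gateway, is dropped before it reaches the router's services, and public addresses fall through to the chain policy.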