Author Topic: Saving IPTABLES?  (Read 4082 times)

Offline JoRo79

Saving IPTABLES?
« on: December 06, 2014, 02:43:27 am »
At reboot of the hotspot all my modifications to iptables are gone... already tried with a script & symlink in init.d & rc.d... never called or overwritten... I don't know... anyone with a solution?

Default network config of the WorldSpot firmware (trunk-39923-1) lacks in security btw... public wifi clients must not "see" clients of the private wifi... nor have access to any infrastructure of the parent network (i.e. where the DHCP server/hotspot itself/internet gateway is located)... I can ssh to the hotspot and access the web interface of my LTE router (all from the public network!) :-X :-[

« Last Edit: December 06, 2014, 04:18:07 am by JoRo79 »

Offline JoRo79

Re: Saving IPTABLES?
« Reply #1 on: December 06, 2014, 11:09:02 am »
Found the solution myself in a howto:

"The creators of CoovaChilli have predefined rules for iptables, but their script needs a little help before it works. CoovaChilli's iptables config is done in the /etc/chilli/up.sh script which runs after the tun interface is up, so that the exact tun interface is known.

/etc/chilli/up.sh calls /etc/chilli/ipup.sh, if it exists. By default, it does not. If you need to run your own commands after the main iptables configuration is done, create /etc/chilli/ipup.sh and populate it however you like, being sure to make it executable (chmod +x /etc/chilli/ipup.sh) when done."

+++++++++
Still searching for two rules:

1) How can I disable/reject all remote access to the hotspot (telnet, ssh, web interface, ...) from 10.1.0.0/24?
2) How can I prevent clients from seeing each other in 10.1.0.0/24?

Anyone got iptables rules for that? Thx in advance.
« Last Edit: December 06, 2014, 11:12:06 am by JoRo79 »

Offline WorldSpot

Re: Saving IPTABLES?
« Reply #2 on: December 06, 2014, 12:40:57 pm »
Yes, the iptables are set in /etc/chilli/up.sh

However I'm not an iptables expert.

1) I think your best protection is to use a BIG root password, and never access your hotspot from the public wifi.
2) I think this is done in the wifi settings, in uci wireless. Please look at the OpenWrt wireless uci documentation.
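
Added example, not part of the thread and not WorldSpot or CoovaChilli code: a sketch of an /etc/chilli/ipup.sh that drops management traffic from the public subnet to the hotspot itself and blocks forwarding from the public subnet into the parent network. It assumes chilli exports the tun interface as DEV; the port list and the 192.168.1.0/24 parent network are constructed placeholder values.

```shell
#!/bin/sh
# Example /etc/chilli/ipup.sh (added illustration, not firmware code).
# Assumptions: chilli exports DEV (tun interface); MGMT_PORTS and
# UPSTREAM_NET are constructed placeholders to adapt to your network.
PUBLIC_NET="${PUBLIC_NET:-10.1.0.0/24}"          # public subnet from the thread
UPSTREAM_NET="${UPSTREAM_NET:-192.168.1.0/24}"   # assumed parent/private network
MGMT_PORTS="${MGMT_PORTS:-22 23 80 443}"         # assumed ssh, telnet, web UI ports
TUN="${DEV:-tun0}"
IPT="${IPT:-iptables}"

# Print one rule spec per line (the part after "iptables -I").
hotspot_rules() {
    for port in $MGMT_PORTS; do
        # Traffic addressed to the hotspot itself arrives on INPUT
        echo "INPUT -i $TUN -s $PUBLIC_NET -p tcp --dport $port -j DROP"
    done
    # Internet-bound packets have other destinations and still pass;
    # only hosts inside the parent network become unreachable.
    echo "FORWARD -i $TUN -s $PUBLIC_NET -d $UPSTREAM_NET -j DROP"
}

# Insert each rule at the top of its chain unless it already exists,
# so repeated runs of up.sh do not stack duplicates.
apply_rules() {
    hotspot_rules | while read -r rule; do
        # $rule is left unquoted on purpose: it must split into arguments
        $IPT -C $rule 2>/dev/null || $IPT -I $rule
    done
}

if [ -n "$DEV" ]; then
    apply_rules          # called by chilli: install the rules
else
    hotspot_rules        # run by hand: print the rules for review
fi
```

These rules do not cover isolation between wifi clients on the same access point, because frames bridged by the AP never traverse iptables; that is the wireless-side setting reply #2 points to (the `isolate` option in OpenWrt's wireless uci config).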