Re: IPTABLES rule for separating users

To: debian-user@lists.debian.org
Subject: Re: IPTABLES rule for separating users
From: Stan Hoeppner <stan@hardwarefreak.com>
Date: Sat, 05 Mar 2011 06:49:25 -0600
Message-id: <[🔎] 4D723155.6010302@hardwarefreak.com>
In-reply-to: <[🔎] 12e853d4ede.8890573220592407506.-7535953799143151425@zoho.com>
References: <[🔎] 12e853d4ede.8890573220592407506.-7535953799143151425@zoho.com>

erikmccaskey64 put forth on 3/5/2011 2:58 AM:
> I have an OpenWrt 10.03 router [ IP: 192.168.1.1 ], and it has a DHCP server pool: 192.168.1.0/24 - clients are using it through wireless/wired connection. Ok!
> 
> 
> Here's the catch: I need to separate the users from each other.
> 
> 
> How i need to do it: by IPTABLES rule [ /etc/firewall.user ]. Ok!
> 
> 
> "Loud thinking": So i need a rule something like this [on the OpenWrt router]: 
> 
> 
> - DROP where SOURCE: 192.168.1.2-192.168.1.255 and DESTINATION is 192.168.1.2-192.168.1.255

This likely won't work because all hosts are on the same subnet, and
only traffic destined outside the subnet is forwarded to the gateway
address, which is the LAN port of the firewall in this scenario.
Traffic within the same subnet will bypass the OpenWrt IP stack.  This
is simply how TCP/IP is designed to function.  You _might_  be able to
get around this with some funking client stack masking and some bizarre
iptables rules, however I've never attempted nor heard of such a thing.

The way your goal is accomplished in high security environments in the
real world is with MAC address filtering at the ethernet switch level,
but more often with VLANs.  Usually this is used to separate
departments, but not the hosts within a given department.  The
integrated switch in your consumer router probably does not offer this
level of capability.

Also, due to the built in switch chip and ARP discovery, the private
ethernet interface chip of the router device won't even see the ethernet
frames in which the subnet IP packets are transported.  In layman's
terms, the kernel won't have any clue such subnet traffic even exists,
due to the switch.  Simplified functional diagram:

              Switch Chip
              -----------
Wired--------|           |----------Wireless
              -----------
                   <--- Intra-subnet traffic barrier
                   |
                   |
                 -----        ------        -----
       Eth0 LAN |     |------|      |------|     | Eth1 WAN
                 -----        ------        -----
                           Linux Stack


If you shared your *reasoning* behind this with us we might be able to
offer you alternative solutions.

-- 
Stan

Reply to:

Follow-Ups:
- Re: IPTABLES rule for separating users
  - From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>

References:
- IPTABLES rule for separating users
  - From: erikmccaskey64 <erikmccaskey64@zoho.com>

Prev by Date: Re: opened OpenSSL port
Next by Date: Re: IPTABLES rule for separating users
Previous by thread: IPTABLES rule for separating users
Next by thread: Re: IPTABLES rule for separating users
Index(es):
- Date
- Thread