
Re: IPTABLES rule for separating users


Stan Hoeppner wrote:
> erikmccaskey64 put forth on 3/5/2011 2:58 AM:
>> I have an OpenWrt 10.03 router [...]

> Also, due to the built in switch chip and ARP discovery, the private
> ethernet interface chip of the router device won't even see the ethernet
> frames in which the subnet IP packets are transported.  In layman's
> terms, the kernel won't have any clue such subnet traffic even exists,
> due to the switch.  Simplified functional diagram:
>               Switch Chip
>               -----------
> Wired--------|           |----------Wireless
>               -----------
>                    <--- Intra-subnet traffic barrier
>                    |
>                    |
>                  -----        ------        -----
>        Eth0 LAN |     |------|      |------|     | Eth1 WAN
>                  -----        ------        -----
>                            Linux Stack

This diagram may not be completely correct, depending on the router
model design. For a Linksys WRT54GL, the built-in ethernet switch and
the wireless interface are bridged together using a Linux bridge, so the
kernel does actually see the traffic between an ethernet host and a
wireless host. If the kernel was built with the BRIDGE_NETFILTER option
enabled, iptables can even see and filter the bridged traffic. Otherwise,
if it has ebtables support, it can filter the bridged traffic at the link
layer level. But indeed it won't see the traffic between ethernet hosts
or wireless hosts.
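As an added example (not from this thread or from OpenWrt), a small POSIX sh helper that checks the bridge-netfilter sysctl the reply refers to and emits wired/wireless isolation rules for whichever tool applies; the bridge port names eth0.0 and wlan0 are assumptions:

```shell
#!/bin/sh
# Added example (not from the thread): decide whether iptables can see
# frames crossing a Linux bridge, and emit rules that block forwarding
# between the wired and wireless bridge ports in either direction.
# Port names are assumptions (typical OpenWrt naming):
WIRED="${WIRED:-eth0.0}"
WIFI="${WIFI:-wlan0}"

# bridge_nf_enabled [FILE]
# FILE defaults to the sysctl that makes bridged IPv4 traffic traverse
# the iptables FORWARD chain (kernel option BRIDGE_NETFILTER).
# Returns 0 if it reads "1", 1 if it is "0" or the file does not exist
# (kernel built without bridge-netfilter).
bridge_nf_enabled() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# isolation_rules iptables|ebtables
# Print, one per line, the rules that drop bridged traffic between
# the wired and wireless ports. Traffic between two hosts on the same
# side still never reaches the kernel (switch chip / AP), as the reply says.
isolation_rules() {
    case "$1" in
        iptables)
            # physdev match names the bridge port a frame entered/leaves on;
            # only effective when bridge-nf-call-iptables is 1.
            echo "iptables -A FORWARD -m physdev --physdev-in $WIRED --physdev-out $WIFI -j DROP"
            echo "iptables -A FORWARD -m physdev --physdev-in $WIFI --physdev-out $WIRED -j DROP"
            ;;
        ebtables)
            # link-layer filtering works without bridge-netfilter
            echo "ebtables -A FORWARD -i $WIRED -o $WIFI -j DROP"
            echo "ebtables -A FORWARD -i $WIFI -o $WIRED -j DROP"
            ;;
        *)
            echo "usage: isolation_rules iptables|ebtables" >&2
            return 2
            ;;
    esac
}

# pick_mode [FILE]: choose the tool from the kernel's bridge-nf state
pick_mode() {
    if bridge_nf_enabled "$1"; then echo iptables; else echo ebtables; fi
}
```

Run `isolation_rules "$(pick_mode)"` on the router to print the rules to apply; nothing is changed until you execute the printed lines.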
