
Re: IPTABLES rule for separating users



On Sat, 2011-03-05 at 00:58 -0800, erikmccaskey64 wrote:
> I have an OpenWrt 10.03 router [ IP: 192.168.1.1 ], and it has a DHCP
> server pool: 192.168.1.0/24 - clients are using it through
> wireless/wired connection. Ok!
> 
> 
> Here's the catch: I need to separate the users from each other.
> 
> 
> How I need to do it: by IPTABLES rule [ /etc/firewall.user ]. Ok!
> 
> 
> "Loud thinking": So I need a rule something like this [on the OpenWrt
> router]: 
> 
> 
> - DROP where SOURCE: 192.168.1.2-192.168.1.255 and DESTINATION is
> 192.168.1.2-192.168.1.255
> 
> 
> The idea is this. Ok!
> 
> 
> Questions! 
> - Will I lock myself out if I apply this firewall rule?
> - Is this a secure method? [ is it easy to do this?: hello, I'm a
> client, and I say, my IP address is 192.168.1.1! - now it can sniff
> the unencrypted traffic! :( - because all the clients are in the same
> subnet! ]
> - Are there any good methods to find/audit for duplicated IP
> addresses?
> - Are there any good methods to find/audit for duplicated MAC addresses?
> - Are there any good methods to do this IPTABLES rule on Layer2?:
> `$ wget -q "http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/" -O - | grep -i ebtables`
> 
> 
> 
> 
> 
> 
> p.s.: The rule would be [is it on a good chain?]: 
> iptables -A FORWARD  -m iprange --src-range 192.168.1.2-192.168.1.255
> --dst-range 192.168.1.2-192.168.1.255 -j DROP
> 
> 
> Thank you!
> 
This is hard to do.  We actually achieved this in the test lab by
integrating the ISCS project (http://iscs.sourceforge.net) with 802.1x.
The result was true, centrally managed, perimeterless security that did
not depend upon the end point or user based clients.  However, it was
only in the test lab.  Until we find a switch vendor willing to ISCS
enable (actually, we call it firepiping as opposed to firewalling) their
devices, the test lab is where it will stay :(  - John
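Added example, not code from the original thread or from either poster: a small POSIX shell audit for the "duplicated IP" and "duplicated MAC" questions in the quoted post. It parses ARP replies in the line format `tcpdump -nn -i br-lan arp` prints, and cross-checks them against the dnsmasq lease file format OpenWrt writes to /tmp/dhcp.leases ("expiry mac ip hostname client-id"). The interface name br-lan and all sample lines are assumptions constructed for the example; they were not captured from a real router. Two caveats worth keeping in mind alongside the posted iptables rule: a packet addressed to the router's own IP goes through INPUT, not FORWARD, so the FORWARD rule by itself does not lock the router out, and frames between two clients on the same Linux bridge only pass through iptables FORWARD when the bridge-netfilter sysctl (bridge-nf-call-iptables) is enabled; otherwise they are handled at layer 2, which is what ebtables is for.

```sh
#!/bin/sh
# Added example (not from the original thread). Audits ARP replies and the
# dnsmasq lease file for duplicated IPs, duplicated MACs and IPs answered by a
# MAC other than the one that holds the DHCP lease. All sample data below is
# constructed; interface name br-lan and file formats are assumptions.

# Constructed ARP replies as printed by `tcpdump -nn -i br-lan arp`.
# 192.168.1.11 is answered by two different MACs, and aa:bb:cc:dd:ee:02
# answers for two different IPs.
ARP_SAMPLE='12:00:01.000000 ARP, Reply 192.168.1.10 is-at aa:bb:cc:dd:ee:01, length 28
12:00:01.100000 ARP, Reply 192.168.1.11 is-at aa:bb:cc:dd:ee:02, length 28
12:00:01.200000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
12:00:02.000000 ARP, Reply 192.168.1.11 is-at aa:bb:cc:dd:ee:03, length 28
12:00:02.500000 ARP, Reply 192.168.1.12 is-at aa:bb:cc:dd:ee:02, length 28
12:00:03.000000 ARP, Reply 192.168.1.10 is-at aa:bb:cc:dd:ee:01, length 28'

# Constructed /tmp/dhcp.leases (dnsmasq): expiry, MAC, IP, hostname, client-id.
LEASES_SAMPLE='1299300000 aa:bb:cc:dd:ee:01 192.168.1.10 alice 01:aa:bb:cc:dd:ee:01
1299300100 aa:bb:cc:dd:ee:02 192.168.1.11 bob 01:aa:bb:cc:dd:ee:02
1299300200 aa:bb:cc:dd:ee:04 192.168.1.12 carol *'

# Reads ARP lines on stdin; prints "DUP-IP <ip> <mac> <mac>..." for every IP
# that was answered by more than one MAC.
dup_ips() {
    awk '/ ARP, Reply / {
            ip = $4; mac = $6; sub(/,$/, "", mac)
            if (!((ip, mac) in seen)) { seen[ip, mac] = 1; macs[ip] = macs[ip] " " mac; n[ip]++ }
         }
         END { for (ip in n) if (n[ip] > 1) print "DUP-IP " ip macs[ip] }' | sort
}

# Reads ARP lines on stdin; prints "DUP-MAC <mac> <ip> <ip>..." for every MAC
# that answered for more than one IP.
dup_macs() {
    awk '/ ARP, Reply / {
            ip = $4; mac = $6; sub(/,$/, "", mac)
            if (!((mac, ip) in seen)) { seen[mac, ip] = 1; ips[mac] = ips[mac] " " ip; n[mac]++ }
         }
         END { for (mac in n) if (n[mac] > 1) print "DUP-MAC " mac ips[mac] }' | sort
}

# $1 = lease file, ARP lines on stdin. Prints one LEASE-MISMATCH line per
# (ip, mac) pair where the answering MAC differs from the lease holder.
# The FNR == NR idiom assumes the lease file is not empty.
lease_mismatch() {
    awk 'FNR == NR { lease[$3] = $2; next }
         / ARP, Reply / {
            ip = $4; mac = $6; sub(/,$/, "", mac)
            if ((ip in lease) && lease[ip] != mac && !((ip, mac) in done)) {
                done[ip, mac] = 1
                print "LEASE-MISMATCH " ip " lease=" lease[ip] " seen=" mac
            }
         }' "$1" -
}

# Runs all three checks over the constructed samples.
audit_sample() {
    leases=$(mktemp) || return 1
    printf '%s\n' "$LEASES_SAMPLE" > "$leases"
    printf '%s\n' "$ARP_SAMPLE" | dup_ips
    printf '%s\n' "$ARP_SAMPLE" | dup_macs
    printf '%s\n' "$ARP_SAMPLE" | lease_mismatch "$leases"
    rm -f "$leases"
}

audit_sample
```

On a live router the same functions take a capture on stdin, e.g. `tcpdump -nn -l -i br-lan arp | lease_mismatch /tmp/dhcp.leases` (the `-l` keeps tcpdump line-buffered). A duplicate MAC is not always hostile (one host with several addresses), but an IP answered by two MACs, or by a MAC that does not hold its lease, is the "hello, I'm 192.168.1.1" case the post worries about and is worth alerting on. For the layer-2 question, the ebtables package the post greps for is the right tool; as an assumed fragment for /etc/firewall.user, `ebtables -A FORWARD --logical-in br-lan -j DROP` drops frames the bridge would forward between its own ports while leaving frames addressed to the router's MAC (which go through ebtables INPUT, so DHCP, ARP to .1 and routed WAN traffic still work) untouched; verify it against the box's own bridge and switch layout, because frames between two wired ports of an integrated switch chip may never reach the CPU at all, and for wireless clients OpenWrt's `option isolate 1` in the wifi-iface section of /etc/config/wireless achieves the same at the access point.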

