[isf-wifidog] Firewall Iptables
Joe Bowser
bowserj at unbc.ca
Sat 11 Feb 23:52:27 EST 2006
On Sat, 2006-02-11 at 23:32 -0500, D Frohman wrote:
> Is it possible to block all outgoing TCP ports until a user has
> authenticated via Wifidog's login page? If they just connect to the
> WAP they can use all ports except port 80.
>
> We tried blocking the ports in the FORWARD chain of iptables, it
> works, but when they authenticate the same rules apply. Any ideas?
>
> Thanks in advance.
What are your firewall rules like? If you are running the WiFiDog
software on a WRT54G running a later OpenWrt firmware, the current
firewall rules do not permit such behaviour. You are going to have to
disable forwarding from the bridge interface to the wan interface:
# The following have been commented out for WiFiDog to work
# iptables -A FORWARD -i br0 -o br0 -j ACCEPT
# iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
Is this in the documentation yet? I'm sure most of the groups that use
WiFiDog are already aware of this issue, however this does need to be documented.
--
Joe Bowser <bowserj at unbc.ca>
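The firewall layout the reply is describing, written out as an added example; this is not WiFiDog's own script and not the OpenWrt firewall script being quoted. The distro's blanket LAN-to-WAN ACCEPT is deliberately absent, forwarding is granted only to clients whose MAC address has been marked as authenticated, and unauthenticated HTTP is redirected to the portal. Interface names (br0, vlan1), the gateway address, the portal port, the mark value and the chain names CP_MARK and CP_FORWARD are assumptions chosen for the example. Setting IPT=echo prints the rules instead of applying them, so the layout can be inspected on any machine.

```shell
#!/bin/sh
# Illustrative captive-portal firewall (added example, not WiFiDog's own rules).
# Interface names, addresses, ports and chain names below are assumptions.
IPT="${IPT:-iptables}"          # IPT=echo gives a dry run that prints the commands
LAN="${LAN:-br0}"               # client-side bridge
WAN="${WAN:-vlan1}"             # upstream interface
GW_IP="${GW_IP:-192.168.1.1}"   # gateway address the portal listens on
PORTAL_PORT="${PORTAL_PORT:-2060}"
AUTH_MARK=2                     # packet mark meaning "client has authenticated"

# Base rule set. Note what is NOT here: no "-A FORWARD -i $LAN -o $WAN -j ACCEPT";
# that catch-all would match before CP_FORWARD and let every client straight out.
setup_base() {
    # mangle/PREROUTING runs first: stamp packets from authenticated MACs.
    $IPT -t mangle -N CP_MARK 2>/dev/null
    $IPT -t mangle -F CP_MARK
    $IPT -t mangle -A PREROUTING -i "$LAN" -j CP_MARK

    # nat/PREROUTING: unmarked HTTP from the LAN goes to the login page.
    $IPT -t nat -A PREROUTING -i "$LAN" -m mark ! --mark "$AUTH_MARK" \
        -p tcp --dport 80 -j DNAT --to-destination "$GW_IP:$PORTAL_PORT"

    # The portal itself is local traffic (INPUT, not FORWARD).
    $IPT -A INPUT -i "$LAN" -p tcp --dport "$PORTAL_PORT" -j ACCEPT

    # filter/FORWARD: everything LAN->WAN must pass through CP_FORWARD.
    $IPT -N CP_FORWARD 2>/dev/null
    $IPT -F CP_FORWARD
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j CP_FORWARD

    # Marked (authenticated) clients may use any port; everyone else only DNS,
    # so the portal hostname resolves; all other unauthenticated traffic is dropped.
    $IPT -A CP_FORWARD -m mark --mark "$AUTH_MARK" -j ACCEPT
    $IPT -A CP_FORWARD -p udp --dport 53 -j ACCEPT
    $IPT -A CP_FORWARD -j DROP
}

# Called when a client passes the login page: one MAC-match rule in CP_MARK.
authorize_client() {
    $IPT -t mangle -A CP_MARK -m mac --mac-source "$1" -j MARK --set-mark "$AUTH_MARK"
}

# Called on logout or timeout: remove exactly the rule added above.
deauthorize_client() {
    $IPT -t mangle -D CP_MARK -m mac --mac-source "$1" -j MARK --set-mark "$AUTH_MARK"
}

# Apply only when explicitly requested, e.g.  CP_APPLY=1 sh captive.sh
# or inspect with  IPT=echo CP_APPLY=1 sh captive.sh
if [ "${CP_APPLY:-0}" = 1 ]; then
    setup_base
fi
```

The point of the layout is ordering: the mark is set in mangle/PREROUTING, which runs before both nat/PREROUTING and filter/FORWARD, so one MAC rule per client flips both the redirect and the forwarding decision. Per-MAC authorisation is only as strong as the MAC itself; a client that spoofs an authenticated address inherits its access, which is an inherent limit of this scheme rather than a configuration error.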