[isf-wifidog] IPTables AuthServers is too loose, how can I tighten it up?

pslists pslists at gmail.com
Tue Jul 21 16:00:30 EDT 2009


Greg,
    the first chain inserted by WiFiDog is the one that allows all ports 
on the Auth Server, and there is no configuration that I can see, either 
GUI or wifidog.conf, that allows me to touch that.

I have sort of cracked it by inserting rules into the FORWARD chain 
before the WiFiDog_WIFI2Internet jump. However my understanding of the 
rules seems to be incomplete :-)

I wanted to use ..

iptables --insert FORWARD --protocol all --destination 192.168.0.0/16 \
    --jump REJECT --reject-with icmp-port-unreachable
iptables --insert FORWARD --protocol tcp --destination 192.168.0.16 \
    --destination-port 8880 --jump ACCEPT

 .. which puts the ACCEPT rule first. But looking at the packet count 
when trying to telnet to 192.168.0.16 8880 I saw that both rules saw the 
packets and the REJECT seemed to win. I thought that once an ACCEPT was 
matched that was the end. Perhaps my match wasn't good enough.

What I have now is ..

iptables --insert FORWARD --protocol tcp --destination 192.168.0.16 \
    ! --destination-port 8880 --jump REJECT --reject-with icmp-port-unreachable
iptables --insert FORWARD --protocol udp --destination 192.168.0.0/16 \
    --jump REJECT --reject-with icmp-port-unreachable

.. which doesn't quite protect everything, but covers most of the bases, 
certainly CIFS.

I think I'm getting there, thanks,
Pete
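Pete is re-inserting rules by hand and then reading packet counters to see which one won. As an added example (not code from the thread), the script below does the same job in a way that can be re-run after WiFiDog rewrites its chains: it emits the three FORWARD rules with explicit rule numbers so the chain order no longer depends on the order the commands are typed, and checks an iptables-save dump to confirm the auth-server ACCEPT is evaluated before the LAN REJECT. The LAN, WiFi subnet and auth-server values come from the thread; the gateway address 192.168.0.1 and the sample dump are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Values from the thread: LAN
# 192.168.0.0/24, auth server 192.168.0.16:8880. GW_IP is a placeholder.
AUTH_IP=192.168.0.16
AUTH_PORT=8880
LAN_NET=192.168.0.0/24
GW_IP=192.168.0.1            # placeholder for the ZyXel ADSL router

# Emit the rules with explicit rule numbers. Plain "--insert FORWARD" always
# inserts at position 1, so a later command lands above an earlier one;
# numbering the positions makes the chain order match the order written here.
wifidog_lan_rules() {
  printf '%s\n' \
    "iptables -I FORWARD 1 -p tcp -d $AUTH_IP --dport $AUTH_PORT -j ACCEPT" \
    "iptables -I FORWARD 2 -d $GW_IP -j ACCEPT" \
    "iptables -I FORWARD 3 -d $LAN_NET -j REJECT --reject-with icmp-port-unreachable"
}

# Read iptables-save output on stdin. Return 0 if the FORWARD chain contains
# the auth-server ACCEPT and it comes before any REJECT covering the LAN
# (iptables-save lists rules in evaluation order), otherwise 1. Worth running
# from the same cron job that re-applies the rules after WiFiDog restarts.
check_order() {
  awk -v ip="$AUTH_IP" -v port="$AUTH_PORT" -v lan="$LAN_NET" '
    $1 == "-A" && $2 == "FORWARD" {
      n++
      if (!acc && index($0, "-d " ip) && index($0, "--dport " port) &&
          index($0, "-j ACCEPT")) acc = n
      if (!rej && index($0, "-d " lan) && index($0, "-j REJECT")) rej = n
    }
    END { ok = acc && (!rej || acc < rej); exit ok ? 0 : 1 }'
}

# Constructed iptables-save fragment showing the intended order.
SAMPLE_SAVE='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.0.16/32 -p tcp -m tcp --dport 8880 -j ACCEPT
-A FORWARD -d 192.168.0.1/32 -j ACCEPT
-A FORWARD -d 192.168.0.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j WiFiDog_WIFI2Internet
COMMIT'

wifidog_lan_rules
if printf '%s\n' "$SAMPLE_SAVE" | check_order; then
  echo "order OK: auth-server ACCEPT precedes LAN REJECT"
else
  echo "order WRONG: LAN REJECT is evaluated before the auth-server ACCEPT"
fi
```

On the router itself, pipe the live ruleset in with `iptables-save | check_order` instead of the constructed sample.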




listserv.traffic at sloop.net wrote:
> I'm pretty sure the gateway conf file for wifidog will allow you to
> block stuff pretty easily. (This only works if the GW is between the
> wifi clients and the points/hosts you need protected - which in your
> case appears to be the case.)
>
> It's been a while since I looked at it, but I know there are
> universal blocks, such as blocking port 25 all the time.
>
> I'd assume that blocking CIFS for all wifi users might well be
> appropriate.
>
> I also recall there being sections to define rules for un-authed
> clients etc, so I'm guessing there's somewhere you can fit in what
> you need.
>
> On openWRT IIRC the wifidog.conf file is in /etc/
>
> Cheers,
> Greg
>
>
>> I am running the WifiDog that comes with DD-WRT v24-sp2. The WiFi router
>> is connected to my private LAN (192.168.0.0/24) and thence to a ZyXel
>> ADSL router and so to the Internet. I want to block all access from the
>> WiFi subnet (192.168.6.0/24) to the LAN with the exception of the Auth
>> server on 192.168.0.16:8880 and the ZyXel gateway.
>>
>> The problem is that the IPTables created by WiFiDog have a group for
>> AuthServers as the first WiFiDog group and this allows unrestricted
>> access to the Auth server IP address, not just to the port providing the
>> Auth services.
>>
>> As a result, even unknown users have unrestricted, e.g. CIFS, access to
>> the server, which is in fact a Synology DS207+ NAS server with NFS and
>> CIFS shares and other services that I don't want to make public.
>>
>> I could update the IPTables by hand, or by script after WiFiDog is
>> started, or by cron job to make sure they are not overwritten, but this
>> seems like a bit of a kludge.
>>
>> Is there a way to get WiFiDog configuration to protect my server, or
>> should I raise a ticket for this exposure?
>>
>> Pete Shew






More information about the WiFiDog mailing list