[isf-wifidog] IPTables AuthServers is too loose, how can I tighten it up?

pslists pslists at gmail.com
Wed 22 Jul 10:37:01 EDT 2009

My solution is to add a couple of rules to the start of the FORWARD 
chain using the following commands in the DD-WRT startup script:

sleep 60 && iptables -I FORWARD -d -j REJECT 
--reject-with icmp-port-unreachable &
sleep 60 && iptables -I FORWARD -p tcp -d --dport 8880 -j 

The sleeps ensure that WiFiDog has built its own rules before I put mine 
at the front. This blocks all access to the subnet except 
for access to the Auth web server at

I was stalled for a while as my original rules specified 
as the reject subnet, and in that case, both rules saw the packets as 
shown by "iptables --list FORWARD -vn" and the 8880 packets were 
rejected. Is this right? And why, surely the accept should have 
prevented the reject rule from being tested as is the case with /24?

Thanks for your help,

listserv.traffic at sloop.net wrote:
> I'm pretty sure the gateway conf file for wifidog will allow you to
> block stuff pretty easily. (This only works if the GW is between the
> wifi clients and the points/hosts you need protected - which in your
> case appears to be the case.)
> It's been a while since I looked at it, but I know there are
> universal blocks, such as blocking port 25 all the time.
> I'd assume that blocking CIFS for all wifi users might well be
> appropriate.
> I also recall there being sections to define rules for un-authed
> clients etc, so I'm guessing there's somewhere you can fit in what
> you need.
> On openWRT IIRC the wifidog.conf file is in /etc/
> Cheers,
> Greg
>> I am running the WifiDog that comes with DD-WRT v24-sp2. The WiFi router
>> is connected to my private LAN ( and thence to a ZyXel 
>> ADSL router and so to the Internet. I want to block all access from the
>> WiFi subnet ( to the LAN with the exception of the Auth
>> server on and the ZyXel gateway.
>> The problem is that the IPTables created by WiFiDog have a group for 
>> AuthServers as the first WiFiDog group and this allows unrestricted 
>> access to the Auth server IP address, not just to the port providing the
>> Auth services.
>> As a result, even unknown users have unrestricted, e.g. CIFS, access to
>> the server, which is in fact a Synology DS207+ NAS server with NFS and
>> CIFS shares and other services that I don't want to make public.
>> I could update the IPTables by hand, or by script after WiFiDog is 
>> started, or by cron job to make sure they are not overwritten, but this
>> seems like a bit of a kludge.
>> Is there a way to get WiFiDog configuration to protect my server, or 
>> should I raise a ticket for this exposure?
>> Pete Shew
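As an added example, not code from the original post, the two DD-WRT startup lines above rewritten so that the final order of the rules is deterministic. The addresses were scrubbed from the archived mail, so the subnet and auth-server values below are placeholders (RFC 5737 test addresses) that must be replaced; port 8880 and the ACCEPT/REJECT targets come from the thread, and the script file name is illustrative. iptables walks a chain top to bottom and stops at the first rule whose target terminates (ACCEPT or REJECT), so a packet matched by the ACCEPT never reaches the REJECT whatever the mask width; what decides the outcome is which rule ends up on top. Since `-I` inserts at position 1, the rule inserted last is evaluated first, and two independently backgrounded `sleep 60 && iptables -I ... &` jobs leave that order to chance. The script performs both inserts sequentially in one background job, REJECT first and the narrower ACCEPT last.

```shell
#!/bin/sh
# Added example: deterministic replacement for the "sleep 60 && iptables -I ..." lines.
# PLACEHOLDER values: the real addresses were scrubbed from the archived post.
LAN_SUBNET="${LAN_SUBNET:-192.0.2.0/24}"   # placeholder: private LAN to shield from WiFi clients
AUTH_SERVER="${AUTH_SERVER:-192.0.2.10}"   # placeholder: host running the WiFiDog auth server
AUTH_PORT="${AUTH_PORT:-8880}"             # auth-server port named in the thread
WAIT="${WAIT:-60}"                         # seconds to let WiFiDog finish building its own chains
IPT="${IPT:-iptables}"                     # set IPT=echo to print the rules instead of applying them

# Both inserts in one function, in the order that yields the intended chain:
# "-I" puts each rule at position 1, so the REJECT goes in first and the narrow
# ACCEPT for the auth port goes in last, landing above it.
install_rules() {
    "$IPT" -I FORWARD -d "$LAN_SUBNET" -j REJECT --reject-with icmp-port-unreachable
    "$IPT" -I FORWARD -p tcp -d "$AUTH_SERVER" --dport "$AUTH_PORT" -j ACCEPT
}

# One background job does the wait and then both inserts sequentially, so the
# startup script returns immediately but the two rules cannot race each other.
install_rules_after_wifidog() {
    ( sleep "$WAIT" && install_rules ) &
}

# Show the resulting chain with rule numbers and packet counters: a packet that
# matches the ACCEPT should leave the REJECT counter untouched.
show_forward_chain() {
    "$IPT" -L FORWARD -vn --line-numbers
}

# Entry point from the DD-WRT startup script:   sh tighten-forward.sh install
# if WiFiDog is already running:                sh tighten-forward.sh now
# to inspect the chain afterwards:              sh tighten-forward.sh show
case "${1:-}" in
    install) install_rules_after_wifidog ;;
    now)     install_rules ;;
    show)    show_forward_chain ;;
esac
```

With `IPT=echo` the script prints the two iptables invocations in insertion order without touching the firewall, which is a cheap way to check the placeholder values before pasting it into the DD-WRT startup hook; `show` afterwards confirms that the ACCEPT sits at rule 1 and the REJECT at rule 2.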
