<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
My solution is to add a couple of rules to the start of the FORWARD
chain using the following commands in the DD-WRT startup script:<br>
<br>
sleep 60 && iptables -I FORWARD -d 192.168.0.0/24 -j REJECT
--reject-with icmp-port-unreachable &<br>
sleep 60 && iptables -I FORWARD -p tcp -d 192.168.0.16 --dport
8880 -j ACCEPT &<br>
<br>
The sleeps ensure that WiFiDog has built its own rules before I put
mine at the front. This blocks all access to the 192.168.0.0/24 subnet
except for access to the Auth web server at 192.168.0.16:8880.<br>
<br>
I was stalled for a while as my original rules specified 192.168.0.0/16
as the reject subnet, and in that case, both rules saw the packets as
shown by "iptables --list FORWARD -vn" and the 8880 packets were
rejected. Is this right? And why, surely the accept should have
prevented the reject rule from being tested as is the case with /24?<br>
<br>
Thanks for your help,<br>
Pete<br>
<br>
<a class="moz-txt-link-abbreviated" href="mailto:listserv.traffic@sloop.net">listserv.traffic@sloop.net</a> wrote:
<blockquote cite="mid:1575311511.20090721093313@sloop.net" type="cite">
<pre wrap="">I'm pretty sure the gateway conf file for wifidog will allow you to
block stuff pretty easily. (This only works if the GW is between the
wifi clients and the points/hosts you need protected - which in your
case appears to be the case.)
It's been a while since I looked at it, but I know there are
universal blocks, such as blocking port 25 all the time.
I'd assume that blocking CIFS for all wifi users might well be
appropriate.
I also recall there being sections to define rules for un-authed
clients etc, so I'm guessing there's somewhere you can fit in what
you need.
On openWRT IIRC the wifidog.conf file is in /etc/
Cheers,
Greg
</pre>
<blockquote type="cite">
<pre wrap="">I am running the WifiDog that comes with DD-WRT v24-sp2. The WiFi router
is connected to my private LAN (192.168.0.0/24) and thence to a ZyXel
ADSL router and so to the Internet. I want to block all access from the
WiFi subnet (192.168.6.0/24) to the LAN with the exception of the Auth
server on 192.168.0.16:8880 and the ZxXel gateway.
</pre>
</blockquote>
<blockquote type="cite">
<pre wrap="">The problem is that the IPTables created by WiFiDog have a group for
AuthServers as the first WiFiDog group and this allows unrestricted
access to the Auth server IP address, not just to the port providing the
Auth services.
</pre>
</blockquote>
<blockquote type="cite">
<pre wrap="">As a result, even unknown users have unrestricted, e.g. CIFS, access to
the server, which is in fact a Synology DS207+ NAS server with NFS and
CIFS shares and other services that I don't want to make public.
</pre>
</blockquote>
<blockquote type="cite">
<pre wrap="">I could update the IPTables by hand, or by script after WiFiDog is
started , or by cron job to make sure they are not overwritten, but this
seems like a bit of a kludge.
</pre>
</blockquote>
<blockquote type="cite">
<pre wrap="">Is there a way to get WiFiDog configuration to protect my server, or
should I raise a ticket for this exposure?
</pre>
</blockquote>
<blockquote type="cite">
<pre wrap="">Pete Shew
</pre>
</blockquote>
<pre wrap=""><!----></pre>
</blockquote>
<BR>
<BR>
__________ Information from ESET Smart Security, version of virus signature database 4267 (20090722) __________<BR>
<BR>
The message was checked by ESET Smart Security.<BR>
<BR>
<A HREF="http://www.eset.com">http://www.eset.com</A><BR>
</body>
</html>