Hi list,

We're operating a few wifi access points that allow connecting without any password/encryption. To tighten security a bit, I've added ebtables rules on the individual APs. (The APs are PC Engines Alix boards running Debian and hostapd.) I'd appreciate feedback on the effectiveness of my approach and whether there are other low-hanging fruit to further separate clients.

These are the rules:
#!/bin/sh
# Flush the filter and nat tables before (re)loading the rules
ebtables -F
ebtables -t nat -F

# Block packets from the wifi side that purport to be from a gateway address
ebtables -A FORWARD --in-interface wlan+ --protocol arp --arp-ip-src 10.0.0.1 -j DROP
ebtables -A FORWARD --in-interface wlan+ --protocol arp --arp-ip-src 10.1.1.1 -j DROP
ebtables -A FORWARD --in-interface wlan+ -s 02:ba:de:af:fe:00 -j DROP

# Block DHCP server responses and IPv6 router advertisements from the wifi side
ebtables -A FORWARD --in-interface wlan+ --protocol ipv4 --ip-protocol udp --ip-source-port 67 -j DROP
ebtables -A FORWARD --in-interface wlan+ --protocol IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 134 -j DROP

# Allow visitors to talk to the gateway only:
# just send all packets to the gateway at 02:ba:de:af:fe:00 regardless of target address
ebtables -t nat -A PREROUTING --in-interface wlan0_+ -j dnat --to-destination 02:ba:de:af:fe:00
ebtables -t nat -A PREROUTING --in-interface wlan1_+ -j dnat --to-destination 02:ba:de:af:fe:00

# Block STP on the wifi side (frames to or from the bridge group address
# leaving on a wlan interface, in both the OUTPUT and FORWARD chains)
for T in OUTPUT FORWARD; do ebtables -A $T --out-interface wlan+ --source BGA -j DROP; done
for T in OUTPUT FORWARD; do ebtables -A $T --out-interface wlan+ --destination BGA -j DROP; done

Explanation of the interfaces and addresses:

wlan0, wlan1: used for internal WPA-secured traffic
wlan0_0, wlan1_0: open for guests
10.0.0.1/24: internal network (somewhat trusted)
10.1.1.1/24: guest network (untrusted)
02:ba:de:af:fe:00: MAC address of the gateway interface in 10.1.1.1

The idea is to prevent guests from talking to each other. This improves security and removes broadcast noise, because broadcast traffic is only seen by the gateway. In particular, I expect this approach to prevent wifi clients from impersonating the IP gateway. This should prevent the most common form of MitM attacks. I'm aware that it's not a total separation and that there are still opportunities for client-address spoofing.

Maybe you see areas where clients could be separated further?

Thanks,
Stephan
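An added example, not from Stephan's post: a small Python model of the ruleset above that walks constructed frames through nat PREROUTING and then filter FORWARD, showing which guest frames are dropped and which are redirected to the gateway MAC. The Frame fields, the "DROP"/"ACCEPT" strings and the caller-supplied out_if are simplifications of this model, not ebtables' own data structures.

```python
from dataclasses import dataclass, replace
from typing import Optional

GATEWAY_MAC = "02:ba:de:af:fe:00"        # gateway MAC from the post
GATEWAY_IPS = {"10.0.0.1", "10.1.1.1"}   # gateway IPs from the post
BGA = "01:80:c2:00:00:00"                # ebtables' BGA alias (STP group address)


@dataclass
class Frame:
    """Simplified view of one bridged frame (fields chosen for this model)."""
    in_if: str
    out_if: str                          # supplied by the caller; a real bridge looks it up
    src_mac: str
    dst_mac: str
    proto: str = "ipv4"                  # "arp", "ipv4", "ipv6" or "stp"
    arp_ip_src: Optional[str] = None     # sender IP of an ARP packet
    udp_sport: Optional[int] = None      # UDP source port of an IPv4 packet
    icmp6_type: Optional[int] = None     # ICMPv6 type of an IPv6 packet


def is_wifi(ifname: str) -> bool:        # what "wlan+" matches
    return ifname.startswith("wlan")


def is_guest(ifname: str) -> bool:       # what "wlan0_+" / "wlan1_+" match
    return ifname.startswith(("wlan0_", "wlan1_"))


def nat_prerouting(f: Frame) -> Frame:
    """-t nat PREROUTING: every frame from a guest SSID is sent to the gateway MAC."""
    return replace(f, dst_mac=GATEWAY_MAC) if is_guest(f.in_if) else f


def filter_forward(f: Frame) -> str:
    """filter FORWARD rules in the post's order; the chain policy is ACCEPT."""
    if is_wifi(f.in_if):
        if f.proto == "arp" and f.arp_ip_src in GATEWAY_IPS:
            return "DROP"                # ARP claiming a gateway address
        if f.src_mac == GATEWAY_MAC:
            return "DROP"                # source MAC spoofed as the gateway
        if f.proto == "ipv4" and f.udp_sport == 67:
            return "DROP"                # DHCP server reply from a client
        if f.proto == "ipv6" and f.icmp6_type == 134:
            return "DROP"                # IPv6 router advertisement from a client
    if is_wifi(f.out_if) and BGA in (f.src_mac, f.dst_mac):
        return "DROP"                    # STP frames heading out to the wifi side
    return "ACCEPT"


def bridge(f: Frame) -> tuple:
    """Run one frame through nat PREROUTING, then filter FORWARD: (verdict, dst_mac)."""
    f = nat_prerouting(f)
    return filter_forward(f), f.dst_mac
```

Note that the ARP and MAC checks use wlan+, so they also apply to clients on the internal SSIDs, while only the guest SSIDs get the dnat redirect.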

