# Any iptables/netfilter experts?

## mgnut57

Is it possible to identify (and filter) packets that arrive from a specific last hop?

Currently, I have 2 LANs, one of which is wireless. I have an Ethernet card that is connected to a WiFi router which is configured not as a router, but as a switch/access point. 

Instead of using a separate NIC to connect to the access point, I wonder if it is possible to apply netfilter rules for packets that arrive at my server from the access point. Obviously, it's really the packets from the wireless devices that I want to filter, but all of these packets go via the access point.

----------

## Ant P.

Sounds like you want to filter on MAC address, which (iirc) is done using arptables, not the regular iptables.

----------

## mgnut57

*Ant P. wrote:*

> Sounds like you want to filter on MAC address, which (iirc) is done using arptables, not the regular iptables.

 

Not really, because the MAC addresses that the server sees are those of the wireless devices. While I could filter based on these, I would have to reconfigure for every new device.

----------

## 1clue

Wouldn't your last hop always be the ISP's router that your edge router is hooked to? Do you mean second to last?

And in any case it seems to me that unless your specific router is thought to be compromised, what you're really after is filter by geolocation?

Maybe you could be more specific about what you want? Can you give us some background story on this?

----------

## Ant P.

Can you match by the IP range the wifi traffic comes from? I'm looking at tcpdump output from my own router and there doesn't seem to be any way to differentiate besides that, or MAC (which you said doesn't work).

----------

## mgnut57

*1clue wrote:*

> Wouldn't your last hop always be the ISP's router that your edge router is hooked to? Do you mean second to last?
> 
> And in any case it seems to me that unless your specific router is thought to be compromised, what you're really after is filter by geolocation?
> 
> Maybe you could be more specific about what you want? Can you give us some background story on this?

 

It's not the Internet side that I want to filter like this. 

My architecture is that I have a server/router/firewall which connects to the Internet. This server/router has two additional NICs, one of which is connected to a switch on which other Ethernet devices are connected, the other one connects to my wireless access point. 

I don't want to trust WiFi connected devices as much as the Ethernet connected devices. While I have a solution that works today, I was wondering if it is possible to do something similar with only one NIC instead of two NICs serving the LAN side of my network.

----------

## mgnut57

*Ant P. wrote:*

> Can you match by the IP range the wifi traffic comes from? I'm looking at tcpdump output from my own router and there doesn't seem to be any way to differentiate besides that, or MAC (which you said doesn't work).

 

I could .... if I could make the DHCP server hand out different IP addresses based on the last hop.

The other solution would be to convert my access point into a NAT router, but that would bring many other problems.

----------

## Hu

*mgnut57 wrote:*

> This server/router has two additional NICs, one of which is connected to a switch on which other Ethernet devices are connected, the other one connects to my wireless access point. 

If I understand your network topology, then the answer is simple. You have three NICs. NIC #0 connects to the Internet. NIC #1 connects to a trusted switch. NIC #2 connects to a wireless access point, which is untrusted. You want to treat all traffic from the wireless access point as untrusted, since most such traffic is relayed from wireless clients. The solution is interface-based filtering. You can write a rule that matches depending on which NIC was used to receive the traffic. Look at the --in-interface option on iptables.

----------

## mgnut57

*Hu wrote:*

> *mgnut57 wrote:*
> > This server/router has two additional NICs, one of which is connected to a switch on which other Ethernet devices are connected, the other one connects to my wireless access point.
>
> If I understand your network topology, then the answer is simple. You have three NICs. NIC #0 connects to the Internet. NIC #1 connects to a trusted switch. NIC #2 connects to a wireless access point, which is untrusted. You want to treat all traffic from the wireless access point as untrusted, since most such traffic is relayed from wireless clients. The solution is interface-based filtering. You can write a rule that matches depending on which NIC was used to receive the traffic. Look at the --in-interface option on iptables.

 

You understand my current setup perfectly. 

My question is, can I eliminate NIC #2, connect the wireless access point to a switch that connects to NIC #1 and still do the same filtering on the devices that connect via the wireless access point?

----------

## 1clue

*mgnut57 wrote:*

> *1clue wrote:*
> > Wouldn't your last hop always be the ISP's router that your edge router is hooked to? Do you mean second to last?
> >
> > And in any case it seems to me that unless your specific router is thought to be compromised, what you're really after is filter by geolocation?
> >
> > Maybe you could be more specific about what you want? Can you give us some background story on this?
> ...

 

Are you using a typical WIFI router?

Usually those things hand out their own range of addresses, in the nonroutable ipv4 address range and possibly ipv6. So you would be using NAT on ipv4. 

If your setup works like this, you could always make rules based on the network number right? Surely you will assign the wireless router its own static upstream ip address for your own sanity.

IMO if you have an extra NIC on your router, I can't think of a better use for it than to keep the peasants out of the castle.

----------

## 1clue

*mgnut57 wrote:*

> *Hu wrote:*
> > *mgnut57 wrote:*
> > > This server/router has two additional NICs, one of which is connected to a switch on which other Ethernet devices are connected, the other one connects to my wireless access point.
> >
> > If I understand your network topology, then the answer is simple. You have three NICs. NIC #0 connects to the Internet. NIC #1 connects to a trusted switch. NIC #2 connects to a wireless access point, which is untrusted. You want to treat all traffic from the wireless access point as untrusted, since most such traffic is relayed from wireless clients. The solution is interface-based filtering. You can write a rule that matches depending on which NIC was used to receive the traffic. Look at the --in-interface option on iptables.
>
> You understand my current setup perfectly.
>
> My question is, can I eliminate NIC #2, connect the wireless access point to a switch that connects to NIC #1 and still do the same filtering on the devices that connect via the wireless access point?

 

Does your networking hardware support VLANs? Your switch could assign a single vlan to the port your wifi is on and everything else to another one, and you could filter on that? In that case the wifi router need not know VLANs.

What sort of switch do you have? Is it unmanaged, smart or managed? And how fast is it? Is the firewall/router a higher speed connection than the wifi supports? Or is your bandwidth small enough that it doesn't matter?
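Putting Hu's `--in-interface` advice together with the VLAN idea above, here is an added example (not from anyone in the thread) of what the router side could look like once a smart switch tags the access-point port as VLAN 10. It assumes the names `eth0` (Internet), `eth1` (the single LAN NIC) and `eth1.10` (the VLAN sub-interface for the wifi port), and it prints the commands rather than applying them so they can be reviewed first.

```shell
#!/bin/sh
# Added example: one LAN NIC carries the trusted switch ports untagged and
# the access-point port as 802.1Q VLAN 10. The kernel sees the wifi traffic
# on a separate sub-interface, so plain --in-interface / --out-interface
# matching separates the two segments. Interface names and the VLAN id are
# assumptions; adjust them for your own box.

# gen_rules WAN TRUSTED WIFI -> prints the commands needed for this setup.
# Review the output, then run "gen_rules eth0 eth1 eth1.10 | sh" as root.
gen_rules() {
    wan=$1; trusted=$2; wifi=$3
    cat <<EOF
# VLAN sub-interface for the access-point port (tag 10 on $trusted)
ip link add link $trusted name $wifi type vlan id 10
ip link set $wifi up
# Start from an empty FORWARD chain that drops whatever is not listed
iptables -F FORWARD
iptables -P FORWARD DROP
# Replies to connections already allowed may flow in either direction
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Trusted wired LAN may reach both the Internet and the wifi segment
iptables -A FORWARD -i $trusted -o $wan -j ACCEPT
iptables -A FORWARD -i $trusted -o $wifi -j ACCEPT
# Wifi clients may reach the Internet only; the wired LAN is off limits
iptables -A FORWARD -i $wifi -o $wan -j ACCEPT
iptables -A FORWARD -i $wifi -o $trusted -j DROP
# Wifi clients may talk to the router itself only for DHCP and DNS
iptables -A INPUT -i $wifi -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $wifi -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $wifi -j DROP
EOF
}

# count_forward_rules WAN TRUSTED WIFI -> number of FORWARD rules generated,
# handy for a quick sanity check before piping the output into sh.
count_forward_rules() {
    gen_rules "$1" "$2" "$3" | grep -c '^iptables -A FORWARD'
}

# When run directly, show the rules for the assumed interface names.
gen_rules "${1:-eth0}" "${2:-eth1}" "${3:-eth1.10}"
```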

----------

## mgnut57

Thanks for all the comments. 

I don't think it's possible to eliminate one of the NICs without a much more expensive switch, or configuring my wireless access point as a NAT router instead of a switch.

----------

## 1clue

I wouldn't call myself an iptables expert by any means, but I think you're right. A smart switch might do you, and if you have a gigabit network with low traffic (at least between the switch and the router) then you might get by with VLANs.

There are consumer-grade "smart" switches on amazon for about the same price as unmanaged ones, and they have VLAN support. But I don't know how quick the processor is. I have one but it's in service on a low-bandwidth network. I'll post a link to an equivalent on amazon if I can.

https://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08/dp/B008ABLU2I/ref=sr_1_6?keywords=smart+switch&qid=1552279552&refinements=p_n_feature_keywords_two_browse-bin%3A7306161011%2Cp_n_feature_four_browse-bin%3A5662321011&rnid=5662319011&s=pc&sr=1-6

I'm not sure if that's the one I got, but you search on "vlan gigabit smart switch" and pick one of the consumer ones.

Again I'm not sure what they have for a backplane; I would think it would not be like a commercial grade switch. But it might be worth a try.

I'm assuming your router is the Gentoo box. In that case your router can have VLAN support, and if you get one of these switches (make sure it says smart and vlan both!) then you might have a shot at this.

----------

## Ant P.

You could configure it as a plain router, if it'll allow it. That'll require all routers on your network to know about non-default routes, but it should make the netfilter part much simpler.

----------

## mgnut57

*Ant P. wrote:*

> You could configure it as a plain router, if it'll allow it. That'll require all routers on your network to know about non-default routes, but it should make the netfilter part much simpler.

 

A router, but no NAT. 

I hadn't thought of that. I'll have to see if it's possible.

----------

