# Prevent hosts from accessing local network

## litan

I don't know much about IP networking and have no idea if what I want is even possible.

My router runs Gentoo.

I am already filtering unwanted IP addresses and MAC addresses and do checks if

a host uses only his allowed IP address. This works fine from network to network,

but since the router has only 3 ethernet cards, I have to use switches.

The switches allow for direct communication between hosts; the router will not even see

the packets. If there is a way to prevent this, please let me know, since it would be great to

configure only one firewall and not many.

Now I wonder if it is possible to deny unwanted hosts (identified by MAC or otherwise) to

get IP addresses at all. I believe this is possible with DHCP, but I would like to not use DHCP,

and all DHCP routers I have seen allowed static IP's anyway.

I am aware that MAC filtering is security through obscurity, but it is very effective against

non-technical users trying to hook their notebooks on my network  :Smile: 

Most already fail because of the lack of DHCP, but I also want to keep out those who don't know

how to sniff packets and do MAC spoofing.

----------

## szatox

I don't really see your point, but who knows, maybe I'm turning psychic.

In case of wifi any enryption (even old, broken WEP) would keep non-technical (ab)users away. In case of wires, lack of visible sockets gives you similar security.

Don't be afraid of assigning addresses with DHCP, it makes configuration easier (even with static IP) and you can even set separate pools for known and unknown users, so they all would get an IP, perhaps even see and talk to each other, but you can cut unknown users out of access to external network using firewall on your router (so they only have access to local network, but not the internet  connection)

Finaly, if you want to do it in "secure" way go for radius and make users login to your network. They will still be able to talk to other computers connected to local network though. Or cut the power cords if you're paranoid  :Very Happy: 

Anyway, you can't ensure hosts within your local network will not attack each other unless you controll them all. That's what firewall on every single machine is for. The only thing you should be concerned about it your end of the link.

----------

## litan

szatox, thank you for your reply.

Hiding of the sockets would not be easy and would get in my way.

If it is not possible for the router to deny the hosts IP adresses,

I will just do it the hard way and configure mac filtering on every single host, as you suggest.

----------

## szatox

I don't suggest filtereing macs at all. Unfortnately I don't understand your setup and your problem so I've just made a guess.

If you have dhcp on your router, you can use it to assign static IP, dynamic IP, or deny IP at all, but if you deny IP your client is likely to get one himself with APIPA, avahi, neighbour discovery or another decentralized kind of stuff designed for zero-configuration network.

Once you have IP assigned you can set iptables to allow connections from the same pool dhcp assigns to known hosts and reject (or silently drop) packets from others, but most likely you either don't need security rules against PCs from your local network at all (I assume if you can connect to my network I already trust you  :Very Happy: ), or you should go for VPN or ssh tunel if that extra security is really nessesery.

Also, you say your router has 3 network devices, so why won't you make one network "trusted", the other "public" and go to the internet with 3-rd device?

You could to whatever you want with data sent between public and trusted this way, doesn't matter how many switches are in each of those networks as long as router is the only connection between them.

If you described what you want to acieve, finding  a sollution would be easy

----------

## olek

You could set up VPNs on your main router and set up different firewall rules for each VPN. You can even block client-to-client-communication, as in a VPN you can force each packet to pass the router.

But you would have to set up every machine as a VPN-client.

----------

## litan

szatox,

thank you for the pointers. I did some reading about APIPA, avahi, and

neighbour discovery.

I don't use avahi or the like, and since my network is ipv4 only, neighbour

discovery is also out of the picture.

I will describe my setup a bit more:

One of the three network devices of the router is connected to the internet,

the second is connected to a local network containing workstations, and servers

for local services. This network is trusted. The thrird network device is

connected to a second local network containing some servers to which the

router forwards corresponding public ports. This network is also trusted,

because it also hosts services, which are only accessible locally.

I want to seperate those two, because the one containing the workstations

is actually much more trusted than the other.

As you see, I have no network cards left for a "public" network, which

wouldn't do any good, since some ports of the other two networks would be

exposed anyway (I'm no cable guru). So I don't want my security to rely on

physical access restrictions to the cables or the switches. This is not feasible.

Even if I could trust the poeple who are using or trying to use my network

(over which I do not always have control on a social level), I can certainly

not trust their devices. I assume that a worm or virus will try anything to

infect other machines on the network (if this is realistic or not is not my

concern, I just like to be prepared).

I tested the following:

After connecting a new host (which MAC address is not allowed by the router

firewall) to the second local network, which I will call

LAN_2, I configured a static IP address (which is also not

allowed on the firewall) and as expected, I was not able to send packets to

the router or to LAN_1. But I was able to send packets to all hosts on LAN_2

(which is not wanted).

Did I understand correctly that DHCP could prevent that?

And if so, would this scenario then still be possible with a link local / APIPA address?

olek,

thanks for your idea. I find this really interesting, especially because it

would also prevent packet sniffing, if I'm not mistaken.

So I would block all traffic on, say, eth0, and allow on tun0. Like this I could

maintain a single centralized firewall on the router, without worrying about

the clients' firewall config, right?

----------

## olek

 *Quote:*   

> > prevent packet sniffing

 

I'm no expert in such things, but as you can encrypt the VPN-connection, yes?

 *Quote:*   

> > So I would block all traffic on, say, eth0, and allow on tun0.

 

For eth0, you would only allow income on the ports necessary for the VPN-servers and maybe DHCP, DNS, whatever else needed to make a connection to the VPN-server and maybe the things you want everything on your network to have access to. 

Then you can create multiple VPNs with different subnetworks. Maybe one for trusted network-members, one for guests, etc. With openvpn configured to authenticate by certificates, you could generate certificates for every specific trusted network-member (so that you can revoke access for single members later) and one certificate for the guests-VPN which can be used by multiple members at once, for convinience .

 *Quote:*   

> > Like this I could maintain a single centralized firewall on the router, without worrying about the clients' firewall config, right?

 

That way you'll have different interfaces (tun0, tun1, ...) and subnetworks, which you can route and make rules for very specifically in the only one firewall on the server hosting the VPNs. So, yes  :Wink: 

----------

## szatox

Ok, I get it now.

It doesn't matter if you don't trust user or device. If there is any single point that you don't trust, it's not a trusted network.

However, I'm afraid what you're trying to do it cutting all hands off to avoid theft when someone leaves his door open.

ok, so here we go: you don't have a controll over your users, you don'ttrust their devices, so I'm gonna consider it a public, untrusted and insecure network. In such an environment don't even bother filtering traffic on router. Why? Becouse it's pointless, overegeeniered, and most likely would fail anyway.

You don't protect your pcs on network level, you do it on service level using target's own firewall. Make firewall drop all packets sent do "invalid" (like in unused) ports, and make sure every single service you don't block is secure.

You want ssh? no problem it requires you to log in.

You want writable NFS? Uuh... either do that with trusted VPN or only allow it over secure tunel that requires you to log in.

You want read-only NFS that doesn't contain confidential data? Setting it to read only in export optins is good enough.

Talking about decentralised IP systems: every network device can have multiple IPs assigned and might use different methods to get them. Even if your pc doesn't use it, another device might (same goes about IPv6, switches don't care). With APIPA it will simply ask network who owns some IP and if nobody responds, it will claim it. If there are more devices plugged in, they will form another subnet using the same wires. This is something you can't prevent with switches (but you can claim all adresses for yourself   :Wink:   and an attacker can ignore your claim). Also, they will be able to send packets to your known pcs. To prevent this completly, you'd either have to go with PPPoE or WPA over wired connection. Either of those seems to be an overkill though.

----------

## litan

olek,

thank you. This sounds very good to me,

I will look into that. (example config below)

szatox,

thank you for your further explanations.

 *Quote:*   

> It doesn't matter if you don't trust user or device. If there is any single point that you don't trust, it's not a trusted network. 

 

yeah, I got that backwards.. I have only untrusted networks.

Thank you for getting me out of that delusion.

 *Quote:*   

> In such an environment don't even bother filtering traffic on router. Why? Becouse it's pointless, overegeeniered, and most likely would fail anyway. 

 

How about the VPN idea olek pointed out? Would that fail, too?

I don't have too much experience with VPNs, but it sounds pretty viable to me,

and if I understand it correctly, this approch would allow me to dumb down the firewall configuration

on the VPN clients to a bare minimum and do it all in one place.

On a client I would do something like this:

```
iptables -P INPUT DROP

iptables -P OUTPUT DROP

iptables -P FORWARD DROP

iptables -A OUTPUT -o eth0 -d ${router} -p udp --dport openvpn -j ACCEPT

iptables -A INPUT -i eth0 -s ${router} -p udp --sport openvpn -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o tun0 -d ${router_vpn} -j ACCEPT

iptables -A INPUT -i tun0 -s ${router_vpn} -j ACCEPT

```

Then on the router I would to the real filtering for all devices connected via a VPN,

and block all traffic on the physical interfaces except for VPN traffic, like I do on the clients.

In this setup, assuming all clients connect to a different VPN, I would be able to be certain that if

a packet comes in to my routers corresponding tun device, which I configured for that client,

that it really is a packet origination from the device of which I think it is and can filter it accordingly.

Doing protection on a service level for each client on its tun device would then be redundant, right?

(but I don't dislike redundancy either, so maybe I will implement both approaches if I really go paranoid)

The problem I see with protection on the service level only, while not preventing IP access to those

services by untrusted devices, like I would do on the internet for public services, is that

I don't want that 0-day vulnerability on my whatever service exploited by an untrusted device,

if I don't have to expose it, as most of my services are not meant to be public.

Lets suppose I grant IP access only to a MySQL server, and drop packets on all other ports and that my

MySQL configuration is bulletproof;

as I understand, there is always the possibility that MySQL has a weird bug, allowing access to anyone

and ignoring any authentication, if they only ask often enough (I believe something like that was actually

the case some time ago).

This should only serve as an example as I would not really do MySQL on an untrusted network without

a secure tunnel anyway, but it's easier to bash MySQL than OpenSSH for example   :Very Happy:  , and you get the idea.

Therefore I would like to grant only specific trusted clients access on the IP layer to those services,

which as you pointed out, is not possible with switches, except if I do WPA or PPPoE.

So how about VPNs as outlined above?

(I like it since it would also solve the >secure tunnel for insecure connections< problem as a whole)

Please point out if I understand something wrong again. Thanks!

----------

