jason schaefer » firewall http://jasonschaefer.com documentation and stuff :(){ :|:& };: Thu, 12 Jan 2012 20:15:55 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 * openwrt, firewall to block public wireless from private lan http://jasonschaefer.com/archives/3 http://jasonschaefer.com/archives/3#comments Thu, 08 Oct 2009 02:14:09 +0000 admin http://jasonschaefer.com/?p=3 [...]]]> A while ago Second Street Brewery asked for a good stable public wireless internet connection. Of course, the solution was obvious, openwrt on a linksys wrt54gl. The office, point of sale and public networks all share the same gateway. The problem was segregating the public wireless network from the private office lan. Sam (http://thepromisedlan.org) and I set out to setup a firewall to protect them. This is what we came up with:

check if the following is in /etc/config/firewall otherwise, add it

config include
option path /etc/firewall.user

and in /etc/firewall.user we put:

#Insert this into the chain, so 10.1.10.0/24 (office) can connect to public 192.168.10.0/24.
#This rule gets repeated by the setup script /etc/init.d/firewall.
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

#block all traffic to any possible private network address (10.*.*.*, 172.16-32.*.*, 192.168.*.*)
iptables -I FORWARD 2 -d 192.168.0.0/16 -j DROP
iptables -I FORWARD 2 -d 172.16.0.0/12 -j DROP
iptables -I FORWARD 2 -d 10.0.0.0/8 -j DROP

If you would like to have remote administration on the openwrt so you can access the luci web interface and ssh from the wan side of the router, you can change /etc/config/firewall wan zone to allow it. !!WARNING!! If you are directly connected to the internet, this will expose your open ports to the world. You should take precautions to secure them before changing this firewall rule.

config 'zone'
option 'name' 'wan'
option 'input' 'REJECT' #<- change this to ACCEPT
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
option 'masq' '1'
]]> http://jasonschaefer.com/archives/3/feed 0