OpenWRT, firewall to block public wireless users from private lan behind wan

The updated and more flexible way to do this is outlined here. It also requires updated hardware. The wrt54gl only supports openwrt v10 (backfire). I would like to add that despite the wrt54gl literally being ancient, its still a rock solid device today. Of course, only if openwrt is installed!

A while ago Second Street Brewery asked for a good stable public wireless internet connection. Of course, the solution was obvious, openwrt! In this case a linksys wrt54gl. The office, point of sale and public networks all share the same gateway. The problem was segregating the public wireless network from the private office lan. Sam (http://thepromisedlan.org) and I set out to setup a firewall to protect them. This is what we came up with:

         "secured office wifi"
                /
ISP <-fw-> office LAN 10.1.10.0/24 <-fw-> (linksys) "open public wifi" 
(clients on public wifi cannot reach 10.1.10.0/24 or any other private subnet)

check if the following is in /etc/config/firewall otherwise, add it

config include
option path /etc/firewall.user

and in /etc/firewall.user we put:

#Insert this into the chain, so 10.1.10.0/24 (office) can connect to public 192.168.10.0/24.
#This rule gets repeated by the setup script /etc/init.d/firewall.
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

#block all traffic to any possible private network address (10.*.*.*, 172.16-32.*.*, 192.168.*.*)
iptables -I FORWARD 2 -d 192.168.0.0/16 -j DROP
iptables -I FORWARD 2 -d 172.16.0.0/12 -j DROP
iptables -I FORWARD 2 -d 10.0.0.0/8 -j DROP

If you would like to have remote administration on the openwrt so you can access the luci web interface and ssh from the wan side of the router, you can change /etc/config/firewall wan zone to allow it. !!WARNING!! If you are directly connected to the internet, this will expose your open ports to the world. You should take precautions to secure them before changing this firewall rule.

config 'zone'
  option 'name' 'wan'
  option 'input' 'REJECT' #

or if you just want to allow remote ssh access

config rule
  option target 'ACCEPT'
  option src 'wan'
  option proto 'tcp'
  option dest_port '22'
  option name 'ssh'

 


Comments

Leave a Reply

Your email address will not be published. Required fields are marked *