Guest network routing, WLAN extension (e.g. WDS) etc

Got problems with your B2 or B3? Share and get helped!
gonk
Posts: 93
Joined: 30 May 2012, 01:53

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by gonk » 14 Jul 2013, 17:54

Maybe someone find the extensive tutoral at http://www.frozentux.net/documents/iptables-tutorial/ worth digging into.

Image

Gordon
Posts: 1360
Joined: 10 Aug 2011, 03:18

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by Gordon » 15 Jul 2013, 10:29

gonk wrote:Thanks for the explanation but I'm not very interested in protecting other client machines on the internal network from guests trying to access them since they all have their software firewalls so disallowing access to the B3 is the topic for my request.
Okay, if you're sure than that simplifies the exercise and you can restrict yourself to adding a single firewall rule to the B3.
gonk wrote:I'll try to figure out how to manually add firewall rules that will persist reboots and software updates.
Every firewall rule that you add to the B3 will persist reboots. That is actually very dangerous and the reason why I did a rewrite of the standard INIT-V firewall script that makes this behaviour optional. You'll find it in the Howto section on this forum. I also created a package for it, by annoyingly DynDNS service flunked my hostname even though the updater returned a success every time and I can't get it back.

So anyone who was/is linking to my repository: it's gone. I'm truly sorry.
gonk wrote:I'll try to figure out how to manually add firewall rules that will persist reboots and software updates.

In the B3 web interface you can only set up two type of firewall rules and neither match the need of blocking some internal clients from accessing the B3...
That is correct. The basic principle of the home server is that everything that is on the LAN side is trusted and that everything on the WAN side should be stopped. Excito did not provide a way to disallow certain clients on the LAN side and that is probably a good thing since a mistake is easily made.

The listing of /etc/network/firewall.conf is indeed a backup (and the source) of the active firewall rules. What you need is two rules inserted between the third and fourth INPUT line
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -s 192.168.0.2 -j DROP
-A INPUT -i br0 -j ACCEPT
The first rule is very important and also I suggest that you do not edit /etc/network/firewall.conf directly

Use the following command sequence instead to insert at lines 4 and 5:

Code: Select all

iptables -I INPUT 4 -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT 5 -i br0 -s 192.168.0.2 -j DROP
Verify that you can setup a new SSH connection, but do not disconnect your current SSH session !!!

If you find that you can no longer connect than run

Code: Select all

iptables-restore < /etc/network/firewall.conf
This will restore the original firewall

If you find that your original SSH session has also become unresponsive than pull the power cord on your B3. Really: I'm not joking! This is the only thing that will stop the B3 from saving the rule that is now prohibiting you to access it and restore it during boot time.

If you're happy with the result than save the rules by running

Code: Select all

iptables-save > /etc/network/firewall.conf
If you need to give the guest network access to specific services, such as DNS, then repeatedly insert the corresponding rule at line 5 (i.e. between the two already inserted lines).

Code: Select all

iptables -I INPUT 5 -i br0 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT 5 -i br0 -p udp --dport 53 -j ACCEPT
(do note that domain lookups should use UDP but can also sometimes use TCP - hence two rules in this case)

Gordon
Posts: 1360
Joined: 10 Aug 2011, 03:18

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by Gordon » 15 Jul 2013, 10:45

gonk wrote:Maybe someone find the extensive tutoral at http://www.frozentux.net/documents/iptables-tutorial/ worth digging into.
Yes there is a lot of stuff that you can do with netfilter. Some useful, some just for play (mostly to annoy hackers). Most people will never use anything but a basic MASQUERADE rule and possibly a few filter (INPUT) rules though.

Henri
Posts: 62
Joined: 14 Jul 2009, 07:56

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by Henri » 25 Aug 2013, 05:12

Hi

If your aim is to disable guests access to your files in Bubba, you could also do it with Samba file server (Windows file share). Setting up password protection in Samba. This way your guests can knock on your file server as much they like but cannot access the files unless they have valid username and password.

Unfortunately this can't be setup from Bubba's web interface. You have to ssh in to the Bubba and edit the Samba settings and so on.

Just a thought.

ingo2
Posts: 81
Joined: 06 Feb 2012, 10:32

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by ingo2 » 25 Aug 2013, 11:43

Gordon wrote: Every firewall rule that you add to the B3 will persist reboots. That is actually very dangerous and the reason why I did a rewrite of the standard INIT-V firewall script that makes this behaviour optional. You'll find it in the Howto section on this forum. I also created a package for it, by annoyingly DynDNS service flunked my hostname even though the updater returned a success every time and I can't get it back.
Hi Gordon,

Regarding your DynDNS-Problem: porbably it is not yet too late!
I received a mail from them on July 11th and they announced that the free services have been terminated. However existing users (like me as well) will be further served if "they log into their account at https://account.dyn.com/ at least 1x per month". And there is a 1 month grace period untiul they finally drop your hostname! So first of all - try to log into your account by web browser and check!!!

By the way, I got a shell script which performs that login unattended and have set up a cron job. If it helps, please let me know and I'll send that script to you via PM,

Regards,
Ingo
UNIX is user friendly, it's just picky about who its friends are.

Gordon
Posts: 1360
Joined: 10 Aug 2011, 03:18

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by Gordon » 25 Aug 2013, 14:04

Hi Ingo,

I have a similar cron job, logging on and prolonging the registered name twice every month. Even now I do not get any error message on me extending the life on the domain name that does not exist anymore. Let's just say it was fun as long as it lasted. Luckily I'd already moved everything that was sort of important to me away by registering my own domain name. This effectively costs me less than €5,- per year, which is less than what Dyndns asks for their premium service. I'm done with them and I just keep the cron job active to annoy them for flunking me without any notice.

I'm usually very reasonable, but I tend to get very unreasonable when treated incorrectly.

ingo2
Posts: 81
Joined: 06 Feb 2012, 10:32

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by ingo2 » 25 Aug 2013, 14:24

Gordon wrote:Hi Ingo,

I have a similar cron job, logging on and prolonging the registered name twice every month.
I think you got my information wrong:
It is not sufficient to "refresh your hostname" regularly (as many routers do). You are additionally asked to login on their web site checking your account. You (browser or script) also must handle/accept cookies for that! That are 2 prerequisites to maintain your domain name. That's why I posted that here - there may be a lot of other users affected.

/Ingo
UNIX is user friendly, it's just picky about who its friends are.

Gordon
Posts: 1360
Joined: 10 Aug 2011, 03:18

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by Gordon » 26 Aug 2013, 03:42

Ah, I see.

But the point is: I did login when I discovered that the DNS name had become inactive, even though running the inadyn client twice a month (they said at least once a month, but they also said they'd ban you if you'd do it every few hours) should have prevented that. And I can still logon, but I cannot get my domain name back because it must be reregistered and they closed the primary domain it was on (dnsalias.net) for free users.

So yes it is too late and it is permanently gone. And you can't check the logs to see what went wrong, because they only show the logs to paying customers - for "as low $29,95". Sorry, but I can register my own domain name for 5 years for that same amount, so that's a no way Jose!

In any case, bubba easyfind offers the same functionality. So why bother with a company that has proven to be unreliable and asks too much money for something that in itself does not offer any guarantee of better service.

Post Reply