Thanks for your reply Gordon!
Gordon wrote: The big issue in your setup is that you have the WRT router connected to your LAN, meaning that everyone on your guest network provided by the WRT can in fact access every address on your LAN without the possibility for the B3 to block this kind of traffic. You will therefore need to configure both the WRT firewall and add a rule for the B3.
On the WRT (in order):
- allow target 192.168.0.1/32
- drop target 192.168.0.0/24
Why would that be needed?
Yes, it would hinder the WRT devices from contacting anything on 192.168.0.x except for 192.168.0.1, but ...
Gordon wrote: On the B3:
- drop source 192.168.0.2/32 on interface br0 on chain INPUT
Why can't something similar be accomplished on the B3 side alone by e.g.:
- as a precaution (maybe not needed) drop anything from 192.168.1.x
- drop anything from 192.168.0.2/32 to 192.168.0.3-254 (or 255?)
- drop anything from 192.168.0.2/32 to 192.168.0.1, except for a list of needed services (like DNS)
- forward the rest to eth0
Gordon wrote: The most straightforward method would be to connect the WRT to the WAN line and put the B3 on the LAN side of the WRT. That will mean an additional hop for you on the LAN, meaning a marginally slower response from internet sources, but no fiddling with firewalls.
That would, as explained, cut the maximum throughput on my Internet line to 30 Mbps (limited by CPU performance in the WRT) for all users, and that's not what I want.
I know all of this in theory but am pretty new to networking on Linux and have been trying to get a clear picture of which interface is which and how they are logically connected, the routing etc.
Code:
root@B3# ifconfig | grep "Link encap"
br0 Link encap:Ethernet HWaddr 00:0b:6b:7e:xx:yy
eth0 Link encap:Ethernet HWaddr 00:22:02:00:xx:yy
eth1 Link encap:Ethernet HWaddr 00:22:02:00:xx:yy
lo Link encap:Local Loopback
mon.wlan0 Link encap:UNSPEC HWaddr 00-0B-6B-7E-62-xx-yy-00-00-00-00-00-00-00-00-00
wlan0 Link encap:Ethernet HWaddr 00:0b:6b:7e:xx:yy
and
Code:
root@B3# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default c-83-233-200-1. 0.0.0.0 UG 0 0 0 eth0
83.233.200.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 br0
and
Code:
root@B3# cat /etc/network/interfaces
iface br0 inet static
    address 192.168.0.1
    bridge_fd 0
    bridge_maxwait 0
    bridge_ports eth1 wlan0
    netmask 255.255.255.0

iface eth0 inet dhcp

auto lo
iface lo inet loopback
From this I conclude that
- eth0 is the WAN port
- eth1 is the LAN port
- wlan0 is (what a surprise) the WLAN interface
- br0 is a logical representation of the intranet interfaces eth1 (LAN) and wlan0 (WLAN)
- lo is not interesting
These should be the default rules, since I've not made any changes, and they seem consistent with /etc/network/firewall.conf, from which I believe they originate.
Code:
root@B3# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
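As an added example (not the poster's or Gordon's configuration), the script below implements the B3-side half of the discussion: Gordon's INPUT drop for 192.168.0.2 on br0, the DNS exception the poster asks about, the 192.168.1.x precaution, and a check that the drop actually sits above the default `-A INPUT -i br0 -j ACCEPT`, which would otherwise match first and make it dead. Because the B3's INPUT chain only sees traffic addressed to the B3 itself, and bridged or switched traffic between guests and other LAN hosts on the same segment never passes through it, this does not replace the WRT rules Gordon lists. Assumptions: the WRT's WAN side has a static 192.168.0.2 on the B3 LAN, and the WRT's guests live in 192.168.1.0/24; the variable and function names are mine.

```shell
#!/bin/sh
# B3-side guest isolation. Assumed (not taken from the thread's configs): the WRT's WAN side
# is statically 192.168.0.2 and its guest subnet is 192.168.1.0/24. If the WRT instead gets
# 192.168.0.2 via DHCP from the B3, add a "-p udp --dport 67" exception alongside the DNS ones.
set -eu

GUEST_SRC="${GUEST_SRC:-192.168.0.2/32}"   # the WRT as seen from the B3 LAN (Gordon's rule)
GUEST_NET="${GUEST_NET:-192.168.1.0/24}"   # the WRT's guest subnet (the poster's precaution)
LAN_IF="${LAN_IF:-br0}"                    # eth1 + wlan0 bridge, per /etc/network/interfaces
IPT="${IPT:-iptables}"                     # set IPT=echo to print the rules instead of applying

guest_rules() {
    # -I puts each rule at position 1, above the default "-i br0 -j ACCEPT". Since every rule
    # is inserted at the top, the final chain order is the reverse of this list: the DROP is
    # inserted first so that the DNS exceptions end up above it.
    "$IPT" -I INPUT -i "$LAN_IF" -s "$GUEST_SRC" -j DROP
    "$IPT" -I INPUT -i "$LAN_IF" -s "$GUEST_SRC" -p udp --dport 53 -j ACCEPT
    "$IPT" -I INPUT -i "$LAN_IF" -s "$GUEST_SRC" -p tcp --dport 53 -j ACCEPT
    # Guest-subnet source addresses should never reach the B3 if the WRT NATs; drop them anyway.
    "$IPT" -I INPUT -i "$LAN_IF" -s "$GUEST_NET" -j DROP
    "$IPT" -I FORWARD -i "$LAN_IF" -s "$GUEST_NET" -j DROP
}

# Post-apply check: reads "iptables -S INPUT" on stdin and returns 0 only when the guest DROP
# precedes the first "-i <LAN_IF> -j ACCEPT"; below it, the DROP is never evaluated.
guest_drop_is_effective() {
    awk -v src="$GUEST_SRC" -v lanif="$LAN_IF" '
        $0 ~ ("-s " src) && / -j DROP$/ && !drop       { drop = NR }
        $0 ~ ("-i " lanif " -j ACCEPT$") && !acc       { acc = NR }
        END { exit !(drop && acc && drop < acc) }'
}

case "${1:-}" in
    apply) guest_rules && iptables -S INPUT | guest_drop_is_effective \
               && echo "guest DROP sits above the $LAN_IF ACCEPT" ;;
    show)  (IPT=echo; guest_rules) ;;
    *)     echo "usage: $0 apply|show" ;;
esac
```

Run `sh guest.sh show` first to review the exact rules, then `sh guest.sh apply` as root; the check after apply reads the live INPUT chain, so a silent "dead rule" mistake is reported immediately.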