
I have been searching for hours to find a solution to this question, so I apologize if it's already been answered. I have a strong PIX/ASA background, and I am getting lost with iptables...

I am running DD-WRT on a Linksys router. I have the DD-WRT "WAN" port plugged into my LAN, so its external IP address is on my internal network and uses my normal gateway as its egress. The WiFi is set up essentially as a guest network, which I do not want to be able to access my internal network. But in its current configuration, all traffic is passed through the WiFi VLAN/network to the WAN interface, so the "guests" can scan/access my internal network, since my "internal" is on the DD-WRT's WAN interface.

I want to apply an iptables rule (or other type of rule) to prevent communication to every IP address other than my internal network's gateway (which is the DD-WRT's external egress).

DD-WRT's Internal Network (Linksys router's WAN) = eth0 192.168.1.1/24, gw: 192.168.1.2

WiFi = ath0, subnet 192.168.200.2/24 (I only have one interface (2.4 GHz) enabled on this for "guest" access)

Does anyone have a recommendation for how to apply an iptables rule to prevent all communication from ath0 to eth0 with a source of 192.168.200.0/24 to IP addresses 192.168.1.3 - 192.168.1.255?

Any advice would be greatly appreciated...

Thank you!

1 Answer

I was re-reading my question after posting to make sure it was accurate and came up with an idea... It worked.

I adjusted the DD-WRT's external interface's subnet mask to a /30 or 255.255.255.252, so all of its external traffic would be sent to its egress and be dropped/ignored...

The DD-WRT WAN/External interface is now configured with:

Address: 192.168.1.1
Netmask: 255.255.255.252 (/30)
Wildcard: 0.0.0.3
Network: 192.168.1.0/30
Broadcast: 192.168.1.3
First IP: 192.168.1.1
Last IP: 192.168.1.2
Usable hosts: 2

(source: https://www.adminsub.net/ipv4-subnet-calculator )

While this is not using ANY iptables rules, this will work for what I am trying to accomplish, since communication from the external IP on the DD-WRT router will be sent to the wrong IP address (aka: bit bucket) for anything going to my actual internal network.

Keep in mind that this will NOT prevent communication to other subnets/VLANs that your main/internal router can communicate with/route to (e.g. DMZ, VPN, etc.). With that said (and since I didn't mention it), I just added FW rules to prevent communication from the DD-WRT's external IP (192.168.1.1) to those networks, and now the only networks my "guests" can access are in the public IP space.

While I figured it out on my own, I am going to keep this post active in case anyone else can benefit from this solution, since I was struggling for so long...

I welcome anyone to still post iptables solutions, since my solution may not be the best for everyone....
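Since the question asked for an iptables rule and the answer ended up using a netmask trick instead, here is the iptables version as an added example. It is not from the original question or answer; it is a DD-WRT firewall script written from the addresses given in the thread (guest WiFi on ath0 / 192.168.200.0/24, the DD-WRT "WAN" port on eth0 / 192.168.1.0/24, upstream gateway 192.168.1.2). The chain name FORWARD and the log prefix GUEST2LAN are choices made here, not anything DD-WRT ships with. Guests may still reach the gateway address (as the question wanted); every other 192.168.1.0/24 destination is logged (rate-limited) and dropped before DD-WRT's own permissive forward rules get a chance to accept it.

```shell
#!/bin/sh
# Added example (not from the original post): guest-network isolation with
# iptables on DD-WRT. Assumed from the thread: guest WiFi ath0/192.168.200.0/24,
# DD-WRT "WAN" port eth0 on 192.168.1.0/24, upstream gateway 192.168.1.2.
GUEST_IF="ath0"
GUEST_NET="192.168.200.0/24"
WAN_IF="eth0"
LAN_NET="192.168.1.0/24"
UPSTREAM_GW="192.168.1.2"

# The three rule bodies, in the order they must sit in FORWARD:
#   1. guests may talk to the upstream gateway itself
#   2. anything else aimed at the LAN is logged (rate-limited so a scan
#      cannot flood syslog)
#   3. ... and dropped. Internet-bound traffic falls through to DD-WRT's
#      own rules; FORWARD is filtered before the SNAT to 192.168.1.1 happens,
#      so the guest source addresses are still visible here.
rule_bodies() {
    match="-i $GUEST_IF -o $WAN_IF -s $GUEST_NET"
    echo "$match -d $UPSTREAM_GW -j ACCEPT"
    echo "$match -d $LAN_NET -m limit --limit 5/min -j LOG --log-prefix \"GUEST2LAN \""
    echo "$match -d $LAN_NET -j DROP"
}

# Emit the iptables commands instead of running them, so the result can be
# reviewed (and tested) before being applied. Each rule is deleted first so
# the script can be re-run (DD-WRT re-executes the firewall script on every
# WAN up) without stacking duplicates, then inserted at positions 1..3 so it
# precedes whatever DD-WRT already put in FORWARD.
guest_isolation_rules() {
    rule_bodies | while IFS= read -r body; do
        echo "iptables -D FORWARD $body 2>/dev/null"
    done
    n=1
    rule_bodies | while IFS= read -r body; do
        echo "iptables -I FORWARD $n $body"
        n=$((n + 1))
    done
}

# Run the emitted commands for real (needs root and iptables on the router).
apply_guest_isolation() {
    guest_isolation_rules | sh -e
}

# Dry run by default; pass --apply to install the rules.
if [ "${1:-}" = "--apply" ]; then
    apply_guest_isolation
else
    guest_isolation_rules
fi
```

Paste the script (or the commands it prints) into Administration -> Commands and use Save Firewall so DD-WRT re-applies it after a reboot. Two things these rules deliberately do not cover: traffic to the DD-WRT router itself goes through INPUT, not FORWARD, so the guest network's access to the router's own admin interface is a separate rule; and, as the answer notes for the /30 trick, any other networks the upstream router can route to (DMZ, VPN, etc.) need their own DROP lines, which is why the rule bodies are kept in one function where another destination is a one-line addition.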
