Wireless networks: IPtables does not block Wi-Fi traffic at the Raspberry Pi access point

I have an rPi running as a wireless AP for my IoT devices. I would like to configure a firewall rule to avoid suspicious traffic (why would the camera need access to SSH?). The rPi is connected to my router through an ethernet cable and I am connecting to the rPi wifi with my phone to test the connection.

So far I have tried:

iptables -A FORWARD -i wlan1 -p tcp --dport 443 -j DROP
iptables -A FORWARD -i wlan1 -j DROP
iptables -I FORWARD -o wlan1 -j DROP

I've also tried to block all internal traffic, but no dice:

iptables -A FORWARD -i wlan1 -s 192.168.0.0/24 -j DROP

The output of iptables -L -v:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  wlan1  any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

When testing with vnstat, I can see that there is traffic on wlan1:

wlan1  /  traffic statistics

                           rx         |       tx
--------------------------------------+------------------
  bytes                      255 KiB  |        6.13 MiB
--------------------------------------+------------------
          max             165 kbit/s  |     5.06 Mbit/s
      average           22.70 kbit/s  |   558.99 kbit/s
          min               0 kbit/s  |        3 kbit/s
--------------------------------------+------------------
  packets                       3392  |            4858
--------------------------------------+------------------
          max                255 p/s  |         455 p/s
      average                 36 p/s  |          52 p/s
          min                  0 p/s  |           1 p/s
--------------------------------------+------------------
  time                  1.53 minutes

And here is my hostapd configuration:

# Bridge mode
bridge=br0

# Networking interface
interface=wlan1

# WiFi configuration
ssid=superdupernetwork
channel=1
hw_mode=g
country_code=US
ieee80211n=1
ieee80211d=1
wmm_enabled=1

# WiFi security
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=superduperpass

I ran Suricata on wlan1 and it saw the traffic fine, and I also ran iptables -P INPUT DROP, which kills my SSH connection, so something must be working. Thank you.

iptables – Which configuration is used to choose the hardware interface for a request?

I have a Linux machine (operating system based on Debian 10) with 3 hardware interfaces connected to the Internet, 2 of which are USB modems; ifconfig output -> https://termbin.com/st3r

wlan0 is the default interface here. When I try curl --interface ppp1 ifconfig.me or curl --interface ppp0 ifconfig.me, the request times out; with sudo, sudo curl --interface ppp1 ifconfig.me responds, but not the equivalent for ppp0. What are the correct routing rules to add in order to select the hardware interface to route through?

Real routing rules: https://termbin.com/wi9b

domain name system: iptables does not work when applied to 2 subnets

This command successfully forces OpenDNS on my subnet 1:

iptables -t nat -I PREROUTING -i br0 -m iprange --src-range 192.168.1.10-192.168.1.69 -p udp --dport 53 -j DNAT --to 208.67.222.222
iptables -t nat -I PREROUTING -i br0 -m iprange --src-range 192.168.1.10-192.168.1.69 -p tcp --dport 53 -j DNAT --to 208.67.222.222

However, when I add the additional commands for subnet 2, they do not take effect on subnet 2.

iptables -t nat -I PREROUTING -i br0 -m iprange --src-range 192.168.1.10-192.168.1.69 -p udp --dport 53 -j DNAT --to 208.67.222.222
iptables -t nat -I PREROUTING -i br0 -m iprange --src-range 192.168.1.10-192.168.1.69 -p tcp --dport 53 -j DNAT --to 208.67.222.222
iptables -t nat -I PREROUTING -i br1 -m iprange --src-range 192.168.2.1-192.168.2.253 -p udp --dport 53 -j DNAT --to 208.67.222.222
iptables -t nat -I PREROUTING -i br1 -m iprange --src-range 192.168.2.1-192.168.2.253 -p tcp --dport 53 -j DNAT --to 208.67.222.222

Routing: NATing with iptables + OpenVPN without affecting the host

I am looking to use a Linux device as a default gateway, routing traffic from outside the host through an OpenVPN connection without affecting the host's own route to the internet. I don't want the host's traffic to leave through the VPN, just the traffic that comes from other devices.

I have NATing configured correctly: traffic from devices that use my host as their default gateway exits using whatever default route the host has (for example, if the VPN is up it goes through the VPN; if not, it goes through the host's normal Internet connection, with the host as an additional hop in traceroute).

However, I cannot configure this so that the OpenVPN connection does not affect the host's networking and the host still routes the gateway traffic through the OpenVPN interface.

Things I did:
– Configured and verified that IP forwarding works
– I was able to stop OpenVPN from updating the default route on the host with route-nopull and pull-filter ignore redirect-gateway

I suppose there is a dynamic part to this (extracting the route information from the OpenVPN configuration), or hopefully a "no, really, just apply these routes to the NAT traffic" flag/configuration.

Network Configuration:

  • Internet access is through a boring router without sophisticated capabilities
  • Linux device (Raspberry Pi) connected to the network, running ufw, iptables, openvpn
  • Other connected devices, some of which I want to manually configure to use the Linux device as their default gateway
  • Subnet is 192.168.0.0/24
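One way to get the split this question asks for, added here as an example and not taken from the question: the host keeps its own default route, while packets forwarded from the LAN are marked in the mangle table and routed through a second routing table whose only default route is the VPN, with a final DROP so LAN traffic cannot leak out the normal uplink when the tunnel is down. The LAN interface name (eth0), the tunnel name (tun0), the mark and the table number are assumptions; the subnet is the one given above, and the commands are printed rather than executed when not running as root.

```shell
#!/bin/sh
# Added example: policy routing so that only forwarded LAN traffic uses the VPN.
# Assumed names: LAN on eth0, VPN on tun0; 192.168.0.0/24 is from the question.
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
VPN_IF=${VPN_IF:-tun0}
VPN_TABLE=${VPN_TABLE:-100}   # routing table reserved for VPN-bound traffic
MARK=${MARK:-0x1}

# Print the command instead of running it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

vpn_gateway_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # 1. Mark only packets that arrive from the LAN and are not for the LAN itself.
    #    Local delivery is unaffected: the "local" table is consulted before any rule.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" ! -d "$LAN_NET" -j MARK --set-mark "$MARK"
    # 2. Marked packets consult the VPN table; everything else (the host's own
    #    traffic) keeps using the main table and the normal default route.
    run ip rule add fwmark "$MARK" lookup "$VPN_TABLE" priority 1000
    run ip route add default dev "$VPN_IF" table "$VPN_TABLE"
    # 3. Allow the forwarded flows and NAT them onto the tunnel address.
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -s "$LAN_NET" -j MASQUERADE
    # 4. Fail closed: with tun0 down the VPN table has no route and lookup would
    #    fall through to the main table, so refuse any other outgoing interface.
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" ! -o "$VPN_IF" -j DROP
}

[ "$(id -u)" -eq 0 ] || DRY_RUN=1
vpn_gateway_rules
```

The rules assume OpenVPN still applies the pushed ifconfig for tun0 (route-nopull only suppresses routes), so the point-to-point device itself is a valid next hop for the VPN table.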

iptables – Limiting access of Lan Openvpn

I have had some problems limiting LAN access for the clients on my OpenVPN server. Currently the client can access the entire network. I've been playing with the "client configuration directory" but I can't seem to make it work properly.

I want the client to only be able to access 10.10.0.118

Here is my server.conf

#Server.Conf

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir ccd
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
;client-to-client
;duplicate-cn
keepalive 10 120
#tls-auth 
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

Client config

client
;dev tap
dev tun
;proto tcp
proto udp
remote xx.xx.xx.xxx 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
;mute-replay-warnings
#ca ca.crt
#cert client.crt
#key client.key
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3
;mute 20

ip routes

default via 10.10.1.1 dev eth0 proto dhcp src 10.10.1.128 metric 100 
10.8.0.0/24 via 10.8.0.2 dev tun0 
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1 
10.10.1.0/24 dev eth0 proto kernel scope link src 10.10.1.128 
10.10.1.1 dev eth0 proto dhcp scope link src 10.10.1.128 metric 100 

CCD FILE

ifconfig-push 10.10.0.118 10.8.0.0/24

I am quite new to networks and I have been using numerous guides, but I cannot make this last part work.

Output after initializing the connection

Mon Feb  3 16:57:18 2020 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Mon Feb  3 16:57:18 2020 TCP/UDP: Preserving recently used remote address: (AF_INET)XX.XX.XX.XXX:1194
Mon Feb  3 16:57:18 2020 Socket Buffers: R=(212992->212992) S=(212992->212992)
Mon Feb  3 16:57:18 2020 UDP link local: (not bound)
Mon Feb  3 16:57:18 2020 UDP link remote: (AF_INET)XX.XX.XX.XXX:1194
Mon Feb  3 16:57:18 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mon Feb  3 16:57:18 2020 TLS: Initial packet from (AF_INET)XX.XX.XX.XXX:1194, sid=59c69af5 b1a2a0d0
Mon Feb  3 16:57:18 2020 VERIFY OK: depth=1, C=UK, ST=UK, L=London, O=XXX, OU=XXX, CN=XXX, name=server, emailAddress=XXX
Mon Feb  3 16:57:18 2020 VERIFY KU OK
Mon Feb  3 16:57:18 2020 Validating certificate extended key usage
Mon Feb  3 16:57:18 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Feb  3 16:57:18 2020 VERIFY EKU OK
Mon Feb  3 16:57:18 2020 VERIFY OK: depth=0, C=UK, ST=UK, L=XX, O=XXX, OU=XX LMF, CN=server, name=server, emailAddress=XXX
Mon Feb  3 16:57:18 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Mon Feb  3 16:57:18 2020 (server) Peer Connection Initiated with (AF_INET)XX.XX.XX.XXX:1194
Mon Feb  3 16:57:19 2020 SENT CONTROL (server): 'PUSH_REQUEST' (status=1)
Mon Feb  3 16:57:19 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM'
Mon Feb  3 16:57:19 2020 OPTIONS IMPORT: timers and/or timeouts modified
Mon Feb  3 16:57:19 2020 OPTIONS IMPORT: --ifconfig/up options modified
Mon Feb  3 16:57:19 2020 OPTIONS IMPORT: route options modified
Mon Feb  3 16:57:19 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Feb  3 16:57:19 2020 OPTIONS IMPORT: peer-id set
Mon Feb  3 16:57:19 2020 OPTIONS IMPORT: adjusting link_mtu to 1624
Mon Feb  3 16:57:19 2020 OPTIONS IMPORT: data channel crypto options modified
Mon Feb  3 16:57:19 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Feb  3 16:57:19 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb  3 16:57:19 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb  3 16:57:19 2020 ROUTE_GATEWAY 192.168.140.254/255.255.255.0 IFACE=wlp1s0 HWADDR=2c:6e:85:ed:49:19
Mon Feb  3 16:57:19 2020 TUN/TAP device tun0 opened
Mon Feb  3 16:57:19 2020 TUN/TAP TX queue length set to 100
Mon Feb  3 16:57:19 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Feb  3 16:57:19 2020 /sbin/ip link set dev tun0 up mtu 1500
Mon Feb  3 16:57:19 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Mon Feb  3 16:57:19 2020 /sbin/ip route add XX.XX.XX.XXX/32 via 192.168.140.254
RTNETLINK answers: File exists
Mon Feb  3 16:57:19 2020 ERROR: Linux route add command failed: external program exited with error status: 2
Mon Feb  3 16:57:19 2020 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Mon Feb  3 16:57:19 2020 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Mon Feb  3 16:57:19 2020 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Mon Feb  3 16:57:19 2020 GID set to nogroup
Mon Feb  3 16:57:19 2020 UID set to nobody
Mon Feb  3 16:57:19 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Feb  3 16:57:19 2020 Initialization Sequence Completed

If someone could guide me in the right direction, it would be much appreciated.
Thanks in advance.
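An added example, not from the question, that enforces the restriction at the server with iptables rather than through the ccd file: forwarded traffic entering from tun0 may only open connections to 10.10.0.118, and everything else the VPN clients try to reach is logged and dropped. The tunnel and LAN interface names follow the ip routes shown above, the VPN range is the one from server.conf, and the commands are printed rather than executed when not running as root.

```shell
#!/bin/sh
# Added example: limit what OpenVPN clients may reach on the LAN.
VPN_IF=${VPN_IF:-tun0}
VPN_NET=${VPN_NET:-10.8.0.0/24}        # "server 10.8.0.0 255.255.255.0"
LAN_IF=${LAN_IF:-eth0}
ALLOWED_HOST=${ALLOWED_HOST:-10.10.0.118}

# Print the command instead of running it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

restrict_vpn_clients() {
    # Dedicated chain so the policy can be flushed and reloaded on its own.
    run iptables -N VPN_CLIENTS 2>/dev/null
    run iptables -F VPN_CLIENTS
    # Replies belonging to flows that were already allowed.
    run iptables -A VPN_CLIENTS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections only to the permitted host (any port; narrow with -p/--dport).
    run iptables -A VPN_CLIENTS -s "$VPN_NET" -d "$ALLOWED_HOST" -m conntrack --ctstate NEW -j ACCEPT
    # Log a rate-limited sample, then drop everything else the clients attempt.
    run iptables -A VPN_CLIENTS -m limit --limit 5/min -j LOG --log-prefix "vpn-blocked: "
    run iptables -A VPN_CLIENTS -j DROP
    # Hook: all forwarded traffic entering from the tunnel goes through the chain.
    run iptables -I FORWARD 1 -i "$VPN_IF" -j VPN_CLIENTS
    # The LAN host has no route back to 10.8.0.0/24, so NAT the clients on the way out.
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -d "$ALLOWED_HOST" -j MASQUERADE
}

[ "$(id -u)" -eq 0 ] || DRY_RUN=1
restrict_vpn_clients
```

Because the server pushes redirect-gateway, the clients' Internet traffic also arrives on tun0 and is dropped by this chain; add an ACCEPT for destinations outside the LAN before the DROP if that is not intended.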

network: iptables string matching does not work when the --to option is

When I enter an iptables rule that matches a string and the --to option is >= 52, for example:

iptables -I FORWARD 1 -m string --string anypattern --algo bm --to 100 -j DROP

The above works correctly and blocks IP packets that contain the "anypattern" string.

Now if I change --to to a value < 52, it doesn't work:

iptables -I FORWARD 1 -m string --string anypattern --algo bm --to 50 -j DROP

And the ip packets will not be blocked!

Am I missing something? Or is this an iptables problem?

Example:

linux:~$ sudo iptables -I OUTPUT 1 -m string --algo bm --string 7oula --to 52 -j DROP
linux:~$ echo 7oulaaaaaaaaaaa | nc  212.227.247.109 80
^C  #<---- Blocked here ==> Good
linux:~$ sudo iptables -I OUTPUT 1 -m string --algo bm --string coula --to 51 -j DROP
linux:~$ echo coulaaaaaaaaaaa | nc  212.227.247.109 80
HTTP/1.1 400 Bad Request
Server: nginx
Date: Sun, 26 Jan 2020 15:35:55 GMT
Content-Type: text/html
Content-Length: 150
Connection: close

400 Bad Request

nginx

iptables: Linux VPN client used as a gateway for other devices

I followed this tutorial https://support.hidemyass.com/hc/en-us/articles/202721486-Using-Linux-Virtual-Machine-instead-of-a-router-for-VPN.

I set the connected VPNClient as the default gateway on a test client.
If I now try to ping 8.8.8.8, I always get a "request timeout" error.

Everything I found indicates the same commands, did I miss something?

Objective:
Other devices can use the connected VPN to access the Internet without installing a VPN client.

Setup:

Client X --Default GW--> Connected VPNClient --VPN--> Internet 
Client X: Windows
VPNClient: Debian Stable

As indicated in the tutorial, I did the following:

sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -o tun0 -i enp0s3 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE

Route:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.8.1        128.0.0.0       UG    0      0        0 tun0
default         192.168.1.1     0.0.0.0         UG    0      0        0 enp0s3
10.8.8.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
82.102.16.198   192.168.1.1     255.255.255.255 UGH   0      0        0 enp0s3
128.0.0.0       10.8.8.1        128.0.0.0       UG    0      0        0 tun0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp0s3
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 enp0s3

ip addr:

2: enp0s3:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:a4:37:0c brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.24/24 brd 192.168.1.255 scope global dynamic enp0s3
       valid_lft 86081sec preferred_lft 86081sec
    inet6 fe80::a00:27ff:fea4:370c/64 scope link 
       valid_lft forever preferred_lft forever
3: tun0:  mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.8.4/24 brd 10.8.8.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::e5a1:abcf:ceaa:708c/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

VPN:

ProtonVPN CLI
Plain OpenVPN configuration: same problem

iptables -L -v -n

Chain INPUT (policy ACCEPT 567 packets, 61034 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  enp0s3 tun0    192.168.1.0/24       0.0.0.0/0            ctstate NEW
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 596 packets, 84473 bytes)
 pkts bytes target     prot opt in     out     source               destination   

iptables -t nat -L

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere 

linux – iptables blocks the fragmented stream that contains a specific string

I want to block traffic that contains a specific string, "anypattern".

I know that the correct iptables rule for that is:

iptables -m string --algo bm --string "anypattern" -j DROP

The problem is that the data could be split across many TCP segments, and there is a risk that the string "anypattern" is split across 2 packets. For example, packet 1 contains "anyp" and the second packet contains "attern".

How can I make iptables detect TCP fragmentation and verify the final TCP payload?
Or is there a solution for such a problem?

iptables – NAT source per user in firewalld Centos 7

I am not an expert on the new firewalld package used in CentOS 7.

I have a VPS with, for example, 3 different user accounts, say user1, user2, user3, which I created with:

adduser user1
adduser user2
adduser user3

With my VPS I also bought 2 more IPs, so I have a main IP plus two others, for a total of three IPs.

I would like to set rules for OUTGOING connections, per user:

user1 -> outgoing connections with the main IP as source

user2 -> outgoing connections with the second IP as source

user3 -> outgoing connections with the third IP as source

So, when user1 logs in, I am sure that every connection initiated by him will be seen, from the "point of view" of the external website, as coming from the primary IP (first IP); likewise user2 (second IP) and user3 (third IP).

In the past, I did this with the iptables rule:

id -u user1
iptables -m owner -t nat -A POSTROUTING --uid-owner  -j SNAT --to 

id -u user2
iptables -m owner -t nat -A POSTROUTING --uid-owner  -j SNAT --to 

( … and so )

Now with firewalld it seems a little different. Is it possible?
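An added example, not from the question, of the same per-user SNAT expressed as firewalld "direct" rules, which let you pass raw iptables match/target syntax into a chain firewalld manages: the owner match in nat POSTROUTING applies to locally generated packets, which is exactly the per-user outgoing case. The three public addresses are placeholders (the question does not give them); a numeric UID may be passed instead of a username so the function can be exercised without those accounts.

```shell
#!/bin/sh
# Added example: per-user source NAT with firewalld direct rules (CentOS 7).
# The public addresses below are placeholders; usernames are from the question.

# Print the command instead of running it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# snat_for_user USER|UID SOURCE_IP: every outbound connection opened by that
# user leaves with SOURCE_IP as its source address.
snat_for_user() {
    ip=$2
    case $1 in
        *[!0-9]*) uid=$(id -u "$1") || return 1 ;;   # resolve a username
        *)        uid=$1 ;;                           # already numeric
    esac
    # --permanent stores the rule in /etc/firewalld/direct.xml; a reload applies it.
    run firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 \
        -m owner --uid-owner "$uid" -j SNAT --to-source "$ip"
}

apply_user_snat() {
    snat_for_user user1 203.0.113.11 || return 1   # placeholder: main IP
    snat_for_user user2 203.0.113.12 || return 1   # placeholder: second IP
    snat_for_user user3 203.0.113.13 || return 1   # placeholder: third IP
    run firewall-cmd --reload
}

[ "$(id -u)" -eq 0 ] || DRY_RUN=1
DRY_RUN=1 snat_for_user 1001 203.0.113.11   # show one generated rule
```

Check the result with firewall-cmd --direct --get-all-rules after the reload; the main-IP rule for user1 is only needed if the VPS would otherwise pick a different source address for that user.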

Forwarding traffic from wlan0 to an Apache server IP (iptables)

I want to forward all traffic from the wlan0 interface (to which some devices are connected via the hostapd access point) to my Apache index.html server, so that it works like a captive portal. What are the rules that I must add to iptables to do that?
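An added example, not from the question, of the usual captive-portal shape with iptables: HTTP from the access-point clients is DNATed to the portal host, DNS is still allowed so browsers reach "any site" and get redirected, everything else from wlan0 is not forwarded, and a client is released by inserting per-address ACCEPT rules ahead of the redirect and the drop. The client address range and the portal address (assumed to be Apache on this host) are assumptions; the commands are printed rather than executed when not running as root.

```shell
#!/bin/sh
# Added example: send HTTP from access-point clients to the local portal page.
AP_IF=${AP_IF:-wlan0}
AP_NET=${AP_NET:-10.0.0.0/24}           # assumed address range handed out on wlan0
PORTAL=${PORTAL:-10.0.0.1}              # assumed address where Apache listens
PORTAL_PORT=${PORTAL_PORT:-80}

# Print the command instead of running it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

captive_portal_rules() {
    # 1. Rewrite the destination of any HTTP request from the AP to the portal.
    run iptables -t nat -A PREROUTING -i "$AP_IF" -p tcp --dport 80 -j DNAT --to-destination "$PORTAL:$PORTAL_PORT"
    # 2. Let the redirected connections in (the portal runs on this host).
    run iptables -A INPUT -i "$AP_IF" -p tcp -d "$PORTAL" --dport "$PORTAL_PORT" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # 3. DNS must still resolve, otherwise browsers never send the HTTP request.
    run iptables -A INPUT -i "$AP_IF" -p udp --dport 53 -j ACCEPT
    # 4. Nothing else from the AP is forwarded until a client is released.
    run iptables -A FORWARD -i "$AP_IF" -s "$AP_NET" -j DROP
}

# release_client CLIENT_IP: bypass the redirect and the drop for one client.
release_client() {
    run iptables -t nat -I PREROUTING 1 -i "$AP_IF" -s "$1" -j ACCEPT
    run iptables -I FORWARD 1 -i "$AP_IF" -s "$1" -j ACCEPT
}

[ "$(id -u)" -eq 0 ] || DRY_RUN=1
captive_portal_rules
```

HTTPS connections cannot be redirected this way without certificate errors in the browser; the captive-portal detection probes that phones and laptops send are plain HTTP, which rule 1 does catch.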