Blocking Local LAN Access in Open Mode

The PublicIP WiFi system has two modes of operation – Open and Closed.  Normally – Open mode is just what its name implies – the wireless client is open to access once the Splash page has been agreed to and the OK button is clicked.  Open Mode configures the firewall to allow the IP/MAC address combination to pass through the firewall – hence the “control” of access – but does NOT perform any configuration of the firewall to “block” access to the local LAN the zonecd machine is connected to.

The “control” of access to specific ports is handled in the nocat.conf file in Open mode.

In both Free Closed mode and Premium mode the control server holds the configuration for the zone as set up by the zone account for that zone.  The zone machine (the one you have) downloads its configuration for the zone from the control server and uses it to configure itself instead of using the default nocat.conf and firewall configuration files.  You also have more granular control over the settings through the control servers than you have by configuring the local config files.

Actually – you have the same amount of control, but it is MUCH harder to set up locally than through the control servers – the control servers have a point-and-click (web-based) GUI with the different settings, so it is much easier for neophyte computer types (read – point-and-click-only people).

Now – blocking access to the local LAN is actually NOT the default configuration in the default Open mode of operation – if it were then you would run into the situation where someone wanted to have a local web server for information and would not be able to access it at all.

It’s a catch-22… some want it one way and some want it the other (Grin).

The following is the command to send to the firewall within the Gateway server to block access to the local LAN network by wireless clients.  This is the same command the Free and Premium Control Servers send during the configuration phase of the Gateway Server, but since you are running in Open Mode you have to supply it yourself.  The command would be placed in a file called “init.sh” in the /mnt/floppy/zonecd directory on your Gateway Server.  You would need to make init.sh executable in order for the PublicIP system to run it during the configuration phase of the boot process.  If you are not sure how to do this see the article on configuring ssh access for the individual steps needed.

Here is the command:

/usr/local/sbin/iptables -t nat -A NoCat_Capture -i eth1 -d xxx.xxx.xxx.xxx/24 -j DROP

Given the above – the command line means:

Command to execute:                     /usr/local/sbin/iptables
Select the firewall table:              -t
The nat (network address translation) table:  nat
Append the firewall rule:               -A
To the chain named:                     NoCat_Capture
Applicable (incoming) interface:        -i eth1
Destination subnet:                     -d xxx.xxx.xxx.xxx
Destination netmask (prefix length):    /24
Drop the packet if it matches the rule: -j DROP

Now – if you don’t know what the /24 means, here is the answer:

The /24 is an alternate method (old school) of denoting the netmask value – what it “means” is that the first 24 bits of the 32-bit netmask are logical ones – i.e.:

base-2 : 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0

base-10:  255 255 255 0

base-16: FF FF FF 00

So – /24 = 255.255.255.0 for the netmask value (the decimal equivalent)

The above firewall command to block access to the local LAN is all-inclusive – in other words nothing can access the local LAN from the wireless side, as the firewall rule drops ANY packet destined for the local LAN side.

In order for a machine on the wireless side to access the local LAN you will need to add an additional firewall rule ahead of the local LAN block rule you added.  This rule will allow the IP address you specified for your laptop to access the local LAN through the firewall:

/usr/local/sbin/iptables -t nat -I NoCat_Capture 1 -i eth1 -s zzz.zzz.zzz.zzz/32 -d xxx.xxx.xxx.xxx/24 -j ACCEPT

If I have the command set up properly (firewalls are tricky beasts) the command basically says:

Select the nat table, insert into chain NoCat_Capture at the first entry position (the 1 after the chain name tells the firewall it is the first entry), matching incoming interface eth1 for the given source IP to the given destination subnet, and accept the packet if it matches.

You will still need your other command for the MAC address part to be placed into the system to allow access as well – the above is not a replacement for that command.
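As an added example (not part of the original post or of the PublicIP/zonecd code), the following Python models the two rules above: it converts a /N prefix to a dotted netmask as described under /24, generates the init.sh lines with the per-host ACCEPT inserted ahead of the LAN-wide DROP, and simulates the chain's top-down first-match evaluation so you can see which wireless sources reach the LAN. The LAN subnet 192.168.1.0/24, the laptop address 10.10.10.50 and the “PASS” fall-through label are constructed for the example; nothing here runs iptables, it only builds and models the rules.

```python
import ipaddress

IPTABLES = "/usr/local/sbin/iptables"  # path used on the Gateway Server (from the post)
CHAIN = "NoCat_Capture"                # nat-table chain the post adds the rules to


def prefix_to_netmask(prefix: int) -> str:
    """Turn a /N prefix length into dotted decimal, e.g. 24 -> 255.255.255.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # top N bits set to 1
    return str(ipaddress.IPv4Address(mask))


def build_init_sh(lan_cidr: str, allowed_hosts: list, iface: str = "eth1") -> list:
    """Return the iptables lines for init.sh. The LAN-wide DROP is appended,
    then each allowed host is inserted at position 1 so it is evaluated first."""
    lan = ipaddress.IPv4Network(lan_cidr)  # strict by default: rejects a host address like .5/24
    lines = [f"{IPTABLES} -t nat -A {CHAIN} -i {iface} -d {lan} -j DROP"]
    for host in allowed_hosts:
        src = ipaddress.IPv4Network(f"{host}/32")
        lines.append(f"{IPTABLES} -t nat -I {CHAIN} 1 -i {iface} -s {src} -d {lan} -j ACCEPT")
    return lines


def first_match(lan_cidr: str, allowed_hosts: list, src: str, dst: str) -> str:
    """Model the chain as iptables evaluates it: top down, first match wins.
    A packet matching no rule falls through to the rest of the NoCat chain,
    which this model reports with the constructed label 'PASS'."""
    lan = ipaddress.IPv4Network(lan_cidr)
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    rules = [(ipaddress.IPv4Network(f"{h}/32"), lan, "ACCEPT") for h in allowed_hosts]
    rules.append((ipaddress.IPv4Network("0.0.0.0/0"), lan, "DROP"))  # the LAN block rule
    for src_net, dst_net, verdict in rules:
        if s in src_net and d in dst_net:
            return verdict
    return "PASS"


if __name__ == "__main__":
    # Constructed sample values: LAN 192.168.1.0/24, laptop 10.10.10.50 on the wireless side
    for line in build_init_sh("192.168.1.0/24", ["10.10.10.50"]):
        print(line)
    print(prefix_to_netmask(24))
    print(first_match("192.168.1.0/24", ["10.10.10.50"], "10.10.10.50", "192.168.1.10"))
    print(first_match("192.168.1.0/24", ["10.10.10.50"], "10.10.10.51", "192.168.1.10"))
```

Swapping the two generated lines has no effect, because `-I NoCat_Capture 1` always places the ACCEPT at the top; the model shows why that ordering is what makes the laptop exception work.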

> Also, I am able to connect to the wireless router setup from any machine on the wireless side by going to 10.10.10.2 (I assigned the router that address as the Local network IP).  I really don’t want any machine to be able to do that…only the one laptop that I am trying to allow total access for remote support.

Hmmm – the zonecd system cannot block access on the wireless side to a device that is NOT sending traffic through the zonecd machine itself.  You would need a wireless router/AP that has provisions to limit access – most of today’s units require logging into the device for configuration, and I would suggest configuring the device to use https so someone with a wireless sniffer cannot obtain the username:password for the login to the device (grin).

In other words – think of the wireless side as its own network (which it is).  The zonecd machine is the default gateway for that network to reach the outside world, but like any other gateway the zonecd machine cannot control access from devices to other devices on the wireless network itself!  It is not a design flaw of the zonecd machine but rather the way a layer-2 switched network operates.

In order to block access to the wireless router connected to the wireless network you will need to activate SSL for access to the router on the router itself.  Others can still detect the device on the wireless network but will not be able to gain access or see what you are doing on the device via wireless packet sniffing.

One other thing – the zonecd machine cannot block access from one wireless client to another (for exactly the same reason as stated above).  If you need to keep wireless clients from “seeing” each other you will need to use a wireless router that has the capability of “blocking” that type of access.

I hope you find this information helpful.
