IMcPwn, posted January 3, 2016

Hello. I would like to have an option to exclude clients on the Pineapple from being able to access the network the Pineapple is getting Internet from. For example, I have a home router with the subnet of 192.168.1.1/24. The Pineapple has a subnet of 172.16.42.1/24 and is getting Internet from a computer on the subnet 192.168.1.1/24. I would like users on 172.16.42.1/24 to NOT be able to access IPs on the 192.168.1.1/24 subnet. Is this possible? Thanks for any responses!
dre2007, posted January 3, 2016

There are several ways to achieve this. I will explain 3:

1. Don't allow any of the IP addresses in 172.16.42.x to access the internet (the Pineapple Nano also won't be able to).
   - Delete the default routing rule, aka the gateway.
   - Disallow it via iptables.
2. Allow the Pineapple to access the internet but don't allow the clients.
   - Create an iptables rule that disallows the clients 172.16.42.2-254.
3. Change the scope options so that clients don't get a default gateway.

Of all 3, the last is the worst secured (anyone can add a default gateway after reading its scope and doing an IP scan). The 2nd is pretty secure; however, your own wifi device connected to it also won't be able to access the internet. You can work around it, but this is out of scope for this question. The 1st option is the most secure. If anyone has other suggestions, please feel free to join in, as I am curious what you guys come up with.
phpsystems, posted January 3, 2016

There is a simpler way on the Pineapple, using iptables:

    iptables -A forward-s 172.16.42.1/24 -d 192.168.1.1/24 -j drop
IMcPwn (author), posted January 3, 2016

Thanks guys, I'll take a look when I get home and report back!
IMcPwn (author), posted January 3, 2016

The command

    iptables -A forward-s 172.16.42.1/24 -d 192.168.1.1/24 -j drop

had some issues. I changed it to

    iptables -A FORWARD -s 172.16.42.1/24 -d 192.168.1.1/24 -j DROP

but that still didn't work. Any other ideas?
galileo961, posted January 3, 2016

Check if IP forwarding is enabled on the Nano. I don't have mine on hand, so I don't know if it's enabled by default; I will check tonight. If you don't know how to check, look here or search on the web: http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/
IMcPwn (author), posted January 4, 2016 (edited January 4, 2016)

IP forwarding is enabled by default, so that's not affecting it.

    root@Pineapple:~# sysctl net.ipv4.ip_forward
    net.ipv4.ip_forward = 1

I also tried

    iptables -A FORWARD -d 192.168.1.1/24 -j DROP

and this did not succeed either.
phpsystems, posted January 4, 2016

Are you definitely forwarding the packets? Not proxying them at all? Either way, you could try:

    iptables -A OUTPUT -s 172.16.42.1/32 -d 192.168.1.1/24 -j ACCEPT
    iptables -A OUTPUT -s 172.16.42.1/24 -d 192.168.1.1/24 -j DROP

Assuming the Pineapple is still on 172.16.42.1. Sorry about the capitalization before; I was on my mobile, and capitalization is a bit of a PITA.
phpsystems, posted January 4, 2016 (edited January 4, 2016)

By the way, I've just looked on my Pineapple and seen that iptables has lots of rules. Rule ordering may be your issue.
Sebkinne, posted January 4, 2016

All you need to do is edit /etc/config/firewall and specify the rules there. Once done, restart the firewall and your changes will take effect.
IMcPwn (author), posted January 4, 2016

I've never used /etc/config/firewall before. What sort of rules do I specify there exactly? Thanks!
Sebkinne, posted January 4, 2016

This should help: https://wiki.openwrt.org/doc/uci/firewall

Best Regards,
Sebkinne
IMcPwn (author), posted January 4, 2016

Huh. I still can't seem to figure it out. Thanks anyway. Here's a few of the many things I've tried:

    config rule
        option src lan
        option dest wan
        option dest_ip 192.168.1.1/24
        option target REJECT

    config rule
        option src lan
        option dest wan
        option dest_ip 192.168.1.1/24
        option proto tcpudp
        option target REJECT

They seem to not be doing anything, even after /etc/init.d/firewall restart. Sorry for being a noob.
IMcPwn (author), posted January 8, 2016

So I learned the order of iptables rules matters, and that solved my problem. Below are the commands I appended to my /etc/firewall.user file to block access to local subnets. The Pineapple is still accessible though (possibly because it's the default gateway?).

    # block all traffic to any possible private network address (10.*.*.*, 172.16-31.*.*, 192.168.*.*)
    iptables -I FORWARD 1 -d 192.168.0.0/16 -j DROP
    iptables -I FORWARD 1 -d 172.16.0.0/12 -j DROP
    iptables -I FORWARD 1 -d 10.0.0.0/8 -j DROP
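Editor's note with an added example (not code from this thread or from the Pineapple firmware). The post above found that inserting the DROP rules at position 1 worked where appending them had not, and wondered why the Pineapple itself stays reachable. Both follow from how netfilter evaluates traffic: a chain is first-match-wins, so a DROP appended after an existing ACCEPT for the client subnet is never reached, and packets addressed to one of the box's own interfaces traverse INPUT rather than FORWARD, so FORWARD rules never see them. For the same reason the OUTPUT rules suggested earlier in the thread only apply to packets the Pineapple itself generates, not to forwarded client traffic. The model below reproduces those three facts; the pre-existing ACCEPT rule is a constructed stand-in for a distro's own zone-forwarding rule, the 172.16.42.1 local address is assumed from the thread, and 203.0.113.10 is a TEST-NET address standing in for "the internet".

```python
"""
Minimal model of netfilter chain evaluation (first match wins, default
policy otherwise) and of the INPUT / FORWARD / OUTPUT routing decision.
Added example; the rules below are constructed, not dumped from a device.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Addresses owned by the box itself (assumed from the thread: the
# Pineapple's client-facing address).  Traffic to/from these takes the
# INPUT / OUTPUT path instead of FORWARD.
LOCAL_ADDRS = {ip_address("172.16.42.1")}

# The destinations the final post drops: all RFC 1918 space.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass
class Rule:
    target: str                 # "ACCEPT" or "DROP"
    src: Optional[str] = None   # CIDR, None = any source
    dst: Optional[str] = None   # CIDR, None = any destination

    def matches(self, src: str, dst: str) -> bool:
        ok_src = self.src is None or ip_address(src) in ip_network(self.src, strict=False)
        ok_dst = self.dst is None or ip_address(dst) in ip_network(self.dst, strict=False)
        return ok_src and ok_dst


@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:          # iptables -A CHAIN ...
        self.rules.append(rule)

    def insert(self, pos: int, rule: Rule) -> None:  # iptables -I CHAIN pos ... (1-based)
        self.rules.insert(pos - 1, rule)

    def verdict(self, src: str, dst: str) -> str:
        for r in self.rules:                       # first matching rule decides
            if r.matches(src, dst):
                return r.target
        return self.policy                         # no match: chain policy


def route(src: str, dst: str, inp: Chain, fwd: Chain, out: Chain) -> Tuple[str, str]:
    """Pick the chain a packet traverses, then return (chain, verdict)."""
    if ip_address(dst) in LOCAL_ADDRS:
        return "INPUT", inp.verdict(src, dst)
    if ip_address(src) in LOCAL_ADDRS:
        return "OUTPUT", out.verdict(src, dst)
    return "FORWARD", fwd.verdict(src, dst)


def build_forward(use_insert: bool) -> Chain:
    fwd = Chain(policy="DROP")
    # Constructed stand-in for the zone-forwarding rule the box already has:
    # let the client subnet out.  This is what hides an appended DROP.
    fwd.append(Rule("ACCEPT", src="172.16.42.0/24"))
    for net in RFC1918:
        if use_insert:
            fwd.insert(1, Rule("DROP", dst=net))   # -I FORWARD 1 (what worked)
        else:
            fwd.append(Rule("DROP", dst=net))      # -A FORWARD   (had no effect)
    return fwd


def build_output() -> Chain:
    # The OUTPUT rules proposed earlier in the thread, as written there.
    out = Chain(policy="ACCEPT")
    out.append(Rule("ACCEPT", src="172.16.42.1/32", dst="192.168.1.0/24"))
    out.append(Rule("DROP", src="172.16.42.0/24", dst="192.168.1.0/24"))
    return out


def check(use_insert: bool) -> Dict[str, Tuple[str, str]]:
    """Verdicts for a client (172.16.42.100) and for the box itself."""
    inp, fwd, out = Chain(policy="ACCEPT"), build_forward(use_insert), build_output()
    client, box = "172.16.42.100", "172.16.42.1"
    return {
        "client_to_home_router": route(client, "192.168.1.1", inp, fwd, out),
        "client_to_internet":    route(client, "203.0.113.10", inp, fwd, out),
        "client_to_pineapple":   route(client, box, inp, fwd, out),
        "box_to_home_router":    route(box, "192.168.1.1", inp, fwd, out),
    }


if __name__ == "__main__":
    for mode, label in ((False, "-A (append)"), (True, "-I FORWARD 1")):
        print(label)
        for k, v in check(mode).items():
            print(f"  {k:24s} {v[0]:8s} {v[1]}")
```

With the DROPs appended, a client still reaches 192.168.1.1 because the ACCEPT for 172.16.42.0/24 matches first; inserted at position 1 they match before it, while traffic to 203.0.113.10 is still forwarded. The client's packet to 172.16.42.1 is decided in INPUT, which is why the Pineapple stays reachable whatever FORWARD says; blocking that would need an INPUT rule, not another FORWARD rule. Only the box's own packet to the home router ever reaches OUTPUT. On a real OpenWrt box the same check is `iptables -L FORWARD -n -v --line-numbers`, which shows rule order and per-rule packet counters.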
audibleblink, posted January 8, 2016 (edited January 8, 2016)

This guy is a phenomenal teacher, I thought.
gozer, posted December 2, 2016

On 1/8/2016 at 10:49 AM, IMcPwn said:

    So I learned the order of iptables rules matters, and that solved my problem. Below are the commands I appended to my /etc/firewall.user file to block access to local subnets. The Pineapple is still accessible though (possibly because it's the default gateway?).

        # block all traffic to any possible private network address (10.*.*.*, 172.16-31.*.*, 192.168.*.*)
        iptables -I FORWARD 1 -d 192.168.0.0/16 -j DROP
        iptables -I FORWARD 1 -d 172.16.0.0/12 -j DROP
        iptables -I FORWARD 1 -d 10.0.0.0/8 -j DROP

You appended this on your Linux host, or on the Pineapple itself?