Exclude Pineapple Subnet from Shared Network

[IMcPwn]

Hello. I would like to have an option to exclude clients on the Pineapple from being able to access the network the Pineapple is getting Internet from.

For example,

I have a home router with the subnet of 192.168.1.1/24

The pineapple has a subnet of 172.16.42.1/24 and is getting Internet from a computer on the subnet 192.168.1.1/24.

I would like users on 172.16.42.1/24 to NOT be able to access IPs on the 192.168.1.1/24 subnet.

Is this possible?

Thanks for any responses!

[dre2007]

There are several ways to achieve this.

I will explain 3:

1.: Don't allow any of the IP addresses in 172.16.42.x to access the internet ( pineapple nano also won't be able ).

- Delete the default routing rule aka gateway.

- Dissalow it via IPtables

2.: Allow the pineapple to access the internet but don't allow the clients

- Create an iptables rule that dissalows the clients 172.16.42.2-254

3.: Change the scope options so that clients don't get a default gateway

Of all 3 the last is the worst secured ( anyone can add a default gateway after reading its scope and doing an IP scan.. )

The 2nd is pretty secure, however, your own wifi device connected to it also won't be able to access the internet, you can work around it but this is out of the scope for this question

The 1st option is the most secure, if anyone has other suggestions, please feel free to join in as I am curiouse with what you guys come up with.

[phpsystems]

There is a simpler way on the pineapple:

Using iptables:

iptables -A forward-s 172.16.42.1/24 -d 192.168.1.1/24 -j drop

[IMcPwn]

Thanks guys I'll take a look when I get home and report back!

[IMcPwn]

The command

iptables -A forward-s 172.16.42.1/24 -d 192.168.1.1/24 -j drop

had some issues. I changed it to

iptables -A FORWARD -s 172.16.42.1/24 -d 192.168.1.1/24 -j DROP

but that still didn't work.

Any other ideas?

[galileo961]

Check if the Ip forward is enable on the Nano . don't have my on hand so I don't know if it's enable by default, I will check tonight.

If you don't know how to check here or search on the web

http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/

[IMcPwn]

IP Forwarding is enabled by default, so that's not effecting it.

root@Pineapple:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

I also tried

iptables -A FORWARD -d 192.168.1.1/24 -j DROP

and this did not succeed either.

Edited January 4, 2016 by IMcPwn

[phpsystems]

Are you definitely forwarding the packets? Not proxying them at all?

Either way, you could try:

iptables -A OUTPUT -s 172.16.42.1/32 -d 192.168.1.1/24 -j ACCEPT 
iptables -A OUTPUT -s 172.16.42.1/24 -d 192.168.1.1/24 -j DROP

Assuming the pineapple is still on 172.16.42.1

Sorry about the capitalization before, I was on my mobile, and capitalization is a bit of a PITA.

[phpsystems]

By the way, I've just looked on my pineapple, and seen that IPtables has lots of rules. Rule ordering may be your issue.

Edited January 4, 2016 by phpsystems

[Sebkinne]

All you need to do is edit /etc/config/firewall and specify the rules there.

Once done, restart the firewall and your changes will take effect.

[IMcPwn]

I've never used /etc/config/firewall before, what sort of rules do I specify there exactly?

Thanks!

[Sebkinne]

This should help: https://wiki.openwrt.org/doc/uci/firewall

Best Regards,

Sebkinne

[IMcPwn]

Huh. I still can't seem to figure it out. Thanks anyway.

Here's a few of the many things I've tried:

config rule
option src lan
option dest wan
option dest_ip 192.168.1.1/24
option target REJECT

config rule
option src lan
option dest wan
option dest_ip 192.168.1.1/24
option proto tcpudp
option target REJECT

They seem to not be doing anything. Even after /etc/init.d/firewall restart. Sorry for being a noob.

[IMcPwn]

So I learned the order of iptables rules matters and that solved my problem. Below are the commands I appended to my /etc/firewall.user file to block access to local subnets. The pineapple is still accessible though (possibly because it's the default gateway?).

#block all traffic to any possible private network address (10.*.*.*, 172.16-32.*.*, 192.168.*.*)
iptables -I FORWARD 1 -d 192.168.0.0/16 -j DROP
iptables -I FORWARD 1 -d 172.16.0.0/12 -j DROP
iptables -I FORWARD 1 -d 10.0.0.0/8 -j DROP

[audibleblink]

This guy is phenomenal teacher, I thought.

Edited January 8, 2016 by audibleblink

[gozer]

On 1/8/2016 at 10:49 AM, IMcPwn said:

So I learned the order of iptables rules matters and that solved my problem. Below are the commands I appended to my /etc/firewall.user file to block access to local subnets. The pineapple is still accessible though (possibly because it's the default gateway?).

#block all traffic to any possible private network address (10.*.*.*, 172.16-32.*.*, 192.168.*.*)
iptables -I FORWARD 1 -d 192.168.0.0/16 -j DROP
iptables -I FORWARD 1 -d 172.16.0.0/12 -j DROP
iptables -I FORWARD 1 -d 10.0.0.0/8 -j DROP

You appended this on your Linux, host or on the pineapple itself?