
Using iptables to split WLAN from the LAN

Discussion in 'Cisco/Linksys Wireless Routers' started by flimpoff, Apr 25, 2005.

  1. flimpoff

    flimpoff Network Guru Member

    I have the need to have some of my wired machines secured and separate from the wireless machines. I've read a lot about this and to accomplish this it seems that most people are deleting the br0 bridge and jumping through hoops. This seems like a lot of trouble and may break the web interface, DHCP, internet connectivity etc.

    So, I'm wondering if this would work:

    iptables -I FORWARD -d -j ACCEPT #just in case
    iptables -I FORWARD -s -j ACCEPT #Allow the 1st 30 IPs to forward
    iptables -I FORWARD -d -j DROP #Block any packets that did not match the previous 2 rules and are destined for the 1st 30 IPs

    I have not tried this yet, but this seems like it would work, thoughts?
  2. flimpoff

    flimpoff Network Guru Member

    I got this working, the proper commands were (pulling from memory here):

    iptables -I FORWARD -d -j ACCEPT
    iptables -I FORWARD -s -j ACCEPT
    iptables -I FORWARD -s -d -j DROP

    This will make "separate" or "safe" from any addresses higher than (so make sure the wireless DHCP is higher). Obviously someone could pick a static IP under 30 (actions could be taken to prevent that too I suppose) but this is a quick way to make things a bit more safe.

    I'm sure there are some better ways to do this (some just popped into my head) but this is a start.

    My WRT54G is offline at the moment, but this could probably be done really well with the physdev iptables module (if it comes with Alchemy).
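    The rule set in the post above depends on evaluation order: iptables -I puts each new rule at the head of the chain, so the last rule typed is the first one checked. This added example (not from the thread) is a first-match simulator of the FORWARD chain that runs those three rules with -I and with -A semantics; the addresses are assumptions, 192.168.1.0/27 standing in for "the first 30 IPs" and 192.168.1.128/25 for the wireless DHCP pool.

```python
# Added example (not from the thread): a first-match simulator for the netfilter
# FORWARD chain, used to check the WLAN/LAN split rules posted above. Address
# assumptions: protected wired hosts are 192.168.1.0/27 (.1-.31, the nearest
# CIDR to "the first 30 IPs"); the wireless DHCP pool is 192.168.1.128/25.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTECTED = "192.168.1.0/27"
WIRELESS = "192.168.1.128/25"


@dataclass
class Rule:
    target: str                  # ACCEPT or DROP
    src: Optional[str] = None    # -s CIDR, None means any source
    dst: Optional[str] = None    # -d CIDR, None means any destination

    def matches(self, src: str, dst: str) -> bool:
        def in_net(addr, net):
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return in_net(src, self.src) and in_net(dst, self.dst)


class Chain:
    """Rules are evaluated top to bottom; the first match decides the verdict."""
    def __init__(self, policy: str = "ACCEPT"):
        self.rules, self.policy = [], policy

    def insert(self, rule: Rule):  # iptables -I: new rule goes to the head
        self.rules.insert(0, rule)

    def append(self, rule: Rule):  # iptables -A: new rule goes to the tail
        self.rules.append(rule)

    def verdict(self, src: str, dst: str) -> str:
        return next((r.target for r in self.rules if r.matches(src, dst)), self.policy)


def build_chain(use_insert: bool = True) -> Chain:
    """The three rules from the second post, issued in the order they were typed."""
    chain = Chain()
    add = chain.insert if use_insert else chain.append
    add(Rule("ACCEPT", dst=PROTECTED))
    add(Rule("ACCEPT", src=PROTECTED))
    add(Rule("DROP", src=WIRELESS, dst=PROTECTED))
    return chain


if __name__ == "__main__":
    for use_insert, flag in ((True, "-I"), (False, "-A")):
        c = build_chain(use_insert)
        print(f"{flag}: wireless->wired {c.verdict('192.168.1.130', '192.168.1.10')},"
              f" wired->wireless {c.verdict('192.168.1.10', '192.168.1.130')}")
```

    With -I the DROP sits first and wireless-to-wired traffic is blocked; typing the same three lines with -A leaves the ACCEPT -d rule first and the split silently never takes effect. The chain is also stateless, so a wireless host's replies to a connection opened from a wired host are dropped too; a preceding -m state --state ESTABLISHED,RELATED -j ACCEPT rule is the usual fix.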
  3. Manip

    Manip Network Guru Member

    This is an example but...

    iptables -A FORWARD -i eth0 -o eth1 -j DROP

    Just insert the WiFi port on the -i and the LAN on the -o.
