• Securing open access points

    From Stephan Balmer@21:1/5 to All on Sat Mar 3 13:20:02 2018
    Hi list

    We're operating a few wifi access-points that allow connecting without
    any password/encryption.To tighten security a bit, I've added ebtables
    rules on the individual AP. (The AP are Pc-engines Alix running Debian, hostapd.) I'd appreciate feedback on the effectiveness of my approach
    and whether there are other low-hanging fruit to further separate
    clients.These are the rules:

    # Flush
    ebtables -F
    ebtables -t nat -F

    # Block packets from the wifi side that purport to be from a gateway address ebtables -A FORWARD --in-interface wlan+ --protocol arp --arp-ip-src -j DROP
    ebtables -A FORWARD --in-interface wlan+ --protocol arp --arp-ip-src -j DROP
    ebtables -A FORWARD --in-interface wlan+ -s 02:ba:de:af:fe:00 -j DROP

    # Block DHCP server responses and IP6 router advertisements from wifi side ebtables -A FORWARD --in-interface wlan+ --protocol ipv4 --ip-protocol udp        --ip-source-port 67 -j DROP
    ebtables -A FORWARD --in-interface wlan+ --protocol IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 134 -j DROP

    # Allow visitors to talk to the gateway only
    # Just send all packets to the gateway at 02:ba:de:af:fe:00 regardless
    of target address
    ebtables -t nat -A PREROUTING --in-interface wlan0_+ -j dnat
    --to-destination 02:ba:de:af:fe:00
    ebtables -t nat -A PREROUTING --in-interface wlan1_+ -j dnat
    --to-destination 02:ba:de:af:fe:00

    #  Block STP on the wifi side
    for T in OUTPUT FORWARD; do ebtables -A $T --out-interface wlan+
    --source BGA -j DROP; done
    for T in OUTPUT FORWARD; do ebtables -A $T --out-interface wlan+
    --destination BGA -j DROP; done

    Explanation of the interfaces:

    wlan0, wlan1:   used for internal WPA-secured traffic
    wlan0_0, wlan1_0:    are open for guests    Internal network (somewhat trusted)    Guest network (untrusted)
    02:ba:de:af:fe:00:    MAC-address of the gateway interface in

    The idea is to prevent guests from talking to each other. This improves security and removes broadcast noise because broadcast traffic is only
    seen by the gateway. In particular, I expect this approach to prevent wifi-clients from impersonating the IP-gateway. This should prevent the
    most common form of MitM attacks. I'm aware that it's not a total
    separation and that there are still opportunities for client-address

    Maybe you see areas where clients could be separated further?


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)